granblue.team/hensei-api
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Fix bug in who can see restricted parties

Browse source
This commit is contained in:
Justin Edmund 2023-08-25 14:42:52 -07:00
parent 6a55279c35
commit 5562c92d46
1 changed files with 4 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
app/controllers/api/v1/parties_controller.rb
View file

@ -33,7 +33,9 @@ module Api
def show def show
# If a party is private, check that the user is the owner or an admin # If a party is private, check that the user is the owner or an admin
return render_unauthorized_response if !current_user || (@party.private? && not_owner && !admin_mode) if (@party.private? && !current_user) || (@party.private? && not_owner && !admin_mode)
return render_unauthorized_response
end
return render json: PartyBlueprint.render(@party, view: :full, root: :party) if @party return render json: PartyBlueprint.render(@party, view: :full, root: :party) if @party
@ -107,7 +109,7 @@ module Api
private private
def authorize def authorize
render_unauthorized_response if not_owner || @party.edit_key != edit_key || !admin_mode render_unauthorized_response if (not_owner && !admin_mode) || (@party.edit_key != edit_key && !admin_mode)
end end
def not_owner def not_owner