diff options
author | http://jneen.net/ <jneen@jneen.net> | 2017-03-01 00:19:52 +0300 |
---|---|---|
committer | http://jneen.net/ <jneen@jneen.net> | 2017-03-09 22:49:52 +0300 |
commit | 0ea04cc5bfcc125875a6e0f46702389f0e2e19c0 (patch) | |
tree | d5cb804a8ce4c5a28bd9cc40724fc96457c29e7f /app/controllers/application_controller.rb | |
parent | d9cfed07cd1048328499ae06807368be29bdeb2c (diff) |
use the policy stack to protect logins
Diffstat (limited to 'app/controllers/application_controller.rb')
-rw-r--r-- | app/controllers/application_controller.rb | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 9b381336fab..b7ce081a5cd 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -67,7 +67,7 @@ class ApplicationController < ActionController::Base token_string = params[:private_token].presence || request.headers['PRIVATE-TOKEN'].presence user = User.find_by_authentication_token(token_string) || User.find_by_personal_access_token(token_string) - if user + if user && can?(user, :log_in) # Notice we are passing store false, so the user is not # actually stored in the session and a token is needed # for every request. If you want the token to work as a |