Merge pull request #482 from MaMpf-HD/fix/elevated-user-list

[Security fix] Add authorization to generic user list API
MaMpf-HD · Apr 28, 2023 · 33b46ce · 33b46ce
2 parents e4c2498 + f7f79b1
commit 33b46ce
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
@@ -54,6 +54,7 @@ def list
   end
 
   def list_generic_users
+    authorize! :list_generic_user, @user
     result = User.where.not(id: @elevated_users.pluck(:id))
                  .values_for_select
     render json: result