users: allow site owner to reset passwords of other users.

2020-12-13 19:07:19 -06:00
parent d8b51e3f02
commit 86bba56eda
3 changed files with 20 additions and 2 deletions
--- a/app/controllers/passwords_controller.rb
+++ b/app/controllers/passwords_controller.rb
@@ -9,7 +9,7 @@ class PasswordsController < ApplicationController
  def update
    @user = authorize User.find(params[:user_id]), policy_class: PasswordPolicy

-    if @user.authenticate_password(params[:user][:old_password]) || @user.authenticate_login_key(params[:user][:signed_user_id])
+    if @user.authenticate_password(params[:user][:old_password]) || @user.authenticate_login_key(params[:user][:signed_user_id]) || CurrentUser.user.is_owner?
      @user.update(password: params[:user][:password], password_confirmation: params[:user][:password_confirmation])
    else
      @user.errors.add(:base, "Incorrect password")