controllers: allow banned users to use GET actions.

Make member_only et al only apply to non-GET actions. This avoids doing IP ban checks when simply viewing members-only pages.
2020-02-16 04:21:20 -06:00
parent 594c4ea0c9
commit 998eece95d
1 changed files with 7 additions and 3 deletions
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -154,11 +154,15 @@ class ApplicationController < ActionController::Base
    render_error_page(status, error)
  end

+  def role_only!(role)
+    raise User::PrivilegeError if !CurrentUser.send("is_#{role}?")
+    raise User::PrivilegeError if !request.get? && CurrentUser.user.is_banned?
+    raise User::PrivilegeError if !request.get? && IpBan.is_banned?(CurrentUser.ip_addr)
+  end
+
  User::Roles.each do |role|
    define_method("#{role}_only") do
-      if !CurrentUser.user.send("is_#{role}?") || CurrentUser.user.is_banned? || IpBan.is_banned?(CurrentUser.ip_addr)
-        raise User::PrivilegeError
-      end
+      role_only!(role)
    end
  end