Prevent anon/banned/member users from voting (fix #2719).

There was a regression in 6d6d00b; `before_filter :voter_only` was a no-op in the post vote controller because it merely returned false, which does not halt the request. The fix is to arrange for a voter_only method to be defined that properly redirects to the access denied page.
2016-10-14 04:40:48 +00:00
parent 5e75dcecea
commit d84184b5f1
3 changed files with 17 additions and 9 deletions
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -16,6 +16,16 @@ class User < ActiveRecord::Base
    ADMIN = 50
  end

+  # Used for `before_filter :<role>_only`. Must have a corresponding `is_<role>?` method.
+  Roles = Levels.constants.map(&:downcase) + [
+    :anonymous,
+    :banned,
+    :approver,
+    :voter,
+    :super_voter,
+    :verified,
+  ]
+
  BOOLEAN_ATTRIBUTES = %w(
    is_banned
    has_mail
@@ -384,6 +394,10 @@ class User < ActiveRecord::Base
      true
    end

+    def is_blocked?
+      is_banned?
+    end
+
    def is_builder?
      level >= Levels::BUILDER
    end