<role>_only: fix role checking logic to check ip bans last.

Make <role>_only methods check the role first and ip bans last. This avoids hitting the database for anonymous users, since they'll always fail the is_<role>? check before the ip check.
2018-09-09 20:01:26 -05:00
parent e546e52bd7
commit de10ea66a1
2 changed files with 2 additions and 9 deletions
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -184,11 +184,8 @@ class ApplicationController < ActionController::Base

  User::Roles.each do |role|
    define_method("#{role}_only") do
-      if !CurrentUser.user.is_banned_or_ip_banned? && CurrentUser.user.__send__("is_#{role}?")
-        true
-      else
-        access_denied()
-        false
+      if !CurrentUser.user.send("is_#{role}?") || CurrentUser.user.is_banned? || IpBan.is_banned?(CurrentUser.ip_addr)
+        access_denied
      end
    end
  end