From 3e787f7e7d0a013376735dbe2b60054166a61499 Mon Sep 17 00:00:00 2001
From: Jean-Philippe Lang
Date: Mon, 3 Apr 2017 12:59:55 +0000
Subject: Deny edit/update/delete for anonymous user (#25483).

Patch by Holger Just.

git-svn-id: http://svn.redmine.org/redmine/trunk@16464 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/controllers/users_controller.rb | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

(limited to 'app/controllers')

diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 7dcaa7962..f26b9b6d8 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -20,7 +20,8 @@ class UsersController < ApplicationController
   self.main_menu = false
 
   before_action :require_admin, :except => :show
-  before_action :find_user, :only => [:show, :edit, :update, :destroy]
+  before_action ->{ find_user(false) }, :only => :show
+  before_action :find_user, :only => [:edit, :update, :destroy]
   accept_api_auth :index, :show, :create, :update, :destroy
 
   helper :sort
@@ -174,10 +175,12 @@ class UsersController < ApplicationController
   private
 
-  def find_user
+  def find_user(logged = true)
     if params[:id] == 'current'
       require_login || return
       @user = User.current
+    elsif logged
+      @user = User.logged.find(params[:id])
     else
       @user = User.find(params[:id])
     end
-- 
cgit v1.2.3
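Review bot: The bare `false` in `before_action ->{ find_user(false) }, :only => :show` is a magic positional flag whose meaning is not visible at the call site, and the second hunk's `def find_user(logged = true)` carries no explanation of what `logged` restricts. Presumably `User.logged` excludes the anonymous user, so that edit/update/destroy raise RecordNotFound for it while show (the only action reachable without admin, per `:require_admin, :except => :show`) still resolves it; a comment above the lambda such as `# show may still resolve the anonymous user; edit/update/destroy only accept logged (non-anonymous) users` would make that intent explicit. A matching `# @param logged [Boolean] when true, restrict the lookup to User.logged` on find_user in the second hunk would document the flag itself. Note that the second hunk's find_user body (and its rescue/end) continues past the end of this page, so the behaviour for a failed `User.logged.find` cannot be confirmed here.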