Allow only admins to attach CKEditor images

Right now allowing regular users to attach images would make us
vulnerable to CSRF attacks.
This commit is contained in:
Javi Martín
2018-09-07 13:26:47 +02:00
parent 116bdebc96
commit 471061f475
3 changed files with 3 additions and 5 deletions

View File

@@ -79,6 +79,9 @@ module Abilities
can :manage, SiteCustomization::Image
can :manage, SiteCustomization::ContentBlock
can :access, :ckeditor
can :manage, Ckeditor::Picture
can [:manage], ::Legislation::Process
can [:manage], ::Legislation::DraftVersion
can [:manage], ::Legislation::Question

View File

@@ -5,9 +5,6 @@ module Abilities
def initialize(user)
merge Abilities::Everyone.new(user)
can :access, :ckeditor # needed to access Ckeditor filebrowser
can [:access, :create, :destroy], Ckeditor::Picture, id: user.id
can [:read, :update], User, id: user.id
can :read, Debate

View File

@@ -3,8 +3,6 @@ module Abilities
include CanCan::Ability
def initialize(user)
can :read, Ckeditor::Picture
can [:read, :map], Debate
can [:read, :map, :summary, :share], Proposal
can :read, Comment