Allow only admins to attach CKEditor images
Right now allowing regular users to attach images would make us vulnerable to CSRF attacks.
This commit is contained in:
@@ -79,6 +79,9 @@ module Abilities
|
||||
can :manage, SiteCustomization::Image
|
||||
can :manage, SiteCustomization::ContentBlock
|
||||
|
||||
can :access, :ckeditor
|
||||
can :manage, Ckeditor::Picture
|
||||
|
||||
can [:manage], ::Legislation::Process
|
||||
can [:manage], ::Legislation::DraftVersion
|
||||
can [:manage], ::Legislation::Question
|
||||
|
||||
@@ -5,9 +5,6 @@ module Abilities
|
||||
def initialize(user)
|
||||
merge Abilities::Everyone.new(user)
|
||||
|
||||
can :access, :ckeditor # needed to access Ckeditor filebrowser
|
||||
can [:access, :create, :destroy], Ckeditor::Picture, id: user.id
|
||||
|
||||
can [:read, :update], User, id: user.id
|
||||
|
||||
can :read, Debate
|
||||
|
||||
@@ -3,8 +3,6 @@ module Abilities
|
||||
include CanCan::Ability
|
||||
|
||||
def initialize(user)
|
||||
|
||||
can :read, Ckeditor::Picture
|
||||
can [:read, :map], Debate
|
||||
can [:read, :map, :summary, :share], Proposal
|
||||
can :read, Comment
|
||||
|
||||
Reference in New Issue
Block a user