authorre4k <re4k@re4k.info>2013-05-07 00:38:42 +0900
committerre4k <re4k@re4k.info>2013-05-07 00:38:42 +0900
commita76f8493000ed9b3322a575a53773a1379df4d20 (patch)
tree38e38436266eb806cea6a18d5bdc0df0fdb1e4d0 /app/controllers/application_controller.rb
parentb0b8ba91f3915f4786f21aa466f16699e393818c (diff)
downloadaclog-a76f8493000ed9b3322a575a53773a1379df4d20.tar.gz
fix problem: protected user can't show own page (2) when OAuth Echo
Diffstat (limited to 'app/controllers/application_controller.rb')
-rw-r--r--app/controllers/application_controller.rb5
1 files changed, 2 insertions, 3 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index c109819..dfe866a 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -17,16 +17,15 @@ class ApplicationController < ActionController::Base
def authorized_to_show?(user)
return true if not user.protected?
- return true if session[:user_id] == user.id
if session[:user_id]
- return session[:account].following?(user.id)
+ return session[:user_id] == user.id || session[:account].following?(user.id)
elsif request.headers["X-Verify-Credentials-Authorization"]
# OAuth Echo
user_id = authenticate_with_twitter_oauth_echo
account = Account.find_by(user_id: user_id)
if account
- return account.following?(user.id)
+ return account.user_id == user.id || account.following?(user.id)
else
return false
end