diff --git a/app/controllers/admin/profile_controller.rb b/app/controllers/admin/profile_controller.rb index ef118f7..b176ac2 100644 --- a/app/controllers/admin/profile_controller.rb +++ b/app/controllers/admin/profile_controller.rb @@ -26,7 +26,7 @@ module Admin private def user_params - params.require(:user).permit(:name, :email, :password, :password_confirmation) + params.require(:user).permit(policy(User).permitted_attributes) end end end diff --git a/app/controllers/admin/user_controller.rb b/app/controllers/admin/user_controller.rb index 3b37e55..d8ab69a 100644 --- a/app/controllers/admin/user_controller.rb +++ b/app/controllers/admin/user_controller.rb @@ -50,7 +50,7 @@ module Admin private def user_params - params.require(:user).permit(:name, :email, :role, :password, quiz_ids: []) + params.require(:user).permit(policy(User).permitted_attributes) end end end diff --git a/app/policies/user_policy.rb b/app/policies/user_policy.rb index dad8c7f..5a1140e 100644 --- a/app/policies/user_policy.rb +++ b/app/policies/user_policy.rb @@ -17,6 +17,11 @@ class UserPolicy < ApplicationPolicy user.admin? || user == record end + def permitted_attributes + return [:name, :email, :role, :password, quiz_ids: []] if user.admin? + [:name, :email, :password, :password_confirmation] + end + class Scope < Scope def resolve return scope if user.admin?