Restrict editing of ownership and type in enterprise api controller

2026-01-28 21:07:16 +00:00 · 2014-09-12 12:47:16 +10:00
parent cc65faadd0
commit 5c7ab2efa3
1 changed files with 13 additions and 0 deletions
--- a/app/controllers/api/enterprises_controller.rb
+++ b/app/controllers/api/enterprises_controller.rb
@@ -1,5 +1,8 @@
 module Api
  class EnterprisesController < Spree::Api::BaseController
+
+    before_filter :override_owner, only: [:create, :update]
+    before_filter :check_type, only: :update
    respond_to :json

    def managed
@@ -33,5 +36,15 @@ module Api
        invalid_resource!(@enterprise)
      end
    end
+
+    private
+
+    def override_owner
+      params[:enterprise][:owner_id] = current_api_user.id
+    end
+
+    def check_type
+      params[:enterprise].delete :type unless current_api_user.admin?
+    end
  end
 end