Use scoped view for StudyPolicy to prevent leaking other groups

2019-05-15 17:39:12 +02:00
parent 1d842a4422
commit 652dc7001e
1 changed files with 1 additions and 1 deletions
--- a/app/controllers/study_groups_controller.rb
+++ b/app/controllers/study_groups_controller.rb
@ -4,7 +4,7 @@ class StudyGroupsController < ApplicationController
  before_action :set_group, only: MEMBER_ACTIONS

  def index
-    @search = StudyGroup.ransack(params[:q])
+    @search = policy_scope(StudyGroup).ransack(params[:q])
    @study_groups = @search.result.includes(:consumer).order(:name).paginate(page: params[:page])
    authorize!
  end