Correct policing of access to private user details

[rails.git] / app / controllers / api / users_controller.rb

diff --git a/app/controllers/api/users_controller.rb b/app/controllers/api/users_controller.rb
index b4a2efc7c3043fd06d9aee6b7deaaa76dab6f59a..a452cb9301ead6467f3c8ed6852156c55ba71e56 100644 (file)
--- a/app/controllers/api/users_controller.rb
+++ b/app/controllers/api/users_controller.rb
@@ -1,6 +1,7 @@
 module Api
   class UsersController < ApiController
     before_action :disable_terms_redirect, :only => [:details]
+    before_action :setup_user_auth, :only => [:show, :index]
     before_action :authorize, :only => [:details, :gpx_files]
 
     authorize_resource