Closed laurentS closed 10 months ago
You should look into adding a before action hook to the controller and an ability using the `requester_or_admin?` helper to limit access.
Hi @gbp, thanks for merging this. In the controller, there is this which I believe prevents unauthorised access. At least it does on madada.fr (for instance here). The code is probably not optimal, but it seems to work. Did I miss anything?
This PR modifies the template to make the appeal document link visible to admins and request owners only, and moves the link to before the "regular" document, as requested by Transparencia.