voidlily / timeboard

Georgia Tech CoC TA timesheets

User Admin Security #27

Closed jking31cs closed 13 years ago

jking31cs commented 13 years ago

Right now, anyone can access the user admin pages by straight up typing them in the address bar. DO VALIDATION DAMMIT: add a before filter on the users controller and courses controller that ensures the logged-in user is a user admin.

apmonroe commented 13 years ago

Put a require_admin method in the admin user and course controllers, called in a before_filter. Added individual checking for the show action in the users controller. The show action for courses is globally visible to logged-in users.
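The filter layout the two comments describe, written out as an added example; this is not the timeboard project's own code. The method and class names (require_admin, require_self_or_admin, User#admin?, the controller names) are assumptions, and a small FakeController stands in for ActionController's filter chain so the block runs without Rails. The filter methods themselves are what would sit in the real controllers.

```ruby
# Added example of the "require_admin before_filter" pattern from the issue.
# Names (require_admin, require_self_or_admin, User#admin?, UsersController,
# CoursesController) are assumptions, not the project's own code.

User = Struct.new(:id, :name, :admin) do
  def admin?
    admin
  end
end

# Minimal stand-in for ActionController::Base's filter chain. A filter that
# calls deny halts the request before the action runs, the way a
# redirect_to/render inside a before_filter does in Rails.
class FakeController
  class Halt < StandardError; end

  attr_reader :current_user, :params, :status

  def self.before_filter(name, options = {})
    (@filters ||= []) << [name, options]
  end

  # Parent filters run first, so require_login precedes require_admin.
  def self.filters
    own = @filters || []
    superclass.respond_to?(:filters) ? superclass.filters + own : own
  end

  def initialize(current_user, params = {})
    @current_user = current_user
    @params = params
    @status = :ok
  end

  # Runs every applicable filter, then the action; returns the outcome.
  def process(action)
    self.class.filters.each do |name, opts|
      next if opts[:only] && !Array(opts[:only]).include?(action)
      next if opts[:except] && Array(opts[:except]).include?(action)
      send(name)
    end
    send(action)
  rescue Halt
    @status
  end

  def deny(status)
    @status = status
    raise Halt
  end
end

class ApplicationController < FakeController
  # A logged-in user is required before any admin check makes sense.
  before_filter :require_login

  def require_login
    deny(:redirect_to_login) unless current_user
  end

  # The check the issue asks for: only user admins get through.
  def require_admin
    deny(:forbidden) unless current_user.admin?
  end
end

class UsersController < ApplicationController
  # show is excluded from the blanket admin check and gets a per-record check.
  before_filter :require_admin, except: [:show]
  before_filter :require_self_or_admin, only: [:show]

  def index; :ok; end
  def edit;  :ok; end
  def show;  :ok; end

  # A user may view their own record; anyone else's record requires admin.
  # Rails params arrive as strings, hence to_i before comparing.
  def require_self_or_admin
    return if current_user.admin?
    deny(:forbidden) unless params[:id].to_i == current_user.id
  end
end

class CoursesController < ApplicationController
  # Course show pages are visible to every logged-in user; the rest is admin-only.
  before_filter :require_admin, except: [:show]

  def index; :ok; end
  def show;  :ok; end
end
```

The point of the filter is that it runs on every request, so hiding the admin links in the navigation is irrelevant: a user who types the URL still hits require_admin. On Rails 5 and later the same hook is spelled before_action; the filter bodies do not change.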