show sensitive information when using jwt for password reset. #687

datacite · Dec 16, 2020 · bd254a3 · bd254a3
1 parent 06250e1
commit bd254a3
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/app/models/ability.rb b/app/models/ability.rb
@@ -164,12 +164,12 @@ def initialize(user)
       end
     elsif user.role_id == "temporary"
       can %i[read], Provider
-      can %i[update], Provider, symbol: "ADMIN" if user.uid == "admin"
+      can %i[update read_contact_information], Provider, symbol: "ADMIN" if user.uid == "admin"
       if user.provider_id.present?
-        can %i[update], Provider, symbol: user.provider_id.upcase
+        can %i[update read_contact_information], Provider, symbol: user.provider_id.upcase
       end
       if user.client_id.present?
-        can %i[read update], Client, symbol: user.client_id.upcase
+        can %i[read update read_contact_information], Client, symbol: user.client_id.upcase
       end
       can %i[read], Doi, client_id: user.client_id if user.client_id.present?
       can %i[read get_url], Doi