Only allow admins to pass show_deleted parameter

Relates to spree#1626
Scoutmob · Jun 3, 2012 · 25efab3 · 25efab3
1 parent 4a75480
commit 25efab3
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/api/app/controllers/spree/api/v1/base_controller.rb b/api/app/controllers/spree/api/v1/base_controller.rb
@@ -68,12 +68,12 @@ def find_product(id)
         def product_scope
           if current_api_user.has_role?("admin")
             scope = Product
+            unless params[:show_deleted]
+              scope = scope.not_deleted
+            end
           else
             scope = Product.active
           end
-          unless params[:show_deleted]
-            scope = scope.not_deleted
-          end
 
           scope.includes(:master)
         end