Regular users shouldn't be able to modify Vacation Requests from another user

[hopsor]

Right now a regular user (not admin) is able to edit the vacation request from another user. This should be forbidden in the backend.

Was this an intended behavior @javiercr ?

[javiercr]

I don't think this was intended. I can't find any reason why we would want that :)

[jekuno]

@hopsor Did you really manage to change a vacation request? I do see the buttons "Accept" and "Reject" but as soon as I confirm the popup nothing happens because currently there's already the following check in the VacationRequestsController:
before_action :check_admin_user, only: [:approve, :reject]

For usability reasons one could hide or disable the buttons but at least I don't see a security issue with this.