authorhukl <contact@smyck.org>2009-11-03 20:16:40 +0100
committerhukl <contact@smyck.org>2009-11-03 20:16:40 +0100
commit0c186fe46bbd5fa0b09ea9025c0d6ed256d8d11d (patch)
tree963a74ebada9e1479656a03d644683a2f6929991
parent3b35b3a0bba7991a243eb794303b838ae90bb69c (diff)
Prevent regular users from promoting themselves to admins
-rw-r--r--app/controllers/users_controller.rb1
-rw-r--r--app/models/user.rb6
-rw-r--r--test/functional/users_controller_test.rb18
3 files changed, 24 insertions, 1 deletions
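--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -33,6 +33,7 @@ class UsersController < ApplicationController
   end
 
   def update
+    params[:user].delete(:admin) unless current_user.is_admin?
     if @user.update_attributes(params[:user])
       flash[:notice] = "Updated user #{@user.login}"
       redirect_to user_path(@user)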
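Review bot: The guard added at new line 36 strips `:admin` in this one action only, so any other action that mass-assigns `params[:user]` (a `create` action, if one exists, is not visible here) still accepts `admin`, and every future privileged attribute needs the same line repeated. Rails' model-level protection, `attr_protected :admin` in `User`, blocks the attribute on every mass-assignment path and is the conventional fix; the controller line can stay as defence in depth. The new line also raises `NoMethodError` when a request carries no `user` parameter, whereas `update_attributes(nil)` was tolerated before as far as I recall; `params[:user].delete(:admin) if params[:user] && !current_user.is_admin?` keeps that behaviour. It further assumes `current_user` is never nil here, presumably guaranteed by a `before_filter` outside the hunk. `update` continues past the end of the hunk.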
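--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -79,7 +79,11 @@ class User < ActiveRecord::Base
     return false
   end
 
-  private
+  def is_admin?
+    !!admin
+  end
+
+  private
 
   def set_permission(granted, node)
     permission = self.permissions.for_node(node).first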
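Review bot: `is_admin?` at new line 82 uses the `is_` prefix, which the Ruby style guide discourages for predicate methods; if `admin` is a boolean column, ActiveRecord already generates the query method `admin?` with the same true/false result, so the new method could be replaced by `admin?` or at least renamed to it. The method is placed above `private`, so it is public, which the controller and test changes rely on. The method whose `return false` opens the hunk starts outside it.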
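--- a/test/functional/users_controller_test.rb
+++ b/test/functional/users_controller_test.rb
@@ -158,5 +158,23 @@ class UsersControllerTest < ActionController::TestCase
     assert_redirected_to users_path
   end
 
+  test "admin user can promote regular users to admins" do
+    login_as :aaron
+    user = users(:quentin)
+    put :update, :id => user.id, :user => {:admin => true}
+
+    user.reload
+    assert_equal true, user.is_admin?
+  end
+
+  test "regular users cannot promote themselves to admins" do
+    login_as :quentin
+    user = users(:quentin)
+    put :update, :id => user.id, :user => {:admin => true}
+
+    user.reload
+    assert_equal false, user.is_admin?
+  end
+
 
 end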
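Review bot: The negative test at new lines 170-177 would also pass if the controller rejected the whole request (for example redirected away without saving), so it does not pin the intended behaviour, which is that the update succeeds with only `admin` discarded. Adding `assert_redirected_to user_path(user)` after the `put`, matching the success branch shown in the controller change, distinguishes the two outcomes. A regular user attempting to promote a different user is not covered either; whether that path is already authorised elsewhere is not visible in this hunk.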