From 0c186fe46bbd5fa0b09ea9025c0d6ed256d8d11d Mon Sep 17 00:00:00 2001
From: hukl
Date: Tue, 3 Nov 2009 20:16:40 +0100
Subject: Prevent regular users from promoting themselves to admins

---
 app/controllers/users_controller.rb      |  1 +
 app/models/user.rb                       |  6 +++++-
 test/functional/users_controller_test.rb | 18 ++++++++++++++++++
 3 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index eb1cd4c..87df678 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -33,6 +33,7 @@ class UsersController < ApplicationController
   end

   def update
+    params[:user].delete(:admin) unless current_user.is_admin?
     if @user.update_attributes(params[:user])
       flash[:notice] = "Updated user #{@user.login}"
       redirect_to user_path(@user)
diff --git a/app/models/user.rb b/app/models/user.rb
index 035a145..ce5503f 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -79,7 +79,11 @@ class User < ActiveRecord::Base
     return false
   end

-  private
+  def is_admin?
    !!admin
  end
+  private

   def set_permission(granted, node)
     permission = self.permissions.for_node(node).first
diff --git a/test/functional/users_controller_test.rb b/test/functional/users_controller_test.rb
index 307ba4c..89c6dc2 100644
--- a/test/functional/users_controller_test.rb
+++ b/test/functional/users_controller_test.rb
@@ -158,5 +158,23 @@ class UsersControllerTest < ActionController::TestCase
     assert_redirected_to users_path
   end

+  test "admin user can promote regular users to admins" do
+    login_as :aaron
+    user = users(:quentin)
+    put :update, :id => user.id, :user => {:admin => true}
+
+    user.reload
+    assert_equal true, user.is_admin?
+  end
+
+  test "regular users cannot promote themselves to admins" do
+    login_as :quentin
+    user = users(:quentin)
+    put :update, :id => user.id, :user => {:admin => true}
+
+    user.reload
+    assert_equal false, user.is_admin?
+  end
+
 end
--
cgit v1.3
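Review bot: The added guard in `update` calls `params[:user].delete(:admin)` without checking that `params[:user]` exists, so a PUT with no `user` hash now raises NoMethodError on nil where the old code merely passed nil to `update_attributes`; guard it with `params[:user].delete(:admin) if params[:user] && !current_user.is_admin?`. It also relies on `current_user` being non-nil, which presumably an authentication filter outside this hunk guarantees but is not visible here. More fundamentally this is a per-action blacklist of one attribute: any other action or controller that mass-assigns `User` attributes, and any other privilege-bearing column, is still exposed, so the model should also refuse mass assignment of `admin` (e.g. `attr_protected :admin` or an `attr_accessible` whitelist) and this line becomes defense in depth rather than the only control. The body of `update` continues past the end of the hunk.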
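Review bot: `is_admin?` breaks the Ruby predicate convention (no `is_` prefix), and if `admin` is a boolean column ActiveRecord already generates an equivalent `admin?` query method, so this likely duplicates an existing accessor; consider `alias_method :is_admin?, :admin?` or just using `admin?` at the call sites. The new public method also lacks a comment explaining why it exists alongside the attribute; something like `# Explicit boolean view of the admin flag; used by controllers to gate privileged attribute updates.` would help. Since this hunk is the natural place for a model-level mass-assignment guard on `admin`, adding `attr_protected :admin` here would make the protection hold for every write path rather than only the one controller action fixed in this commit.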
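Review bot: The two new tests exercise the happy path and the self-promotion case but not the request shape the controller change makes fragile: a PUT to `update` with no `:user` key, and a regular user sending `:admin` for a different user's id. A third test such as `put :update, :id => user.id` (no `:user` hash) asserting a non-500 response, and one where `:quentin` targets `users(:aaron)`, would pin the guard's behavior beyond the single case named in the subject. The tests also assume `:aaron` is an admin fixture, which is not visible in this diff; a one-line comment `# :aaron fixture has admin => true` on the first test would make that dependency explicit. `assert_equal true/false` could be written as `assert user.is_admin?` / `assert !user.is_admin?` to match typical Test::Unit style, though that is cosmetic.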