From 55f2636e15ce44df9780b676794f9e79ff480cf2 Mon Sep 17 00:00:00 2001
From: Nick Recobra
Date: Tue, 23 Nov 2010 16:02:38 +0300
Subject: [PATCH] Admin is able to make other admins on user creation.
---
 app/controllers/users_controller.rb | 3 +++
 spec/controllers/users_controller_spec.rb | 28 ++++++++++++++++++++++------
 2 files changed, 25 insertions(+), 6 deletions(-)
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 70aaa70..2537355 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -23,6 +23,9 @@ class UsersController < ApplicationController
 def create
 @user = User.new(params[:user])
+ # Set protected attributes
+ @user.admin = params[:user].try(:[], :admin) if current_user.admin?
+
 if @user.save
 flash[:success] = "#{@user.name} is now part of the team. Be sure to add them as a project watcher."
 redirect_to user_path(@user)
diff --git a/spec/controllers/users_controller_spec.rb b/spec/controllers/users_controller_spec.rb
index f05a6b3..de8eabe 100644
--- a/spec/controllers/users_controller_spec.rb
+++ b/spec/controllers/users_controller_spec.rb
@@ -48,6 +48,11 @@ describe UsersController do
 put :update, :id => @user.to_param, :user => {:name => 'Kermit'}
 response.should redirect_to(user_path(@user))
 end
+
+ it "should not be able to become an admin" do
+ put :update, :id => @user.to_param, :user => {:admin => true}
+ @user.reload.admin.should be_false
+ end
 end
 context "when the update is unsuccessful" do
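Review bot: The new assignment in `create` keeps ordinary users from granting admin only if `User` excludes `admin` from mass assignment, because `User.new(params[:user])` on the line above still receives the whole hash; the comment `# Set protected attributes` implies this, but the model is not part of the patch. The line also calls `current_user.admin?` unconditionally, so it assumes an authentication filter has already turned away anonymous requests before `create` runs. I would state both assumptions in the comment, e.g. `# admin is not mass-assignable on User; only a signed-in admin may set it here`, and confirm the model declaration as part of this review. `create` continues past the end of the hunk.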
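Review bot: The negative case is pinned only for `update` in this hunk, while the action the patch changes is `create`; none of the spec hunks posts `:admin => true` to `create` as a non-admin and asserts that the flag stays off. If non-admins can reach `create` at all (the filters are not visible here), a mirror example belongs next to this one, e.g. `post :create, :user => Factory.attributes_for(:user).merge(:admin => true)` followed by an assertion that no admin user was created. The enclosing context and its sign-in setup start above the hunk.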
@@ -100,19 +105,24 @@ describe UsersController do
 context "POST /users" do
 context "when the create is successful" do
 before do
- @user = Factory(:user)
- User.should_receive(:new).and_return(@user)
- @user.should_receive(:save).and_return(true)
+ @attrs = {:user => Factory.attributes_for(:user)}
 end
 it "sets a message to display" do
- post :create
+ post :create, @attrs
 request.flash[:success].should include('part of the team')
 end
 it "redirects to the user's page" do
- post :create
- response.should redirect_to(user_path(@user))
+ post :create, @attrs
+ response.should redirect_to(user_path(assigns(:user)))
+ end
+
+ it "should be able to create admin" do
+ @attrs[:user][:admin] = true
+ post :create, @attrs
+ response.should be_redirect
+ User.find(assigns(:user).to_param).admin.should be_true
 end
 end
@@ -145,6 +155,12 @@ describe UsersController do
 put :update, :id => @user.to_param, :user => {:name => 'Kermit'}
 response.should redirect_to(user_path(@user))
 end
+
+ it "should be able to make user an admin" do
+ put :update, :id => @user.to_param, :user => {:admin => true}
+ response.should be_redirect
+ User.find(assigns(:user).to_param).admin.should be_true
+ end
 end
 context "when the update is unsuccessful" do
--
libgit2 0.21.2
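Review bot: The example "should be able to create admin" posts `:admin => true` as a Ruby boolean and checks the result with `be_true`, which passes for any truthy value, so it does not pin what happens with the string values a form submits. Because the controller assigns the raw parameter, a value such as `'0'` or `'false'` leaves the user a non-admin only if the model casts it, and that cast is not shown in this patch. An extra example setting `@attrs[:user][:admin] = '0'` and asserting `admin.should be_false` on the reloaded record would cover it. The sign-in setup for this context lies outside the hunk.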
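Review bot: The example "should be able to make user an admin" exercises `update`, but the controller part of this patch touches only `create`, so it can pass only if `update` already assigns `admin` for admin callers in code outside the patch. It also does not establish that `@user` starts as a non-admin; if `@user` in this context is the signed-in admin, the final assertion holds without the request changing anything. Asserting the precondition first, e.g. `@user.admin.should be_false` before the `put`, would make the example meaningful. The `before` block that builds `@user` is above the hunk.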