Download as
Browse Code »

Commit f24094442a753a86f58d203627e8894a9603f4b9

Authored by Cyril Mougel
1 parent a7870164
Exists in master and in 1 other branch production

Avoid user delete admin access of current user logged 

Fix #456
Showing 4 changed files with 59 additions and 26 deletions   Show diff stats
@@ -5,6 +5,8 @@ @@ -5,6 +5,8 @@
5 - Update some gems ([@shingara][]) 5 - Update some gems ([@shingara][])
6 - [#492][] Improve some Pjax call ([@nfedyashev][]) 6 - [#492][] Improve some Pjax call ([@nfedyashev][])
7 - [#428][] Add the support of Unfuddle Tracker ([@parallel588][]) 7 - [#428][] Add the support of Unfuddle Tracker ([@parallel588][])
  8 +- Avoid to delete his own user ([@shingara][])
  9 +- [#456] Avoid to delete admin access of current user logged ([@shingara][])
8 10
9 ### Bug Fixes 11 ### Bug Fixes
10 12
@@ -48,6 +50,7 @@ @@ -48,6 +50,7 @@
48 [#428]: https://github.com/errbit/errbit/issues/428 50 [#428]: https://github.com/errbit/errbit/issues/428
49 [#453]: https://github.com/errbit/errbit/issues/453 51 [#453]: https://github.com/errbit/errbit/issues/453
50 [#455]: https://github.com/errbit/errbit/issues/455 52 [#455]: https://github.com/errbit/errbit/issues/455
  53 +[#456]: https://github.com/errbit/errbit/issues/456
51 [#457]: https://github.com/errbit/errbit/issues/457 54 [#457]: https://github.com/errbit/errbit/issues/457
52 [#460]: https://github.com/errbit/errbit/issues/460 55 [#460]: https://github.com/errbit/errbit/issues/460
53 [#466]: https://github.com/errbit/errbit/issues/466 56 [#466]: https://github.com/errbit/errbit/issues/466
app/controllers/users_controller.rb
  Diff comments   View file @f240944
@@ -25,26 +25,25 @@ class UsersController < ApplicationController @@ -25,26 +25,25 @@ class UsersController < ApplicationController
25 end 25 end
26 26
27 def update 27 def update
28 - # Devise Hack  
29 - # if params[:user][:password].blank? && params[:user][:password_confirmation].blank?  
30 - # params[:user].delete(:password)  
31 - # params[:user].delete(:password_confirmation)  
32 - # end  
33 -  
34 if user.update_attributes(user_params) 28 if user.update_attributes(user_params)
35 - flash[:success] = "#{user.name}'s information was successfully updated" 29 + flash[:success] = I18n.t('controllers.users.flash.update.success', :name => user.name)
36 redirect_to user_path(user) 30 redirect_to user_path(user)
37 else 31 else
38 render :edit 32 render :edit
39 end 33 end
40 end 34 end
41 35
  36 + ##
  37 + # Destroy the user pass in args
  38 + #
  39 + # @param [ String ] id the id of user we want delete
  40 + #
42 def destroy 41 def destroy
43 if user == current_user 42 if user == current_user
44 flash[:error] = I18n.t('controllers.users.flash.destroy.error') 43 flash[:error] = I18n.t('controllers.users.flash.destroy.error')
45 else 44 else
46 UserDestroy.new(user).destroy 45 UserDestroy.new(user).destroy
47 - flash[:success] = "That's sad. #{user.name} is no longer part of your team." 46 + flash[:success] = I18n.t('controllers.users.flash.destroy.success', :name => user.name)
48 end 47 end
49 redirect_to users_path 48 redirect_to users_path
50 end 49 end
@@ -62,14 +61,19 @@ class UsersController < ApplicationController @@ -62,14 +61,19 @@ class UsersController < ApplicationController
62 end 61 end
63 62
64 def user_params 63 def user_params
65 - params[:user] ? params.require(:user).permit(*user_permit_params) : {} 64 + @user_params ||= params[:user] ? params.require(:user).permit(*user_permit_params) : {}
66 end 65 end
67 66
68 def user_permit_params 67 def user_permit_params
69 - @user_permit_params ||= [:name, :username, :email, :github_login, :per_page, :time_zone, :password, :password_confirmation]  
70 - @user_permit_params << :admin if current_user.admin? 68 + @user_permit_params ||= [:name,:username, :email, :github_login, :per_page, :time_zone]
  69 + @user_permit_params << :admin if current_user.admin? && current_user.id != params[:id]
  70 + @user_permit_params |= [:password, :password_confirmation] if user_password_params.values.all?{|pa| !pa.blank? }
71 @user_permit_params 71 @user_permit_params
72 end 72 end
73 73
  74 + def user_password_params
  75 + @user_password_params ||= params[:user] ? params.require(:user).permit(:password, :password_confirmation) : {}
  76 + end
  77 +
74 end 78 end
75 79
config/locales/en.yml
  Diff comments   View file @f240944
@@ -22,3 +22,5 @@ en: @@ -22,3 +22,5 @@ en:
22 destroy: 22 destroy:
23 success: "That's sad. %{name} is no longer part of your team." 23 success: "That's sad. %{name} is no longer part of your team."
24 error: "You can't delete yourself" 24 error: "You can't delete yourself"
  25 + update:
  26 + success: "%{name}'s information was successfully updated."
spec/controllers/users_controller_spec.rb
  Diff comments   View file @f240944
@@ -183,24 +183,18 @@ describe UsersController do @@ -183,24 +183,18 @@ describe UsersController do
183 183
184 context "PUT /users/:id" do 184 context "PUT /users/:id" do
185 context "when the update is successful" do 185 context "when the update is successful" do
  186 + before {
  187 + put :update, :id => user.to_param, :user => user_params
  188 + }
186 189
187 - it "sets a message to display" do  
188 - put :update, :id => user.to_param, :user => {:name => 'Kermit'}  
189 - request.flash[:success].should include('updated')  
190 - end  
191 -  
192 - it "redirects to the user's page" do  
193 - put :update, :id => user.to_param, :user => {:name => 'Kermit'}  
194 - response.should redirect_to(user_path(user))  
195 - end  
196 -  
197 - it "should be able to make user an admin" do  
198 - put :update, :id => user.to_param, :user => {:admin => true}  
199 - response.should be_redirect  
200 - User.find(controller.user.to_param).admin.should be_true 190 + context "with normal params" do
  191 + let(:user_params) { {:name => 'Kermit'} }
  192 + it "sets a message to display" do
  193 + expect(request.flash[:success]).to eq I18n.t('controllers.users.flash.update.success', :name => user.name)
  194 + expect(response).to redirect_to(user_path(user))
  195 + end
201 end 196 end
202 end 197 end
203 -  
204 context "when the update is unsuccessful" do 198 context "when the update is unsuccessful" do
205 199
206 it "renders the edit page" do 200 it "renders the edit page" do
@@ -238,6 +232,36 @@ describe UsersController do @@ -238,6 +232,36 @@ describe UsersController do
238 end 232 end
239 end 233 end
240 end 234 end
  235 +
  236 + describe "#user_params" do
  237 + context "with current user not admin" do
  238 + before {
  239 + controller.stub(:current_user).and_return(user)
  240 + controller.stub(:params).and_return(ActionController::Parameters.new(user_param))
  241 + }
  242 + let(:user_param) { {'user' => { :name => 'foo', :admin => true }} }
  243 + it 'not have admin field' do
  244 + expect(controller.send(:user_params)).to eq ({'name' => 'foo'})
  245 + end
  246 + context "with password and password_confirmation empty?" do
  247 + let(:user_param) { {'user' => { :name => 'foo', 'password' => '', 'password_confirmation' => '' }} }
  248 + it 'not have password and password_confirmation field' do
  249 + expect(controller.send(:user_params)).to eq ({'name' => 'foo'})
  250 + end
  251 + end
  252 + end
  253 +
  254 + context "with current user admin" do
  255 + it 'have admin field'
  256 + context "with password and password_confirmation empty?" do
  257 + it 'not have password and password_confirmation field'
  258 + end
  259 + context "on his own user" do
  260 + it 'not have admin field'
  261 + end
  262 + end
  263 + end
  264 +
241 end 265 end
242 266
243 end 267 end