users: disallow banned users from changing email or deleting account.

This is to prevent people from wiping their email address after they've been banned and reusing it to verify a new account.
2021-05-15 03:02:56 -05:00
parent 4cf62c520c
commit 2537145b02
4 changed files with 24 additions and 1 deletions
--- a/test/unit/user_deletion_test.rb
+++ b/test/unit/user_deletion_test.rb
@@ -26,6 +26,15 @@ class UserDeletionTest < ActiveSupport::TestCase
        assert_includes(@deletion.errors[:base], "Admins cannot delete their account")
      end
    end
+
+    context "for a banned user" do
+      should "fail" do
+        @user = create(:banned_user)
+        @deletion = UserDeletion.new(@user, "password", @request)
+        @deletion.delete!
+        assert_includes(@deletion.errors[:base], "You cannot delete your account if you are banned")
+      end
+    end
  end

  context "a valid user deletion" do