fixes #1285
This commit is contained in:
r888888888
@@ -1,6 +1,7 @@
|
||||
module Admin
|
||||
class UsersController < ApplicationController
|
||||
before_filter :moderator_only
|
||||
rescue_from User::PrivilegeError, :with => :access_denied
|
||||
|
||||
def edit
|
||||
@user = User.find(params[:id])
|
||||
@@ -8,10 +9,23 @@ module Admin
|
||||
|
||||
def update
|
||||
@user = User.find(params[:id])
|
||||
sanitize_params!
|
||||
@user.level = params[:user][:level]
|
||||
@user.inviter_id = CurrentUser.id unless @user.inviter_id.present?
|
||||
@user.save
|
||||
redirect_to edit_admin_user_path(@user, :notice => "User updated"), :notice => "User updated"
|
||||
end
|
||||
|
||||
protected
|
||||
def sanitize_params!
|
||||
# admins can do anything
|
||||
return if CurrentUser.is_admin?
|
||||
|
||||
# can't promote/demote moderators
|
||||
raise User::PrivilegeError if @user.is_moderator?
|
||||
|
||||
# can't promote to admin
|
||||
raise User::PrivilegeError if params[:user] && params[:user][:level].to_i >= User::Levels::ADMIN
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
@@ -44,6 +44,7 @@ class UsersController < ApplicationController
|
||||
def update
|
||||
@user = User.find(params[:id])
|
||||
check_privilege(@user)
|
||||
sanitize_params!
|
||||
@user.update_attributes(params[:user], :as => CurrentUser.role)
|
||||
respond_with(@user)
|
||||
end
|
||||
@@ -67,6 +68,14 @@ class UsersController < ApplicationController
|
||||
end
|
||||
|
||||
private
|
||||
def sanitize_params!
|
||||
return if CurrentUser.is_admin?
|
||||
|
||||
if params[:user] && params[:user][:level].to_i >= User::Levels::MODERATOR
|
||||
params[:user][:level] = User::Levels::JANITOR
|
||||
end
|
||||
end
|
||||
|
||||
def check_privilege(user)
|
||||
raise User::PrivilegeError unless (user.id == CurrentUser.id || CurrentUser.is_admin?)
|
||||
end
|
||||
|
||||
Reference in New Issue
Block a user