From 6c5887c94ad7a8754550597db918e60b30ef11b3 Mon Sep 17 00:00:00 2001
From: r888888888
Date: Tue, 16 Apr 2013 20:49:51 -0700
Subject: [PATCH] fixes #1285

---
 app/controllers/admin/users_controller.rb | 14 ++++++++++++++
 app/controllers/users_controller.rb | 9 +++++++++
 2 files changed, 23 insertions(+)

diff --git a/app/controllers/admin/users_controller.rb b/app/controllers/admin/users_controller.rb
index 0a48f367d..46af70f57 100644
--- a/app/controllers/admin/users_controller.rb
+++ b/app/controllers/admin/users_controller.rb
@@ -1,6 +1,7 @@
 module Admin
   class UsersController < ApplicationController
     before_filter :moderator_only
+    rescue_from User::PrivilegeError, :with => :access_denied
 
     def edit
       @user = User.find(params[:id])
@@ -8,10 +9,23 @@ module Admin
 
     def update
       @user = User.find(params[:id])
+      sanitize_params!
       @user.level = params[:user][:level]
       @user.inviter_id = CurrentUser.id unless @user.inviter_id.present?
       @user.save
       redirect_to edit_admin_user_path(@user, :notice => "User updated"), :notice => "User updated"
     end
+
+    protected
+    def sanitize_params!
+      # admins can do anything
+      return if CurrentUser.is_admin?
+
+      # can't promote/demote moderators
+      raise User::PrivilegeError if @user.is_moderator?
+
+      # can't promote to admin
+      raise User::PrivilegeError if params[:user] && params[:user][:level].to_i >= User::Levels::ADMIN
+    end
   end
 end
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 684fde00b..bb6445b4f 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -44,6 +44,7 @@ class UsersController < ApplicationController
   def update
     @user = User.find(params[:id])
     check_privilege(@user)
+    sanitize_params!
     @user.update_attributes(params[:user], :as => CurrentUser.role)
     respond_with(@user)
   end
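Review bot: The added `rescue_from User::PrivilegeError, :with => :access_denied` assumes an `access_denied` handler is reachable from this controller; it is not defined in this file, so it presumably lives on ApplicationController, which is outside the diff. If that handler does not exist, a raised PrivilegeError would surface as a NoMethodError from the rescue dispatch rather than as a denial response, so this is worth confirming. A short comment naming where the handler is defined would spare the next reader the same check, e.g. `# access_denied is provided by ApplicationController`.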
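Review bot: The new admin `sanitize_params!` rejects a requested level at or above ADMIN, but it still lets a non-admin caller (the controller is gated by `moderator_only`) raise any non-moderator account to MODERATOR, since only `>= User::Levels::ADMIN` is checked; if moderators are not meant to mint moderators, the comparison should be `>= User::Levels::MODERATOR`. Whether an admin target is protected depends on `User#is_moderator?` also returning true for admins, which is not visible here; if it is a strict level check, the guard should read `raise User::PrivilegeError if @user.is_moderator? || @user.is_admin?`. The `params[:user] &&` guard only postpones the failure, because `@user.level = params[:user][:level]` on the next line of `update` dereferences `params[:user]` unconditionally; a missing `user` hash should be rejected in one place. The method name ends in `!` while this version raises rather than rewrites anything, which differs from the same-named method in UsersController below.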
@@ -67,6 +68,14 @@ class UsersController < ApplicationController
   end
 
   private
+  def sanitize_params!
+    return if CurrentUser.is_admin?
+
+    if params[:user] && params[:user][:level].to_i >= User::Levels::MODERATOR
+      params[:user][:level] = User::Levels::JANITOR
+    end
+  end
+
   def check_privilege(user)
     raise User::PrivilegeError unless (user.id == CurrentUser.id || CurrentUser.is_admin?)
   end
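Review bot: Rewriting a requested level of MODERATOR or higher into JANITOR hands janitor level to whoever submitted the request, and after `check_privilege` that caller is any user editing their own account; the only thing standing in the way is the `update_attributes(params[:user], :as => CurrentUser.role)` mass-assignment role rules in the User model, which are not visible in this diff, so if `level` is assignable for that role this is a self-service promotion. Dropping the key or refusing the request is the safer default: `params[:user].delete(:level)` in place of the assignment, or `raise User::PrivilegeError` as the admin controller's version of this method does. The intent of the cap should be stated next to the check, e.g. `# non-admins may never set a level at or above MODERATOR`, since the name `sanitize_params!` says nothing about which levels are allowed. The same call is added in `update` in the preceding hunk; the remark applies there as well.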