fixes #1285

2013-04-16 20:49:51 -07:00
parent 10f8e070af
commit 6c5887c94a
2 changed files with 23 additions and 0 deletions
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -44,6 +44,7 @@ class UsersController < ApplicationController
  def update
    @user = User.find(params[:id])
    check_privilege(@user)
+    sanitize_params!
    @user.update_attributes(params[:user], :as => CurrentUser.role)
    respond_with(@user)
  end
@@ -67,6 +68,14 @@ class UsersController < ApplicationController
  end

 private
+  def sanitize_params!
+    return if CurrentUser.is_admin?
+    
+    if params[:user] && params[:user][:level].to_i >= User::Levels::MODERATOR
+      params[:user][:level] = User::Levels::JANITOR
+    end
+  end
+
  def check_privilege(user)
    raise User::PrivilegeError unless (user.id == CurrentUser.id || CurrentUser.is_admin?)
  end