fixes #1285

app/controllers/admin/users_controller.rb

@@ -1,6 +1,7 @@
 module Admin
   class UsersController < ApplicationController
     before_filter :moderator_only
+    rescue_from User::PrivilegeError, :with => :access_denied
 
     def edit
       @user = User.find(params[:id])
@@ -8,10 +9,23 @@ module Admin
 
     def update
       @user = User.find(params[:id])
+      sanitize_params!
       @user.level = params[:user][:level]
       @user.inviter_id = CurrentUser.id unless @user.inviter_id.present?
       @user.save
       redirect_to edit_admin_user_path(@user, :notice => "User updated"), :notice => "User updated"
     end
+
+  protected
+    def sanitize_params!
+      # admins can do anything
+      return if CurrentUser.is_admin?
+
+      # can't promote/demote moderators
+      raise User::PrivilegeError if @user.is_moderator?
+
+      # can't promote to admin      
+      raise User::PrivilegeError if params[:user] && params[:user][:level].to_i >= User::Levels::ADMIN
+    end
   end
 end

app/controllers/users_controller.rb

@@ -44,6 +44,7 @@ class UsersController < ApplicationController
   def update
     @user = User.find(params[:id])
     check_privilege(@user)
+    sanitize_params!
     @user.update_attributes(params[:user], :as => CurrentUser.role)
     respond_with(@user)
   end
@@ -67,6 +68,14 @@ class UsersController < ApplicationController
   end
 
 private
+  def sanitize_params!
+    return if CurrentUser.is_admin?
+    
+    if params[:user] && params[:user][:level].to_i >= User::Levels::MODERATOR
+      params[:user][:level] = User::Levels::JANITOR
+    end
+  end
+
   def check_privilege(user)
     raise User::PrivilegeError unless (user.id == CurrentUser.id || CurrentUser.is_admin?)
   end