jaculabilis/danbooru
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

users: allow site owner to reset passwords of other users.

Browse Source
This commit is contained in:
evazion
2020-12-13 19:07:19 -06:00
parent d8b51e3f02
commit 86bba56eda
3 changed files with 20 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
app/controllers/passwords_controller.rb
View File

@@ -9,7 +9,7 @@ class PasswordsController < ApplicationController
def update
@user = authorize User.find(params[:user_id]), policy_class: PasswordPolicy
if @user.authenticate_password(params[:user][:old_password]) || @user.authenticate_login_key(params[:user][:signed_user_id])
if @user.authenticate_password(params[:user][:old_password]) || @user.authenticate_login_key(params[:user][:signed_user_id]) || CurrentUser.user.is_owner?
@user.update(password: params[:user][:password], password_confirmation: params[:user][:password_confirmation])
else
@user.errors.add(:base, "Incorrect password")

2
app/policies/password_policy.rb
View File

@@ -1,5 +1,5 @@
class PasswordPolicy < ApplicationPolicy
def update?
record.id == user.id || user.is_admin?
record.id == user.id || user.is_owner?
end
end

18
test/functional/passwords_controller_test.rb
View File

@@ -31,6 +31,24 @@ class PasswordsControllerTest < ActionDispatch::IntegrationTest
assert_equal(@user, @user.authenticate_password("abcde"))
end
should "allow the site owner to change the password of other users" do
@owner = create(:owner_user)
put_auth user_password_path(@user), @owner, params: { user: { password: "abcde", password_confirmation: "abcde" } }
assert_redirected_to @user
assert_equal(false, @user.reload.authenticate_password("12345"))
assert_equal(@user, @user.authenticate_password("abcde"))
end
should "not allow non-owners to change the password of other users" do
@admin = create(:admin_user)
put_auth user_password_path(@user), @admin, params: { user: { old_password: "12345", password: "abcde", password_confirmation: "abcde" } }
assert_response 403
assert_equal(@user, @user.reload.authenticate_password("12345"))
assert_equal(false, @user.authenticate_password("abcde"))
end
should "not update the password when given an invalid old password" do
put_auth user_password_path(@user), @user, params: { user: { old_password: "3qoirjqe", password: "abcde", password_confirmation: "abcde" } }