From 9f09c495e46b62a780d61daacd775087ac0c83f1 Mon Sep 17 00:00:00 2001
From: evazion
Date: Sun, 13 Dec 2020 19:09:49 -0600
Subject: [PATCH] users: don't allow admins to edit user levels directly.

Don't allow admins to bypass promotion restrictions by manually updating user levels with a `PUT /users/:id` API call. Level changes have to go through the /admin/users/:id/edit page.

---
 app/policies/user_policy.rb | 1 -
 test/functional/users_controller_test.rb | 6 +++---
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/app/policies/user_policy.rb b/app/policies/user_policy.rb
index 0c9c0469c..6ca305635 100644
--- a/app/policies/user_policy.rb
+++ b/app/policies/user_policy.rb
@@ -47,7 +47,6 @@ class UserPolicy < ApplicationPolicy
 :disable_tagged_filenames, :disable_cropped_thumbnails, :disable_mobile_gestures, :enable_safe_mode, :enable_desktop_mode, :disable_post_tooltips,
- (:level if CurrentUser.is_admin?)
 ].compact
 end
diff --git a/test/functional/users_controller_test.rb b/test/functional/users_controller_test.rb
index c6c02d522..7d35e591f 100644
--- a/test/functional/users_controller_test.rb
+++ b/test/functional/users_controller_test.rb
@@ -335,11 +335,11 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
 context "changing the level" do
 should "not work" do
- @cuser = create(:user)
- put_auth user_path(@user), @cuser, params: {:user => {:level => 40}}
+ @owner = create(:owner_user)
+ put_auth user_path(@user), @owner, params: { user: { level: User::Levels::BUILDER }}
 assert_response 403
- assert_equal(20, @user.reload.level)
+ assert_equal(User::Levels::MEMBER, @user.reload.level)
 end
 end
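Review bot: Dropping `(:level if CurrentUser.is_admin?)` leaves no trace in the permitted attribute list of why `level` is absent, so a later maintainer may simply put it back; a comment such as `# :level is intentionally not permitted here: level changes must go through the admin promotion flow (/admin/users/:id/edit)` placed above `].compact` would preserve the intent. The commit's guarantee also depends on an unpermitted `level` parameter being rejected rather than silently filtered by strong parameters — the accompanying test asserts a 403, so something outside this hunk presumably turns unpermitted parameters into a forbidden response, and that dependency is worth naming in the same comment. The enclosing method starts outside the hunk.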
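Review bot: The rewritten test now exercises only an owner-level user, while the commit's stated target is admins bypassing promotion restrictions; a parallel case for an admin-level user (whichever factory produces one) and for a plain member would pin the regression for the accounts that were actually affected. It may also be worth asserting that a request carrying only other permitted attributes still succeeds, so the test distinguishes "level is rejected" from "updates are rejected". As a point of style, `{ user: { level: User::Levels::BUILDER }}` mixes spaced and unspaced braces; `{ user: { level: User::Levels::BUILDER } }` matches the spacing of the outer hash. The enclosing test class continues outside the hunk.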