jaculabilis/danbooru
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

users: don't allow admins to edit user levels directly.

Browse Source 
Don't allow admins to bypass promotion restrictions by manually updating
user levels with a `PUT /users/:id` API call. Level changes have to go
through the /admin/users/:id/edit page.
This commit is contained in:
evazion
2020-12-13 19:09:49 -06:00
parent 86bba56eda
commit 9f09c495e4
2 changed files with 3 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
test/functional/users_controller_test.rb
View File

@@ -335,11 +335,11 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
context "changing the level" do
should "not work" do
@cuser = create(:user)
put_auth user_path(@user), @cuser, params: {:user => {:level => 40}}
@owner = create(:owner_user)
put_auth user_path(@user), @owner, params: { user: { level: User::Levels::BUILDER }}
assert_response 403
assert_equal(20, @user.reload.level)
assert_equal(User::Levels::MEMBER, @user.reload.level)
end
end