jaculabilis/danbooru
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

users: don't allow admins to edit user levels directly.

Browse Source 
Don't allow admins to bypass promotion restrictions by manually updating
user levels with a `PUT /users/:id` API call. Level changes have to go
through the /admin/users/:id/edit page.
This commit is contained in:
evazion
2020-12-13 19:09:49 -06:00
parent 86bba56eda
commit 9f09c495e4
2 changed files with 3 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
app/policies/user_policy.rb
View File

@@ -47,7 +47,6 @@ class UserPolicy < ApplicationPolicy
:disable_tagged_filenames, :disable_cropped_thumbnails, :disable_tagged_filenames, :disable_cropped_thumbnails,
:disable_mobile_gestures, :enable_safe_mode, :enable_desktop_mode, :disable_mobile_gestures, :enable_safe_mode, :enable_desktop_mode,
:disable_post_tooltips, :disable_post_tooltips,
(:level if CurrentUser.is_admin?)
].compact ].compact
end end

6
test/functional/users_controller_test.rb
View File

@@ -335,11 +335,11 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
context "changing the level" do context "changing the level" do
should "not work" do should "not work" do
@cuser = create(:user) @owner = create(:owner_user)
put_auth user_path(@user), @cuser, params: {:user => {:level => 40}} put_auth user_path(@user), @owner, params: { user: { level: User::Levels::BUILDER }}
assert_response 403 assert_response 403
assert_equal(20, @user.reload.level) assert_equal(User::Levels::MEMBER, @user.reload.level)
end end
end end