users: don't allow gifting upgrades to demote privileged users.

Don't allow gifting Gold or Platinum upgrades to users above Platinum level. Fixes an exploit where you could demote Builders and above by gifting them an upgrade.
2020-12-13 18:43:34 -06:00
parent 2144f45fa4
commit d8b51e3f02
2 changed files with 12 additions and 0 deletions
--- a/app/logical/user_promotion.rb
+++ b/app/logical/user_promotion.rb
@@ -54,6 +54,8 @@ class UserPromotion
      raise User::PrivilegeError, "You can't promote other users to your rank or above"
    elsif user.level >= promoter.level
      raise User::PrivilegeError, "You can't promote or demote other users at your rank or above"
+    elsif is_upgrade && user.is_builder?
+      raise User::PrivilegeError, "You can't upgrade a user that is above Platinum level"
    end
  end

--- a/test/functional/user_upgrades_controller_test.rb
+++ b/test/functional/user_upgrades_controller_test.rb
@@ -77,6 +77,16 @@ class UserUpgradesControllerTest < ActionDispatch::IntegrationTest
        end
      end

+      context "an upgrade for a user above Platinum level" do
+        should "not demote the user" do
+          @builder = create(:builder_user)
+          post_auth user_upgrade_path, @user, params: { stripeToken: @token, desc: "Upgrade to Gold", user_id: @builder.id }
+
+          assert_response 403
+          assert_equal(true, @builder.reload.is_builder?)
+        end
+      end
+
      context "an upgrade with a missing Stripe token" do
        should "not upgrade the user" do
          post_auth user_upgrade_path, @user, params: { desc: "Upgrade to Gold" }