From d8b51e3f022b28bf1bcc594fcd1c5f1aca79724d Mon Sep 17 00:00:00 2001
From: evazion
Date: Sun, 13 Dec 2020 18:43:34 -0600
Subject: [PATCH] users: don't allow gifting upgrades to demote privileged users.

Don't allow gifting Gold or Platinum upgrades to users above Platinum level. Fixes an exploit where you could demote Builders and above by gifting them an upgrade.
---
 app/logical/user_promotion.rb | 2 ++
 test/functional/user_upgrades_controller_test.rb | 10 ++++++++++
 2 files changed, 12 insertions(+)

diff --git a/app/logical/user_promotion.rb b/app/logical/user_promotion.rb
index 457c67cce..e9653bb2d 100644
--- a/app/logical/user_promotion.rb
+++ b/app/logical/user_promotion.rb
@@ -54,6 +54,8 @@ class UserPromotion
 raise User::PrivilegeError, "You can't promote other users to your rank or above"
 elsif user.level >= promoter.level
 raise User::PrivilegeError, "You can't promote or demote other users at your rank or above"
+ elsif is_upgrade && user.is_builder?
+ raise User::PrivilegeError, "You can't upgrade a user that is above Platinum level"
 end
 end
diff --git a/test/functional/user_upgrades_controller_test.rb b/test/functional/user_upgrades_controller_test.rb
index 8fbd64d34..db88aa327 100644
--- a/test/functional/user_upgrades_controller_test.rb
+++ b/test/functional/user_upgrades_controller_test.rb
@@ -77,6 +77,16 @@ class UserUpgradesControllerTest < ActionDispatch::IntegrationTest
 end
 end
+ context "an upgrade for a user above Platinum level" do
+ should "not demote the user" do
+ @builder = create(:builder_user)
+ post_auth user_upgrade_path, @user, params: { stripeToken: @token, desc: "Upgrade to Gold", user_id: @builder.id }
+ assert_response 403
+ assert_equal(true, @builder.reload.is_builder?)
+ end
+ end
+
 context "an upgrade with a missing Stripe token" do
 should "not upgrade the user" do
 post_auth user_upgrade_path, @user, params: { desc: "Upgrade to Gold" }
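Review bot: The new `elsif is_upgrade && user.is_builder?` branch encodes the demotion rule as a fixed rank threshold rather than as a comparison with the level the gift would set, so it only closes the case named in the commit message; if the upgrade path assigns the purchased level directly (that code is outside this hunk), gifting Gold to a Platinum user would still lower them and would pass this guard. Comparing `user.level` against the level the upgrade grants would reject every gift that does not raise the target's level, with one check and no dependency on which rank happens to sit just above Platinum. The branch is also the last link of a chain keyed on `promoter.level`, so whether a gifted upgrade reaches it depends on what `promoter` is in the gift flow, which the hunk does not show; the enclosing method's `def` line is above the hunk. Whatever form the check keeps, a why-comment would help the next reader: `# A gifted upgrade must never lower the recipient's level (demotion via gift).`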
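Review bot: The new assertion `assert_equal(true, @builder.reload.is_builder?)` gives a poor failure message; `assert_predicate @builder.reload, :is_builder?` (or plain `assert @builder.reload.is_builder?`) states the same expectation with a message that names the predicate. The case covers one level (Builder) and one product ("Upgrade to Gold") although the commit message claims the fix for Builders and above, so a second `should` for a higher-level recipient and for a Platinum gift would pin the guard at both ends of the rule. It also verifies only that the level is unchanged after the 403; if the controller creates an upgrade record or charges the token before the promotion check runs (not visible here), asserting that nothing was persisted would catch that partial write. `@user` and `@token` come from the test class's setup, which is outside this hunk.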