From: mmd-osm <mmd.osm@gmail.com>
Date: Tue, 19 Dec 2017 17:31:34 +0000 (+0000)
Subject: Revoking administrator role on current user should fail
X-Git-Tag: live~3179
X-Git-Url: https://git.openstreetmap.org/rails.git/commitdiff_plain/e21c967fdd2999ebb81308cd08e3b5f99c94833b

Revoking administrator role on current user should fail

Fixes #1697
Closes #1701
---

diff --git a/app/controllers/user_roles_controller.rb b/app/controllers/user_roles_controller.rb
index 536790dc5..5ef68216b 100644
--- a/app/controllers/user_roles_controller.rb
+++ b/app/controllers/user_roles_controller.rb
@@ -15,7 +15,12 @@ class UserRolesController < ApplicationController
   end
 
   def revoke
-    UserRole.where(:user_id => @this_user.id, :role => @role).delete_all
+    # checks that administrator role is not revoked from current user
+    if current_user == @this_user && @role == "administrator"
+      flash[:error] = t("user_role.filter.not_revoke_admin_current_user")
+    else
+      UserRole.where(:user_id => @this_user.id, :role => @role).delete_all
+    end
     redirect_to :controller => "user", :action => "view", :display_name => @this_user.display_name
   end
 
diff --git a/config/locales/en.yml b/config/locales/en.yml
index 5737e690a..317dee88e 100644
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -2036,6 +2036,7 @@ en:
       not_a_role: "The string `%{role}' is not a valid role."
       already_has_role: "The user already has role %{role}."
       doesnt_have_role: "The user does not have role %{role}."
+      not_revoke_admin_current_user: "Cannot revoke administrator role from current user."
     grant:
       title: Confirm role granting
       heading: Confirm role granting
diff --git a/test/controllers/user_roles_controller_test.rb b/test/controllers/user_roles_controller_test.rb
index f73fc9056..f9e321406 100644
--- a/test/controllers/user_roles_controller_test.rb
+++ b/test/controllers/user_roles_controller_test.rb
@@ -134,5 +134,10 @@ class UserRolesControllerTest < ActionController::TestCase
     end
     assert_redirected_to user_path(target_user.display_name)
     assert_equal "The string `no_such_role' is not a valid role.", flash[:error]
+
+    # Revoking administrator role from current user should fail
+    post :revoke, :params => { :display_name => administrator_user.display_name, :role => "administrator" }
+    assert_redirected_to user_path(administrator_user.display_name)
+    assert_equal "Cannot revoke administrator role from current user.", flash[:error]
   end
 end