From e21c967fdd2999ebb81308cd08e3b5f99c94833b Mon Sep 17 00:00:00 2001 From: mmd-osm Date: Tue, 19 Dec 2017 17:31:34 +0000 Subject: [PATCH] Revoking administrator role on current user should fail Fixes #1697 Closes #1701 --- app/controllers/user_roles_controller.rb | 7 ++++++- config/locales/en.yml | 1 + test/controllers/user_roles_controller_test.rb | 5 +++++ 3 files changed, 12 insertions(+), 1 deletion(-) diff --git a/app/controllers/user_roles_controller.rb b/app/controllers/user_roles_controller.rb index 536790dc5..5ef68216b 100644 --- a/app/controllers/user_roles_controller.rb +++ b/app/controllers/user_roles_controller.rb @@ -15,7 +15,12 @@ class UserRolesController < ApplicationController end def revoke - UserRole.where(:user_id => @this_user.id, :role => @role).delete_all + # checks that administrator role is not revoked from current user + if current_user == @this_user && @role == "administrator" + flash[:error] = t("user_role.filter.not_revoke_admin_current_user") + else + UserRole.where(:user_id => @this_user.id, :role => @role).delete_all + end redirect_to :controller => "user", :action => "view", :display_name => @this_user.display_name end diff --git a/config/locales/en.yml b/config/locales/en.yml index 5737e690a..317dee88e 100644 --- a/config/locales/en.yml +++ b/config/locales/en.yml @@ -2036,6 +2036,7 @@ en: not_a_role: "The string `%{role}' is not a valid role." already_has_role: "The user already has role %{role}." doesnt_have_role: "The user does not have role %{role}." + not_revoke_admin_current_user: "Cannot revoke administrator role from current user." grant: title: Confirm role granting heading: Confirm role granting diff --git a/test/controllers/user_roles_controller_test.rb b/test/controllers/user_roles_controller_test.rb index f73fc9056..f9e321406 100644 --- a/test/controllers/user_roles_controller_test.rb +++ b/test/controllers/user_roles_controller_test.rb @@ -134,5 +134,10 @@ class UserRolesControllerTest < ActionController::TestCase end assert_redirected_to user_path(target_user.display_name) assert_equal "The string `no_such_role' is not a valid role.", flash[:error] + + # Revoking administrator role from current user should fail + post :revoke, :params => { :display_name => administrator_user.display_name, :role => "administrator" } + assert_redirected_to user_path(administrator_user.display_name) + assert_equal "Cannot revoke administrator role from current user.", flash[:error] end end -- 2.43.2