admin users can update user role mask
timcowlishaw committed Aug 12, 2024
1 parent eb4f3c4 commit eb85c4a
Showing 2 changed files with 35 additions and 3 deletions.
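--- a/app/controllers/v0/users_controller.rb
+++ b/app/controllers/v0/users_controller.rb
@@ -55,16 +55,17 @@ def destroy
 private
 
 def user_params
-params.permit(
+params.permit(*[
 :email,
 :username,
 :password,
 :city,
 :country_code,
 :url,
 :avatar,
-:avatar_url
-)
+:avatar_url,
+(:role_mask if current_user&.is_admin?)
+].compact)
 end
 
 end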
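Review bot: In `user_params`, the admin-only `role_mask` is permitted without any visible check on the submitted value, and a non-admin who sends it has the field silently dropped, so an attempted privilege change leaves no trace. Unless the User model already validates `role_mask` against the defined role bits (not visible in this hunk), add that validation, and log both successful role changes and rejected attempts; Rails' `config.action_controller.action_on_unpermitted_parameters = :log` covers the latter. The privilege-bearing key is also easy to miss inside the `*[...].compact` splat; `permitted << :role_mask if current_user&.is_admin?` on a named list followed by `params.permit(*permitted)` makes the gate stand out. The controller class starts outside the hunk, so whether `create` shares `user_params` cannot be confirmed from here.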
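--- a/spec/requests/v0/users_spec.rb
+++ b/spec/requests/v0/users_spec.rb
@@ -378,6 +378,37 @@
 expect(response.status).to eq(422)
 end
 
+context "updating role" do
+it "allows admins to update user roles" do
+requesting_user = create :user, role_mask: 5
+requesting_token = create :access_token,
+application: application,
+resource_owner_id: requesting_user.id
+j = api_put "users/#{[user.username,user.id].sample}", {
+role_mask: 5, access_token: requesting_token.token
+}
+expect(response.status).to eq(200)
+expect(user.reload.role_mask).to eq(5)
+end
+
+it "does not allow users to update user roles" do
+j = api_put "users/#{[user.username,user.id].sample}", {
+role_mask: 5, access_token: token.token
+}
+expect(response.status).to eq(200)
+expect(user.reload.role_mask).to eq(0)
+end
+
+it "does not allow researchers to update user roles" do
+user.role_mask = 4
+user.save!
+j = api_put "users/#{[user.username,user.id].sample}", {
+role_mask: 5, access_token: token.token
+}
+expect(response.status).to eq(200)
+expect(user.reload.role_mask).to eq(4)
+end
+end
 end
 
 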
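Review bot: Each of the three new examples picks the identifier with `[user.username,user.id].sample`, so any given run exercises only one of the two lookup paths and a regression in the other can pass at random; for an authorization check it is worth running both, e.g. `[user.username, user.id].each do |identifier|` around the request and assertions. The negative cases also appear to cover only a user acting on their own record (`user` and `token` are defined outside this hunk), so a request with no `access_token` and a non-admin targeting another account are not exercised. `j` is assigned in every example but never read and can be dropped.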
