

admin users can update user role mask
timcowlishaw committed Sep 6, 2024
1 parent 2445e07 commit fcf6084
Showing 2 changed files with 34 additions and 2 deletions.
5 changes: 3 additions & 2 deletions app/controllers/v0/users_controller.rb
Expand Up @@ -55,14 +55,15 @@ def destroy
private

def user_params
params.permit(
params.permit(*[
:email,
:username,
:password,
:city,
:country_code,
:url,
)
(:role_mask if current_user&.is_admin?)
].compact)
end

end
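Review bot: The admin-only `:role_mask` key is spliced into the permit list with a splat over an inline array plus `.compact`, which makes the permitted set harder to read than building it up; `permitted = %i[email username password city country_code url]`, then `permitted << :role_mask if current_user&.is_admin?`, then `params.permit(*permitted)` does the same without the `(… if …)` / `.compact` trick. A short why-comment would also help the next reader, e.g. `# role_mask is privilege-bearing: only admins may set it`. As written, a non-admin who submits role_mask has it silently dropped as an unpermitted key (the spec expects 200 and an unchanged role); whether such attempts are logged depends on the app's unpermitted-parameters setting, which is outside this hunk, so an explicit log line for that case would make escalation attempts visible to defenders. The controller enclosing user_params continues outside the hunk.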
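--- a/spec/requests/v0/users_spec.rb
+++ b/spec/requests/v0/users_spec.rb
@@ -378,6 +378,37 @@
 expect(response.status).to eq(422)
 end
 
+context "updating role" do
+it "allows admins to update user roles" do
+requesting_user = create :user, role_mask: 5
+requesting_token = create :access_token,
+application: application,
+resource_owner_id: requesting_user.id
+j = api_put "users/#{[user.username,user.id].sample}", {
+role_mask: 5, access_token: requesting_token.token
+}
+expect(response.status).to eq(200)
+expect(user.reload.role_mask).to eq(5)
+end
+
+it "does not allow users to update user roles" do
+j = api_put "users/#{[user.username,user.id].sample}", {
+role_mask: 5, access_token: token.token
+}
+expect(response.status).to eq(200)
+expect(user.reload.role_mask).to eq(0)
+end
+
+it "does not allow researchers to update user roles" do
+user.role_mask = 4
+user.save!
+j = api_put "users/#{[user.username,user.id].sample}", {
+role_mask: 5, access_token: token.token
+}
+expect(response.status).to eq(200)
+expect(user.reload.role_mask).to eq(4)
+end
+end
 end
 
 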
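Review bot: Each of the three new examples assigns the result of api_put to `j` and never reads it; either drop the assignment, e.g. `api_put "users/#{[user.username,user.id].sample}", {`, or assert on the response body it returns. The role values 5 and 4 are bare magic numbers, so a comment such as `# 5 == admin|researcher bits — TODO confirm against the User role constants` (or a named constant if the model exposes one) would make the intent of each case clear. The two negative cases only demonstrate the guard if `token` belongs to `user`; `token`, `user` and `application` are defined outside this hunk, so that is worth confirming in the surrounding setup.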
