diff --git a/app/controllers/v0/users_controller.rb b/app/controllers/v0/users_controller.rb
index 056b1968..5f050192 100644
--- a/app/controllers/v0/users_controller.rb
+++ b/app/controllers/v0/users_controller.rb
@@ -55,14 +55,15 @@ def destroy
 private
 def user_params
- params.permit(
+ params.permit(*[
 :email,
 :username,
 :password,
 :city,
 :country_code,
 :url,
- )
+ (:role_mask if current_user&.is_admin?)
+ ].compact)
 end
 end
diff --git a/spec/requests/v0/users_spec.rb b/spec/requests/v0/users_spec.rb
index 8bc520f3..8e6b2820 100644
--- a/spec/requests/v0/users_spec.rb
+++ b/spec/requests/v0/users_spec.rb
@@ -378,6 +378,37 @@
 expect(response.status).to eq(422)
 end
+ context "updating role" do
+ it "allows admins to update user roles" do
+ requesting_user = create :user, role_mask: 5
+ requesting_token = create :access_token,
+ application: application,
+ resource_owner_id: requesting_user.id
+ j = api_put "users/#{[user.username,user.id].sample}", {
+ role_mask: 5, access_token: requesting_token.token
+ }
+ expect(response.status).to eq(200)
+ expect(user.reload.role_mask).to eq(5)
+ end
+
+ it "does not allow users to update user roles" do
+ j = api_put "users/#{[user.username,user.id].sample}", {
+ role_mask: 5, access_token: token.token
+ }
+ expect(response.status).to eq(200)
+ expect(user.reload.role_mask).to eq(0)
+ end
+
+ it "does not allow researchers to update user roles" do
+ user.role_mask = 4
+ user.save!
+ j = api_put "users/#{[user.username,user.id].sample}", {
+ role_mask: 5, access_token: token.token
+ }
+ expect(response.status).to eq(200)
+ expect(user.reload.role_mask).to eq(4)
+ end
+ end
 end
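Review bot: A non-admin who sends `role_mask` now has the key silently dropped by `permit` in `user_params`, so an attempt to change a role is indistinguishable from an ordinary profile update — the new spec codifies this by expecting 200 and an unchanged role. Unless `config.action_controller.action_on_unpermitted_parameters` is set to `:log` or `:raise` for production (not visible in this diff), such attempts leave no trace; consider logging the rejected key from this method, or responding 403 when `params.key?(:role_mask)` and the caller is not an admin, so that repeated attempts are detectable. The `current_user&.is_admin?` safe navigation treats an unauthenticated request as non-admin, which is the safe default. Stylistically the `*[ ... ].compact` splat is hard to read; building the list first reads more plainly: `permitted = %i[email username password city country_code url]` / `permitted << :role_mask if current_user&.is_admin?` / `params.permit(*permitted)`.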
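Review bot: Each new example assigns `j = api_put ...` and never reads it, and the `[user.username,user.id].sample` lookup makes every example nondeterministic, so a regression in one of the two identifier paths would show up as a flaky test rather than a failure. Drop the unused local and either pick one identifier or exercise both explicitly, e.g. `[user.username, user.id].each do |ident|` around the request and expectations. The enclosing `context` that holds the `eq(422)` expectation starts outside the hunk, so whose `token` and `user` these are cannot be confirmed here; presumably `token` belongs to `user` (a self-update), in which case no example covers a non-admin token trying to set another user's `role_mask`.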