Revoking administrator role on current user should fail

Fixes #1697 Closes #1701
2017-12-19 17:31:34 +00:00 · 2017-12-19 17:31:34 +00:00 · e21c967fdd
commit e21c967fdd
parent 965123372d
3 changed files with 12 additions and 1 deletions
--- a/app/controllers/user_roles_controller.rb
+++ b/app/controllers/user_roles_controller.rb
@ -15,7 +15,12 @@ class UserRolesController < ApplicationController
  end

  def revoke
-    UserRole.where(:user_id => @this_user.id, :role => @role).delete_all
+    # checks that administrator role is not revoked from current user
+    if current_user == @this_user && @role == "administrator"
+      flash[:error] = t("user_role.filter.not_revoke_admin_current_user")
+    else
+      UserRole.where(:user_id => @this_user.id, :role => @role).delete_all
+    end
    redirect_to :controller => "user", :action => "view", :display_name => @this_user.display_name
  end

--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@ -2036,6 +2036,7 @@ en:
      not_a_role: "The string `%{role}' is not a valid role."
      already_has_role: "The user already has role %{role}."
      doesnt_have_role: "The user does not have role %{role}."
+      not_revoke_admin_current_user: "Cannot revoke administrator role from current user."
    grant:
      title: Confirm role granting
      heading: Confirm role granting
--- a/test/controllers/user_roles_controller_test.rb
+++ b/test/controllers/user_roles_controller_test.rb
@ -134,5 +134,10 @@ class UserRolesControllerTest < ActionController::TestCase
    end
    assert_redirected_to user_path(target_user.display_name)
    assert_equal "The string `no_such_role' is not a valid role.", flash[:error]
+
+    # Revoking administrator role from current user should fail
+    post :revoke, :params => { :display_name => administrator_user.display_name, :role => "administrator" }
+    assert_redirected_to user_path(administrator_user.display_name)
+    assert_equal "Cannot revoke administrator role from current user.", flash[:error]
  end
 end