<p>I wonder if we really want to allow a user to grant and revoke roles on his/her own user. My suggestion would be to disallow such an operation. Maybe this should be further restricted to the administrator role?</p>
<div class="highlight highlight-source-ruby"><pre>diff <span class="pl-k">--</span>git a<span class="pl-k">/</span>app<span class="pl-k">/</span>controllers<span class="pl-k">/</span>user_roles_controller.rb b<span class="pl-k">/</span>app<span class="pl-k">/</span>controllers<span class="pl-k">/</span>user_roles_controller.rb
index 536790d..015259c <span class="pl-c1">100644</span>
<span class="pl-k">---</span> a<span class="pl-k">/</span>app<span class="pl-k">/</span>controllers<span class="pl-k">/</span>user_roles_controller.rb
<span class="pl-k">+++</span> b<span class="pl-k">/</span>app<span class="pl-k">/</span>controllers<span class="pl-k">/</span>user_roles_controller.rb
@@ <span class="pl-k">-</span><span class="pl-c1">8</span>,<span class="pl-c1">6</span> <span class="pl-k">+</span><span class="pl-c1">8</span>,<span class="pl-c1">7</span> @@ <span class="pl-k">class</span> <span class="pl-c1">UserRolesController</span> <span class="pl-k"><</span> <span class="pl-c1">ApplicationController</span>
before_action <span class="pl-c1">:require_valid_role</span>
before_action <span class="pl-c1">:not_in_role</span>, <span class="pl-c1">:only</span> => [<span class="pl-c1">:grant</span>]
before_action <span class="pl-c1">:in_role</span>, <span class="pl-c1">:only</span> => [<span class="pl-c1">:revoke</span>]
<span class="pl-k">+</span> before_action <span class="pl-c1">:not_own_user</span>
<span class="pl-k">def</span> <span class="pl-en">grant</span>
<span class="pl-smi">@this_user</span>.roles.create(<span class="pl-c1">:role</span> => <span class="pl-smi">@role</span>, <span class="pl-c1">:granter</span> => current_user)
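Review bot: the new `before_action :not_own_user` is registered without an `:only` list, unlike the neighbouring `:not_in_role` and `:in_role` filters, so it runs for every action in this controller; if the controller only has `grant` and `revoke` that is harmless, but `:only => [:grant, :revoke]` would make the intent explicit and keep it correct if an action is added later. It also compares `current_user` against `@this_user`, so it must be ordered after whatever filter loads `@this_user` (not visible in this hunk); if `@this_user` is still nil here, the comparison is false and the guard silently passes.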
@@ <span class="pl-k">-</span><span class="pl-c1">59</span>,<span class="pl-c1">4</span> <span class="pl-k">+</span><span class="pl-c1">60</span>,<span class="pl-c1">12</span> @@ <span class="pl-k">class</span> <span class="pl-c1">UserRolesController</span> <span class="pl-k"><</span> <span class="pl-c1">ApplicationController</span>
redirect_to <span class="pl-c1">:controller</span> => <span class="pl-s"><span class="pl-pds">"</span>user<span class="pl-pds">"</span></span>, <span class="pl-c1">:action</span> => <span class="pl-s"><span class="pl-pds">"</span>view<span class="pl-pds">"</span></span>, <span class="pl-c1">:display_name</span> => <span class="pl-smi">@this_user</span>.display_name
<span class="pl-k">end</span>
<span class="pl-k">end</span>
<span class="pl-k">+</span> <span class="pl-c"><span class="pl-c">#</span>#</span>
<span class="pl-k">+</span> <span class="pl-c"><span class="pl-c">#</span> checks that roles are not granted/revoked on own user</span>
<span class="pl-k">+</span> <span class="pl-k">def</span> <span class="pl-en">not_own_user</span>
<span class="pl-k">+</span> <span class="pl-k">if</span> current_user <span class="pl-k">==</span> <span class="pl-smi">@this_user</span>
<span class="pl-k">+</span> flash[<span class="pl-c1">:error</span>] <span class="pl-k">=</span> t(<span class="pl-s"><span class="pl-pds">"</span>user_role.filter.not_own_user<span class="pl-pds">"</span></span>)
<span class="pl-k">+</span> redirect_to <span class="pl-c1">:controller</span> => <span class="pl-s"><span class="pl-pds">"</span>user<span class="pl-pds">"</span></span>, <span class="pl-c1">:action</span> => <span class="pl-s"><span class="pl-pds">"</span>view<span class="pl-pds">"</span></span>, <span class="pl-c1">:display_name</span> => <span class="pl-smi">@this_user</span>.display_name
<span class="pl-k">+</span> <span class="pl-k">end</span>
<span class="pl-k">+</span> <span class="pl-k">end</span>
<span class="pl-k">end</span>
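Review bot: `not_own_user` follows the same flash-and-redirect pattern as the existing filters, which halts the chain in Rails because the redirect is performed inside the before_action, so no explicit return is needed. Two things are still missing: a test for both `grant` and `revoke` on the current user's own account (the author notes test cases are not yet included), and, if the administrator-only restriction raised in the issue text is wanted, a separate filter, since this hunk only blocks self-modification and does not change who may grant roles to others.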
diff <span class="pl-k">--</span>git a<span class="pl-k">/</span>config<span class="pl-k">/</span>locales<span class="pl-k">/</span>en.yml b<span class="pl-k">/</span>config<span class="pl-k">/</span>locales<span class="pl-k">/</span>en.yml
index 8c9a403..2b46344 <span class="pl-c1">100644</span>
<span class="pl-k">---</span> a<span class="pl-k">/</span>config<span class="pl-k">/</span>locales<span class="pl-k">/</span>en.yml
<span class="pl-k">+++</span> b<span class="pl-k">/</span>config<span class="pl-k">/</span>locales<span class="pl-k">/</span>en.yml
@@ <span class="pl-k">-</span><span class="pl-c1">2056</span>,<span class="pl-c1">6</span> <span class="pl-k">+</span><span class="pl-c1">2056</span>,<span class="pl-c1">7</span> @@ <span class="pl-c1">en:</span>
<span class="pl-c1">not_a_role:</span> <span class="pl-s"><span class="pl-pds">"</span>The string `%{role}' is not a valid role.<span class="pl-pds">"</span></span>
<span class="pl-c1">already_has_role:</span> <span class="pl-s"><span class="pl-pds">"</span>The user already has role %{role}.<span class="pl-pds">"</span></span>
<span class="pl-c1">doesnt_have_role:</span> <span class="pl-s"><span class="pl-pds">"</span>The user does not have role %{role}.<span class="pl-pds">"</span></span>
<span class="pl-k">+</span> <span class="pl-c1">not_own_user:</span> <span class="pl-s"><span class="pl-pds">"</span>Cannot grant or revoke roles for own user.<span class="pl-pds">"</span></span>
<span class="pl-c1">grant:</span>
<span class="pl-c1">title:</span> <span class="pl-c1">Confirm</span> role granting
<span class="pl-c1">heading:</span> <span class="pl-c1">Confirm</span> role granting</pre></div>
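Review bot: the new `not_own_user:` key sits next to `not_a_role`, `already_has_role` and `doesnt_have_role`, which matches the `t("user_role.filter.not_own_user")` lookup in the controller hunk, assuming those neighbours live under `user_role: filter:` (the enclosing keys are outside the shown context, so please double-check the nesting). For consistency with the adjacent messages, which all name "The user", consider wording it as "Cannot grant or revoke roles for your own user." so the reader knows the check is about the current account, not the target account.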
<p>(test cases not yet included).</p>