[openstreetmap/openstreetmap-website] Granting / revoking roles for own user (#1697)
mmd
notifications at github.com
Wed Dec 6 21:01:59 UTC 2017
I wonder if we really want to allow a user to grant and revoke roles on his/her own user. My suggestion would be to disallow such an operation. Maybe this should be further restricted to the administrator role?
```diff
diff --git a/app/controllers/user_roles_controller.rb b/app/controllers/user_roles_controller.rb
index 536790d..015259c 100644
--- a/app/controllers/user_roles_controller.rb
+++ b/app/controllers/user_roles_controller.rb
@@ -8,6 +8,7 @@ class UserRolesController < ApplicationController
before_action :require_valid_role
before_action :not_in_role, :only => [:grant]
before_action :in_role, :only => [:revoke]
+ before_action :not_own_user
def grant
@this_user.roles.create(:role => @role, :granter => current_user)
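Review bot: the added `before_action :not_own_user` carries no `:only` option, unlike the two filters just above it (`:not_in_role, :only => [:grant]` and `:in_role, :only => [:revoke]`); if `grant` and `revoke` are the controller's only actions this is harmless today, but for consistency and so the filter does not silently apply to any action added later, consider `before_action :not_own_user, :only => [:grant, :revoke]`. The filter also reads `@this_user`, so it must stay ordered after whichever earlier filter loads that record; placing it last in the chain, as here, satisfies that. Note that the patch only covers the first proposal in the issue text (no self-grant/revoke) and not the second one (restricting role changes to administrators), which would need a separate filter if it is wanted.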
@@ -59,4 +60,12 @@ class UserRolesController < ApplicationController
redirect_to :controller => "user", :action => "view", :display_name => @this_user.display_name
end
end
+ ##
+ # checks that roles are not granted/revoked on own user
+ def not_own_user
+ if current_user == @this_user
+ flash[:error] = t("user_role.filter.not_own_user")
+ redirect_to :controller => "user", :action => "view", :display_name => @this_user.display_name
+ end
+ end
end
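Review bot: `not_own_user` is appended at the bottom of the class with no `private` keyword visible in the hunk; filter methods should not be public controller methods, so confirm it sits under `private` together with the existing filters (or add `private` before it) so that it cannot be reached as an action. Two smaller points: the redirect duplicates the `redirect_to :controller => "user", :action => "view", :display_name => @this_user.display_name` already present in the context lines above and could be pulled into a shared helper; and because a redirect issued inside a `before_action` halts the filter chain in Rails, the absence of an explicit `return` is correct, but a short comment saying so would help the next reader. The author already notes that tests are missing; a test asserting that a user calling `grant` or `revoke` on their own account is redirected with the `not_own_user` flash would cover this method.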
diff --git a/config/locales/en.yml b/config/locales/en.yml
index 8c9a403..2b46344 100644
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -2056,6 +2056,7 @@ en:
not_a_role: "The string `%{role}' is not a valid role."
already_has_role: "The user already has role %{role}."
doesnt_have_role: "The user does not have role %{role}."
+ not_own_user: "Cannot grant or revoke roles for own user."
grant:
title: Confirm role granting
heading: Confirm role granting
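Review bot: the new message should read like its neighbours and address the acting user; consider `not_own_user: "You cannot grant or revoke roles for your own account."` in place of the terser "Cannot grant or revoke roles for own user." The key is placed in the same block as `not_a_role`, `already_has_role` and `doesnt_have_role`, which matches the `t("user_role.filter.not_own_user")` lookup used in the controller hunk.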
```
(test cases not yet included).
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/issues/1697