[openstreetmap/openstreetmap-website] Granting / revoking roles for own user (#1697)

mmd notifications at github.com
Wed Dec 6 21:01:59 UTC 2017

I wonder if we really want to allow a user to grant and revoke roles on his/her own user. My suggestion would be to disallow such an operation. Maybe this should be further restricted to the administrator role?

diff --git a/app/controllers/user_roles_controller.rb b/app/controllers/user_roles_controller.rb
index 536790d..015259c 100644
--- a/app/controllers/user_roles_controller.rb
+++ b/app/controllers/user_roles_controller.rb
@@ -8,6 +8,7 @@ class UserRolesController < ApplicationController
   before_action :require_valid_role
   before_action :not_in_role, :only => [:grant]
   before_action :in_role, :only => [:revoke]
+  before_action :not_own_user
   def grant
     @this_user.roles.create(:role => @role, :granter => current_user)
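Review bot: `before_action :not_own_user` is registered without an `:only` list, while the neighbouring filters `not_in_role` and `in_role` are scoped to `:grant` and `:revoke`; scoping it the same way (`before_action :not_own_user, :only => [:grant, :revoke]`) keeps the intent explicit and avoids applying the self-check to any future action in this controller. The filter also reads `@this_user`, so it has to stay after whichever earlier before_action loads that user, which the current placement below the role filters does.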
@@ -59,4 +60,12 @@ class UserRolesController < ApplicationController
       redirect_to :controller => "user", :action => "view", :display_name => @this_user.display_name
+  ##
+  # checks that roles are not granted/revoked on own user
+  def not_own_user
+    if current_user == @this_user
+      flash[:error] = t("user_role.filter.not_own_user")
+      redirect_to :controller => "user", :action => "view", :display_name => @this_user.display_name
+    end
+  end
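Review bot: the hunk header (`-59,4 +60,12`) announces four context lines but only the `redirect_to` line is visible before the new method, so the `end` lines closing the previous filter look to have been dropped somewhere between the commit and this mail; worth checking that the pushed commit applies cleanly. The new `not_own_user` should also live in the same section (private or not) as the other filter methods it mirrors, and, as the message says, still needs tests: one each for `grant` and `revoke` where a logged-in user targets their own display_name, expecting the `user_role.filter.not_own_user` flash and a redirect.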
diff --git a/config/locales/en.yml b/config/locales/en.yml
index 8c9a403..2b46344 100644
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -2056,6 +2056,7 @@ en:
       not_a_role: "The string `%{role}' is not a valid role."
       already_has_role: "The user already has role %{role}."
       doesnt_have_role: "The user does not have role %{role}."
+      not_own_user: "Cannot grant or revoke roles for own user."
       title: Confirm role granting
       heading: Confirm role granting
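Review bot: the new string `Cannot grant or revoke roles for own user.` reads as a fragment next to the neighbouring full sentences (`The user already has role %{role}.`); a wording such as `You cannot grant or revoke roles for your own user.` would match them. The key `not_own_user` does line up with the `t("user_role.filter.not_own_user")` lookup in the controller hunk, so nothing further is needed on that side.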

(test cases not yet included).

More information about the rails-dev mailing list