Prevent impersonation if blocked
parent
09e712c0fb
commit
daca985a6e
|
@ -5,14 +5,20 @@ class Admin::ImpersonationController < Admin::ApplicationController
|
|||
before_action :authorize_impersonator!
|
||||
|
||||
def create
|
||||
session[:impersonator_id] = current_user.username
|
||||
session[:impersonator_return_to] = request.env['HTTP_REFERER']
|
||||
if @user.blocked?
|
||||
flash[:alert] = "You cannot impersonate a blocked user"
|
||||
|
||||
warden.set_user(user, scope: 'user')
|
||||
redirect_to admin_user_path(@user)
|
||||
else
|
||||
session[:impersonator_id] = current_user.username
|
||||
session[:impersonator_return_to] = request.env['HTTP_REFERER']
|
||||
|
||||
flash[:alert] = "You are impersonating #{user.username}."
|
||||
warden.set_user(user, scope: 'user')
|
||||
|
||||
redirect_to root_path
|
||||
flash[:alert] = "You are impersonating #{user.username}."
|
||||
|
||||
redirect_to root_path
|
||||
end
|
||||
end
|
||||
|
||||
def destroy
|
||||
|
|
|
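Review bot: The new blocked-user guard in `create` reads the instance variable `@user` (`if @user.blocked?`, `redirect_to admin_user_path(@user)`), while the impersonation branch below it calls `user`. Nothing visible in this hunk assigns `@user`, so the guard depends on a filter or memoising helper defined outside it. If `@user` were ever nil at this point the check would raise instead of refusing, so I would use the same accessor throughout: `if user.blocked?` and `redirect_to admin_user_path(user)`. Separately, `session[:impersonator_return_to]` is still filled from the client-supplied `HTTP_REFERER`; whatever consumes it (presumably `destroy`, whose body is outside the hunk) should confirm the value is a local path before redirecting to it.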
@ -6,7 +6,7 @@
|
|||
%span.cred (Admin)
|
||||
|
||||
.pull-right
|
||||
- unless @user == current_user
|
||||
- unless @user == current_user || @user.blocked?
|
||||
= link_to 'Impersonate', impersonate_admin_user_path(@user), method: :post, class: "btn btn-grouped btn-info"
|
||||
= link_to edit_admin_user_path(@user), class: "btn btn-grouped" do
|
||||
%i.fa.fa-pencil-square-o
|
||||
|
|
|
@ -0,0 +1,19 @@
|
|||
require 'spec_helper'
|
||||
|
||||
describe Admin::ImpersonationController do
|
||||
let(:admin) { create(:admin) }
|
||||
|
||||
before do
|
||||
sign_in(admin)
|
||||
end
|
||||
|
||||
describe 'CREATE #impersonation when blocked' do
|
||||
let(:blocked_user) { create(:user, state: :blocked) }
|
||||
|
||||
it 'does not allow impersonation' do
|
||||
post :create, id: blocked_user.username
|
||||
|
||||
expect(flash[:alert]).to eq 'You cannot impersonate a blocked user'
|
||||
end
|
||||
end
|
||||
end
|
|
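Review bot: The only assertion in 'does not allow impersonation' is on the flash text, so the example would still pass if the identity switch ran before the message was set. For an access-control check I would also assert the outcome: `expect(session[:impersonator_id]).to be_nil` and `expect(response).to redirect_to(admin_user_path(blocked_user))`, and ideally that the signed-in user is still the admin. A companion example for a non-blocked user would pin that the `else` branch still starts impersonation.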
@ -128,6 +128,16 @@ describe "Admin::Users", feature: true do
|
|||
|
||||
expect(page).not_to have_content('Impersonate')
|
||||
end
|
||||
|
||||
it 'should not show impersonate button for blocked user' do
|
||||
another_user.block
|
||||
|
||||
visit admin_user_path(another_user)
|
||||
|
||||
expect(page).not_to have_content('Impersonate')
|
||||
|
||||
another_user.activate
|
||||
end
|
||||
end
|
||||
|
||||
context 'when impersonating' do
|
||||
|
|
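Review bot: In 'should not show impersonate button for blocked user' the reset `another_user.activate` sits after the expectation, so it is skipped whenever the expectation fails. If `another_user` is shared with other examples, that would leave it blocked for them. Moving the reset into an `after` block, or blocking a user created just for this example, avoids that; if records are rolled back per example, the line can simply go. `expect(page).not_to have_link('Impersonate')` would also target the button itself rather than any occurrence of the word on the page. The enclosing `describe`/`context` starts outside the hunk, so how `another_user` is defined is not visible here.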