From daca985a6e75d6f43c5cc5b487a0942d5bf93f68 Mon Sep 17 00:00:00 2001
From: Andrew Tomaka <atomaka@gmail.com>
Date: Tue, 1 Dec 2015 23:40:24 -0500
Subject: [PATCH] Prevent impersonation if blocked

---
 .../admin/impersonation_controller.rb         | 16 +++++++++++-----
 app/views/admin/users/_head.html.haml         |  2 +-
 .../admin/impersonation_controller_spec.rb    | 19 +++++++++++++++++++
 spec/features/admin/admin_users_spec.rb       | 10 ++++++++++
 4 files changed, 41 insertions(+), 6 deletions(-)
 create mode 100644 spec/controllers/admin/impersonation_controller_spec.rb

diff --git a/app/controllers/admin/impersonation_controller.rb b/app/controllers/admin/impersonation_controller.rb
index 0382402afa6..102dd437402 100644
--- a/app/controllers/admin/impersonation_controller.rb
+++ b/app/controllers/admin/impersonation_controller.rb
@@ -5,14 +5,20 @@ class Admin::ImpersonationController < Admin::ApplicationController
   before_action :authorize_impersonator!
 
   def create
-    session[:impersonator_id] = current_user.username
-    session[:impersonator_return_to] = request.env['HTTP_REFERER']
+    if @user.blocked?
+      flash[:alert] = "You cannot impersonate a blocked user"
 
-    warden.set_user(user, scope: 'user')
+      redirect_to admin_user_path(@user)
+    else
+      session[:impersonator_id] = current_user.username
+      session[:impersonator_return_to] = request.env['HTTP_REFERER']
 
-    flash[:alert] = "You are impersonating #{user.username}."
+      warden.set_user(user, scope: 'user')
 
-    redirect_to root_path
+      flash[:alert] = "You are impersonating #{user.username}."
+
+      redirect_to root_path
+    end
   end
 
   def destroy
diff --git a/app/views/admin/users/_head.html.haml b/app/views/admin/users/_head.html.haml
index 8d1cab4137c..5e17b018163 100644
--- a/app/views/admin/users/_head.html.haml
+++ b/app/views/admin/users/_head.html.haml
@@ -6,7 +6,7 @@
     %span.cred (Admin)
 
   .pull-right
-    - unless @user == current_user
+    - unless @user == current_user || @user.blocked?
       = link_to 'Impersonate', impersonate_admin_user_path(@user), method: :post, class: "btn btn-grouped btn-info"
     = link_to edit_admin_user_path(@user), class: "btn btn-grouped" do
       %i.fa.fa-pencil-square-o
diff --git a/spec/controllers/admin/impersonation_controller_spec.rb b/spec/controllers/admin/impersonation_controller_spec.rb
new file mode 100644
index 00000000000..d7a7ba1c5b6
--- /dev/null
+++ b/spec/controllers/admin/impersonation_controller_spec.rb
@@ -0,0 +1,19 @@
+require 'spec_helper'
+
+describe Admin::ImpersonationController do
+  let(:admin) { create(:admin) }
+
+  before do
+    sign_in(admin)
+  end
+
+  describe 'CREATE #impersonation when blocked' do
+    let(:blocked_user) { create(:user, state: :blocked) }
+
+    it 'does not allow impersonation' do
+      post :create, id: blocked_user.username
+
+      expect(flash[:alert]).to eq 'You cannot impersonate a blocked user'
+    end
+  end
+end
diff --git a/spec/features/admin/admin_users_spec.rb b/spec/features/admin/admin_users_spec.rb
index 86f01faffb4..4570e409128 100644
--- a/spec/features/admin/admin_users_spec.rb
+++ b/spec/features/admin/admin_users_spec.rb
@@ -128,6 +128,16 @@ describe "Admin::Users", feature: true  do
 
           expect(page).not_to have_content('Impersonate')
         end
+
+        it 'should not show impersonate button for blocked user' do
+          another_user.block
+
+          visit admin_user_path(another_user)
+
+          expect(page).not_to have_content('Impersonate')
+
+          another_user.activate
+        end
       end
 
       context 'when impersonating' do