Description: A mirror of the mephisto code-base
Homepage: http://mephistoblog.com/
Clone URL: git://github.com/halorgium/mephisto.git
fix user permission issues with site admins being able to modify mephisto 
admins
technoweenie (author)
Sat Feb 02 16:41:33 -0800 2008
commit  e48d1c412ec53cee3f57f84b048d386f25c5d148
tree    0d98be3b7e71bd0fc634eda51eb4333bb07c74f4
parent  9a46c5783ec1fa239ef87cc5b0eac7ed143569ae
...
34
35
36
37
38
 
 
 
39
40
41
42
43
 
44
45
46
 
 
47
48
49
 
50
51
52
...
34
35
36
 
 
37
38
39
40
41
42
 
 
43
44
45
46
47
48
49
 
 
50
51
52
53
0
@@ -34,19 +34,20 @@ class Admin::UsersController < Admin::BaseController
0
   end
0
 
0
   def destroy
0
- @user.deleted_at = Time.now.utc
0
- @user.save!
0
+ if @user == current_user then return @error = "Cannot delete yourself." end
0
+ if @user.admin? then return @error = "Cannot delete a Mephisto administrator." end
0
+ @allowed = @user.update_attribute :deleted_at, Time.now.utc
0
   end
0
 
0
   def enable
0
- @user.deleted_at = nil
0
- @user.save!
0
+ @allowed = @user.update_attribute :deleted_at, nil
0
   end
0
   
0
   def admin
0
+ if @user == current_user then return @error = "Cannot toggle admin permissions for yourself." end
0
+ if @user.admin? then return @error = "Cannot toggle admin permissions for a Mephisto administrator." end
0
     @membership = Membership.find_or_initialize_by_site_id_and_user_id(site.id, @user.id)
0
- @membership.admin = !@membership.admin?
0
- @membership.save!
0
+ @allowed = @membership.update_attribute :admin, !@membership.admin?
0
   end
0
   
0
   protected
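Review bot: The guards added to `destroy` and `admin` only restrict which target users may be acted on (the caller's own account and Mephisto admins); whether the caller is permitted to invoke these actions at all is not visible in this hunk and presumably sits in a filter outside it, so a comment above `def destroy` naming that filter would make the authorization boundary readable here, e.g. `# caller authorization is handled by the controller's filters; these guards protect Mephisto admins and the caller's own account`. The `return @error = "..."` early exits deliberately leave `@allowed` nil, which the RJS templates in this commit use to choose the error branch; that contract deserves a short comment too since three actions share it. Note also that `update_attribute`, unlike the replaced `save!`, returns false instead of raising (and in the Rails of this era skips validations), so a failed save now surfaces only as the templates' generic fallback message. The class Admin::UsersController continues outside the hunk.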
...
2
3
4
5
 
6
7
8
9
 
10
11
12
...
2
3
4
 
5
6
7
8
 
9
10
11
12
0
@@ -2,11 +2,11 @@
0
     <%= avatar_for user %>
0
     <h3><%= link_to user.login, :action => 'show', :id => user %></h3>
0
     <%= user.email %>
0
- <% unless user == current_user -%>
0
+ <% unless user.admin? || user == current_user -%>
0
     <p>
0
       <%= check_box_tag user.dom_id(:user_toggle), user.id, user.deleted_at.nil?, :onclick => "UserForm.toggle(this);" %>
0
       <strong><label for="<%= user.dom_id(:user_toggle) %>">Allow this user to login</label></strong>
0
- <% if !user.admin? && admin? -%> |
0
+ <% if admin? -%> |
0
       <%= check_box_tag user.dom_id(:user_toggle_admin), user.id, user.site_admin?, :onclick => "UserForm.toggleAdmin(this);" %>
0
       <strong><label for="<%= user.dom_id(:user_toggle_admin) %>">Site admin?</label></strong>
0
     <% end -%>
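Review bot: The condition `unless user.admin? || user == current_user` restates the rule that the controller now enforces in `destroy` and `admin`; keeping the same rule in two places invites drift, so a comment in the partial should say which side is authoritative, e.g. `<%# presentation only: controls hidden for Mephisto admins and self; Admin::UsersController enforces the same rule server-side %>`. With `if admin? -%>` the site-admin checkbox is now offered for every non-admin user whenever the viewer passes `admin?`, which matches the controller's relaxed path, but the meaning of the `admin?` helper (site admin versus Mephisto admin) is not visible here and is worth confirming.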
...
1
2
3
 
 
 
 
 
 
4
...
 
 
1
2
3
4
5
6
7
8
0
@@ -1,2 +1,6 @@
0
-page.call 'Flash.notice', @membership.admin? ? "#{@user.login} is now an admin." : "#{@user.login}'s admin rights were revoked."
0
-page["#{@user.dom_id}-progress"].hide
0
\ No newline at end of file
0
+if @allowed
0
+ page.call 'Flash.notice', @membership.admin? ? "#{@user.login} is now an admin." : "#{@user.login}'s admin rights were revoked."
0
+ page["#{@user.dom_id}-progress"].hide
0
+else
0
+ page.call 'Flash.errors', @error || "Had problems saving the record."
0
+end
0
\ No newline at end of file
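Review bot: The error branch `page.call 'Flash.errors', @error || "Had problems saving the record."` is duplicated verbatim in the destroy.rjs hunk of this commit; the fallback text belongs in one place (a helper or a shared RJS partial) so the two templates cannot diverge. `@allowed` is nil when a controller guard returns early and false when `update_attribute` fails, and only the first case sets `@error`; a one-line comment at the top of the template, `# @allowed/@error come from Admin::UsersController#admin; @error is nil on a plain save failure`, would spell out that contract for the next maintainer. If `page.call` JSON-encodes its arguments as RJS normally does, the interpolated `@user.login` in the notice reaches the browser escaped, so no change is needed there.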
...
1
2
3
4
5
6
7
8
9
 
 
 
 
 
 
 
 
 
 
 
 
10
...
 
 
 
 
 
 
 
 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
0
@@ -1,8 +1,12 @@
0
-page.call 'Flash.notice', "#{@user.login} was disabled."
0
-page["#{@user.dom_id}-progress"].hide
0
-page << 'function foo() {'
0
-page[@user.dom_id].remove
0
-page[:disabled_users].show
0
-page.insert_html :bottom, :disabled_users, :partial => 'user'
0
-page << '}'
0
-page[@user.dom_id].visual_effect :drop_out, :afterFinish => ActiveSupport::JSON::Variable.new("foo")
0
\ No newline at end of file
0
+if @allowed
0
+ page.call 'Flash.notice', "#{@user.login} was disabled."
0
+ page["#{@user.dom_id}-progress"].hide
0
+ page << 'function foo() {'
0
+ page[@user.dom_id].remove
0
+ page[:disabled_users].show
0
+ page.insert_html :bottom, :disabled_users, :partial => 'user'
0
+ page << '}'
0
+ page[@user.dom_id].visual_effect :drop_out, :afterFinish => ActiveSupport::JSON::Variable.new("foo")
0
+else
0
+ page.call 'Flash.errors', @error || "Had problems saving the record."
0
+end
0
\ No newline at end of file
...
5
6
7
8
 
9
10
11
...
167
168
169
170
 
171
172
173
174
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
175
176
177
...
186
187
188
189
 
190
 
191
192
193
194
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
195
196
197
...
5
6
7
 
8
9
10
11
...
167
168
169
 
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
...
211
212
213
 
214
215
216
217
218
219
 
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
0
@@ -5,7 +5,7 @@ require 'admin/users_controller'
0
 class Admin::UsersController; def rescue_action(e) raise e end; end
0
 
0
 class Admin::UsersControllerTest < Test::Unit::TestCase
0
- fixtures :users, :sites, :memberships
0
+ fixtures :users, :sites, :memberships, :contents
0
   def setup
0
     @controller = Admin::UsersController.new
0
     @request = ActionController::TestRequest.new
0
@@ -167,11 +167,36 @@ class Admin::UsersControllerTest < Test::Unit::TestCase
0
     end
0
   end
0
 
0
- def test_should_disable_site_admin
0
+ def test_should_toggle_site_admin_as_admin
0
     login_as :quentin
0
     xhr :post, :admin, :id => users(:arthur).id
0
     assert_response :success
0
     assert !sites(:first).user(users(:arthur).id).site_admin?
0
+ assert_match /Flash\.notice/, @response.body
0
+ end
0
+
0
+ def test_should_toggle_site_admin_as_site_admin
0
+ login_as :arthur
0
+ assert !sites(:first).user(users(:ben).id).site_admin?
0
+ xhr :post, :admin, :id => users(:ben).id
0
+ assert_response :success
0
+ assert sites(:first).user(users(:ben).id).site_admin?
0
+ assert_match /Flash\.notice/, @response.body
0
+ end
0
+
0
+ def test_should_not_toggle_site_admin_for_admin
0
+ login_as :arthur
0
+ xhr :post, :admin, :id => users(:quentin).id
0
+ assert_response :success
0
+ assert_match /Flash\.errors/, @response.body
0
+ end
0
+
0
+ def test_should_not_toggle_site_admin_for_self
0
+ login_as :arthur
0
+ xhr :post, :admin, :id => users(:arthur).id
0
+ assert_response :success
0
+ assert sites(:first).user(users(:arthur).id).site_admin?
0
+ assert_match /Flash\.errors/, @response.body
0
   end
0
 
0
   def test_should_enable_site_admin
0
@@ -186,12 +211,35 @@ class Admin::UsersControllerTest < Test::Unit::TestCase
0
     login_as :quentin
0
     assert_no_difference User, :count_with_deleted do
0
       assert_difference User, :count, -1 do
0
- xhr :post, :destroy, :id => users(:quentin).id
0
+ xhr :post, :destroy, :id => users(:arthur).id
0
         assert_response :success
0
+ assert_match /Flash\.notice/, @response.body
0
       end
0
     end
0
     
0
- assert_equal users(:quentin), User.find_with_deleted(users(:quentin).id)
0
+ assert_equal users(:arthur), User.find_with_deleted(users(:arthur).id)
0
+ end
0
+
0
+ def test_should_not_disable_admin
0
+ login_as :arthur
0
+ assert_no_difference User, :count_with_deleted do
0
+ assert_no_difference User, :count do
0
+ xhr :post, :destroy, :id => users(:quentin).id
0
+ assert_response :success
0
+ assert_match /Flash\.errors/, @response.body
0
+ end
0
+ end
0
+ end
0
+
0
+ def test_should_not_disable_self
0
+ login_as :arthur
0
+ assert_no_difference User, :count_with_deleted do
0
+ assert_no_difference User, :count do
0
+ xhr :post, :destroy, :id => users(:arthur).id
0
+ assert_response :success
0
+ assert_match /Flash\.errors/, @response.body
0
+ end
0
+ end
0
   end
0
 
0
   def test_should_enable_user
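Review bot: `test_should_not_toggle_site_admin_for_admin` checks only that the response contains `Flash.errors` and never asserts that quentin's membership was left untouched, unlike `test_should_not_toggle_site_admin_for_self`, which checks `site_admin?` afterwards; capturing the flag first with `was_admin = sites(:first).user(users(:quentin).id).site_admin?` and asserting `assert_equal was_admin, sites(:first).user(users(:quentin).id).site_admin?` after the request would pin the protected state rather than just the message. The new assertions also use the form `assert_match /Flash\.notice/, @response.body`, which Ruby flags as an ambiguous first argument; parenthesising, `assert_match(/Flash\.notice/, @response.body)`, avoids the warning. The enclosing test class continues outside the hunk.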
