* Add validation check so admins can't upgrade to superadmin

* Add unit test of above validation check
refs ushahidi#73

application/i18n/en_US/auth.php

@@ -26,6 +26,9 @@
 		'invalid' => 'Sorry, we don\'t have your email address',
 		'required' => 'The email field is required.',
 	),
+	'role' => array(
+		'superadmin_modify' => 'Only a superadmin may modify a superadmin or upgrade a user to admin.',
+	),
 	'roles' => array(
 		'alpha_numeric' => 'Invalid role format.',
 		'length' => 'The role field must be at least 5 and no more than 30 characters long.',

application/models/user.php

@@ -52,14 +52,20 @@ public static function get_public_users()
 	/**
 	 * Custom validation for this model - complements the default validate()
 	 *
+	 * @param   array  array to validate
+	 * @param   Auth   instance of Auth class; used for testing purposes
 	 * @return bool TRUE if validation succeeds, FALSE otherwise
 	 */
-	public static function custom_validate(array & $post)
+	public static function custom_validate(array & $post, Auth $auth = null)
 	{
 		// Initalize validation
 		$post = Validation::factory($post)
 				->pre_filter('trim', TRUE);
-
+
+		if ($auth === null) {
+			$auth = new Auth;
+		}
+
 		$post->add_rules('username','required','length[3,16]', 'alpha_numeric');
 		$post->add_rules('name','required','length[3,100]');
         $post->add_rules('email','required','email','length[4,64]');
@@ -85,7 +91,12 @@ public static function custom_validate(array & $post)
 
 		$post->add_rules('role','required','length[3,30]', 'alpha_numeric');
 		$post->add_rules('notify','between[0,1]');
-
+
+		if ( ! $auth->logged_in('superadmin'))
+		{
+			$post->add_callbacks('role', array('User_Model', 'prevent_superadmin_modification'));
+		}
+
 		// Additional validation checks
 		Event::run('ushahidi_action.user_submit_admin', $post);
 
@@ -105,5 +116,17 @@ public static function unique_value_exists(Validation $post, $field)
 			$post->add_error($field, 'exists');
 		}
 	}
-
+
+	/**
+	 * Ensures that only a superadmin can modify superadmin users, or upgrade a user to superadmin
+	 * @note this assumes the currently logged-in user isn't a superadmin
+	 */
+	public static function prevent_superadmin_modification(Validation $post, $field)
+	{
+		if ($post[$field] == 'superadmin')
+		{
+			$post->add_error($field, 'superadmin_modify');
+		}
+	}
+
 } // End User_Model

tests/phpunit/classes/models/User_Model_Test.php

@@ -24,7 +24,7 @@ public function provider_custom_validate()
 				'password' => 'abc123tbhh', 
 				'password_again'=>'abc123tbhh',
 				'notify' => '0',
-				'role' => 'admin'
+				'role' => 'superadmin'
 			),
 			array(
 				'username' => 'admin',
@@ -46,16 +46,40 @@ public function provider_custom_validate()
 	 */
 	public function test_custom_validate($valid, $invalid)
 	{
+		// set up mock, for prevent_superadmin_modification
+		$auth = $this->getMock('Auth', array('logged_in'));
+		$auth->expects($this->exactly(2))
+			 ->method('logged_in')
+			 ->with($this->equalTo('superadmin'))
+			 ->will($this->returnValue(True));
+
+		// Save initial data
+		$initial_valid = $valid;
+		$initial_invalid = $invalid;
+
 		// Test with valid data
-		$response = User_Model::custom_validate($valid);
+		$response = User_Model::custom_validate($valid, $auth);
 		$this->assertEquals(TRUE, $valid instanceof Validation);
 		$this->assertTrue($response, Kohana::debug($valid->errors()));
 
 		// Test with invalid data
-		$response = User_Model::custom_validate($invalid);
+		$response = User_Model::custom_validate($invalid, $auth);
 		$this->assertEquals(TRUE, $invalid instanceof Validation);
 		$this->assertFalse($response);
-
+
+		// restore valid, invalid
+		$valid = $initial_valid;
+		$invalid = $initial_invalid;
+
+		// Test modification to superadmin as admin
+		$auth = $this->getMock('Auth', array('logged_in'));
+		$auth->expects($this->once())
+			 ->method('logged_in')
+			 ->with($this->equalTo('superadmin'))
+			 ->will($this->returnValue(False));
+		$response = User_Model::custom_validate($valid, $auth);
+		$this->assertTrue($valid instanceof Validation);
+		$this->assertFalse($response, Kohana::debug($valid->errors()));
 	}
 }
 ?>