Disallow changing roles of team members after role creation

Could also solve one of the bugs behind #205
rails-girls-summer-of-code · Mar 12, 2016 · a85416d · carpodaster · Mar 12, 2016 · a85416d
1 parent b7fc80c
commit a85416d
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 2 deletions.
diff --git a/app/controllers/teams_controller.rb b/app/controllers/teams_controller.rb
@@ -79,11 +79,21 @@ def team_params
         :checked, :'starts_on(1i)', :'starts_on(2i)', :'starts_on(3i)',
         :'finishes_on(1i)', :'finishes_on(2i)', :'finishes_on(3i)', :invisible,
         :project_name,
-        roles_attributes: [:id, :name, :github_handle, :_destroy],
+        roles_attributes: role_attributes_list,
         sources_attributes: [:id, :kind, :url, :_destroy]
       )
     end
 
+  def role_attributes_list
+    unless current_user.admin? ||
+      # If it contains an ID, the user is updating an existing role
+      params.fetch(:roles_attributes, {}).none? { |_, attributes| attributes.has_key? 'id' }
+      [:id, :github_handle, :_destroy] # do not allow to update the actual role
+    else
+      [:id, :name, :github_handle, :_destroy]
+    end
+  end
+
   def set_display_roles
     @display_roles = ['student']
     @display_roles.map!(&:pluralize)

diff --git a/app/views/teams/_form.html.slim b/app/views/teams/_form.html.slim
@@ -29,7 +29,7 @@
           - accessible_roles.each do |role|
             .radio
               label
-                = r.radio_button :name, role, required: true
+                = r.radio_button :name, role, required: true, disabled: (!current_user.admin? && r.object.persisted?)
                 = role.capitalize
           .help-block Note: Coaches will be informed via email and have to confirm their role.
           .form-btn-group