• Timothy Andrew's avatar
    Don't allow deleting a ghost user. · d71973ad
    Timothy Andrew authored
    - Add a `destroy_user` ability. This didn't exist before, and was implicit in
      other abilities (only admins could access the admin area, so only they could
      destroy all users; a user can only access their own account page, and so can
      destroy only themselves).
    
    - Grant this ability to admins, and when the current user is trying to destroy
      themselves. Disallow destroying ghost users in all cases.
    
    - Modify the `Users::DestroyService` to check this ability. Also check it in
      views to decide whether or not to show the "Delete User" button.
    
    - Add a short summary of the Ghost User to the bio.
    d71973ad
user_policy.rb 437 Bytes