Commit daca985a authored by Andrew Tomaka's avatar Andrew Tomaka

Prevent impersonation if blocked

parent 09e712c0
...@@ -5,14 +5,20 @@ class Admin::ImpersonationController < Admin::ApplicationController ...@@ -5,14 +5,20 @@ class Admin::ImpersonationController < Admin::ApplicationController
before_action :authorize_impersonator! before_action :authorize_impersonator!
def create def create
session[:impersonator_id] = current_user.username if @user.blocked?
session[:impersonator_return_to] = request.env['HTTP_REFERER'] flash[:alert] = "You cannot impersonate a blocked user"
warden.set_user(user, scope: 'user') redirect_to admin_user_path(@user)
else
session[:impersonator_id] = current_user.username
session[:impersonator_return_to] = request.env['HTTP_REFERER']
warden.set_user(user, scope: 'user')
flash[:alert] = "You are impersonating #{user.username}." flash[:alert] = "You are impersonating #{user.username}."
redirect_to root_path redirect_to root_path
end
end end
def destroy def destroy
......
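Review bot: The new guard in `create` tests `@user.blocked?`, while the branch that actually logs the admin in still uses `user` (`warden.set_user(user, scope: 'user')`, `user.username`), so the check and the action refer to two differently named objects; if `user` is not simply a memoized accessor for `@user` (neither is defined in this hunk, so I cannot confirm), the blocked check would not cover the account that warden sets. Using one spelling for both would remove that doubt. Since this server-side branch is the control that matters (the view change only hides the button), it would also be safer as a `before_action` beside `authorize_impersonator!`, so any impersonation action added later inherits the rule instead of re-implementing the `if/else`. The class body continues past the hunk (`destroy` starts on its last visible line), so the helper below would go in the existing private section.
```ruby
before_action :authorize_impersonator!
before_action :reject_blocked_user!, only: :create

def create
  session[:impersonator_id] = current_user.username
  session[:impersonator_return_to] = request.env['HTTP_REFERER']
  warden.set_user(user, scope: 'user')
  # … unchanged: flash and redirect_to root_path …
end

# … unchanged: destroy … (place the helper below `private`)

# Blocked accounts must not be impersonated; send the admin back to the user page.
def reject_blocked_user!
  return unless @user.blocked?

  flash[:alert] = "You cannot impersonate a blocked user"
  redirect_to admin_user_path(@user)
end
```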
...@@ -6,7 +6,7 @@ ...@@ -6,7 +6,7 @@
%span.cred (Admin) %span.cred (Admin)
.pull-right .pull-right
- unless @user == current_user - unless @user == current_user || @user.blocked?
= link_to 'Impersonate', impersonate_admin_user_path(@user), method: :post, class: "btn btn-grouped btn-info" = link_to 'Impersonate', impersonate_admin_user_path(@user), method: :post, class: "btn btn-grouped btn-info"
= link_to edit_admin_user_path(@user), class: "btn btn-grouped" do = link_to edit_admin_user_path(@user), class: "btn btn-grouped" do
%i.fa.fa-pencil-square-o %i.fa.fa-pencil-square-o
......
require 'spec_helper'
describe Admin::ImpersonationController do
let(:admin) { create(:admin) }
before do
sign_in(admin)
end
describe 'CREATE #impersonation when blocked' do
let(:blocked_user) { create(:user, state: :blocked) }
it 'does not allow impersonation' do
post :create, id: blocked_user.username
expect(flash[:alert]).to eq 'You cannot impersonate a blocked user'
end
end
end
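Review bot: The example only asserts the flash message, so it would still pass if the controller set the message and then impersonated anyway; a regression test for an access-control rule should pin the effect, e.g. add `expect(session[:impersonator_id]).to be_nil` and `expect(response).to redirect_to(admin_user_path(blocked_user))` after the existing expectation. The describe label `'CREATE #impersonation when blocked'` does not follow the usual `'POST #create'` naming used for controller specs. `create(:user, state: :blocked)` presumably relies on the user factory accepting a `state` attribute — worth confirming against the factory, since a silently ignored attribute would test an active user.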
...@@ -128,6 +128,16 @@ describe "Admin::Users", feature: true do ...@@ -128,6 +128,16 @@ describe "Admin::Users", feature: true do
expect(page).not_to have_content('Impersonate') expect(page).not_to have_content('Impersonate')
end end
it 'should not show impersonate button for blocked user' do
another_user.block
visit admin_user_path(another_user)
expect(page).not_to have_content('Impersonate')
another_user.activate
end
end end
context 'when impersonating' do context 'when impersonating' do
......
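Review bot: The trailing `another_user.activate` is cleanup placed inside the example body, so it is skipped whenever the expectation above it fails, and if the suite isolates examples transactionally (not visible here) it is unnecessary; if it is needed, it belongs in an `after` hook rather than after the assertion. The example name `'should not show impersonate button for blocked user'` carries a leading "should" that the surrounding examples avoid — `it 'does not show the impersonate button for a blocked user'` reads consistently. The enclosing describe block starts and ends outside this hunk.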