Prevent impersonation if blocked

daca985a · Andrew Tomaka · 09e712c0 · daca985a · daca985a · daca985a
Commit daca985a authored Dec 01, 2015 by Andrew Tomaka
4 changed files
--- a/app/controllers/admin/impersonation_controller.rb
+++ b/app/controllers/admin/impersonation_controller.rb
@@ -5,14 +5,20 @@ class Admin::ImpersonationController < Admin::ApplicationController
  before_action :authorize_impersonator!

  def create
-    session[:impersonator_id] = current_user.username
-    session[:impersonator_return_to] = request.env['HTTP_REFERER']
+    if @user.blocked?
+      flash[:alert] = "You cannot impersonate a blocked user"

-    warden.set_user(user, scope: 'user')
+      redirect_to admin_user_path(@user)
+    else
+      session[:impersonator_id] = current_user.username
+      session[:impersonator_return_to] = request.env['HTTP_REFERER']
+
+      warden.set_user(user, scope: 'user')

-    flash[:alert] = "You are impersonating #{user.username}."
+      flash[:alert] = "You are impersonating #{user.username}."

-    redirect_to root_path
+      redirect_to root_path
+    end
  end

  def destroy

--- a/app/views/admin/users/_head.html.haml
+++ b/app/views/admin/users/_head.html.haml
@@ -6,7 +6,7 @@
    %span.cred (Admin)

  .pull-right
-    - unless @user == current_user
+    - unless @user == current_user || @user.blocked?
      = link_to 'Impersonate', impersonate_admin_user_path(@user), method: :post, class: "btn btn-grouped btn-info"
    = link_to edit_admin_user_path(@user), class: "btn btn-grouped" do
      %i.fa.fa-pencil-square-o

--- a/spec/controllers/admin/impersonation_controller_spec.rb
+++ b/spec/controllers/admin/impersonation_controller_spec.rb
+require 'spec_helper'
+
+describe Admin::ImpersonationController do
+  let(:admin) { create(:admin) }
+
+  before do
+    sign_in(admin)
+  end
+
+  describe 'CREATE #impersonation when blocked' do
+    let(:blocked_user) { create(:user, state: :blocked) }
+
+    it 'does not allow impersonation' do
+      post :create, id: blocked_user.username
+
+      expect(flash[:alert]).to eq 'You cannot impersonate a blocked user'
+    end
+  end
+end
--- a/spec/features/admin/admin_users_spec.rb
+++ b/spec/features/admin/admin_users_spec.rb
@@ -128,6 +128,16 @@ describe "Admin::Users", feature: true  do

          expect(page).not_to have_content('Impersonate')
        end
+
+        it 'should not show impersonate button for blocked user' do
+          another_user.block
+
+          visit admin_user_path(another_user)
+
+          expect(page).not_to have_content('Impersonate')
+
+          another_user.activate
+        end
      end

      context 'when impersonating' do