Skip to content

Commit

Permalink
Merge pull request #2592 from alphagov/fix-policies-for-user-suspension
Browse files Browse the repository at this point in the history
Prevent Admins from suspending/unsuspending API users
  • Loading branch information
floehopper authored Dec 12, 2023
2 parents 7765030 + d798dfb commit f6690d8
Show file tree
Hide file tree
Showing 5 changed files with 16 additions and 3 deletions.
4 changes: 3 additions & 1 deletion app/controllers/suspensions_controller.rb
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,9 @@ def update
private

def load_and_authorize_user
@user = User.find(params[:id])
@user = ApiUser.find_by(id: params[:id]) || User.find_by(id: params[:id])
raise ActiveRecord::RecordNotFound if @user.blank?

authorize @user, :suspension?
end
end
1 change: 1 addition & 0 deletions app/policies/api_user_policy.rb
Original file line number Diff line number Diff line change
Expand Up @@ -9,4 +9,5 @@ def new?
alias_method :revoke?, :new?
alias_method :manage_permissions?, :new?
alias_method :manage_tokens?, :new?
alias_method :suspension?, :new?
end
4 changes: 3 additions & 1 deletion app/views/api_users/edit.html.erb
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,9 @@
User <strong><%= @api_user.status %></strong> &bull;
Created <%= time_ago_in_words(@api_user.created_at) %> ago &bull;
<%= link_to "Account access log", event_logs_user_path(@api_user) %> &bull;
<%= link_to "#{@api_user.suspended? ? "Uns" : "S"}uspend user", edit_suspension_path(@api_user) %>
<% if policy(@api_user).suspension? %>
<%= link_to "#{@api_user.suspended? ? "Uns" : "S"}uspend user", edit_suspension_path(@api_user) %>
<% end %>
</p>

<% if @api_user.suspended? and @api_user.reason_for_suspension.present? %>
Expand Down
8 changes: 8 additions & 0 deletions test/controllers/suspensions_controller_test.rb
Original file line number Diff line number Diff line change
Expand Up @@ -74,6 +74,14 @@ class SuspensionsControllerTest < ActionController::TestCase
assert_equal "Negligence", another_user.reason_for_suspension
end

should "not be able to control suspension of an API user" do
api_user = create(:api_user)
put :update, params: { id: api_user.id, user: { suspended: "1", reason_for_suspension: "Negligence" } }

assert_not_authorised
assert_not api_user.reload.suspended?
end

should "redisplay the form if the reason is blank" do
another_user = create(:user)
put :update, params: { id: another_user.id, user: { suspended: "1", reason_for_suspension: "" } }
Expand Down
2 changes: 1 addition & 1 deletion test/policies/api_user_policy_test.rb
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@
class ApiUserPolicyTest < ActiveSupport::TestCase
include PolicyHelpers

%i[new create index edit update revoke].each do |permission_name|
%i[new create index edit update revoke manage_permissions manage_tokens suspension].each do |permission_name|
context permission_name do
should "allow only for superadmins" do
assert permit?(create(:superadmin_user), User, permission_name)
Expand Down

0 comments on commit f6690d8

Please sign in to comment.