diff --git a/app/controllers/suspensions_controller.rb b/app/controllers/suspensions_controller.rb
index e46a96233..1d570a798 100644
--- a/app/controllers/suspensions_controller.rb
+++ b/app/controllers/suspensions_controller.rb
@@ -28,7 +28,9 @@ def update
   private
 
   def load_and_authorize_user
-    @user = User.find(params[:id])
+    @user = ApiUser.find_by(id: params[:id]) || User.find_by(id: params[:id])
+    raise ActiveRecord::RecordNotFound if @user.blank?
+
     authorize @user, :suspension?
   end
 end
diff --git a/app/policies/api_user_policy.rb b/app/policies/api_user_policy.rb
index d004dc7a8..5bf2a47ec 100644
--- a/app/policies/api_user_policy.rb
+++ b/app/policies/api_user_policy.rb
@@ -9,4 +9,5 @@ def new?
   alias_method :revoke?, :new?
   alias_method :manage_permissions?, :new?
   alias_method :manage_tokens?, :new?
+  alias_method :suspension?, :new?
 end
diff --git a/app/views/api_users/edit.html.erb b/app/views/api_users/edit.html.erb
index fafa9cf0f..4824464b6 100644
--- a/app/views/api_users/edit.html.erb
+++ b/app/views/api_users/edit.html.erb
@@ -12,7 +12,9 @@
   User <%= @api_user.status %> •
   Created <%= time_ago_in_words(@api_user.created_at) %> ago •
   <%= link_to "Account access log", event_logs_user_path(@api_user) %> •
-  <%= link_to "#{@api_user.suspended? ? "Uns" : "S"}uspend user", edit_suspension_path(@api_user) %>
+  <% if policy(@api_user).suspension? %>
+    <%= link_to "#{@api_user.suspended? ? "Uns" : "S"}uspend user", edit_suspension_path(@api_user) %>
+  <% end %>
 
 <% if @api_user.suspended? and @api_user.reason_for_suspension.present? %>
diff --git a/test/controllers/suspensions_controller_test.rb b/test/controllers/suspensions_controller_test.rb
index c94a679c0..e612b4978 100644
--- a/test/controllers/suspensions_controller_test.rb
+++ b/test/controllers/suspensions_controller_test.rb
@@ -74,6 +74,14 @@ class SuspensionsControllerTest < ActionController::TestCase
       assert_equal "Negligence", another_user.reason_for_suspension
     end
 
+    should "not be able to control suspension of an API user" do
+      api_user = create(:api_user)
+      put :update, params: { id: api_user.id, user: { suspended: "1", reason_for_suspension: "Negligence" } }
+      assert_not_authorised
+      assert_not api_user.reload.suspended?
+    end
+
     should "redisplay the form if the reason is blank" do
       another_user = create(:user)
       put :update, params: { id: another_user.id, user: { suspended: "1", reason_for_suspension: "" } }
diff --git a/test/policies/api_user_policy_test.rb b/test/policies/api_user_policy_test.rb
index e13e67672..10b0070b0 100644
--- a/test/policies/api_user_policy_test.rb
+++ b/test/policies/api_user_policy_test.rb
@@ -4,7 +4,7 @@ class ApiUserPolicyTest < ActiveSupport::TestCase
   include PolicyHelpers
 
-  %i[new create index edit update revoke].each do |permission_name|
+  %i[new create index edit update revoke manage_permissions manage_tokens suspension].each do |permission_name|
     context permission_name do
       should "allow only for superadmins" do
         assert permit?(create(:superadmin_user), User, permission_name)
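Review bot: The added `raise ActiveRecord::RecordNotFound if @user.blank?` in `load_and_authorize_user` duplicates what `find` already provides; the two new lines collapse to `@user = ApiUser.find_by(id: params[:id]) || User.find(params[:id])`, which raises the same exception and includes the missing id in its message. The lookup order is what makes the policy check meaningful: an API user has to be matched by `ApiUser.find_by` first so that `authorize @user, :suspension?` resolves to `ApiUserPolicy#suspension?` (superadmin-only via the `new?` alias in this commit) rather than the regular user policy, which presumably admits more roles; if `ApiUser` and `User` share a table and the `ApiUser` lookup can ever miss a record that `User.find_by` then returns, that record would be authorised under the weaker policy. That dependency deserves a comment on the lookup line, e.g. `# ApiUser must be tried first: a plain User match is authorised by UserPolicy, not ApiUserPolicy`. The `update` action named in the hunk header lies outside the hunk.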
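Review bot: The new test exercises only `put :update`; the form is reached through `edit_suspension_path` and presumably runs the same `load_and_authorize_user` filter, so a sibling case `get :edit, params: { id: api_user.id }` followed by `assert_not_authorised` would pin the authorisation on the `edit` action as well. The signed-in role for this `context` is set up outside the hunk, so it is not visible here whether the positive path (a superadmin suspending an API user and `api_user.reload.suspended?` becoming true) is covered elsewhere; if it is not, that case would complete the pair. The enclosing `context` block starts before the hunk.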