Commit daca985a authored by Andrew Tomaka's avatar Andrew Tomaka

Prevent impersonation if blocked

parent 09e712c0
......@@ -5,6 +5,11 @@ class Admin::ImpersonationController < Admin::ApplicationController
before_action :authorize_impersonator!
def create
if @user.blocked?
flash[:alert] = "You cannot impersonate a blocked user"
redirect_to admin_user_path(@user)
else
session[:impersonator_id] = current_user.username
session[:impersonator_return_to] = request.env['HTTP_REFERER']
......@@ -14,6 +19,7 @@ class Admin::ImpersonationController < Admin::ApplicationController
redirect_to root_path
end
end
def destroy
redirect = session[:impersonator_return_to]
......
......@@ -6,7 +6,7 @@
%span.cred (Admin)
.pull-right
- unless @user == current_user
- unless @user == current_user || @user.blocked?
= link_to 'Impersonate', impersonate_admin_user_path(@user), method: :post, class: "btn btn-grouped btn-info"
= link_to edit_admin_user_path(@user), class: "btn btn-grouped" do
%i.fa.fa-pencil-square-o
......
require 'spec_helper'
describe Admin::ImpersonationController do
let(:admin) { create(:admin) }
before do
sign_in(admin)
end
describe 'CREATE #impersonation when blocked' do
let(:blocked_user) { create(:user, state: :blocked) }
it 'does not allow impersonation' do
post :create, id: blocked_user.username
expect(flash[:alert]).to eq 'You cannot impersonate a blocked user'
end
end
end
......@@ -128,6 +128,16 @@ describe "Admin::Users", feature: true do
expect(page).not_to have_content('Impersonate')
end
it 'should not show impersonate button for blocked user' do
another_user.block
visit admin_user_path(another_user)
expect(page).not_to have_content('Impersonate')
another_user.activate
end
end
context 'when impersonating' do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment