FIX: can grant titles to regular users. Guardian initializer needs current_user, not the target user.

2025-03-31 21:06:09 +08:00 · 2013-12-10 12:46:35 -05:00 · 2013-12-10 12:46:35 -05:00 · 561961eff6
commit 561961eff6
parent b0e6475b07
3 changed files with 15 additions and 12 deletions
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@ -44,7 +44,7 @@ class UsersController < ApplicationController
    user = fetch_user_from_params
    guardian.ensure_can_edit!(user)
    json_result(user, serializer: UserSerializer) do |u|
-      updater = UserUpdater.new(user)
+      updater = UserUpdater.new(current_user, user)
      updater.update(params)
    end
  end
--- a/app/services/user_updater.rb
+++ b/app/services/user_updater.rb
@ -1,7 +1,7 @@
 class UserUpdater
-  def initialize(user)
+  def initialize(actor, user)
    @user = user
-    @guardian = Guardian.new(user)
+    @guardian = Guardian.new(actor)
  end
  def update(attributes = {})
--- a/spec/services/user_updater_spec.rb
+++ b/spec/services/user_updater_spec.rb
@ -1,10 +1,13 @@
 require 'spec_helper'
 describe UserUpdater do
  let(:acting_user) { Fabricate.build(:user) }
  describe '#update' do
    it 'saves user' do
      user = Fabricate(:user, name: 'Billy Bob')
-      updater = UserUpdater.new(user)
+      updater = described_class.new(acting_user, user)
      updater.update(name: 'Jim Tom')
@ -14,7 +17,7 @@ describe UserUpdater do
    context 'when update succeeds' do
      it 'returns true' do
        user = Fabricate(:user)
-        updater = UserUpdater.new(user)
+        updater = described_class.new(acting_user, user)
        expect(updater.update).to be_true
      end
@ -24,7 +27,7 @@ describe UserUpdater do
      it 'returns false' do
        user = Fabricate(:user)
        user.stubs(save: false)
-        updater = UserUpdater.new(user)
+        updater = described_class.new(acting_user, user)
        expect(updater.update).to be_false
      end
@ -35,8 +38,8 @@ describe UserUpdater do
        user = Fabricate(:user, title: 'Emperor')
        guardian = stub
        guardian.stubs(:can_grant_title?).with(user).returns(true)
-        Guardian.stubs(:new).with(user).returns(guardian)
+        Guardian.stubs(:new).with(acting_user).returns(guardian)
-        updater = UserUpdater.new(user)
+        updater = described_class.new(acting_user, user)
        updater.update(title: 'Minion')
@ -49,8 +52,8 @@ describe UserUpdater do
        user = Fabricate(:user, title: 'Emperor')
        guardian = stub
        guardian.stubs(:can_grant_title?).with(user).returns(false)
-        Guardian.stubs(:new).with(user).returns(guardian)
+        Guardian.stubs(:new).with(acting_user).returns(guardian)
-        updater = UserUpdater.new(user)
+        updater = described_class.new(acting_user, user)
        updater.update(title: 'Minion')
@ -61,7 +64,7 @@ describe UserUpdater do
    context 'when website includes http' do
      it 'does not add http before updating' do
        user = Fabricate(:user)
-        updater = UserUpdater.new(user)
+        updater = described_class.new(acting_user, user)
        updater.update(website: 'http://example.com')
@ -72,7 +75,7 @@ describe UserUpdater do
    context 'when website does not include http' do
      it 'adds http before updating' do
        user = Fabricate(:user)
-        updater = UserUpdater.new(user)
+        updater = described_class.new(acting_user, user)
        updater.update(website: 'example.com')