Admins cannot update a user. Eventually we will want to allow admins to update some user fields.

3 files changed, 27 insertions, 14 deletions

diff --git a/users/app/controllers/users_controller.rb b/users/app/controllers/users_controller.rb
index 9325bc0..dff1ed5 100644
--- a/users/app/controllers/users_controller.rb
+++ b/users/app/controllers/users_controller.rb
@@ -1,7 +1,8 @@
 class UsersController < ApplicationController
 
-  before_filter :authorize, :only => [:show, :edit, :update, :destroy]
+  before_filter :authorize, :only => [:show, :edit, :destroy, :update]
   before_filter :fetch_user, :only => [:show, :edit, :update, :destroy]
+  before_filter :authorize_self, :only => [:update]
   before_filter :set_anchor, :only => [:edit, :update]
   before_filter :authorize_admin, :only => [:index]
 
@@ -57,6 +58,11 @@ class UsersController < ApplicationController
     access_denied unless admin? or (@user == current_user)
   end
 
+  def authorize_self
+    # have already checked that authorized
+    access_denied unless (@user == current_user)
+  end
+
   def set_anchor
     @anchor = email_settings? ? :email : :account
   end
diff --git a/users/app/views/users/_cancel_account.html.haml b/users/app/views/users/_cancel_account.html.haml
index 41580b0..756170b 100644
--- a/users/app/views/users/_cancel_account.html.haml
+++ b/users/app/views/users/_cancel_account.html.haml
@@ -1,6 +1,9 @@
 %legend
-  =t :cancel_account
-  %small You will not be able to login anymore.
+  - if @user == current_user
+    =t :cancel_account
+    %small You will not be able to login anymore.
+  - else
+    =t :admin_cancel_account, :username => @user.login
 = link_to user_path(@user), :method => :delete, :class => "btn btn-danger" do
   %i.icon-remove.icon-white
-  Remove my Account
+  =t :remove_account
diff --git a/users/app/views/users/edit.html.haml b/users/app/views/users/edit.html.haml
index 0dcd474..4de72f6 100644
--- a/users/app/views/users/edit.html.haml
+++ b/users/app/views/users/edit.html.haml
@@ -1,13 +1,17 @@
 .span8.offset2
   %h2=t :settings
+  - tabs = []
   - content_for :account do
-    = user_form_with 'login_and_password_fields', :legend => :change_login_and_password
-    = render 'cancel_account' if @user == current_user
-  - content_for :email do
-    %legend=t :email_address
-    The associated email address is
-    = render @user.email_address, :as => :span
-    = user_form_with 'public_key_field', :legend => :public_key
-    = user_form_with 'email_forward_field', :legend => :forward_email
-    = user_form_with 'email_aliases', :legend => :add_email_alias
-  = render 'tabs/tabs', :tabs => [:account, :email]
+    = user_form_with 'login_and_password_fields', :legend => :change_login_and_password if @user == current_user
+    = render 'cancel_account'
+    - tabs << :account
+  - if @user == current_user
+    - content_for :email do
+      %legend=t :email_address
+      =t :associated_email
+      = render @user.email_address, :as => :span
+      = user_form_with 'public_key_field', :legend => :public_key
+      = user_form_with 'email_forward_field', :legend => :forward_email
+      = user_form_with 'email_aliases', :legend => :add_email_alias
+      - tabs << :email
+  = render 'tabs/tabs', :tabs => tabs