Admins cannot update a user. Eventually we will want to allow admins to update some user fields.

5 files changed, 35 insertions, 22 deletions

diff --git a/users/app/controllers/users_controller.rb b/users/app/controllers/users_controller.rb
index 9325bc0..dff1ed5 100644
--- a/users/app/controllers/users_controller.rb
+++ b/users/app/controllers/users_controller.rb
@@ -1,7 +1,8 @@
 class UsersController < ApplicationController
 
-  before_filter :authorize, :only => [:show, :edit, :update, :destroy]
+  before_filter :authorize, :only => [:show, :edit, :destroy, :update]
   before_filter :fetch_user, :only => [:show, :edit, :update, :destroy]
+  before_filter :authorize_self, :only => [:update]
   before_filter :set_anchor, :only => [:edit, :update]
   before_filter :authorize_admin, :only => [:index]
 
@@ -57,6 +58,11 @@ class UsersController < ApplicationController
     access_denied unless admin? or (@user == current_user)
   end
 
+  def authorize_self
+    # have already checked that authorized
+    access_denied unless (@user == current_user)
+  end
+
   def set_anchor
     @anchor = email_settings? ? :email : :account
   end
diff --git a/users/app/views/users/_cancel_account.html.haml b/users/app/views/users/_cancel_account.html.haml
index 41580b0..756170b 100644
--- a/users/app/views/users/_cancel_account.html.haml
+++ b/users/app/views/users/_cancel_account.html.haml
@@ -1,6 +1,9 @@
 %legend
-  =t :cancel_account
-  %small You will not be able to login anymore.
+  - if @user == current_user
+    =t :cancel_account
+    %small You will not be able to login anymore.
+  - else
+    =t :admin_cancel_account, :username => @user.login
 = link_to user_path(@user), :method => :delete, :class => "btn btn-danger" do
   %i.icon-remove.icon-white
-  Remove my Account
+  =t :remove_account
diff --git a/users/app/views/users/edit.html.haml b/users/app/views/users/edit.html.haml
index 0dcd474..4de72f6 100644
--- a/users/app/views/users/edit.html.haml
+++ b/users/app/views/users/edit.html.haml
@@ -1,13 +1,17 @@
 .span8.offset2
   %h2=t :settings
+  - tabs = []
   - content_for :account do
-    = user_form_with 'login_and_password_fields', :legend => :change_login_and_password
-    = render 'cancel_account' if @user == current_user
-  - content_for :email do
-    %legend=t :email_address
-    The associated email address is
-    = render @user.email_address, :as => :span
-    = user_form_with 'public_key_field', :legend => :public_key
-    = user_form_with 'email_forward_field', :legend => :forward_email
-    = user_form_with 'email_aliases', :legend => :add_email_alias
-  = render 'tabs/tabs', :tabs => [:account, :email]
+    = user_form_with 'login_and_password_fields', :legend => :change_login_and_password if @user == current_user
+    = render 'cancel_account'
+    - tabs << :account
+  - if @user == current_user
+    - content_for :email do
+      %legend=t :email_address
+      =t :associated_email
+      = render @user.email_address, :as => :span
+      = user_form_with 'public_key_field', :legend => :public_key
+      = user_form_with 'email_forward_field', :legend => :forward_email
+      = user_form_with 'email_aliases', :legend => :add_email_alias
+      - tabs << :email
+  = render 'tabs/tabs', :tabs => tabs
diff --git a/users/config/locales/en.yml b/users/config/locales/en.yml
index 2a5e6af..bda38fe 100644
--- a/users/config/locales/en.yml
+++ b/users/config/locales/en.yml
@@ -11,6 +11,8 @@ en:
   change_login_and_password: "Change Login and Password"
   change_password: "Change Password"
   cancel_account: "Cancel your account"
+  remove_account: "Remove Account"
+  admin_cancel_account: "Cancel the account %{username}"
   set_email_address: "Set email address"
   forward_email: "Forward email"
   email_aliases: "Email aliases"
@@ -21,6 +23,7 @@ en:
   email_alias_destroyed_successfully: "Successfully removed the alias '%{alias}'."
   use_ascii_key: "Use ASCII-armored PGP key"
   can_retype_old_password: "Retype your old password if you would like to keep that"
+  associated_email: "The associated email address is"
 
   activemodel:
     models:
diff --git a/users/test/functional/users_controller_test.rb b/users/test/functional/users_controller_test.rb
index 9fb06c9..fd8869a 100644
--- a/users/test/functional/users_controller_test.rb
+++ b/users/test/functional/users_controller_test.rb
@@ -130,20 +130,17 @@ class UsersControllerTest < ActionController::TestCase
     assert_equal " ", @response.body
   end
 
-  test "admin can update user" do
+  # Eventually, admin will be able to update some user fields
+  test "admin cannot update user" do
     user = find_record :user
     changed_attribs = record_attributes_for :user_with_settings
-    user.expects(:attributes=).with(changed_attribs.stringify_keys)
-    user.expects(:changed?).returns(true)
-    user.expects(:save).returns(true)
-    user.stubs(:email_aliases).returns([])
 
     login :is_admin? => true
     put :update, :user => changed_attribs, :id => user.id, :format => :json
 
-    assert_equal user, assigns[:user]
-    assert_response 204
-    assert_equal " ", @response.body
+    assert_response :redirect
+    assert_access_denied
+
   end
 
   test "admin can destroy user" do