3 files changed, 59 insertions, 28 deletions
diff --git a/config/defaults.yml b/config/defaults.yml
index 4530d47..283f406 100644
--- a/config/defaults.yml
+++ b/config/defaults.yml
@@ -40,6 +40,10 @@ common: &common
   handle_blacklist: [certmaster, ssladmin, arin-admin, administrator, www-data, maildrop]
   # handles that will be allowed despite being in /etc/passwd or rfc2142
   handle_whitelist: []
+  # actions enabled in the account settings
+  # see /users/app/views/users/_edit.html.haml for a list.
+  user_actions: ['destroy_account']
+  admin_actions: ['change_pgp_key', 'change_service_level', 'destroy_account']
 
 service_levels: &service_levels
   service_levels:
diff --git a/users/app/views/users/_edit.html.haml b/users/app/views/users/_edit.html.haml
index b52da3d..1d2b68a 100644
--- a/users/app/views/users/_edit.html.haml
+++ b/users/app/views/users/_edit.html.haml
@@ -1,9 +1,14 @@
 -#
 -# edit user form, used by both show and edit actions.
 -#
-
-= render 'change_password'
-= render 'change_pgp_key'
-= render 'change_service_level'
-= render 'destroy_account'
-
+-# We render a bunch of forms here. Which we use depends upon config settings
+-# user_actions and admin_actions. They both include an array of actions 
+-# allowed to users and admins.
+-# Possible forms are:
+-#  'change_password'
+-#  'change_pgp_key'
+-#  'change_service_level'
+-#  'destroy_account'
+- actions = APP_CONFIG[admin? ? :admin_actions : :user_actions] || []
+- actions.each do |action|
+  = render action
diff --git a/users/test/integration/browser/account_test.rb b/users/test/integration/browser/account_test.rb
index 3d281ae..4cefe35 100644
--- a/users/test/integration/browser/account_test.rb
+++ b/users/test/integration/browser/account_test.rb
@@ -51,35 +51,57 @@ class AccountTest < BrowserIntegrationTest
     assert page.has_content?('has already been taken')
   end
 
-  test "change password" do
+  test "default user actions" do
     username, password = submit_signup
     click_on "Account Settings"
-    within('#update_login_and_password') do
-      fill_in 'Password', with: "other password"
-      fill_in 'Password confirmation', with: "other password"
-      click_on 'Save'
+    assert page.has_content? I18n.t('destroy_my_account')
+    assert page.has_no_css? '#update_login_and_password'
+    assert page.has_no_css? '#update_pgp_key'
+  end
+
+  test "default admin actions" do
+    username, password = submit_signup
+    with_config admins: [username] do
+      click_on "Account Settings"
+      assert page.has_content? I18n.t('destroy_my_account')
+      assert page.has_no_css? '#update_login_and_password'
+      assert page.has_css? '#update_pgp_key'
+    end
+  end
+
+  test "change password" do
+    with_config user_actions: ['change_password'] do
+      username, password = submit_signup
+      click_on "Account Settings"
+      within('#update_login_and_password') do
+        fill_in 'Password', with: "other password"
+        fill_in 'Password confirmation', with: "other password"
+        click_on 'Save'
+      end
+      click_on 'Logout'
+      attempt_login(username, "other password")
+      assert page.has_content?("Welcome #{username}")
+      User.find_by_login(username).account.destroy
     end
-    click_on 'Logout'
-    attempt_login(username, "other password")
-    assert page.has_content?("Welcome #{username}")
-    User.find_by_login(username).account.destroy
   end
 
   test "change pgp key" do
-    pgp_key = FactoryGirl.build :pgp_key
-    username, password = submit_signup
-    click_on "Account Settings"
-    within('#update_pgp_key') do
-      fill_in 'Public key', with: pgp_key
-      click_on 'Save'
+    with_config user_actions: ['change_pgp_key'] do
+      pgp_key = FactoryGirl.build :pgp_key
+      username, password = submit_signup
+      click_on "Account Settings"
+      within('#update_pgp_key') do
+        fill_in 'Public key', with: pgp_key
+        click_on 'Save'
+      end
+      page.assert_selector 'input[value="Saving..."]'
+      # at some point we're done:
+      page.assert_no_selector 'input[value="Saving..."]'
+      assert page.has_field? 'Public key', with: pgp_key.to_s
+      user = User.find_by_login(username)
+      assert_equal pgp_key, user.public_key
+      user.account.destroy
     end
-    page.assert_selector 'input[value="Saving..."]'
-    # at some point we're done:
-    page.assert_no_selector 'input[value="Saving..."]'
-    assert page.has_field? 'Public key', with: pgp_key.to_s
-    user = User.find_by_login(username)
-    assert_equal pgp_key, user.public_key
-    user.account.destroy
   end