prevent editing deactivated user

3 years ago · bb896c5034
3 changed files with 25 additions and 8 deletions
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@ -30,6 +30,10 @@ class UsersController < ApplicationController

  def show; end

+  def edit
+    redirect_to user_path(@user) unless @user.active?
+  end
+
  def update
    if @user.update(user_params)
      if @user == current_user
--- a/app/helpers/user_helper.rb
+++ b/app/helpers/user_helper.rb
@ -8,27 +8,27 @@ module UserHelper
  end

  def can_edit_names?(user, current_user)
-    current_user == user || current_user.data_coordinator? || current_user.support?
+    (current_user == user || current_user.data_coordinator? || current_user.support?) && user.active?
  end

  def can_edit_emails?(user, current_user)
-    current_user == user || current_user.data_coordinator? || current_user.support?
+    (current_user == user || current_user.data_coordinator? || current_user.support?) && user.active?
  end

  def can_edit_password?(user, current_user)
    current_user == user
  end

-  def can_edit_roles?(_user, current_user)
-    current_user.data_coordinator? || current_user.support?
+  def can_edit_roles?(user, current_user)
+    (current_user.data_coordinator? || current_user.support?) && user.active?
  end

-  def can_edit_dpo?(_user, current_user)
-    current_user.data_coordinator? || current_user.support?
+  def can_edit_dpo?(user, current_user)
+    (current_user.data_coordinator? || current_user.support?) && user.active?
  end

-  def can_edit_key_contact?(_user, current_user)
-    current_user.data_coordinator? || current_user.support?
+  def can_edit_key_contact?(user, current_user)
+    (current_user.data_coordinator? || current_user.support?) && user.active?
  end

  def can_edit_org?(current_user)
--- a/spec/requests/users_controller_spec.rb
+++ b/spec/requests/users_controller_spec.rb
@ -1258,6 +1258,19 @@ RSpec.describe UsersController, type: :request do
            expect(page).to have_field("user[is_key_contact]")
          end
        end
+
+        context "when trying to edit deactivated user" do
+          before do
+            other_user.update!(active: false)
+            get "/users/#{other_user.id}/edit", headers:, params: {}
+          end
+
+          it "redirects to user details page" do
+            expect(response).to redirect_to("/users/#{other_user.id}")
+            follow_redirect!
+            expect(page).not_to have_link("Change")
+          end
+        end
      end
    end