Removed ability for non-admin to make themselves admin

When non-admins are changing their role, instead of posting one of the role ids available on the page, they can post the role id of admin role - this assigns them an admin role. Added a check not to allow non-admins to assign admin roles.
adamtao · Oct 11, 2013 · 577e043 · 577e043
1 parent 9bdca41
commit 577e043
Showing 1 changed file with 7 additions and 2 deletions.
diff --git a/app/controllers/registrations_controller.rb b/app/controllers/registrations_controller.rb
@@ -11,8 +11,13 @@ def new
 
   def update_plan
     @user = current_user
-    role = Role.find(params[:user][:role_ids]) unless params[:user][:role_ids].nil?
-    if @user.update_plan(role)
+
+    role_id = params[:user][:role_ids] unless params[:user].nil? || params[:user][:role_ids].nil?
+    role = Role.find_by_id role_id unless role_id.nil?
+
+    authorized = !role.nil? && (role.name != 'admin' || current_user.roles.first.name == 'admin')
+
+    if authorized && @user.update_plan(role)
       redirect_to edit_user_registration_path, :notice => 'Updated plan.'
     else
       flash.alert = 'Unable to update plan.'