Don’t allow the current user to downgrade their own role

rubygems · Aug 2, 2024 · dfb390c · dfb390c
1 parent b7709ef
commit dfb390c
Show file tree

Hide file tree

Showing 4 changed files with 44 additions and 0 deletions.
diff --git a/app/controllers/api/v1/owners_controller.rb b/app/controllers/api/v1/owners_controller.rb
@@ -15,6 +15,7 @@ def show
   def update
     authorize @rubygem, :update_owner?
     ownership = @rubygem.ownerships.find_by!(user: User.find_by_name!(email_param))
+
     if ownership.present?
       ownership.update!(ownership_update_params)
       render plain: response_with_mfa_warning("Owner updated successfully.")

diff --git a/app/controllers/owners_controller.rb b/app/controllers/owners_controller.rb
@@ -33,6 +33,8 @@ def index
   end
 
   def edit
+    authorize @rubygem, :update_owner?
+    @ownership = @rubygem.ownerships_including_unconfirmed.find_by_owner_handle!(handle_params)
   end
 
   def create
@@ -51,6 +53,10 @@ def update
     authorize @rubygem, :update_owner?
     owner = User.find_by_name(handle_params)
     ownership = @rubygem.ownerships_including_unconfirmed.find_by_owner_handle!(handle_params)
+
+    # Don't allow the owner to change the access level of their own ownership
+    return redirect_to rubygem_owners_path(@rubygem.slug), alert: "You can't update your own access level" if ownership.user == current_user
+
     if ownership.update(update_params)
       redirect_to rubygem_owners_path(ownership.rubygem.slug), notice: t(".success_notice", handle: ownership.user.name)
     else

diff --git a/config/locales/en.yml b/config/locales/en.yml
@@ -530,6 +530,8 @@ en:
       title: Error - Verification Failed
       close_browser: Please close this browser and try again.
   owners:
+    edit:
+      title: Edit Owner
     confirm:
       confirmed_email: You were added as an owner to %{gem} gem
       token_expired: The confirmation token has expired. Please try resending the token from the gem page.

diff --git a/test/functional/owners_controller_test.rb b/test/functional/owners_controller_test.rb
@@ -345,6 +345,21 @@ class OwnersControllerTest < ActionController::TestCase
       end
     end
 
+    context "on GET edit ownership" do
+      setup do
+        @owner = create(:user)
+        @maintainer = create(:user)
+        @rubygem = create(:rubygem, owners: [@owner, @maintainer])
+
+        verified_sign_in_as(@owner)
+
+        get :edit, params: { rubygem_id: @rubygem.name, handle: @maintainer.display_id }
+      end
+
+      should respond_with :success
+      should render_template :edit
+    end
+
     context "on PATCH to update ownership" do
       setup do
         @owner = create(:user)
@@ -361,6 +376,26 @@ class OwnersControllerTest < ActionController::TestCase
 
         assert_equal success_flash, flash[:notice]
       end
+
+      should "downgrade the maintainer" do
+        owner = @rubygem.ownerships.find_by(user_id: @owner.id)
+        assert_equal Access::OWNER, owner.access_level
+      end
+
+      context "when updating the current user" do
+        setup do
+          patch :update, params: { rubygem_id: @rubygem.name, handle: @owner.display_id, access_level: Access::OWNER }
+        end
+
+        should "not update the ownership of the current user" do
+          owner = @rubygem.ownerships.find_by(user_id: @owner.id)
+          assert_equal Access::OWNER, owner.access_level
+        end
+
+        should "set notice flash message" do
+          assert_equal "You can't update your own access level.", flash[:notice]
+        end
+      end
     end
   end