Admins should not be able to deactivate their own accounts

2025-03-15 19:31:26 +00:00 · 2016-03-03 13:47:09 +01:00 · 2016-03-03 13:47:09 +01:00 · c0c74113bf
commit c0c74113bf
parent 8508928943
3 changed files with 13 additions and 6 deletions
--- a/app/controllers/admin/users_controller.rb
+++ b/app/controllers/admin/users_controller.rb
@ -6,7 +6,7 @@ class Admin::UsersController < ApplicationController
  helper_method :resource

  def index
-    @users = User.reorder(:created_at).page(params[:page])
+    @users = User.reorder('created_at DESC').page(params[:page])

    respond_to do |format|
      format.html
--- a/app/views/admin/users/index.html.erb
+++ b/app/views/admin/users/index.html.erb
@ -29,12 +29,14 @@
              <td title='<%= user.created_at %>'><%= time_ago_in_words user.created_at %> ago</td>
              <td>
                <div class="btn-group btn-group-xs">
-                  <% if user.active? %>
-                    <%= link_to 'Deactivate', deactivate_admin_user_path(user), method: :put, class: "btn btn-default" %>
-                  <% else %>
-                    <%= link_to 'Activate', activate_admin_user_path(user), method: :put, class: "btn btn-default" %>
+                  <% if user != current_user %>
+                    <% if user.active? %>
+                      <%= link_to 'Deactivate', deactivate_admin_user_path(user), method: :put, class: "btn btn-default" %>
+                    <% else %>
+                      <%= link_to 'Activate', activate_admin_user_path(user), method: :put, class: "btn btn-default" %>
+                    <% end %>
+                    <%= link_to 'Delete', admin_user_path(user), method: :delete, data: { confirm: 'Are you sure? This can not be undone.' }, class: "btn btn-default" %>
                  <% end %>
-                  <%= link_to 'Delete', admin_user_path(user), method: :delete, data: { confirm: 'Are you sure? This can not be undone.' }, class: "btn btn-default" %>
                </div>
              </td>
            </tr>
--- a/spec/features/admin_users_spec.rb
+++ b/spec/features/admin_users_spec.rb
@ -80,6 +80,11 @@ describe Admin::UsersController do
    end

    context "(de)activating users" do
+      it "does not show deactivation buttons for the current user" do
+        visit admin_users_path
+        expect(page).not_to have_css("a[href='/admin/users/#{users(:jane).id}/deactivate']")
+      end
+
      it "deactivates an existing user" do
        visit admin_users_path
        expect(page).not_to have_text('inactive')