admins can change an external user's name

alihadimazeh · Nov 19, 2024 · 19084c4 · 19084c4
1 parent 4be5646
commit 19084c4
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 1 deletion.
diff --git a/app/controllers/api/v1/users_controller.rb b/app/controllers/api/v1/users_controller.rb
@@ -169,7 +169,11 @@ def create_user_params
       end
 
       def update_user_params
-        @update_user_params ||= if external_auth?
+        is_admin = PermissionsChecker.new(current_user:, permission_names: 'ManageUsers', current_provider:).call
+
+        @update_user_params ||= if external_auth? && is_admin
+                                  params.require(:user).permit(:name)
+                                elsif external_auth?
                                   params.require(:user).permit(:password, :avatar, :language, :role_id, :invite_token)
                                 else
                                   params.require(:user).permit(:name, :password, :avatar, :language, :role_id, :invite_token)

diff --git a/spec/controllers/users_controller_spec.rb b/spec/controllers/users_controller_spec.rb
@@ -463,6 +463,21 @@
 
       expect(user.role_id).to eq(updated_params[:role_id])
     end
+
+    it 'allows a user with ManageUser permissions to edit an external users name' do
+      sign_in_user(user_with_manage_users_permission)
+
+      external_user = create(:user, external_id: 'external-id')
+      updated_params = {
+        name: 'New External Name'
+      }
+
+      patch :update, params: { id: external_user.id, user: updated_params }
+
+      external_user.reload
+
+      expect(external_user.name).to eq(updated_params[:name])
+    end
   end
 
   describe '#destroy' do