From 19084c49481edc6dd1fa50c46888e3e5cdec717a Mon Sep 17 00:00:00 2001
From: Ali Hadi Mazeh
Date: Tue, 19 Nov 2024 15:42:23 -0500
Subject: [PATCH] admins can change an external user's name

---
 app/controllers/api/v1/users_controller.rb | 6 +++++-
 spec/controllers/users_controller_spec.rb | 15 +++++++++++++++
 2 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/app/controllers/api/v1/users_controller.rb b/app/controllers/api/v1/users_controller.rb
index 6661d71a91..b10d9e4125 100644
--- a/app/controllers/api/v1/users_controller.rb
+++ b/app/controllers/api/v1/users_controller.rb
@@ -169,7 +169,11 @@ def create_user_params
 end

 def update_user_params
- @update_user_params ||= if external_auth?
+ is_admin = PermissionsChecker.new(current_user:, permission_names: 'ManageUsers', current_provider:).call
+
+ @update_user_params ||= if external_auth? && is_admin
+ params.require(:user).permit(:name)
+ elsif external_auth?
 params.require(:user).permit(:password, :avatar, :language, :role_id, :invite_token)
 else
 params.require(:user).permit(:name, :password, :avatar, :language, :role_id, :invite_token)
diff --git a/spec/controllers/users_controller_spec.rb b/spec/controllers/users_controller_spec.rb
index d24017fc3b..61d94a428f 100644
--- a/spec/controllers/users_controller_spec.rb
+++ b/spec/controllers/users_controller_spec.rb
@@ -463,6 +463,21 @@

 expect(user.role_id).to eq(updated_params[:role_id])
 end
+
+ it 'allows a user with ManageUser permissions to edit an external users name' do
+ sign_in_user(user_with_manage_users_permission)
+
+ external_user = create(:user, external_id: 'external-id')
+ updated_params = {
+ name: 'New External Name'
+ }
+
+ patch :update, params: { id: external_user.id, user: updated_params }
+
+ external_user.reload
+
+ expect(external_user.name).to eq(updated_params[:name])
+ end
 end

 describe '#destroy' do
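Review bot: The new `external_auth? && is_admin` branch in `update_user_params` permits only `:name`, so a ManageUsers holder under external auth loses `:password`, `:avatar`, `:language`, `:role_id` and `:invite_token`, all of which the old external branch accepted. Strong parameters drop unpermitted keys without an error, so an admin's role change would likely return success while changing nothing. Unless that narrowing is intended, invert the test and drop the extra branch: `@update_user_params ||= if external_auth? && !is_admin`, which leaves the full `permit(:name, ...)` list as the `else` case for admins. The `PermissionsChecker` call also sits outside the `||=`, so it runs on every call of a memoized method and could move inside the memoized expression. The body of `update_user_params` ends outside the hunk.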
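Review bot: Nothing in the new example visibly enables external auth, so if `external_auth?` is false in the test environment the request takes the pre-existing `else` branch, which already permits `:name`, and the example passes without exercising the new code. Stub or configure whatever `external_auth?` reads (not visible in this hunk) inside the example so the new branch is the one under test. A companion example signed in without ManageUsers, ending in `expect(external_user.name).not_to eq(updated_params[:name])`, would pin the restriction that non-admins still cannot rename an external user. The enclosing `describe` block starts outside the hunk.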