diff --git a/app/controllers/api/v1/users_controller.rb b/app/controllers/api/v1/users_controller.rb
index 6661d71a91..09c860e4ed 100644
--- a/app/controllers/api/v1/users_controller.rb
+++ b/app/controllers/api/v1/users_controller.rb
@@ -169,11 +169,7 @@ def create_user_params
 end
 def update_user_params
- @update_user_params ||= if external_auth?
- params.require(:user).permit(:password, :avatar, :language, :role_id, :invite_token)
- else
- params.require(:user).permit(:name, :password, :avatar, :language, :role_id, :invite_token)
- end
+ @update_user_params ||= params.require(:user).permit(permitted_params)
 end
 def change_password_params
@@ -198,6 +194,14 @@ def valid_domain?
 end
 false
 end
+
+ def permitted_params
+ is_admin = PermissionsChecker.new(current_user:, permission_names: 'ManageUsers', current_provider:).call
+
+ return %i[password avatar language role_id invite_token] if external_auth? && !is_admin
+
+ %i[name password avatar language role_id invite_token]
+ end
 end
 end
 end
diff --git a/app/javascript/components/users/user/forms/UpdateUserForm.jsx b/app/javascript/components/users/user/forms/UpdateUserForm.jsx
index 740f8d420f..d1db18bd43 100644
--- a/app/javascript/components/users/user/forms/UpdateUserForm.jsx
+++ b/app/javascript/components/users/user/forms/UpdateUserForm.jsx
@@ -70,7 +70,7 @@ export default function UpdateUserForm({ user }) {
 return (
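Review bot: `is_admin` in the new `permitted_params` holds the result of a `ManageUsers` permission check, not an admin-role test, so the name misstates what is being decided and the `is_` prefix is non-idiomatic; `can_manage_users = PermissionsChecker.new(current_user:, permission_names: 'ManageUsers', current_provider:).call` with `if external_auth? && !can_manage_users` reads as the rule actually enforced. Because the only other condition is `external_auth?`, a caller who holds ManageUsers and is themselves provider-backed can now change their own name, which the removed branch in `update_user_params` never allowed; if the intent is limited to managing other users' accounts, the guard should also exclude the self-update case (the target user is not visible in this hunk, so I cannot quote that condition). The method carries no explanation of why external accounts are treated differently; a why-comment above the early return such as `# Provider-backed accounts cannot rename themselves (presumably the name is owned by the identity provider); users with ManageUsers may still override it.` would keep the next maintainer from "fixing" it. Whether `permitted_params` lands under `private` is not visible here, and the enclosing class continues outside the hunk.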
- + {
@@ -102,6 +102,7 @@ UpdateUserForm.propTypes = {
 name: PropTypes.string.isRequired,
 email: PropTypes.string.isRequired,
 provider: PropTypes.string.isRequired,
+ external_account: PropTypes.bool.isRequired,
 role: PropTypes.shape({
 id: PropTypes.string.isRequired,
 name: PropTypes.string.isRequired,
diff --git a/app/serializers/current_user_serializer.rb b/app/serializers/current_user_serializer.rb
index c29c5c16e4..e3d3c59241 100644
--- a/app/serializers/current_user_serializer.rb
+++ b/app/serializers/current_user_serializer.rb
@@ -17,16 +17,12 @@
 # frozen_string_literal: true
 class CurrentUserSerializer < UserSerializer
- attributes :signed_in, :permissions, :status, :external_account, :super_admin
+ attributes :signed_in, :permissions, :status, :super_admin
 def signed_in
 true
 end
- def external_account
- object.external_id?
- end
-
 def permissions
 RolePermission.joins(:permission)
 .where(role_id: object.role_id)
diff --git a/app/serializers/user_serializer.rb b/app/serializers/user_serializer.rb
index ff2d2c7339..4fbeb92c8e 100644
--- a/app/serializers/user_serializer.rb
+++ b/app/serializers/user_serializer.rb
@@ -19,7 +19,7 @@ class UserSerializer < ApplicationSerializer
 include Avatarable
- attributes :id, :name, :email, :provider, :language, :avatar, :verified, :created_at
+ attributes :id, :name, :email, :provider, :language, :avatar, :verified, :created_at, :external_account
 belongs_to :role
@@ -27,6 +27,10 @@ def language
 object.language.tr('_', '-')
 end
+ def external_account
+ object.external_id?
+ end
+
 def avatar
 user_avatar(object)
 end
diff --git a/spec/controllers/users_controller_spec.rb b/spec/controllers/users_controller_spec.rb
index d24017fc3b..61d94a428f 100644
--- a/spec/controllers/users_controller_spec.rb
+++ b/spec/controllers/users_controller_spec.rb
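Review bot: Moving `:external_account` from `CurrentUserSerializer` into `UserSerializer` makes the flag part of every response that renders a user, not just the signed-in user's own payload, so whether any given account authenticates through an external provider is now visible to whoever can read user records (listings, lookups of other users); confirm that every endpoint using `UserSerializer` is meant to disclose this, and if only the update form needs it, a narrower serializer would limit the exposure. The same `attributes` change in `current_user_serializer.rb` is fine as a pure removal since `CurrentUserSerializer < UserSerializer` inherits the new attribute. The relocated `external_account` method has no documentation; a one-line comment such as `# True when the account is backed by an external identity (external_id present); the UI uses it to lock provider-owned fields.` states the contract, with the UI half hedged because that consumer is not visible in this hunk.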
@@ -463,6 +463,21 @@
 expect(user.role_id).to eq(updated_params[:role_id])
 end
+
+ it 'allows a user with ManageUser permissions to edit an external users name' do
+ sign_in_user(user_with_manage_users_permission)
+
+ external_user = create(:user, external_id: 'external-id')
+ updated_params = {
+ name: 'New External Name'
+ }
+
+ patch :update, params: { id: external_user.id, user: updated_params }
+
+ external_user.reload
+
+ expect(external_user.name).to eq(updated_params[:name])
+ end
 end
 describe '#destroy' do
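Review bot: The new example exercises only the permissive branch of `permitted_params`; the restrictive branch (an external account without ManageUsers must still be unable to change its own name) is not pinned anywhere in this hunk, so a regression that drops the `external_auth?` guard would pass unless an example elsewhere in the file covers it. A counterpart example that signs in the external user, patches `name`, reloads, and expects it unchanged closes that gap; it assumes the default factory role lacks ManageUsers, which should be confirmed against the factory. The description says `ManageUser` while the permission checked is `ManageUsers`; `it 'allows a user with ManageUsers permission to edit an external user\'s name' do` keeps the two in step. `sign_in_user` and `user_with_manage_users_permission` are defined outside this hunk, so I cannot confirm that the signed-in user is a local account, which is the scenario the title implies.

```ruby
it 'does not allow an external user without ManageUsers to change their own name' do
  external_user = create(:user, external_id: 'external-id')
  sign_in_user(external_user)

  patch :update, params: { id: external_user.id, user: { name: 'New External Name' } }

  expect(external_user.reload.name).not_to eq('New External Name')
end
```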