From a9aab612b6590c268fdb21e4b0d0eabcfbace24f Mon Sep 17 00:00:00 2001
From: Sebastian Serth <Sebastian.Serth@hpi.de>
Date: Thu, 18 Aug 2022 21:26:48 +0200
Subject: [PATCH] Extract updating the user role from params

---
 app/controllers/internal_users_controller.rb       | 9 ++++++++-
 spec/controllers/internal_users_controller_spec.rb | 2 +-
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/app/controllers/internal_users_controller.rb b/app/controllers/internal_users_controller.rb
index 27bcf79d..94e556dc 100644
--- a/app/controllers/internal_users_controller.rb
+++ b/app/controllers/internal_users_controller.rb
@@ -32,6 +32,7 @@ class InternalUsersController < ApplicationController
 
   def create
     @user = InternalUser.new(internal_user_params)
+    @user.role = role_param if current_user.admin?
     authorize!
     @user.send(:setup_activation)
     create_and_respond(object: @user) do
@@ -72,10 +73,15 @@ class InternalUsersController < ApplicationController
   end
 
   def internal_user_params
-    params[:internal_user].permit(:consumer_id, :email, :name, :role) if params[:internal_user].present?
+    params.require(:internal_user).permit(:consumer_id, :email, :name)
   end
   private :internal_user_params
 
+  def role_param
+    params.require(:internal_user).permit(:role)[:role]
+  end
+  private :role_param
+
   def new
     @user = InternalUser.new
     authorize!
@@ -133,6 +139,7 @@ class InternalUsersController < ApplicationController
     # the form by another user. Otherwise, the update might fail if an
     # activation_token or password_reset_token is present
     @user.validate_password = current_user == @user
+    @user.role = role_param if current_user.admin?
 
     update_and_respond(object: @user, params: internal_user_params)
   end
diff --git a/spec/controllers/internal_users_controller_spec.rb b/spec/controllers/internal_users_controller_spec.rb
index cde7e530..27122894 100644
--- a/spec/controllers/internal_users_controller_spec.rb
+++ b/spec/controllers/internal_users_controller_spec.rb
@@ -135,7 +135,7 @@ describe InternalUsersController do
     end
 
     context 'with an invalid internal user' do
-      before { post :create, params: {internal_user: {}} }
+      before { post :create, params: {internal_user: {invalid_attribute: 'a string'}} }
 
       expect_assigns(user: InternalUser)
       expect_http_status(:ok)