Extract updating the user role from params

app/controllers/internal_users_controller.rb

@@ -32,6 +32,7 @@ class InternalUsersController < ApplicationController
 
   def create
     @user = InternalUser.new(internal_user_params)
+    @user.role = role_param if current_user.admin?
     authorize!
     @user.send(:setup_activation)
     create_and_respond(object: @user) do
@@ -72,10 +73,15 @@ class InternalUsersController < ApplicationController
   end
 
   def internal_user_params
-    params[:internal_user].permit(:consumer_id, :email, :name, :role) if params[:internal_user].present?
+    params.require(:internal_user).permit(:consumer_id, :email, :name)
   end
   private :internal_user_params
 
+  def role_param
+    params.require(:internal_user).permit(:role)[:role]
+  end
+  private :role_param
+
   def new
     @user = InternalUser.new
     authorize!
@@ -133,6 +139,7 @@ class InternalUsersController < ApplicationController
     # the form by another user. Otherwise, the update might fail if an
     # activation_token or password_reset_token is present
     @user.validate_password = current_user == @user
+    @user.role = role_param if current_user.admin?
 
     update_and_respond(object: @user, params: internal_user_params)
   end

spec/controllers/internal_users_controller_spec.rb

@@ -135,7 +135,7 @@ describe InternalUsersController do
     end
 
     context 'with an invalid internal user' do
-      before { post :create, params: {internal_user: {}} }
+      before { post :create, params: {internal_user: {invalid_attribute: 'a string'}} }
 
       expect_assigns(user: InternalUser)
       expect_http_status(:ok)