From c0608b6f5073d87e6d3be00577e7e324e0847027 Mon Sep 17 00:00:00 2001
From: Sebastian Serth
Date: Wed, 19 Dec 2018 00:58:04 +0100
Subject: [PATCH] Don't set admin privileges through LTI
---
 app/controllers/concerns/lti.rb | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/app/controllers/concerns/lti.rb b/app/controllers/concerns/lti.rb
index 2e193167..a2374c70 100644
--- a/app/controllers/concerns/lti.rb
+++ b/app/controllers/concerns/lti.rb
@@ -58,7 +58,8 @@ module Lti
 provider.roles.each do |role|
 case role.downcase!
 when 'administrator'
- result = 'admin'
+ # We don't want anyone to get admin privileges through LTI
+ result = 'teacher' if result == 'learner'
 when 'instructor'
 result = 'teacher' if result == 'learner'
 else # 'learner'
@@ -145,7 +146,11 @@ module Lti
 def set_current_user
 @current_user = ExternalUser.find_or_create_by(consumer_id: @consumer.id, external_id: @provider.user_id)
- @current_user.update(email: external_user_email(@provider), name: external_user_name(@provider), role: external_user_role(@provider))
+ external_role = external_user_role(@provider)
+ internal_role = @current_user.role
+ internal_role != 'admin' ? desired_role = external_role : desired_role = internal_role
+ # Update user with new information but change the role only if he is no admin user
+ @current_user.update(email: external_user_email(@provider), name: external_user_name(@provider), role: desired_role)
 end
 private :set_current_user
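Review bot: The new `'administrator'` arm now has exactly the same body as the `'instructor'` arm below it, so the two can be merged into one arm that keeps the rationale in a single place: `when 'administrator', 'instructor'`, then the existing `# We don't want anyone to get admin privileges through LTI` comment, then `result = 'teacher' if result == 'learner'`. Merging also makes it obvious to the next reader that an LTI administrator is deliberately capped at teacher rather than being an accidentally duplicated branch. Separately, the context line `case role.downcase!` relies on `String#downcase!`, which returns `nil` when the string was already lowercase, so a role value sent as `administrator` or `instructor` in lowercase falls through to the `else` arm instead of the intended one; the non-mutating `case role.downcase` would match in both spellings. The enclosing method begins outside the hunk, so the initial value of `result` (presumably `'learner'`) is not visible here.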