From f7c19ec9d0e8d5fa038e11c477105983749f246f Mon Sep 17 00:00:00 2001
From: Syphax bouazzouni
Date: Tue, 28 Nov 2023 05:02:20 +0100
Subject: [PATCH] enforce the security of admin user creation
---
 controllers/users_controller.rb | 2 ++
 test/controllers/test_users_controller.rb | 5 +++--
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/controllers/users_controller.rb b/controllers/users_controller.rb
index 09a1835b..d647c9dc 100644
--- a/controllers/users_controller.rb
+++ b/controllers/users_controller.rb
@@ -80,6 +80,7 @@ class UsersController < ApplicationController
 # Update an existing submission of an user
 patch '/:username' do
 user = User.find(params[:username]).include(User.attributes).first
+ params.delete("role") unless current_user.admin?
 populate_from_params(user, params)
 if user.valid?
 user.save
@@ -102,6 +103,7 @@ def create_user
 params ||= @params
 user = User.find(params["username"]).first
 error 409, "User with username `#{params["username"]}` already exists" unless user.nil?
+ params.delete("role") unless current_user.admin?
 user = instance_from_params(User, params)
 if user.valid?
 user.save(send_notifications: false)
diff --git a/test/controllers/test_users_controller.rb b/test/controllers/test_users_controller.rb
index 1e52bd55..a165a5d7 100644
--- a/test/controllers/test_users_controller.rb
+++ b/test/controllers/test_users_controller.rb
@@ -23,13 +23,13 @@ def self._delete_users
 def test_admin_creation
 existent_user = @@users.first #no admin
+ refute _create_admin_user(apikey: existent_user.apikey), "A no admin user can't create an admin user or update it to an admin"
- delete "/users/#{@@username}"
 existent_user = self.class.make_admin(existent_user)
 assert _create_admin_user(apikey: existent_user.apikey), "Admin can create an admin user or update it to be an admin"
- delete "/users/#{@@username}"
 self.class.reset_to_not_admin(existent_user)
+ delete "/users/#{@@username}"
 end
 def test_all_users
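Review bot: The new `params.delete("role") unless current_user.admin?` in the `patch '/:username'` route silently strips the field and then answers the request as a success, so a non-admin caller who tried to set `role` gets no indication that the change was refused and nothing distinguishes the attempt in logs; rejecting it explicitly, e.g. `error 403, "Only administrators can set role" if params.key?("role") && !current_user.admin?`, makes the refusal visible to the caller and auditable on the server. The identical line is added in the `create_user` hunk below, so a small shared helper (for instance `reject_role_change!(params)`) would keep both code paths in step when the policy is next adjusted. If either path can be reached without an authenticated user, `current_user` would be nil and `admin?` would raise; `current_user&.admin?` (dropping the field) guards that, though whether such a path exists is not visible in this diff. The bodies of both the `patch` route and `create_user` continue past their hunks.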
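Review bot: Moving `delete "/users/#{@@username}"` to the last line of `test_admin_creation` means that any failing `refute`/`assert` before it leaves the user behind for later tests, because nothing ensures the delete runs; placing the delete in a `teardown` (or wrapping the body in `begin … ensure`) keeps the cleanup unconditional. The new `refute` also relies on `_create_admin_user` returning false for a non-admin rather than raising, which holds only while the controller strips `role` and still answers 201; if the controller ever rejects the request with 403, the helper's `assert last_response.status == 201` turns this test into an error instead of a failure, so the helper should probably return false on a non-201 status rather than assert it. `test_admin_creation` fits within the hunk; `_create_admin_user` is defined in the later `@@ -151` hunk of the same file.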
@@ -151,6 +151,7 @@ def test_oauth_authentication private def _create_admin_user(apikey: nil) user = {email: "#{@@username}@example.org", password: "pass_the_word", role: ['ADMINISTRATOR']} + LinkedData::Models::User.find(@@username).first&.delete put "/users/#{@@username}", MultiJson.dump(user), "CONTENT_TYPE" => "application/json", "Authorization" => "apikey token=#{apikey}" assert last_response.status == 201
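Review bot: The added `LinkedData::Models::User.find(@@username).first&.delete` does test setup inside a helper whose name promises only the creation request, and it reaches past the HTTP API into the model layer; a one-line comment such as `# drop any leftover user so the PUT below exercises creation (201), not an update` would record why it is there, and moving it into `setup`/`teardown` would keep the helper single-purpose and make the cleanup independent of which test calls it first. `_create_admin_user` continues past the end of the hunk, so the value it returns (what `test_admin_creation` asserts on) is not visible here.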