From 89a20ce8f4b8ac5c6555506e012928e3f2a3ee74 Mon Sep 17 00:00:00 2001
From: kellynvd
Date: Thu, 9 Jan 2020 19:20:02 -0300
Subject: [PATCH] Fix user update when current user loses admin privileges
---
 app/controllers/ngo_area/users_controller.rb | 10 ++++--
 .../ngo_area/users_controller_spec.rb | 35 ++++++++++++++-----
 2 files changed, 34 insertions(+), 11 deletions(-)
diff --git a/app/controllers/ngo_area/users_controller.rb b/app/controllers/ngo_area/users_controller.rb
index e3a3038b..bd54b4de 100644
--- a/app/controllers/ngo_area/users_controller.rb
+++ b/app/controllers/ngo_area/users_controller.rb
@@ -23,9 +23,13 @@ def edit
 def update
 @user = User.find(params[:id])
- @user.update params_user
+ @user.update(params_user)
- redirect_to ngo_area_users_path
+ if current_user == @user && !@user.admin?
+ redirect_to home_index_path
+ else
+ redirect_to ngo_area_users_path
+ end
 end
 private
@@ -37,4 +41,4 @@ def params_user
 def check_admin_privileges
 head :not_found unless current_user.admin?
 end
-end
\ No newline at end of file
+end
diff --git a/spec/controllers/ngo_area/users_controller_spec.rb b/spec/controllers/ngo_area/users_controller_spec.rb
index 66840e8b..51d30b1f 100644
--- a/spec/controllers/ngo_area/users_controller_spec.rb
+++ b/spec/controllers/ngo_area/users_controller_spec.rb
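Review bot: The return value of `@user.update(params_user)` is still ignored, so a failed validation redirects exactly as a successful save would; and `@user.admin?` in the new condition reads the in-memory attribute, which after a failed save still holds the attempted value, so an admin whose demotion did not persist would be sent to home_index_path while check_admin_privileges (presumably a before_action declared outside the hunk) still admits them. Branch on the result of update and re-render :edit on failure so the redirect only ever reflects persisted state. Separately, nothing prevents the last remaining admin from removing their own privileges, which would lock every user out of the NGO area; whether params_user permits the admin attribute is outside the hunk, but the new branch only makes sense if it does, so a guard there is worth considering. The body of update is complete within the hunk.
```ruby
  def update
    @user = User.find(params[:id])

    if @user.update(params_user)
      # Only persisted state decides where the caller is sent; an admin who
      # just demoted themself can no longer pass check_admin_privileges.
      if current_user == @user && !@user.admin?
        redirect_to home_index_path
      else
        redirect_to ngo_area_users_path
      end
    else
      render :edit
    end
  end
```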
@@ -62,17 +62,36 @@
 end
 end
- describe 'GET #update' do
- before do
- get :update, params: { id: subject.id, user: attributes_for(:user) }
- end
+ describe 'PATCH #update' do
+ context 'when current user updates another user' do
+ before do
+ patch :update, params: { id: subject.id, user: attributes_for(:user) }
+ end
- it 'returns 302 code status' do
- expect(response).to have_http_status(:found)
+ it 'returns 302 code status' do
+ expect(response).to have_http_status(:found)
+ end
+
+ it 'redirects to index' do
+ expect(response).to redirect_to(action: :index)
+ end
 end
- it 'redirects to index' do
- expect(response).to redirect_to(action: :index)
+ context 'when current user loses admin privileges' do
+ before do
+ admin = create(:user, :admin_privileges)
+ allow(controller).to receive(:current_user) { admin }
+
+ patch :update, params: { id: admin.id, user: attributes_for(:user) }
+ end
+
+ it 'returns 302 code status' do
+ expect(response).to have_http_status(:found)
+ end
+
+ it 'redirects to Home' do
+ expect(response).to redirect_to(home_index_path)
+ end
 end
 end
 end
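Review bot: Neither new context asserts that the update was persisted, so `redirects to Home` passes whenever the controller reads an in-memory `admin?`, including when the save itself fails; add `expect(admin.reload.admin?).to be(false)` to the 'loses admin privileges' context. That context also relies on `attributes_for(:user)` defaulting to a non-admin, which the spec never states; passing `user: attributes_for(:user, admin: false)` would make the intent visible, assuming the factory exposes that attribute. The outer describe block and the `before` that sets current_user for the first context begin before the hunk.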