forked from fixin.me/fixin.me
Prevent sole admin from deleting their account
Without this guard, the last admin in the system could delete their own account, making the application unmanageable. This adds a model method `User#sole_admin?`, a controller guard in `RegistrationsController#destroy`, and disables the delete button in the profile edit view when the current user is the only remaining admin. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
18
test/controllers/registrations_controller_test.rb
Normal file
18
test/controllers/registrations_controller_test.rb
Normal file
@@ -0,0 +1,18 @@
|
||||
require "test_helper"
|
||||
|
||||
class RegistrationsControllerTest < ActionDispatch::IntegrationTest
|
||||
test "sole admin cannot delete account" do
|
||||
sign_in users(:admin)
|
||||
delete user_registration_path
|
||||
assert_redirected_to edit_user_registration_path
|
||||
assert_equal t("registrations.destroy.sole_admin"), flash[:alert]
|
||||
assert User.exists?(users(:admin).id)
|
||||
end
|
||||
|
||||
test "non-admin can delete account" do
|
||||
sign_in users(:alice)
|
||||
assert_difference ->{ User.count }, -1 do
|
||||
delete user_registration_path
|
||||
end
|
||||
end
|
||||
end
|
||||
Reference in New Issue
Block a user