FIX: Suspend API to require `suspend_until` and `reason` params

These fields are required when using the UI and if `suspend_until` params isn't used the user never is actually suspended so we should require these fields when suspending a user.
2020-08-26 19:05:33 -06:00 · 2020-08-26 19:05:33 -06:00 · 02833e133c
parent 95179a5ab6
commit 02833e133c
2 changed files with 18 additions and 0 deletions
--- a/app/controllers/admin/users_controller.rb
+++ b/app/controllers/admin/users_controller.rb
@ -92,6 +92,8 @@ class Admin::UsersController < Admin::AdminController

  def suspend
    guardian.ensure_can_suspend!(@user)
+    params.require([:suspend_until, :reason])
+
    @user.suspended_till = params[:suspend_until]
    @user.suspended_at = DateTime.now

--- a/spec/requests/admin/users_controller_spec.rb
+++ b/spec/requests/admin/users_controller_spec.rb
@ -149,6 +149,22 @@ RSpec.describe Admin::UsersController do
      expect(log.details).to match(/because I said so/)
    end

+    it "requires suspend_until and reason" do
+      expect(user).not_to be_suspended
+      put "/admin/users/#{user.id}/suspend.json", params: {}
+      expect(response.status).to eq(400)
+      user.reload
+      expect(user).not_to be_suspended
+
+      expect(user).not_to be_suspended
+      put "/admin/users/#{user.id}/suspend.json", params: {
+        suspend_until: 5.hours.from_now
+      }
+      expect(response.status).to eq(400)
+      user.reload
+      expect(user).not_to be_suspended
+    end
+
    context "with an associated post" do
      it "can have an associated post" do
        put "/admin/users/#{user.id}/suspend.json", params: suspend_params