enforce the security of admin user creation

controllers/users_controller.rb

@@ -81,6 +81,7 @@ class UsersController < ApplicationController
     # Update an existing submission of an user
     patch '/:username' do
       user = User.find(params[:username]).include(User.attributes).first
+      params.delete("role") unless current_user.admin?
       populate_from_params(user, params)
       if user.valid?
         user.save
@@ -109,6 +110,7 @@ def create_user
       params ||= @params
       user = User.find(params["username"]).first
       error 409, "User with username `#{params["username"]}` already exists" unless user.nil?
+      params.delete("role") unless current_user.admin?
       user = instance_from_params(User, params)
       if user.valid?
         user.save

test/controllers/test_users_controller.rb

@@ -23,13 +23,13 @@ def self._delete_users
 
   def test_admin_creation
     existent_user = @@users.first #no admin
+
     refute _create_admin_user(apikey: existent_user.apikey), "A no admin user can't create an admin user or update it to an admin"
-    delete "/users/#{@@username}"
 
     existent_user = self.class.make_admin(existent_user)
     assert _create_admin_user(apikey: existent_user.apikey), "Admin can create an admin user or update it to be an admin"
-    delete "/users/#{@@username}"
     self.class.reset_to_not_admin(existent_user)
+    delete "/users/#{@@username}"
   end
 
   def test_all_users
@@ -115,6 +115,7 @@ def test_authentication
   private
   def _create_admin_user(apikey: nil)
     user = {email: "#{@@username}@example.org", password: "pass_the_word", role: ['ADMINISTRATOR']}
+    LinkedData::Models::User.find(@@username).first&.delete
 
     put "/users/#{@@username}", MultiJson.dump(user), "CONTENT_TYPE" => "application/json", "Authorization" => "apikey token=#{apikey}"
     assert last_response.status == 201