From 18bb57aa9986873c5a6c6e93cf8a59c1e6507d64 Mon Sep 17 00:00:00 2001
From: DocuSeal
Date: Sat, 7 Oct 2023 15:03:53 +0300
Subject: [PATCH] ensure user role is in the list

---
 app/controllers/users_controller.rb | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 7cb672ce..c84efe0c 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -27,7 +27,10 @@ class UsersController < ApplicationController
 def update
 return redirect_to settings_users_path, notice: 'Unable to update user.' if Docuseal.demo?
 
- if @user.update(user_params.compact_blank.except(current_user == @user ? :role : nil))
+ attrs = user_params.compact_blank
+ attrs.delete(:role) if User::ROLES.exclude?(attrs[:role])
+
+ if @user.update(attrs.except(current_user == @user ? :role : nil))
 redirect_to settings_users_path, notice: 'User has been updated'
 else
 render turbo_stream: turbo_stream.replace(:modal, template: 'users/edit'), status: :unprocessable_entity
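Review bot: The allow-list check on `role` is enforced only inside `update`, so any other path that assigns `role` from request parameters would still accept a value outside `User::ROLES`; the `create` action of this controller is not visible in the hunk, so whether it is covered cannot be confirmed from here. If the model does not already have one, a model-level backstop such as `validates :role, inclusion: { in: ROLES }` on `User` would cover every write path. A role outside the list is also discarded silently while the response still says 'User has been updated', so a one-line comment above the `attrs.delete(:role)` line, e.g. `# Ignore role values outside User::ROLES instead of persisting them`, would make the intent explicit. The membership test does not by itself decide whether the current user is allowed to grant the requested role; that presumably lives in authorization code outside this hunk and is worth confirming. The body of `update` continues past the last line shown.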