authorNavaL <ayoyo@thoughtworks.com>2016-07-14 15:06:20 +0200
committerNavaL <ayoyo@thoughtworks.com>2016-07-14 15:45:09 +0200
commitab1917c5fe0f03e7719863a5598ad575d9fef302 (patch)
tree1aba29d7cfa25489d7f53528e022ff14ecb24961
parente3c2cb91dfef5c39c608b967e702e9de977d1bd2 (diff)
[feature] restrict is_admin in the user api, to only allow querying
for him/herself, so that we do not expose the is_admin property to anyone else, including other admins.
-rw-r--r--app/controllers/api/users_controller.rb10
-rw-r--r--app/models/user.rb7
-rw-r--r--test/functional/api/users_controller_test.rb12
-rw-r--r--test/integration/api/signup_test.rb2
-rw-r--r--test/unit/user_test.rb13
5 files changed, 31 insertions, 13 deletions
diff --git a/app/controllers/api/users_controller.rb b/app/controllers/api/users_controller.rb
index c79a729..709e076 100644
--- a/app/controllers/api/users_controller.rb
+++ b/app/controllers/api/users_controller.rb
@@ -28,12 +28,20 @@ module Api
@user = User.find(params[:id])
end
if @user
- respond_with @user
+ respond_with user_response
else
not_found
end
end
+ def user_response
+ @user.to_hash.tap do |user_hash|
+ if @user == current_user
+ user_hash['is_admin'] = @user.is_admin?
+ end
+ end
+ end
+
def create
if current_user.is_monitor?
create_test_account
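Review bot: `user_response` is added as a public method of the controller, which makes it callable as an action under any route that maps a free `:action` segment; it is only a helper for `show`, so it belongs under `private` (add `private` before `def user_response`, or move it into the controller's existing private section if it has one outside this hunk). A smaller consistency point in the same helper: the new key is written as the string `'is_admin'` while `to_hash` uses symbol keys, so a Ruby caller reading `hash[:is_admin]` gets nil even though the JSON output is identical; `user_hash[:is_admin] = @user.is_admin?` keeps the hash uniform. The `@user == current_user` comparison appears to rely on the model's equality semantics for two separately loaded documents, and on `current_user` being non-nil at this point — both presumably guaranteed by the authentication filter, but worth confirming. The enclosing `show` action starts before this hunk.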
diff --git a/app/models/user.rb b/app/models/user.rb
index 6541305..93830cc 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -74,13 +74,16 @@ class User < CouchRest::Model::Base
end
def to_json(options={})
+ to_hash.to_json(options)
+ end
+
+ def to_hash()
{
:login => self.login,
:ok => self.valid?,
:id => self.id,
:enabled => self.enabled?,
- :is_admin => self.is_admin?
- }.to_json(options)
+ }
end
def salt
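Review bot: `to_hash` is Ruby's implicit hash-conversion hook (consulted by `Hash#merge`, `Hash()` and `**` splats), and CouchRest documents are hash-backed, so defining a `User#to_hash` that returns only four public fields risks being picked up by code that expects the full attribute hash — in particular, if the CouchRest version in use routes document serialization through `to_hash` when saving, this would silently persist a truncated user record; please confirm that saving a `User` after this change still writes all of its properties. A name that is not an implicit-conversion method, such as `to_public_hash`, avoids that hazard entirely, with the controller and tests following the rename. Style-wise, `def to_hash()` should drop the empty parentheses per the Ruby style guide. The `salt` method that begins on the last context line continues outside this hunk.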
diff --git a/test/functional/api/users_controller_test.rb b/test/functional/api/users_controller_test.rb
index 32afd0a..b69770d 100644
--- a/test/functional/api/users_controller_test.rb
+++ b/test/functional/api/users_controller_test.rb
@@ -86,14 +86,22 @@ class Api::UsersControllerTest < ApiControllerTest
login :is_admin? => true
api_get :show, :id => 0, :login => user.login, :format => :json
assert_response :success
- assert_json_response user
+ assert_json_response user.to_hash
api_get :show, :id => user.id, :format => :json
assert_response :success
- assert_json_response user
+ assert_json_response user.to_hash
api_get :show, :id => "0", :format => :json
assert_response :not_found
end
+ test "admin can show is_admin property" do
+ user = FactoryGirl.create :user, login: "admin2"
+ login user
+ api_get :show, :id => user.id, :format => :json
+ assert_response :success
+ assert_json_response user.to_hash.merge(:is_admin => true)
+ end
+
test "normal users cannot show user" do
user = find_record :user
login
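Review bot: The new test covers only the admin-on-self case, so nothing asserts that an ordinary user sees `is_admin: false` on their own record while still not seeing it on anyone else's — the `false` branch of the feature is untested, and the test's name ("admin can show is_admin property") also understates the rule, which is that every user sees the property for themselves only. The test additionally appears to rely on the login `admin2` being listed as an admin in the test configuration, which is invisible here and worth a comment. I would add a sibling test for the non-admin self view; the test "normal users cannot show user" starting on the last line of this hunk continues outside it.
```ruby
test "normal user can see own is_admin property as false" do
  user = FactoryGirl.create :user
  login user
  api_get :show, :id => user.id, :format => :json
  assert_response :success
  assert_json_response user.to_hash.merge(:is_admin => false)
end
```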
diff --git a/test/integration/api/signup_test.rb b/test/integration/api/signup_test.rb
index 2e515c1..dc24420 100644
--- a/test/integration/api/signup_test.rb
+++ b/test/integration/api/signup_test.rb
@@ -8,7 +8,7 @@ class SignupTest < SrpTest
end
test "signup response" do
- assert_json_response :login => @login, :ok => true, :is_admin => false, :id => @user.id, :enabled => true
+ assert_json_response :login => @login, :ok => true, :id => @user.id, :enabled => true
assert last_response.successful?
end
diff --git a/test/unit/user_test.rb b/test/unit/user_test.rb
index 55d0648..02e94df 100644
--- a/test/unit/user_test.rb
+++ b/test/unit/user_test.rb
@@ -71,13 +71,12 @@ class UserTest < ActiveSupport::TestCase
assert_equal key, @user.public_key
end
- test "user to json includes id, login, valid, is_admin and enabled" do
- json_content = JSON.parse @user.to_json
- assert_equal @user.id, json_content["id"]
- assert_equal @user.valid?, json_content["ok"]
- assert_equal @user.login, json_content["login"]
- assert_equal @user.enabled?, json_content["enabled"]
- assert_equal @user.is_admin?, json_content["is_admin"]
+ test "user to hash includes id, login, valid and enabled" do
+ hash = @user.to_hash
+ assert_equal @user.id, hash[:id]
+ assert_equal @user.valid?, hash[:ok]
+ assert_equal @user.login, hash[:login]
+ assert_equal @user.enabled?, hash[:enabled]
end
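Review bot: The rewritten unit test no longer guards the property this commit exists to hide: it checks that four keys are present but nothing asserts that `:is_admin` is absent from `to_hash`, so re-adding it to the hash later would pass this suite unnoticed. Pinning the exact key set turns the test into a regression guard, e.g. `assert_equal [:enabled, :id, :login, :ok], hash.keys.sort`, or at minimum `refute hash.key?(:is_admin)` with a message noting that is_admin is only exposed to the user themselves by the controller.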