diff options
author | elijah <elijah@riseup.net> | 2014-06-03 01:12:17 -0700 |
---|---|---|
committer | elijah <elijah@riseup.net> | 2014-06-03 01:12:17 -0700 |
commit | 366ff2e7f5ecd44aab1cddfd0a7b73ab7b213e85 (patch) | |
tree | 90e0a5297565a84689760167c5891fde6c615d23 /engines/support/test/functional | |
parent | 9f04e4c8e50f1dc5a7ff6f2e58974254731a6bc4 (diff) |
tickets: fix bug that allow index of other users
Diffstat (limited to 'engines/support/test/functional')
-rw-r--r-- | engines/support/test/functional/tickets_controller_test.rb | 15 |
1 files changed, 10 insertions, 5 deletions
diff --git a/engines/support/test/functional/tickets_controller_test.rb b/engines/support/test/functional/tickets_controller_test.rb index 1d074cc..ebaa3a4 100644 --- a/engines/support/test/functional/tickets_controller_test.rb +++ b/engines/support/test/functional/tickets_controller_test.rb @@ -45,8 +45,7 @@ class TicketsControllerTest < ActionController::TestCase user = find_record :user ticket = find_record :ticket, :created_by => user.id get :show, :id => ticket.id - assert_response :redirect - assert_redirected_to login_url + assert_login_required end test "user tickets are visible to creator" do @@ -57,13 +56,19 @@ class TicketsControllerTest < ActionController::TestCase assert_response :success end - test "other users tickets are not visible" do + test "ticket of other user is not visible" do other_user = find_record :user ticket = find_record :ticket, :created_by => other_user.id login get :show, :id => ticket.id - assert_response :redirect - assert_redirected_to home_url + assert_access_denied + end + + test "ticket list of other user is not visible" do + other_user = find_record :user + login + get :index, :user_id => other_user.id + assert_access_denied end test "should create unauthenticated ticket" do |