summaryrefslogtreecommitdiff
path: root/engines/support/test/functional
diff options
context:
space:
mode:
authorelijah <elijah@riseup.net>2014-06-03 01:12:17 -0700
committerelijah <elijah@riseup.net>2014-06-03 01:12:17 -0700
commit366ff2e7f5ecd44aab1cddfd0a7b73ab7b213e85 (patch)
tree90e0a5297565a84689760167c5891fde6c615d23 /engines/support/test/functional
parent9f04e4c8e50f1dc5a7ff6f2e58974254731a6bc4 (diff)
tickets: fix bug that allow index of other users
Diffstat (limited to 'engines/support/test/functional')
-rw-r--r--engines/support/test/functional/tickets_controller_test.rb15
1 files changed, 10 insertions, 5 deletions
diff --git a/engines/support/test/functional/tickets_controller_test.rb b/engines/support/test/functional/tickets_controller_test.rb
index 1d074cc..ebaa3a4 100644
--- a/engines/support/test/functional/tickets_controller_test.rb
+++ b/engines/support/test/functional/tickets_controller_test.rb
@@ -45,8 +45,7 @@ class TicketsControllerTest < ActionController::TestCase
user = find_record :user
ticket = find_record :ticket, :created_by => user.id
get :show, :id => ticket.id
- assert_response :redirect
- assert_redirected_to login_url
+ assert_login_required
end
test "user tickets are visible to creator" do
@@ -57,13 +56,19 @@ class TicketsControllerTest < ActionController::TestCase
assert_response :success
end
- test "other users tickets are not visible" do
+ test "ticket of other user is not visible" do
other_user = find_record :user
ticket = find_record :ticket, :created_by => other_user.id
login
get :show, :id => ticket.id
- assert_response :redirect
- assert_redirected_to home_url
+ assert_access_denied
+ end
+
+ test "ticket list of other user is not visible" do
+ other_user = find_record :user
+ login
+ get :index, :user_id => other_user.id
+ assert_access_denied
end
test "should create unauthenticated ticket" do