author | elijah <elijah@riseup.net> | 2014-06-03 01:12:17 -0700 |
---|---|---|
committer | elijah <elijah@riseup.net> | 2014-06-03 01:12:17 -0700 |
commit | 366ff2e7f5ecd44aab1cddfd0a7b73ab7b213e85 (patch) | |
tree | 90e0a5297565a84689760167c5891fde6c615d23 /engines/support/test | |
parent | 9f04e4c8e50f1dc5a7ff6f2e58974254731a6bc4 (diff) |
tickets: fix bug that allow index of other users
Diffstat (limited to 'engines/support/test')
-rw-r--r-- | engines/support/test/functional/tickets_controller_test.rb | 15 |
1 files changed, 10 insertions, 5 deletions
diff --git a/engines/support/test/functional/tickets_controller_test.rb b/engines/support/test/functional/tickets_controller_test.rb
index 1d074cc..ebaa3a4 100644
--- a/engines/support/test/functional/tickets_controller_test.rb
+++ b/engines/support/test/functional/tickets_controller_test.rb
@@ -45,8 +45,7 @@ class TicketsControllerTest < ActionController::TestCase
 user = find_record :user
 ticket = find_record :ticket, :created_by => user.id
 get :show, :id => ticket.id
- assert_response :redirect
- assert_redirected_to login_url
+ assert_login_required
 end
 test "user tickets are visible to creator" do
@@ -57,13 +56,19 @@ class TicketsControllerTest < ActionController::TestCase
 assert_response :success
 end
- test "other users tickets are not visible" do
+ test "ticket of other user is not visible" do
 other_user = find_record :user
 ticket = find_record :ticket, :created_by => other_user.id
 login
 get :show, :id => ticket.id
- assert_response :redirect
- assert_redirected_to home_url
+ assert_access_denied
+ end
+
+ test "ticket list of other user is not visible" do
+ other_user = find_record :user
+ login
+ get :index, :user_id => other_user.id
+ assert_access_denied
 end
 test "should create unauthenticated ticket" do |
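Review bot: The new test "ticket list of other user is not visible" in the second hunk covers only a logged-in non-owner, so an unauthenticated request to `:index` with a foreign `:user_id` is never exercised. The same file already checks the anonymous case for `:show` in the first hunk, and a sibling test for `:index` would keep the two actions symmetric; the expected outcome of `assert_login_required` is assumed from the `:show` test and should be confirmed against the controller, which is outside this test-only view of the commit. Both "not visible" tests also depend on the bare `login` call yielding a user different from `other_user`, which is not visible here; if the two can be the same record, the tests would pass or fail for the wrong reason, so a short comment stating that assumption would help. The enclosing class starts and ends outside the hunks.

```ruby
# ... unchanged: test "ticket list of other user is not visible" ...

test "ticket list of other user requires login" do
  other_user = find_record :user
  # no login: an anonymous caller must not reach the index at all
  get :index, :user_id => other_user.id
  assert_login_required
end
```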