authorNavaL <ayoyo@thoughtworks.com>2016-07-14 15:06:20 +0200
committerNavaL <ayoyo@thoughtworks.com>2016-07-14 15:45:09 +0200
commitab1917c5fe0f03e7719863a5598ad575d9fef302 (patch)
tree1aba29d7cfa25489d7f53528e022ff14ecb24961 /test/functional/api
parente3c2cb91dfef5c39c608b967e702e9de977d1bd2 (diff)
[feature] restrict is_admin in the user api, to only allow querying
for him/herself, so that we do not expose the is_admin property to anyone else, including other admins.
Diffstat (limited to 'test/functional/api')
-rw-r--r--test/functional/api/users_controller_test.rb12
1 files changed, 10 insertions, 2 deletions
diff --git a/test/functional/api/users_controller_test.rb b/test/functional/api/users_controller_test.rb
index 32afd0a..b69770d 100644
--- a/test/functional/api/users_controller_test.rb
+++ b/test/functional/api/users_controller_test.rb
@@ -86,14 +86,22 @@ class Api::UsersControllerTest < ApiControllerTest
login :is_admin? => true
api_get :show, :id => 0, :login => user.login, :format => :json
assert_response :success
- assert_json_response user
+ assert_json_response user.to_hash
api_get :show, :id => user.id, :format => :json
assert_response :success
- assert_json_response user
+ assert_json_response user.to_hash
api_get :show, :id => "0", :format => :json
assert_response :not_found
end
+ test "admin can show is_admin property" do
+ user = FactoryGirl.create :user, login: "admin2"
+ login user
+ api_get :show, :id => user.id, :format => :json
+ assert_response :success
+ assert_json_response user.to_hash.merge(:is_admin => true)
+ end
+
test "normal users cannot show user" do
user = find_record :user
login