diff options
author | azul <azul@riseup.net> | 2013-01-17 22:42:47 -0800 |
---|---|---|
committer | azul <azul@riseup.net> | 2013-01-17 22:42:47 -0800 |
commit | 19d563e2e2db98ecc5143229f554df6a09bc457e (patch) | |
tree | 954e7c9a1865150a0cf4d08842d1365b75259d57 /users | |
parent | c172c91d8041fbf85ec6b0054c30f31d41a1008b (diff) | |
parent | 444dbca4054ccfb7a82bb4df2a6369959ef6c9b2 (diff) |
Merge pull request #17 from leapcode/feature/tickets_controllers_simplification
Refactoring of tickets controller to fetch the ticket in a before filter...
Diffstat (limited to 'users')
-rw-r--r-- | users/app/controllers/users_controller.rb | 7 | ||||
-rw-r--r-- | users/test/functional/users_controller_test.rb | 25 |
2 files changed, 30 insertions, 2 deletions
diff --git a/users/app/controllers/users_controller.rb b/users/app/controllers/users_controller.rb index eb93fcb..c0fe243 100644 --- a/users/app/controllers/users_controller.rb +++ b/users/app/controllers/users_controller.rb @@ -2,6 +2,8 @@ class UsersController < ApplicationController skip_before_filter :verify_authenticity_token, :only => [:create] + + before_filter :authorize, :only => [:show, :edit, :update, :destroy] before_filter :fetch_user, :only => [:show, :edit, :update, :destroy] before_filter :set_anchor, :only => [:edit, :update] before_filter :authorize_admin, :only => [:index] @@ -48,7 +50,12 @@ class UsersController < ApplicationController protected def fetch_user + # authorize filter has been checked first, so won't get here unless authenticated @user = User.find_by_param(params[:id]) + if !@user and admin? + redirect_to users_path, :alert => t(:no_such_thing, :thing => 'user') + return + end access_denied unless admin? or (@user == current_user) end diff --git a/users/test/functional/users_controller_test.rb b/users/test/functional/users_controller_test.rb index 46db4d1..9fb06c9 100644 --- a/users/test/functional/users_controller_test.rb +++ b/users/test/functional/users_controller_test.rb @@ -10,10 +10,12 @@ class UsersControllerTest < ActionController::TestCase end test "failed show without login" do - user = find_record :user + user = FactoryGirl.build(:user) + user.save get :show, :id => user.id assert_response :redirect assert_redirected_to login_path + user.destroy end test "user can see user" do @@ -42,7 +44,7 @@ class UsersControllerTest < ActionController::TestCase assert_response :success end - + test "user cannot see other user" do user = find_record :user, :email => nil, @@ -57,6 +59,25 @@ class UsersControllerTest < ActionController::TestCase assert_access_denied end + test "show for non-existing user" do + nonid = 'thisisnotanexistinguserid' + + # when unauthenticated: + get :show, :id => nonid + assert_access_denied(true, false) + + # when authenticated but not admin: + login + get :show, :id => nonid + assert_access_denied + + # when authenticated as admin: + login :is_admin? => true + get :show, :id => nonid + assert_response :redirect + assert_equal({:alert => "No such user."}, flash.to_hash) + assert_redirected_to users_path + end test "should create new user" do user_attribs = record_attributes_for :user |