From 366ff2e7f5ecd44aab1cddfd0a7b73ab7b213e85 Mon Sep 17 00:00:00 2001
From: elijah <elijah@riseup.net>
Date: Tue, 3 Jun 2014 01:12:17 -0700
Subject: tickets: fix bug that allow index of other users

---
 .../support/test/functional/tickets_controller_test.rb    | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

(limited to 'engines/support/test')

diff --git a/engines/support/test/functional/tickets_controller_test.rb b/engines/support/test/functional/tickets_controller_test.rb
index 1d074cc..ebaa3a4 100644
--- a/engines/support/test/functional/tickets_controller_test.rb
+++ b/engines/support/test/functional/tickets_controller_test.rb
@@ -45,8 +45,7 @@ class TicketsControllerTest < ActionController::TestCase
     user = find_record :user
     ticket = find_record :ticket, :created_by => user.id
     get :show, :id => ticket.id
-    assert_response :redirect
-    assert_redirected_to login_url
+    assert_login_required
   end
 
   test "user tickets are visible to creator" do
@@ -57,13 +56,19 @@ class TicketsControllerTest < ActionController::TestCase
     assert_response :success
   end
 
-  test "other users tickets are not visible" do
+  test "ticket of other user is not visible" do
     other_user = find_record :user
     ticket = find_record :ticket, :created_by => other_user.id
     login
     get :show, :id => ticket.id
-    assert_response :redirect
-    assert_redirected_to home_url
+    assert_access_denied
+  end
+
+  test "ticket list of other user is not visible" do
+    other_user = find_record :user
+    login
+    get :index, :user_id => other_user.id
+    assert_access_denied
   end
 
   test "should create unauthenticated ticket" do
-- 
cgit v1.2.3