From ab1917c5fe0f03e7719863a5598ad575d9fef302 Mon Sep 17 00:00:00 2001
From: NavaL
Date: Thu, 14 Jul 2016 15:06:20 +0200
Subject: [feature] restrict is_admin in the user api, to only allow querying for him/herself
So that it we do not expose the is_admin property to anyone else including other admins.
---
 test/functional/api/users_controller_test.rb | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
(limited to 'test/functional/api')
diff --git a/test/functional/api/users_controller_test.rb b/test/functional/api/users_controller_test.rb
index 32afd0a..b69770d 100644
--- a/test/functional/api/users_controller_test.rb
+++ b/test/functional/api/users_controller_test.rb
@@ -86,14 +86,22 @@ class Api::UsersControllerTest < ApiControllerTest
 login :is_admin? => true
 api_get :show, :id => 0, :login => user.login, :format => :json
 assert_response :success
- assert_json_response user
+ assert_json_response user.to_hash
 api_get :show, :id => user.id, :format => :json
 assert_response :success
- assert_json_response user
+ assert_json_response user.to_hash
 api_get :show, :id => "0", :format => :json
 assert_response :not_found
 end
 
+ test "admin can show is_admin property" do
+ user = FactoryGirl.create :user, login: "admin2"
+ login user
+ api_get :show, :id => user.id, :format => :json
+ assert_response :success
+ assert_json_response user.to_hash.merge(:is_admin => true)
+ end
+
 test "normal users cannot show user" do
 user = find_record :user
 login
-- cgit v1.2.3
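Review bot: The new test `admin can show is_admin property` covers only the positive case — a user sees `is_admin` on their own record — while the restriction the commit title describes (no `is_admin` for anyone else, other admins included) has no direct assertion; the earlier `assert_json_response user.to_hash` calls for an admin viewing other users only catch a leaked key if that helper compares the whole response rather than a subset, which is not visible here. I would add a negative test next to the new one, reusing the `login :is_admin? => true` / `api_get :show, :id => ...` pattern already in the hunk and whatever JSON accessor ApiControllerTest provides (shown below with `JSON.parse(response.body)`). The fixture also depends on the login `"admin2"` being recognised as an admin by configuration outside this file, which deserves a comment such as `# "admin2" must be listed as an admin in the test config, otherwise is_admin is not set`. The test that opens the hunk and the one that closes it are cut by the hunk edges.
```ruby
  test "is_admin is not exposed when an admin views another user" do
    other = FactoryGirl.create :user
    login :is_admin? => true
    api_get :show, :id => other.id, :format => :json
    assert_response :success
    assert !JSON.parse(response.body).key?("is_admin")
  end
```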