From ab1917c5fe0f03e7719863a5598ad575d9fef302 Mon Sep 17 00:00:00 2001 From: NavaL Date: Thu, 14 Jul 2016 15:06:20 +0200 Subject: [feature] restrict is_admin in the user api, to only allow querying for him/herself So that it we do not expose the is_admin property to anyone else including other admins. --- test/functional/api/users_controller_test.rb | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) (limited to 'test/functional') diff --git a/test/functional/api/users_controller_test.rb b/test/functional/api/users_controller_test.rb index 32afd0a..b69770d 100644 --- a/test/functional/api/users_controller_test.rb +++ b/test/functional/api/users_controller_test.rb @@ -86,14 +86,22 @@ class Api::UsersControllerTest < ApiControllerTest login :is_admin? => true api_get :show, :id => 0, :login => user.login, :format => :json assert_response :success - assert_json_response user + assert_json_response user.to_hash api_get :show, :id => user.id, :format => :json assert_response :success - assert_json_response user + assert_json_response user.to_hash api_get :show, :id => "0", :format => :json assert_response :not_found end + test "admin can show is_admin property" do + user = FactoryGirl.create :user, login: "admin2" + login user + api_get :show, :id => user.id, :format => :json + assert_response :success + assert_json_response user.to_hash.merge(:is_admin => true) + end + test "normal users cannot show user" do user = find_record :user login -- cgit v1.2.3