From 277b9f98bfbe2ef0217dfd17c8d9d6597369b903 Mon Sep 17 00:00:00 2001
From: Azul <azul@leap.se>
Date: Wed, 28 Nov 2012 15:13:47 +0100
Subject: admins can destroy users

I changed the permissions a little to be more consistent.

Now:
* admins can edit users
* users can destroy themselves.

There's no ui for either of them but theoretically they could. Not sure this is what we want though.
---
 users/test/functional/users_controller_test.rb | 45 ++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)

(limited to 'users/test/functional/users_controller_test.rb')

diff --git a/users/test/functional/users_controller_test.rb b/users/test/functional/users_controller_test.rb
index ced8ee9..ab29845 100644
--- a/users/test/functional/users_controller_test.rb
+++ b/users/test/functional/users_controller_test.rb
@@ -47,4 +47,49 @@ class UsersControllerTest < ActionController::TestCase
     assert_equal " ", @response.body
     assert_response 204
   end
+
+  test "admin can destroy user" do
+    login :is_admin? => true
+    user = stub_record User
+    user.expects(:destroy)
+    User.expects(:find_by_param).with(user.id.to_s).returns(user)
+    delete :destroy, :id => user.id
+    assert_response :redirect
+    # assert_redirected_to users_path
+  end
+
+  test "non-admin can't destroy user" do
+    login
+    user = stub_record User
+    delete :destroy, :id => user.id
+    assert_access_denied
+  end
+
+  test "admin can list users" do
+    login :is_admin? => true
+    get :index
+    assert_response :success
+    assert assigns(:users)
+  end
+
+  test "non-admin can't list users" do
+    login
+    get :index
+    assert_access_denied
+  end
+
+  test "admin can autocomplete users" do
+    login :is_admin? => true
+    get :index, :format => :json
+    assert_response :success
+    assert assigns(:users)
+  end
+
+  test "admin can search users" do
+    login :is_admin? => true
+    get :index, :query => "a"
+    assert_response :success
+    assert assigns(:users)
+  end
+
 end
-- 
cgit v1.2.3