0001-Deny-edit-update-delete-for-anonymous-user.patch

Holger Just, 2017-03-30 15:15

Download (3.35 KB)

View differences:

app/controllers/users_controller.rb
20 20
  self.main_menu = false
21 21

  
22 22
  before_action :require_admin, :except => :show
23
  before_action :find_user, :only => [:show, :edit, :update, :destroy]
23
  before_action ->{ find_user(false) }, :only => :show
24
  before_action :find_user, :only => [:edit, :update, :destroy]
24 25
  accept_api_auth :index, :show, :create, :update, :destroy
25 26

  
26 27
  helper :sort
......
174 175

  
175 176
  private
176 177

  
177
  def find_user
178
  def find_user(logged = true)
178 179
    if params[:id] == 'current'
179 180
      require_login || return
180 181
      @user = User.current
182
    elsif logged
183
      @user = User.logged.find(params[:id])
181 184
    else
182 185
      @user = User.find(params[:id])
183 186
    end
app/views/users/show.html.erb
1 1
<div class="contextual">
2
<%= link_to(l(:button_edit), edit_user_path(@user), :class => 'icon icon-edit') if User.current.admin? %>
2
<%= link_to(l(:button_edit), edit_user_path(@user), :class => 'icon icon-edit') if User.current.admin? && @user.logged? %>
3 3
</div>
4 4

  
5 5
<h2><%= avatar @user, :size => "50" %> <%= @user.name %></h2>
test/functional/users_controller_test.rb
342 342
    assert_select 'a', :text => 'Activate'
343 343
  end
344 344

  
345
  def test_edit_should_be_denied_for_anonymous
346
    assert User.find(6).anonymous?
347
    get :edit, :params => {:id => 6}
348
    assert_response 404
349
  end
350

  
345 351
  def test_update
346 352
    ActionMailer::Base.deliveries.clear
347 353
    put :update, :params => {
......
593 599
    assert_nil ActionMailer::Base.deliveries.last
594 600
  end
595 601

  
602
  def test_update_should_be_denied_for_anonymous
603
    assert User.find(6).anonymous?
604
    put :update, :params => {:id => 6}
605
    assert_response 404
606
  end
607

  
596 608
  def test_destroy
597 609
    assert_difference 'User.count', -1 do
598 610
      delete :destroy, :params => {:id => 2}
......
610 622
    assert_response 403
611 623
  end
612 624

  
625
  def test_destroy_should_be_denied_for_anonymous
626
    assert User.find(6).anonymous?
627
    assert_no_difference 'User.count' do
628
      put :destroy, :params => {:id => 6}
629
    end
630
    assert_response 404
631
  end
632

  
613 633
  def test_destroy_should_redirect_to_back_url_param
614 634
    assert_difference 'User.count', -1 do
615 635
      delete :destroy, :params => {:id => 2, :back_url => '/users?name=foo'}
616
-