Project

General

Profile

« Previous | Next » 

Revision 5f606e11

Added by Daniel Lobato Garcia over 7 years ago

Fixes #16982 - Scope properly when no taxonomies are set

The default scope for hosts and other objects did not restrict
properly by taxonomies. An user without organizations or
locations, could do anything it's permissions allow to.
The list of hosts was unrestricted and showed hosts in
any location or organization.

This is fixed to work so that:

Users without taxonomies, when set to 'any context' cannot see
anything (at all)

Users with taxonomies, when set to 'any context' can see
everything within all of their taxonomies context (including
children taxonomies).

Admins set to 'any context' can see everything - regardless
of whether it has a taxonomy or not.

Users or admins set to some organization/location scope
can only see stuff within scope.

View differences:

test/controllers/users_controller_test.rb
}
}, set_session_user
assert_redirected_to users_path
refute User.find_by_login('foo').admin
refute User.unscoped.find_by_login('foo').admin
end
test 'should create admin user' do
......
}
}, set_session_user
assert_redirected_to users_path
assert User.find_by_login('foo').admin
assert User.unscoped.find_by_login('foo').admin
end
test "should update user" do
user = User.create :login => "foo", :mail => "foo@bar.com", :auth_source => auth_sources(:one)
put :update, { :id => user.id, :user => {:login => "johnsmith"} }, set_session_user
mod_user = User.find_by_id(user.id)
mod_user = User.unscoped.find_by_id(user.id)
assert mod_user.login == "johnsmith"
assert_redirected_to users_path
......
user = FactoryGirl.create(:user, :with_mail)
notification = FactoryGirl.create(:mail_notification)
put :update, { :id => user.id, :user => {:user_mail_notifications_attributes => {'0' => {:mail_notification_id => notification.id, :interval => 'Subscribe'}}}}, set_session_user
user = User.find_by_id(user.id)
user = User.unscoped.find_by_id(user.id)
assert user.mail_notifications.include? notification
end
......
assert user.roles =([roles(:default_role)])
put :update, { :id => user.id, :user => {:login => "johnsmith"} }, set_session_user
mod_user = User.find_by_id(user.id)
mod_user = User.unscoped.find_by_id(user.id)
assert mod_user.roles =([roles(:default_role)])
end
......
:login => "johnsmith", :password => "dummy", :password_confirmation => "dummy"
}
}, set_session_user
mod_user = User.find_by_id(user.id)
mod_user = User.unscoped.find_by_id(user.id)
assert mod_user.matching_password?("dummy")
assert_redirected_to users_path
......
:login => "johnsmith", :password => "dummy", :password_confirmation => "DUMMY"
}
}, set_session_user
user.reload
assert user.matching_password?("changeme")
assert_template :edit
......
user.update_attribute :admin, true
delete :destroy, {:id => user.id}, set_session_user.merge(:user => user.id)
assert_redirected_to users_url
assert User.exists?(user.id)
assert User.unscoped.exists?(user.id)
assert @request.flash[:notice] == "You cannot delete this user while logged in as this user."
end
......
"id" => user.id}
put :update, update_hash, set_session_user.merge(:user => user.id)
assert !User.find_by_login(user.login).mail.blank?
assert !User.unscoped.find_by_login(user.login).mail.blank?
end
test "should login external user" do
......
@request.session.clear
@request.env['REMOTE_USER'] = 'ares'
get :extlogin, {}, {}
assert_redirected_to edit_user_path(User.find_by_login('ares'))
assert_redirected_to edit_user_path(User.unscoped.find_by_login('ares'))
end
test "should use intercept if available" do
......
test 'user with edit permission should be able to edit another user' do
setup_user 'edit', 'users'
get :edit, { :id => users(:two) }
get :edit, { :id => users(:two) }, set_session_user
assert_response :success
end
......
test 'user with update permission should be able to update another user' do
setup_user 'edit', 'users'
put :update, { :id => users(:two).id, :user => { :firstname => 'test' } }
put :update, { :id => users(:two).id, :user => { :firstname => 'test' } },
set_session_user
assert_response :redirect
end
......
attrs = {:firstname=>"foo", :mail=>"foo#bar", :login=>"ldap-user", :auth_source_id=>auth_sources(:one).id}
AuthSourceLdap.any_instance.stubs(:authenticate).returns(attrs)
AuthSourceLdap.any_instance.stubs(:update_usergroups).returns(true)
AuthSourceLdap.any_instance.stubs(:organizations).returns([taxonomies(:organization1)])
AuthSourceLdap.any_instance.stubs(:locations).returns([taxonomies(:location1)])
post :login, {:login => {'login' => 'ldap-user', 'password' => 'password'}}
assert_redirected_to hosts_path
assert_match /mail.*invalid/i, flash[:warning]
# Subsequent redirects to the user edit page should preserve the warning
user = User.find_by_login('ldap-user')
user = User.unscoped.find_by_login('ldap-user')
get :index, {}, set_session_user.merge(:user => user.id)
assert_redirected_to edit_user_path(user)
......
:default_organization_id => taxonomies(:organization1).id } }
assert_redirected_to users_path
updated_user = User.find(users(:one).id)
updated_user = User.unscoped.find(users(:one).id)
assert_equal taxonomies(:location1), updated_user.default_location
assert_equal taxonomies(:organization1), updated_user.default_organization
end

Also available in: Unified diff