Revision 7ffb50b9
Added by Marek Hulán about 8 years ago
app/controllers/api/v1/users_controller.rb
process_response @user.destroy
end
end
private
def find_resource
editing_self? ? @user = User.current : super
end
end
end
end
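Review bot: The self-lookup shortcut `editing_self? ? @user = User.current : super` in `find_resource` (here and in the v2 controller) hides an assignment inside a ternary, which is easy to misread as a comparison; guard-clause form says the same thing plainly: `return super unless editing_self?` followed by `@user = User.current`. Because this method decides when the permission-scoped lookup is skipped, it deserves a why-comment such as `# A user may always show/update their own record: when the request targets the caller, return User.current instead of the scoped lookup.` It is worth stating in that comment that a false positive from `editing_self?` only ever yields the caller's own record, never another user's, which keeps the branch fail-safe. `editing_self?` is called without arguments while `User#editing_self?` takes an options hash, so a controller-level helper that supplies the request params is presumably defined outside this hunk — confirm it exists; the enclosing class also continues outside the hunk.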
app/controllers/api/v2/users_controller.rb
private
def find_resource
editing_self? ? @user = User.current : super
end
def allowed_nested_id
%w(auth_source_ldap_id role_id location_id organization_id usergroup_id)
end
app/models/user.rb
def editing_self?(options = {})
options[:controller].to_s == 'users' &&
options[:action] =~ /edit|update/ &&
options[:id].to_i == self.id
options[:id].to_i == self.id ||
options[:controller].to_s =~ /\Aapi\/v\d+\/users\Z/ &&
options[:action] =~ /show|update/ &&
(options[:id].to_i == self.id || options[:id] == self.login)
end
def taxonomy_foreign_conditions
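Review bot: `editing_self?` now chains three `&&` terms, an `||`, and three more `&&` terms with no grouping, so a reader has to recall that `&&` binds tighter than `||` to see that the UI branch and the API branch are separate; parenthesising each branch makes the intent explicit. The action checks `=~ /edit|update/` and `=~ /show|update/` are unanchored and also accept any action name that merely contains those words, and the controller pattern ends in `\Z`, which tolerates a trailing newline — anchoring them with `\A…\z` closes both, assuming the action arrives as a plain name (not visible here). A one-line doc comment would help since this predicate gates the authorization shortcut in the API controllers: `# True when the request in +options+ (controller/action/id from params) targets this user's own record; the API branch also accepts the login as the id.` The method's callers are outside the hunk.
```ruby
def editing_self?(options = {})
  (options[:controller].to_s == 'users' &&
    options[:action] =~ /\A(edit|update)\z/ &&
    options[:id].to_i == self.id) ||
    (options[:controller].to_s =~ /\Aapi\/v\d+\/users\z/ &&
      options[:action] =~ /\A(show|update)\z/ &&
      (options[:id].to_i == self.id || options[:id] == self.login))
end
```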
test/functional/api/v1/users_controller_test.rb
get :show, { :id => users(:anonymous).id }
assert_response :not_found
end
test "#show should not allow displaying other users without proper permission" do
as_user :two do
get :show, { :id => users(:one).id }
end
assert_response :forbidden
end
test "#show should allow displaying myself without any special permissions" do
as_user :two do
get :show, { :id => users(:two).id }
end
assert_response :success
end
test "#update should not update other users without proper permission" do
user = User.create :login => "foo", :mail => "foo@bar.com", :auth_source => auth_sources(:one)
as_user :two do
put :update, { :id => user.id, :user => valid_attrs }
end
assert_response :forbidden
end
test "#update should allow updating mysel without any special permissions" do
user = User.create :login => "foo", :mail => "foo@bar.com", :auth_source => auth_sources(:one)
as_user user do
put :update, { :id => user.id, :user => valid_attrs }
end
assert_response :success
end
end
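Review bot: The new model predicate also accepts the login as `:id` in the API branch, but every test in this file (and in the v2 test file) passes a numeric id, so the login path is untested; a case such as `get :show, { :id => users(:two).login }` inside `as_user :two`, asserting `:success`, would cover it, and a matching negative case with another user's login would pin that it cannot be used to reach someone else. The description `test "#update should allow updating mysel without any special permissions"` misspells "myself" in both files; `test "#update should allow updating myself without any special permissions" do`. `User.create` in the two update tests ignores a failed save, which would leave `user.id` nil and make the request exercise a different path than intended, whereas `User.create!` fails loudly at the setup line. The first hunk begins inside a test whose header is outside the hunk.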
test/functional/api/v2/users_controller_test.rb
get :show, { :id => users(:anonymous).id }
assert_response :not_found
end
test "#show should not allow displaying other users without proper permission" do
as_user :two do
get :show, { :id => users(:one).id }
end
assert_response :forbidden
end
test "#show should allow displaying myself without any special permissions" do
as_user :two do
get :show, { :id => users(:two).id }
end
assert_response :success
end
test "#update should not update other users without proper permission" do
user = User.create :login => "foo", :mail => "foo@bar.com", :auth_source => auth_sources(:one)
as_user :two do
put :update, { :id => user.id, :user => valid_attrs }
end
assert_response :forbidden
end
test "#update should allow updating mysel without any special permissions" do
user = User.create :login => "foo", :mail => "foo@bar.com", :auth_source => auth_sources(:one)
as_user user do
put :update, { :id => user.id, :user => valid_attrs }
end
assert_response :success
end
end
Fixes #5816 - allow editing and displaying self via API