Revision 7ffb50b9
Added by Marek Hulán about 8 years ago
| app/controllers/api/v1/users_controller.rb | ||
|---|---|---|
|
process_response @user.destroy
|
||
|
end
|
||
|
end
|
||
|
|
||
|
private
|
||
|
|
||
|
def find_resource
|
||
|
editing_self? ? @user = User.current : super
|
||
|
end
|
||
|
end
|
||
|
end
|
||
|
end
|
||
| app/controllers/api/v2/users_controller.rb | ||
|---|---|---|
|
|
||
|
private
|
||
|
|
||
|
def find_resource
|
||
|
editing_self? ? @user = User.current : super
|
||
|
end
|
||
|
|
||
|
def allowed_nested_id
|
||
|
%w(auth_source_ldap_id role_id location_id organization_id usergroup_id)
|
||
|
end
|
||
| app/models/user.rb | ||
|---|---|---|
|
def editing_self?(options = {})
|
||
|
options[:controller].to_s == 'users' &&
|
||
|
options[:action] =~ /edit|update/ &&
|
||
|
options[:id].to_i == self.id
|
||
|
options[:id].to_i == self.id ||
|
||
|
options[:controller].to_s =~ /\Aapi\/v\d+\/users\Z/ &&
|
||
|
options[:action] =~ /show|update/ &&
|
||
|
(options[:id].to_i == self.id || options[:id] == self.login)
|
||
|
end
|
||
|
|
||
|
def taxonomy_foreign_conditions
|
||
| test/functional/api/v1/users_controller_test.rb | ||
|---|---|---|
|
get :show, { :id => users(:anonymous).id }
|
||
|
assert_response :not_found
|
||
|
end
|
||
|
|
||
|
test "#show should not allow displaying other users without proper permission" do
|
||
|
as_user :two do
|
||
|
get :show, { :id => users(:one).id }
|
||
|
end
|
||
|
assert_response :forbidden
|
||
|
end
|
||
|
|
||
|
test "#show should allow displaying myself without any special permissions" do
|
||
|
as_user :two do
|
||
|
get :show, { :id => users(:two).id }
|
||
|
end
|
||
|
assert_response :success
|
||
|
end
|
||
|
|
||
|
test "#update should not update other users without proper permission" do
|
||
|
user = User.create :login => "foo", :mail => "foo@bar.com", :auth_source => auth_sources(:one)
|
||
|
as_user :two do
|
||
|
put :update, { :id => user.id, :user => valid_attrs }
|
||
|
end
|
||
|
assert_response :forbidden
|
||
|
end
|
||
|
|
||
|
test "#update should allow updating mysel without any special permissions" do
|
||
|
user = User.create :login => "foo", :mail => "foo@bar.com", :auth_source => auth_sources(:one)
|
||
|
as_user user do
|
||
|
put :update, { :id => user.id, :user => valid_attrs }
|
||
|
end
|
||
|
assert_response :success
|
||
|
end
|
||
|
end
|
||
| test/functional/api/v2/users_controller_test.rb | ||
|---|---|---|
|
get :show, { :id => users(:anonymous).id }
|
||
|
assert_response :not_found
|
||
|
end
|
||
|
|
||
|
test "#show should not allow displaying other users without proper permission" do
|
||
|
as_user :two do
|
||
|
get :show, { :id => users(:one).id }
|
||
|
end
|
||
|
assert_response :forbidden
|
||
|
end
|
||
|
|
||
|
test "#show should allow displaying myself without any special permissions" do
|
||
|
as_user :two do
|
||
|
get :show, { :id => users(:two).id }
|
||
|
end
|
||
|
assert_response :success
|
||
|
end
|
||
|
|
||
|
test "#update should not update other users without proper permission" do
|
||
|
user = User.create :login => "foo", :mail => "foo@bar.com", :auth_source => auth_sources(:one)
|
||
|
as_user :two do
|
||
|
put :update, { :id => user.id, :user => valid_attrs }
|
||
|
end
|
||
|
assert_response :forbidden
|
||
|
end
|
||
|
|
||
|
test "#update should allow updating mysel without any special permissions" do
|
||
|
user = User.create :login => "foo", :mail => "foo@bar.com", :auth_source => auth_sources(:one)
|
||
|
as_user user do
|
||
|
put :update, { :id => user.id, :user => valid_attrs }
|
||
|
end
|
||
|
assert_response :success
|
||
|
end
|
||
|
end
|
||
Also available in: Unified diff
Fixes #5816 - allow editing and displaying self via API