Revision af9edf10
Added by Marek Hulán about 7 years ago
| test/models/taxonomix_test.rb | ||
|---|---|---|
|
end
|
||
|
end
|
||
|
|
||
|
test 'list only users from the organization and myself but not global admins' do
|
||
|
loc = FactoryGirl.create(:location)
|
||
|
org = FactoryGirl.create(:organization)
|
||
|
user1 = FactoryGirl.create(:user, :organizations => [org], :locations => [loc])
|
||
|
user2 = FactoryGirl.create(:user, :organizations => [org], :locations => [loc])
|
||
|
admin = FactoryGirl.create(:user, :admin)
|
||
|
|
||
|
as_user(user1) do
|
||
|
found_ids = User.taxable_ids(loc, org)
|
||
|
assert_includes found_ids, user1.id
|
||
|
assert_includes found_ids, user2.id
|
||
|
refute_includes found_ids, admin.id
|
||
|
end
|
||
|
end
|
||
|
|
||
|
test "can work with array of taxonomies" do
|
||
|
loc1 = FactoryGirl.create(:location)
|
||
|
loc2 = FactoryGirl.create(:location, :parent_id => loc1.id)
|
||
| ... | ... | |
|
as_user(:one) do
|
||
|
scoped_users = User.with_taxonomy_scope([],[])
|
||
|
assert_include scoped_users, User.current
|
||
|
assert_include scoped_users, users(:admin)
|
||
|
end
|
||
|
end
|
||
|
|
||
Also available in: Unified diff
Fixes #19612 - CVE-2017-7505 don't expose admin to taxed users