0001-Deny-edit-update-delete-for-anonymous-user.patch - Redmine

Patch #25483 » 0001-Deny-edit-update-delete-for-anonymous-user.patch

Holger Just, 2017-03-30 15:15

       self.main_menu = false
       before_action :require_admin, :except => :show
       before_action :find_user, :only => [:show, :edit, :update, :destroy]
       before_action ->{ find_user(false) }, :only => :show
       before_action :find_user, :only => [:edit, :update, :destroy]
       accept_api_auth :index, :show, :create, :update, :destroy
       helper :sort
-...
       private
       def find_user
       def find_user(logged = true)
         if params[:id] == 'current'
           require_login || return
           @user = User.current
         elsif logged
           @user = User.logged.find(params[:id])
         else
           @user = User.find(params[:id])
         end

app/views/users/show.html.erb
1	1	<div class="contextual">
2		<%= link_to(l(:button_edit), edit_user_path(@user), :class => 'icon icon-edit') if User.current.admin? %>
	2	<%= link_to(l(:button_edit), edit_user_path(@user), :class => 'icon icon-edit') if User.current.admin? && @user.logged? %>
3	3	</div>
4	4
5	5	<h2><%= avatar @user, :size => "50" %> <%= @user.name %></h2>

         assert_select 'a', :text => 'Activate'
       end
       def test_edit_should_be_denied_for_anonymous
         assert User.find(6).anonymous?
         get :edit, :params => {:id => 6}
         assert_response 404
       end
       def test_update
         ActionMailer::Base.deliveries.clear
         put :update, :params => {
-...
         assert_nil ActionMailer::Base.deliveries.last
       end
       def test_update_should_be_denied_for_anonymous
         assert User.find(6).anonymous?
         put :update, :params => {:id => 6}
         assert_response 404
       end
       def test_destroy
         assert_difference 'User.count', -1 do
           delete :destroy, :params => {:id => 2}
-...
         assert_response 403
       end
       def test_destroy_should_be_denied_for_anonymous
         assert User.find(6).anonymous?
         assert_no_difference 'User.count' do
           put :destroy, :params => {:id => 6}
         end
         assert_response 404
       end
       def test_destroy_should_redirect_to_back_url_param
         assert_difference 'User.count', -1 do
           delete :destroy, :params => {:id => 2, :back_url => '/users?name=foo'}

(1-1/1)