api.user do
api.id @user.id
- api.login @user.login if User.current.admin?
+ api.login @user.login if User.current.admin? || (User.current == @user)
api.firstname @user.firstname
api.lastname @user.lastname
api.mail @user.mail if User.current.admin? || !@user.pref.hide_mail
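Review bot: The owner exemption added to the `api.login` line is not mirrored on the `api.mail` line just below it, which still shows the address only to administrators or when `hide_mail` is off. A user who hides their mail can therefore now read their own login through this endpoint but not their own address. If that asymmetry is not intended, the condition could become `api.mail @user.mail if User.current.admin? || User.current == @user || !@user.pref.hide_mail`. A one-line comment above the login field, such as `# login is exposed only to admins and to the account owner`, would also record the visibility rule for whoever adds the next field. The `api.user` block continues beyond this hunk.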
end
end
+ test "GET /users/:id should not return login for other user" do
+ get '/users/3.xml', {}, credentials('jsmith')
+ assert_response :success
+ assert_no_tag 'user', :child => {:tag => 'login'}
+ end
+
+ test "GET /users/:id should return login for current user" do
+ get '/users/2.xml', {}, credentials('jsmith')
+ assert_response :success
+ assert_tag 'user', :child => {:tag => 'login', :content => 'jsmith'}
+ end
+
context "POST /users" do
context "with valid parameters" do
setup do