authorJean-Philippe Lang <jp_lang@yahoo.fr>2017-04-03 12:59:55 +0000
committerJean-Philippe Lang <jp_lang@yahoo.fr>2017-04-03 12:59:55 +0000
commit3e787f7e7d0a013376735dbe2b60054166a61499 (patch)
tree79fc54ce0cdf4f1b1e31c4b5501f87713f52310e /test/functional/users_controller_test.rb
parenta8d8c213bb61e702b6266b6f5ae71ad6be647614 (diff)
Deny edit/update/delete for anonymous user (#25483).
Patch by Holger Just. git-svn-id: http://svn.redmine.org/redmine/trunk@16464 e93f8b46-1217-0410-a6f0-8f06a7374b81
Diffstat (limited to 'test/functional/users_controller_test.rb')
-rw-r--r--test/functional/users_controller_test.rb20
1 files changed, 20 insertions, 0 deletions
diff --git a/test/functional/users_controller_test.rb b/test/functional/users_controller_test.rb
index 0dbd12a81..49d69f84a 100644
--- a/test/functional/users_controller_test.rb
+++ b/test/functional/users_controller_test.rb
@@ -342,6 +342,12 @@ class UsersControllerTest < Redmine::ControllerTest
assert_select 'a', :text => 'Activate'
end
+ def test_edit_should_be_denied_for_anonymous
+ assert User.find(6).anonymous?
+ get :edit, :params => {:id => 6}
+ assert_response 404
+ end
+
def test_update
ActionMailer::Base.deliveries.clear
put :update, :params => {
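Review bot: test_edit_should_be_denied_for_anonymous hard-codes fixture id 6 and has to assert `User.find(6).anonymous?` as a precondition; test_update_should_be_denied_for_anonymous and test_destroy_should_be_denied_for_anonymous repeat the same pattern. Looking the record up through the model, e.g. `get :edit, :params => {:id => User.anonymous.id}`, would keep the tests bound to the anonymous account if the fixtures are renumbered, assuming `User.anonymous` returns the fixture record here. A short comment such as `# the anonymous user is a built-in account; admin edit must answer 404` would also record why 404 is expected where a neighbouring destroy test expects 403.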
@@ -593,6 +599,12 @@ class UsersControllerTest < Redmine::ControllerTest
assert_nil ActionMailer::Base.deliveries.last
end
+ def test_update_should_be_denied_for_anonymous
+ assert User.find(6).anonymous?
+ put :update, :params => {:id => 6}
+ assert_response 404
+ end
+
def test_destroy
assert_difference 'User.count', -1 do
delete :destroy, :params => {:id => 2}
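Review bot: test_update_should_be_denied_for_anonymous sends `put :update` with no `:user` attributes and asserts only the status code, so it cannot distinguish a request rejected before any write from one that would have applied submitted attributes. Sending an attribute and checking the record afterwards pins the actual guarantee, e.g. `put :update, :params => {:id => 6, :user => {:firstname => 'Changed'}}` followed by `assert_not_equal 'Changed', User.find(6).firstname`. The session the request runs under is established outside this hunk (presumably an admin login in setup), so it is worth confirming that the denial is exercised with administrator rights.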
@@ -610,6 +622,14 @@ class UsersControllerTest < Redmine::ControllerTest
assert_response 403
end
+ def test_destroy_should_be_denied_for_anonymous
+ assert User.find(6).anonymous?
+ assert_no_difference 'User.count' do
+ put :destroy, :params => {:id => 6}
+ end
+ assert_response 404
+ end
+
def test_destroy_should_redirect_to_back_url_param
assert_difference 'User.count', -1 do
delete :destroy, :params => {:id => 2, :back_url => '/users?name=foo'}
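Review bot: test_destroy_should_be_denied_for_anonymous issues `put :destroy`, while test_destroy earlier in the file and test_destroy_should_redirect_to_back_url_param just below both use `delete :destroy`. With a different verb, the 404 and the unchanged `User.count` may not be exercising the request a real deletion would send, so the guard on the anonymous account is only indirectly covered. Change the line to `delete :destroy, :params => {:id => 6}`.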