authorGo MAEDA <maeda@farend.jp>2021-03-13 07:20:57 +0000
committerGo MAEDA <maeda@farend.jp>2021-03-13 07:20:57 +0000
commit5063d3faf0057e9cdb24556b6908aa6fc2bec77b (patch)
tree45953588da70cb406641243a6f49c2baea5806dc /test/functional
parente5d13152bea6c4737f90d99d3b2df54fcd1544d3 (diff)
Fix that users can delete their own accounts unconditionally via REST API (#11870).
Patch by Mizuki ISHIKAWA and Kevin Fischer. git-svn-id: http://svn.redmine.org/redmine/trunk@20782 e93f8b46-1217-0410-a6f0-8f06a7374b81
Diffstat (limited to 'test/functional')
-rw-r--r--test/functional/users_controller_test.rb23
1 files changed, 23 insertions, 0 deletions
diff --git a/test/functional/users_controller_test.rb b/test/functional/users_controller_test.rb
index 5883f344b..700a3a842 100644
--- a/test/functional/users_controller_test.rb
+++ b/test/functional/users_controller_test.rb
@@ -915,4 +915,27 @@ class UsersControllerTest < Redmine::ControllerTest
)
end
end
+
+ def test_destroy_without_unsubscribe_is_denied
+ user = User.find(2)
+ user.update(admin: true) # Create other admin so self can be deleted
+ @request.session[:user_id] = user.id
+ with_settings unsubscribe: 0 do
+ assert_no_difference 'User.count' do
+ delete :destroy, params: {id: user.id}
+ end
+ assert_response 422
+ end
+ end
+
+ def test_destroy_last_admin_is_denied
+ user = User.find(1)
+ @request.session[:user_id] = user.id
+ with_settings unsubscribe: 1 do
+ assert_no_difference 'User.count' do
+ delete :destroy, params: {id: user.id}
+ end
+ assert_response 422
+ end
+ end
end
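Review bot: Both new tests authenticate through `@request.session[:user_id]` and send a plain `delete :destroy, params: {id: user.id}`, so they exercise the session-authenticated controller path rather than the REST API request named in the commit title. This view is limited to test/functional, so API-format coverage may exist elsewhere in the commit; if it does not, a variant such as `delete :destroy, params: {id: user.id, format: 'json'}` asserting the same 422 and unchanged `User.count` would pin the path the fix targets. `test_destroy_last_admin_is_denied` also relies on the fixture leaving User 1 as the only admin; a precondition like `assert_equal [user], User.where(admin: true).to_a` before the request would document that. The enclosing `UsersControllerTest` class begins outside the hunk.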