Enable ability for administrators to delete users (#7296).

User's personal data (eg. preferences, tokens, private queries...) are deleted, public data (eg. issues, wiki edits, attachments...) are reassigned to the anonymous user.

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@4729 e93f8b46-1217-0410-a6f0-8f06a7374b81

3 files changed, 52 insertions, 15 deletions

diff --git a/test/functional/users_controller_test.rb b/test/functional/users_controller_test.rb
index 8aa311ebb..6837deab4 100644
--- a/test/functional/users_controller_test.rb
+++ b/test/functional/users_controller_test.rb
@@ -264,6 +264,30 @@ class UsersControllerTest < ActionController::TestCase
     assert u.check_password?('newpass')
   end
   
+  def test_destroy
+    assert_difference 'User.count', -1 do
+      delete :destroy, :id => 2
+    end
+    assert_redirected_to '/users'
+    assert_nil User.find_by_id(2)
+  end
+
+  def test_destroy_should_not_accept_get_requests
+    assert_no_difference 'User.count' do
+      get :destroy, :id => 2
+    end
+    assert_response 405
+  end
+
+  def test_destroy_should_be_denied_for_non_admin_users
+    @request.session[:user_id] = 3
+    
+    assert_no_difference 'User.count' do
+      get :destroy, :id => 2
+    end
+    assert_response 403
+  end
+  
   def test_edit_membership
     post :edit_membership, :id => 2, :membership_id => 1,
                            :membership => { :role_ids => [2]}
diff --git a/test/integration/api_test/users_test.rb b/test/integration/api_test/users_test.rb
index e1eb7a237..00dc4cc95 100644
--- a/test/integration/api_test/users_test.rb
+++ b/test/integration/api_test/users_test.rb
@@ -245,26 +245,36 @@ class ApiTest::UsersTest < ActionController::IntegrationTest
         end
       end
     end
+  end
     
-    context "DELETE /users/2" do
-      context ".xml" do
-        should "not be allowed" do
-          assert_no_difference('User.count') do
-            delete '/users/2.xml'
-          end
-          
-          assert_response :method_not_allowed
+  context "DELETE /users/2" do
+    context ".xml" do
+      should_allow_api_authentication(:delete,
+        '/users/2.xml',
+        {},
+        {:success_code => :ok})
+      
+      should "delete user" do
+        assert_difference('User.count', -1) do
+          delete '/users/2.xml', {}, :authorization => credentials('admin')
         end
+        
+        assert_response :ok
       end
-      
-      context ".json" do
-        should "not be allowed" do
-          assert_no_difference('User.count') do
-            delete '/users/2.json'
-          end
+    end
+    
+    context ".json" do
+      should_allow_api_authentication(:delete,
+        '/users/2.xml',
+        {},
+        {:success_code => :ok})
           
-          assert_response :method_not_allowed
+      should "delete user" do
+        assert_difference('User.count', -1) do
+          delete '/users/2.json', {}, :authorization => credentials('admin')
         end
+        
+        assert_response :ok
       end
     end
   end
diff --git a/test/integration/routing_test.rb b/test/integration/routing_test.rb
index 4b18e317a..1198081fc 100644
--- a/test/integration/routing_test.rb
+++ b/test/integration/routing_test.rb
@@ -302,6 +302,9 @@ class RoutingTest < ActionController::IntegrationTest
 
     should_route :put, "/users/444", :controller => 'users', :action => 'update', :id => '444'
     should_route :put, "/users/444.xml", :controller => 'users', :action => 'update', :id => '444', :format => 'xml'
+
+    should_route :delete, "/users/44", :controller => 'users', :action => 'destroy', :id => '44'
+    should_route :delete, "/users/44.xml", :controller => 'users', :action => 'destroy', :id => '44', :format => 'xml'
   end
 
   # TODO: should they all be scoped under /projects/:project_id ?