author | Marius Balteanu <marius.balteanu@zitec.com> | 2025-03-09 23:22:46 +0000 |
---|---|---|
committer | Marius Balteanu <marius.balteanu@zitec.com> | 2025-03-09 23:22:46 +0000 |
commit | 3c5f0af44d711c356b4143cfe37f9b7091df0c67 (patch) | |
tree | 73a1ea3c20bd084ffd8b425e849c7777f945170c /test | |
parent | 10971361fae0b81af2e8e37fdf4d0066d2417ae2 (diff) | |
Ensure that a UserQuery can only be viewed or edited by admins (#42352).
Patch by Holger Just (user:hjust).
git-svn-id: https://svn.redmine.org/redmine/trunk@23530 e93f8b46-1217-0410-a6f0-8f06a7374b81
Diffstat (limited to 'test')
-rw-r--r-- | test/unit/user_query_test.rb | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/test/unit/user_query_test.rb b/test/unit/user_query_test.rb
index 1f8ce3464..ef31ba2c2 100644
--- a/test/unit/user_query_test.rb
+++ b/test/unit/user_query_test.rb
@@ -209,6 +209,30 @@ class UserQueryTest < ActiveSupport::TestCase
 assert_equal [2, 1], users.pluck(:id)
 end
 
+ def test_user_query_is_only_visible_to_admins
+ q = UserQuery.new(name: '_')
+ assert q.save
+
+ admin = User.admin(true).first
+ user = User.admin(false).first
+
+ assert q.visible?(admin)
+ assert_include q, UserQuery.visible(admin).to_a
+
+ assert_not q.visible?(user)
+ assert_not_include q, UserQuery.visible(user)
+ end
+
+ def test_user_query_is_only_editable_by_admins
+ q = UserQuery.new(name: '_')
+
+ admin = User.admin(true).first
+ user = User.admin(false).first
+
+ assert q.editable_by?(admin)
+ assert_not q.editable_by?(user)
+ end
+
 def find_users_with_query(query)
 User.where(query.statement).to_a
 end |
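Review bot: The negative assertions in both new tests only exercise a query with no owner and the default visibility, so they would still pass if a non-admin could reach a UserQuery through ownership or public visibility. Those are the paths most likely to grant access in a shared Query base class, so it would be worth adding a case such as `q = UserQuery.new(name: '_', user: user, visibility: Query::VISIBILITY_PUBLIC)` followed by `assert_not q.visible?(user)` and `assert_not q.editable_by?(user)`. `User.admin(false).first` also leaves the chosen non-admin to fixture order; naming a specific fixture user, and separately checking `User.anonymous`, would make the intent explicit. The model change these tests cover is not part of this test-only diff, so this is inferred from the test code alone.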