From 3e787f7e7d0a013376735dbe2b60054166a61499 Mon Sep 17 00:00:00 2001
From: Jean-Philippe Lang
Date: Mon, 3 Apr 2017 12:59:55 +0000
Subject: Deny edit/update/delete for anonymous user (#25483). Patch by Holger Just.
git-svn-id: http://svn.redmine.org/redmine/trunk@16464 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
test/functional/users_controller_test.rb | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
(limited to 'test/functional/users_controller_test.rb')
diff --git a/test/functional/users_controller_test.rb b/test/functional/users_controller_test.rb
index 0dbd12a81..49d69f84a 100644
--- a/test/functional/users_controller_test.rb
+++ b/test/functional/users_controller_test.rb
@@ -342,6 +342,12 @@ class UsersControllerTest < Redmine::ControllerTest
 assert_select 'a', :text => 'Activate'
 end
 
+ def test_edit_should_be_denied_for_anonymous
+ assert User.find(6).anonymous?
+ get :edit, :params => {:id => 6}
+ assert_response 404
+ end
+
 def test_update
 ActionMailer::Base.deliveries.clear
 put :update, :params => {
@@ -593,6 +599,12 @@ class UsersControllerTest < Redmine::ControllerTest
 assert_nil ActionMailer::Base.deliveries.last
 end
 
+ def test_update_should_be_denied_for_anonymous
+ assert User.find(6).anonymous?
+ put :update, :params => {:id => 6}
+ assert_response 404
+ end
+
 def test_destroy
 assert_difference 'User.count', -1 do
 delete :destroy, :params => {:id => 2}
@@ -610,6 +622,14 @@ class UsersControllerTest < Redmine::ControllerTest
 assert_response 403
 end
 
+ def test_destroy_should_be_denied_for_anonymous
+ assert User.find(6).anonymous?
+ assert_no_difference 'User.count' do
+ put :destroy, :params => {:id => 6}
+ end
+ assert_response 404
+ end
+
 def test_destroy_should_redirect_to_back_url_param
 assert_difference 'User.count', -1 do
 delete :destroy, :params => {:id => 2, :back_url => '/users?name=foo'}
-- cgit v1.2.3
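Review bot: In the third hunk, `test_destroy_should_be_denied_for_anonymous` sends the request with `put :destroy`, while both destroy tests visible as context in this diff use `delete :destroy`. The line looks copied from the update test and should read `delete :destroy, :params => {:id => 6}`, so the denial is checked with the same verb the other destroy tests use. As written it presumably still reaches the action in a functional test, but it would not catch a guard or route constraint that only applies to DELETE requests. This view is limited to the test file, so how the controller produces the 404 for the anonymous user cannot be confirmed here.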