Commit 8566b218 authored by jplang's avatar jplang

Deny edit/update/delete for anonymous user (#25483).

Patch by Holger Just.

git-svn-id: https://svn.redmine.org/redmine/trunk@16464 e93f8b46-1217-0410-a6f0-8f06a7374b81
parent 2535949f
......@@ -20,7 +20,8 @@ class UsersController < ApplicationController
self.main_menu = false
before_action :require_admin, :except => :show
before_action :find_user, :only => [:show, :edit, :update, :destroy]
before_action ->{ find_user(false) }, :only => :show
before_action :find_user, :only => [:edit, :update, :destroy]
accept_api_auth :index, :show, :create, :update, :destroy
helper :sort
......@@ -174,10 +175,12 @@ class UsersController < ApplicationController
private
def find_user
def find_user(logged = true)
if params[:id] == 'current'
require_login || return
@user = User.current
elsif logged
@user = User.logged.find(params[:id])
else
@user = User.find(params[:id])
end
......
<div class="contextual">
<%= link_to(l(:button_edit), edit_user_path(@user), :class => 'icon icon-edit') if User.current.admin? %>
<%= link_to(l(:button_edit), edit_user_path(@user), :class => 'icon icon-edit') if User.current.admin? && @user.logged? %>
</div>
<h2><%= avatar @user, :size => "50" %> <%= @user.name %></h2>
......
......@@ -342,6 +342,12 @@ class UsersControllerTest < Redmine::ControllerTest
assert_select 'a', :text => 'Activate'
end
def test_edit_should_be_denied_for_anonymous
assert User.find(6).anonymous?
get :edit, :params => {:id => 6}
assert_response 404
end
def test_update
ActionMailer::Base.deliveries.clear
put :update, :params => {
......@@ -593,6 +599,12 @@ class UsersControllerTest < Redmine::ControllerTest
assert_nil ActionMailer::Base.deliveries.last
end
def test_update_should_be_denied_for_anonymous
assert User.find(6).anonymous?
put :update, :params => {:id => 6}
assert_response 404
end
def test_destroy
assert_difference 'User.count', -1 do
delete :destroy, :params => {:id => 2}
......@@ -610,6 +622,14 @@ class UsersControllerTest < Redmine::ControllerTest
assert_response 403
end
def test_destroy_should_be_denied_for_anonymous
assert User.find(6).anonymous?
assert_no_difference 'User.count' do
put :destroy, :params => {:id => 6}
end
assert_response 404
end
def test_destroy_should_redirect_to_back_url_param
assert_difference 'User.count', -1 do
delete :destroy, :params => {:id => 2, :back_url => '/users?name=foo'}
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment