if session[:user]
@user = User.where(:id => session[:user]).where("status IN ('active', 'confirmed', 'suspended')").first
- if @user.display_name != cookies["_osm_username"]
- logger.info "Session user '#{@user.display_name}' does not match cookie user '#{cookies['_osm_username']}'"
- reset_session
- @user = nil
- elsif @user.status == "suspended"
+ if @user.status == "suspended"
session.delete(:user)
session_expires_automatically
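Review bot: `@user.status` is called on the result of `.first`, which is nil when the id held in `session[:user]` no longer matches a user in one of the three listed statuses, so a stale session would raise NoMethodError here unless something outside the hunk guards it. The removed `display_name` comparison had the same exposure, so this is not new, but the status test is now the first use of `@user` and is the natural place to guard it. I would write the test as `if @user && @user.status == "suspended"` and clear the stale id with `session.delete(:user) if @user.nil?` ahead of it. The enclosing method starts and ends outside the hunk, so how a nil `@user` is treated afterwards cannot be checked from here.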
before_filter :authorize_web, :except => [:api_read, :api_details, :api_gpx_files]
before_filter :set_locale, :except => [:api_read, :api_details, :api_gpx_files]
before_filter :require_user, :only => [:account, :go_public, :make_friend, :remove_friend]
+ before_filter :require_self, :only => [:account]
before_filter :check_database_readable, :except => [:login, :api_read, :api_details, :api_gpx_files]
before_filter :check_database_writable, :only => [:new, :account, :confirm, :confirm_email, :lost_password, :reset_password, :go_public, :make_friend, :remove_friend]
before_filter :check_api_readable, :only => [:api_read, :api_details, :api_gpx_files]
token.destroy
session[:user] = user.id
- cookies.permanent["_osm_username"] = user.display_name
redirect_to referer || welcome_path
end
end
token.destroy
session[:user] = @user.id
- cookies.permanent["_osm_username"] = @user.display_name
redirect_to :action => 'account', :display_name => @user.display_name
else
flash[:error] = t 'user.confirm_email.failure'
##
# process a successful login
def successful_login(user)
- cookies.permanent["_osm_username"] = user.display_name
-
session[:user] = user.id
session_expires_after 28.days if session[:remember_me]
if user.save
set_locale
- cookies.permanent["_osm_username"] = user.display_name
-
if user.new_email.blank? or user.new_email == user.email
flash.now[:notice] = t 'user.account.flash update success'
else
end
end
+ ##
+ # require that the user in the URL is the logged in user
+ def require_self
+ if params[:display_name] != @user.display_name
+ render :text => "", :status => :forbidden
+ end
+ end
+
##
# ensure that there is a "this_user" instance variable
def lookup_user_by_id
end
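Review bot: `require_self` answers a mismatch with an empty 403 and writes nothing to the log, whereas the cookie check this commit removes logged every mismatch. A line such as `logger.info "User #{@user.id} refused access to account page for #{params[:display_name].inspect}"` before the render would keep that signal for anyone reviewing attempts to reach another user's account page. The method also reads `@user.display_name` without a nil check, so it is only safe while `require_user` stays ahead of it in the `before_filter` list; a comment on the method saying so would help. `head :forbidden` is the more conventional way to send a bodiless response than `render :text => ""`.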
def test_showing_new_diary_entry
- @request.cookies["_osm_username"] = users(:normal_user).display_name
-
get :new
assert_response :redirect
assert_redirected_to :controller => :user, :action => "login", :referer => "/diary/new"
end
def test_editing_diary_entry
- @request.cookies["_osm_username"] = users(:normal_user).display_name
entry = diary_entries(:normal_user_entry_1)
# Make sure that you are redirected to the login page when you are
end
end
- @request.cookies["_osm_username"] = users(:public_user).display_name
-
# and when not logged in as the user who wrote the entry
get :view, {:display_name => entry.user.display_name, :id => entry.id}, {'user' => entry.user.id}
assert_response :success
end
def test_edit_diary_entry_i18n
- @request.cookies["_osm_username"] = users(:normal_user).display_name
-
get :edit, {:display_name => users(:normal_user).display_name, :id => diary_entries(:normal_user_entry_1).id}, {'user' => users(:normal_user).id}
assert_response :success
assert_select "span[class=translation_missing]", false, "Missing translation in edit diary entry"
end
def test_create_diary_entry
- @request.cookies["_osm_username"] = users(:normal_user).display_name
-
# Make sure that you are redirected to the login page when you
# are not logged in
get :new
end
def test_creating_diary_comment
- @request.cookies["_osm_username"] = users(:public_user).display_name
entry = diary_entries(:normal_user_entry_1)
# Make sure that you are denied when you are not logged in
assert_response :forbidden
assert_equal true, DiaryEntry.find(diary_entries(:normal_user_entry_1).id).visible
- @request.cookies["_osm_username"] = users(:normal_user).display_name
-
# Now try as a normal user
post :hide, {:display_name => users(:normal_user).display_name, :id => diary_entries(:normal_user_entry_1).id}, {:user => users(:normal_user).id}
assert_response :redirect
assert_redirected_to :action => :view, :display_name => users(:normal_user).display_name, :id => diary_entries(:normal_user_entry_1).id
assert_equal true, DiaryEntry.find(diary_entries(:normal_user_entry_1).id).visible
- @request.cookies["_osm_username"] = users(:administrator_user).display_name
-
# Finally try as an administrator
post :hide, {:display_name => users(:normal_user).display_name, :id => diary_entries(:normal_user_entry_1).id}, {:user => users(:administrator_user).id}
assert_response :redirect
assert_response :forbidden
assert_equal true, DiaryComment.find(diary_comments(:comment_for_geo_post).id).visible
- @request.cookies["_osm_username"] = users(:normal_user).display_name
-
# Now try as a normal user
post :hidecomment, {:display_name => users(:normal_user).display_name, :id => diary_entries(:normal_user_geo_entry).id, :comment => diary_comments(:comment_for_geo_post).id}, {:user => users(:normal_user).id}
assert_response :redirect
assert_redirected_to :action => :view, :display_name => users(:normal_user).display_name, :id => diary_entries(:normal_user_geo_entry).id
assert_equal true, DiaryComment.find(diary_comments(:comment_for_geo_post).id).visible
- @request.cookies["_osm_username"] = users(:administrator_user).display_name
-
# Finally try as an administrator
post :hidecomment, {:display_name => users(:normal_user).display_name, :id => diary_entries(:normal_user_geo_entry).id, :comment => diary_comments(:comment_for_geo_post).id}, {:user => users(:administrator_user).id}
assert_response :redirect
# Login as a normal user
session[:user] = users(:normal_user).id
- cookies["_osm_username"] = users(:normal_user).display_name
# Check that the new message page loads
get :new, :display_name => users(:public_user).display_name
# Login as the wrong user
session[:user] = users(:second_public_user).id
- cookies["_osm_username"] = users(:second_public_user).display_name
# Check that we can't reply to somebody else's message
get :reply, :message_id => messages(:unread_message).id
# Login as the right user
session[:user] = users(:public_user).id
- cookies["_osm_username"] = users(:public_user).display_name
# Check that the message reply page loads
get :reply, :message_id => messages(:unread_message).id
# Login as the wrong user
session[:user] = users(:second_public_user).id
- cookies["_osm_username"] = users(:second_public_user).display_name
# Check that we can't read the message
get :read, :message_id => messages(:unread_message).id
# Login as the message sender
session[:user] = users(:normal_user).id
- cookies["_osm_username"] = users(:normal_user).display_name
# Check that the message sender can read the message
get :read, :message_id => messages(:unread_message).id
# Login as the message recipient
session[:user] = users(:public_user).id
- cookies["_osm_username"] = users(:public_user).display_name
# Check that the message recipient can read the message
get :read, :message_id => messages(:unread_message).id
# Login
session[:user] = users(:normal_user).id
- cookies["_osm_username"] = users(:normal_user).display_name
# Check that we can view our inbox when logged in
get :inbox, :display_name => users(:normal_user).display_name
# Login
session[:user] = users(:normal_user).id
- cookies["_osm_username"] = users(:normal_user).display_name
# Check that we can view our outbox when logged in
get :outbox, :display_name => users(:normal_user).display_name
# Login as a user with no messages
session[:user] = users(:second_public_user).id
- cookies["_osm_username"] = users(:second_public_user).display_name
# Check that marking a message we didn't send or receive fails
post :mark, :message_id => messages(:read_message).id
# Login as the message recipient
session[:user] = users(:public_user).id
- cookies["_osm_username"] = users(:public_user).display_name
# Check that the marking a message read works
post :mark, :message_id => messages(:unread_message).id, :mark => "read"
# Login as a user with no messages
session[:user] = users(:second_public_user).id
- cookies["_osm_username"] = users(:second_public_user).display_name
# Check that deleting a message we didn't send or receive fails
post :delete, :message_id => messages(:read_message).id
# Login as the message recipient
session[:user] = users(:normal_user).id
- cookies["_osm_username"] = users(:normal_user).display_name
# Check that the deleting a received message works
post :delete, :message_id => messages(:read_message).id
def test_moderators_can_create
session[:user] = users(:moderator_user).id
- cookies["_osm_username"] = users(:moderator_user).display_name
post :create, :redaction => { :title => "Foo", :description => "Description here." }
assert_response :redirect
def test_non_moderators_cant_create
session[:user] = users(:public_user).id
- cookies["_osm_username"] = users(:public_user).display_name
post :create, :redaction => { :title => "Foo", :description => "Description here." }
assert_response :forbidden
def test_moderators_can_delete_empty
session[:user] = users(:moderator_user).id
- cookies["_osm_username"] = users(:moderator_user).display_name
# remove all elements from the redaction
redaction = redactions(:example)
def test_moderators_cant_delete_nonempty
session[:user] = users(:moderator_user).id
- cookies["_osm_username"] = users(:moderator_user).display_name
# leave elements in the redaction
redaction = redactions(:example)
def test_non_moderators_cant_delete
session[:user] = users(:public_user).id
- cookies["_osm_username"] = users(:public_user).display_name
delete :destroy, :id => redactions(:example).id
assert_response :forbidden
def test_moderators_can_edit
session[:user] = users(:moderator_user).id
- cookies["_osm_username"] = users(:moderator_user).display_name
get :edit, :id => redactions(:example).id
assert_response :success
def test_non_moderators_cant_edit
session[:user] = users(:public_user).id
- cookies["_osm_username"] = users(:public_user).display_name
get :edit, :id => redactions(:example).id
assert_response :redirect
def test_moderators_can_update
session[:user] = users(:moderator_user).id
- cookies["_osm_username"] = users(:moderator_user).display_name
redaction = redactions(:example)
def test_non_moderators_cant_update
session[:user] = users(:public_user).id
- cookies["_osm_username"] = users(:public_user).display_name
redaction = redactions(:example)
# test the right editor gets used when the user hasn't set a preference
def test_edit_without_preference
- @request.cookies["_osm_username"] = users(:public_user).display_name
-
get(:edit, nil, { 'user' => users(:public_user).id })
assert_response :success
assert_template :partial => "_#{DEFAULT_EDITOR}", :count => 1
# and when they have...
def test_edit_with_preference
- @request.cookies["_osm_username"] = users(:public_user).display_name
-
user = users(:public_user)
user.preferred_editor = "potlatch"
user.save!
end
def test_edit_with_node
- @request.cookies["_osm_username"] = users(:public_user).display_name
-
user = users(:public_user)
node = current_nodes(:visible_node)
end
def test_edit_with_way
- @request.cookies["_osm_username"] = users(:public_user).display_name
-
user = users(:public_user)
way = current_ways(:visible_way)
end
def test_edit_with_gpx
- @request.cookies["_osm_username"] = users(:public_user).display_name
-
user = users(:public_user)
gpx = gpx_files(:public_trace_file)
# Check that I can get mine
def test_list_mine
- @request.cookies["_osm_username"] = users(:public_user).display_name
-
# First try to get it when not logged in
get :mine
assert_redirected_to :controller => 'user', :action => 'login', :referer => '/traces/mine'
get :list, :display_name => users(:public_user).display_name
check_trace_list users(:public_user).traces.public
- @request.cookies["_osm_username"] = users(:normal_user).display_name
-
# Should still see only public ones when authenticated as another user
get :list, {:display_name => users(:public_user).display_name}, {:user => users(:normal_user).id}
check_trace_list users(:public_user).traces.public
- @request.cookies["_osm_username"] = users(:public_user).display_name
-
# Should see all traces when authenticated as the target user
get :list, {:display_name => users(:public_user).display_name}, {:user => users(:public_user).id}
check_trace_list users(:public_user).traces
get :view, {:display_name => users(:normal_user).display_name, :id => gpx_files(:public_trace_file).id}
check_trace_view gpx_files(:public_trace_file)
- @request.cookies["_osm_username"] = users(:public_user).display_name
-
# Now with some other user, which should work since the trace is public
get :view, {:display_name => users(:normal_user).display_name, :id => gpx_files(:public_trace_file).id}, {:user => users(:public_user).id}
check_trace_view gpx_files(:public_trace_file)
- @request.cookies["_osm_username"] = users(:normal_user).display_name
-
# And finally we should be able to do it with the owner of the trace
get :view, {:display_name => users(:normal_user).display_name, :id => gpx_files(:public_trace_file).id}, {:user => users(:normal_user).id}
check_trace_view gpx_files(:public_trace_file)
assert_response :redirect
assert_redirected_to :action => :list
- @request.cookies["_osm_username"] = users(:normal_user).display_name
-
# Now with some other user, which should work since the trace is anon
get :view, {:display_name => users(:public_user).display_name, :id => gpx_files(:anon_trace_file).id}, {:user => users(:normal_user).id}
assert_response :redirect
assert_redirected_to :action => :list
- @request.cookies["_osm_username"] = users(:public_user).display_name
-
# And finally we should be able to do it with the owner of the trace
get :view, {:display_name => users(:public_user).display_name, :id => gpx_files(:anon_trace_file).id}, {:user => users(:public_user).id}
check_trace_view gpx_files(:anon_trace_file)
assert_response :redirect
assert_redirected_to :action => :list
- @request.cookies["_osm_username"] = users(:public_user).display_name
-
# Now with some other user, which should work since the trace is public
get :view, {:display_name => users(:public_user).display_name, :id => 0}, {:user => users(:public_user).id}
assert_response :redirect
get :data, {:display_name => users(:normal_user).display_name, :id => gpx_files(:public_trace_file).id}
check_trace_data gpx_files(:public_trace_file)
- @request.cookies["_osm_username"] = users(:public_user).display_name
-
# Now with some other user, which should work since the trace is public
get :data, {:display_name => users(:normal_user).display_name, :id => gpx_files(:public_trace_file).id}, {:user => users(:public_user).id}
check_trace_data gpx_files(:public_trace_file)
- @request.cookies["_osm_username"] = users(:normal_user).display_name
-
# And finally we should be able to do it with the owner of the trace
get :data, {:display_name => users(:normal_user).display_name, :id => gpx_files(:public_trace_file).id}, {:user => users(:normal_user).id}
check_trace_data gpx_files(:public_trace_file)
get :data, {:display_name => users(:public_user).display_name, :id => gpx_files(:anon_trace_file).id}
assert_response :not_found
- @request.cookies["_osm_username"] = users(:normal_user).display_name
-
# Now with some other user, which should work since the trace is anon
get :data, {:display_name => users(:public_user).display_name, :id => gpx_files(:anon_trace_file).id}, {:user => users(:normal_user).id}
assert_response :not_found
- @request.cookies["_osm_username"] = users(:public_user).display_name
-
# And finally we should be able to do it with the owner of the trace
get :data, {:display_name => users(:public_user).display_name, :id => gpx_files(:anon_trace_file).id}, {:user => users(:public_user).id}
check_trace_data gpx_files(:anon_trace_file)
get :data, {:display_name => users(:public_user).display_name, :id => 0}
assert_response :not_found
- @request.cookies["_osm_username"] = users(:public_user).display_name
-
# Now with some other user, which should work since the trace is public
get :data, {:display_name => users(:public_user).display_name, :id => 0}, {:user => users(:public_user).id}
assert_response :not_found
assert_response :redirect
assert_redirected_to :controller => :user, :action => :login, :referer => trace_edit_path(:display_name => users(:normal_user).display_name, :id => gpx_files(:public_trace_file).id)
- @request.cookies["_osm_username"] = users(:public_user).display_name
-
# Now with some other user, which should fail
get :edit, {:display_name => users(:normal_user).display_name, :id => gpx_files(:public_trace_file).id}, {:user => users(:public_user).id}
assert_response :forbidden
get :edit, {:display_name => users(:public_user).display_name, :id => gpx_files(:deleted_trace_file).id}, {:user => users(:public_user).id}
assert_response :not_found
- @request.cookies["_osm_username"] = users(:normal_user).display_name
-
# Finally with a trace that we are allowed to edit
get :edit, {:display_name => users(:normal_user).display_name, :id => gpx_files(:public_trace_file).id}, {:user => users(:normal_user).id}
assert_response :success
post :edit, {:display_name => users(:normal_user).display_name, :id => gpx_files(:public_trace_file).id, :trace => new_details}
assert_response :forbidden
- @request.cookies["_osm_username"] = users(:public_user).display_name
-
# Now with some other user, which should fail
post :edit, {:display_name => users(:normal_user).display_name, :id => gpx_files(:public_trace_file).id, :trace => new_details}, {:user => users(:public_user).id}
assert_response :forbidden
post :edit, {:display_name => users(:public_user).display_name, :id => gpx_files(:deleted_trace_file).id, :trace => new_details}, {:user => users(:public_user).id}
assert_response :not_found
- @request.cookies["_osm_username"] = users(:normal_user).display_name
-
# Finally with a trace that we are allowed to edit
post :edit, {:display_name => users(:normal_user).display_name, :id => gpx_files(:public_trace_file).id, :trace => new_details}, {:user => users(:normal_user).id}
assert_response :redirect
post :delete, {:display_name => users(:normal_user).display_name, :id => gpx_files(:public_trace_file).id,}
assert_response :forbidden
- @request.cookies["_osm_username"] = users(:public_user).display_name
-
# Now with some other user, which should fail
post :delete, {:display_name => users(:normal_user).display_name, :id => gpx_files(:public_trace_file).id}, {:user => users(:public_user).id}
assert_response :forbidden
post :delete, {:display_name => users(:public_user).display_name, :id => gpx_files(:deleted_trace_file).id}, {:user => users(:public_user).id}
assert_response :not_found
- @request.cookies["_osm_username"] = users(:normal_user).display_name
-
# Finally with a trace that we are allowed to delete
post :delete, {:display_name => users(:normal_user).display_name, :id => gpx_files(:public_trace_file).id}, {:user => users(:normal_user).id}
assert_response :redirect
# Login as the blocked user
session[:user] = users(:blocked_user).id
- cookies["_osm_username"] = users(:blocked_user).display_name
# Now viewing it should mark it as seen
get :show, :id => user_blocks(:active_block)
# Login as a normal user
session[:user] = users(:public_user).id
- cookies["_osm_username"] = users(:public_user).display_name
# Check that normal users can't load the block creation page
get :new, :display_name => users(:normal_user).display_name
# Login as a moderator
session[:user] = users(:moderator_user).id
- cookies["_osm_username"] = users(:moderator_user).display_name
# Check that the block creation page loads for moderators
get :new, :display_name => users(:normal_user).display_name
# Login as a normal user
session[:user] = users(:public_user).id
- cookies["_osm_username"] = users(:public_user).display_name
# Check that normal users can't load the block edit page
get :edit, :id => user_blocks(:active_block).id
# Login as a moderator
session[:user] = users(:moderator_user).id
- cookies["_osm_username"] = users(:moderator_user).display_name
# Check that the block edit page loads for moderators
get :edit, :id => user_blocks(:active_block).id
# Login as a normal user
session[:user] = users(:public_user).id
- cookies["_osm_username"] = users(:public_user).display_name
# Check that normal users can't create blocks
post :create
# Login as a moderator
session[:user] = users(:moderator_user).id
- cookies["_osm_username"] = users(:moderator_user).display_name
# A bogus block period should result in an error
assert_no_difference "UserBlock.count" do
# Login as a normal user
session[:user] = users(:public_user).id
- cookies["_osm_username"] = users(:public_user).display_name
# Check that normal users can't update blocks
put :update, :id => user_blocks(:active_block).id
# Login as the wrong moderator
session[:user] = users(:second_moderator_user).id
- cookies["_osm_username"] = users(:second_moderator_user).display_name
# Check that only the person who created a block can update it
assert_no_difference "UserBlock.count" do
# Login as the correct moderator
session[:user] = users(:moderator_user).id
- cookies["_osm_username"] = users(:moderator_user).display_name
# A bogus block period should result in an error
assert_no_difference "UserBlock.count" do
# Login as a normal user
session[:user] = users(:public_user).id
- cookies["_osm_username"] = users(:public_user).display_name
# Check that normal users can't load the block revoke page
get :revoke, :id => user_blocks(:active_block).id
# Login as a moderator
session[:user] = users(:moderator_user).id
- cookies["_osm_username"] = users(:moderator_user).display_name
# Check that the block revoke page loads for moderators
get :revoke, :id => user_blocks(:active_block).id
def test_user_terms_seen
user = users(:normal_user)
- # Set the username cookie
- @request.cookies["_osm_username"] = user.display_name
-
get :terms, {}, { "user" => user }
assert_response :redirect
assert_redirected_to :action => :account, :display_name => user.display_name
end
def test_user_go_public
- @request.cookies["_osm_username"] = users(:normal_user).display_name
-
post :go_public, {}, { :user => users(:normal_user) }
assert_response :redirect
assert_redirected_to :action => :account, :display_name => users(:normal_user).display_name
# validation errors being reported
user = users(:normal_user)
- # Set the username cookie
- @request.cookies["_osm_username"] = user.display_name
-
# Make sure that you are redirected to the login page when
# you are not logged in
get :account, { :display_name => user.display_name }
assert_response :redirect
assert_redirected_to :controller => :user, :action => "login", :referer => "/user/test/account"
- # Make sure that you are redirected to the login page when
- # you are not logged in as the right user
+ # Make sure that you are blocked when not logged in as the right user
get :account, { :display_name => user.display_name }, { "user" => users(:public_user).id }
- assert_response :redirect
- assert_redirected_to :controller => :user, :action => "login", :referer => "/user/test/account"
+ assert_response :forbidden
# Make sure we get the page when we are logged in as the right user
get :account, { :display_name => user.display_name }, { "user" => user }
assert_select "form#accountForm > fieldset > div.form-row > div#user_description_container > div#user_description_content > textarea#user_description", user.description
# Changing name to one that exists should fail
- user.display_name = users(:public_user).display_name
- post :account, { :display_name => user.display_name, :user => user.attributes }, { "user" => user.id }
+ new_attributes = user.attributes.dup.merge(:display_name => users(:public_user).display_name)
+ post :account, { :display_name => user.display_name, :user => new_attributes }, { "user" => user.id }
assert_response :success
assert_template :account
assert_select "div#notice", false
assert_select "form#accountForm > fieldset > div.form-row > div.field_with_errors > input#user_display_name"
# Changing name to one that exists should fail, regardless of case
- user.display_name = users(:public_user).display_name.upcase
- post :account, { :display_name => user.display_name, :user => user.attributes }, { "user" => user.id }
+ new_attributes = user.attributes.dup.merge(:display_name => users(:public_user).display_name.upcase)
+ post :account, { :display_name => user.display_name, :user => new_attributes }, { "user" => user.id }
assert_response :success
assert_template :account
assert_select "div#notice", false
assert_select "form#accountForm > fieldset > div.form-row > div.field_with_errors > input#user_display_name"
# Changing name to one that doesn't exist should work
- user.display_name = "new tester"
- post :account, { :display_name => user.display_name, :user => user.attributes }, { "user" => user.id }
+ new_attributes = user.attributes.dup.merge(:display_name => "new tester")
+ post :account, { :display_name => user.display_name, :user => new_attributes }, { "user" => user.id }
assert_response :success
assert_template :account
assert_select "div#errorExplanation", false
assert_select "div#notice", /^User information updated successfully/
- assert_select "form#accountForm > fieldset > div.form-row > input#user_display_name[value=?]", user.display_name
+ assert_select "form#accountForm > fieldset > div.form-row > input#user_display_name[value=?]", "new tester"
- # Need to update cookies now to stay valid
- @request.cookies["_osm_username"] = user.display_name
+ # Record the change of name
+ user.display_name = "new tester"
# Changing email to one that exists should fail
user.new_email = users(:public_user).email
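Review bot: `user.attributes` returns a hash keyed by strings, so `merge(:display_name => ...)` on the three `new_attributes` lines leaves both a `"display_name"` and a `:display_name` entry in the posted params. The test then presumably passes only if the symbol entry wins when the params are normalised. Merging with the string key, for example `user.attributes.merge("display_name" => "new tester")`, removes the ambiguity, and the `.dup` can go because `merge` already returns a new hash. The test method starts and ends outside the hunk.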
# Login as a normal user
session[:user] = users(:normal_user).id
- cookies["_osm_username"] = users(:normal_user).display_name
# Test the normal user
get :view, {:display_name => "test"}
# Login as a moderator
session[:user] = users(:moderator_user).id
- cookies["_osm_username"] = users(:moderator_user).display_name
# Test the normal user
get :view, {:display_name => "test"}
# Check that the users aren't already friends
assert_nil Friend.where(:user_id => user.id, :friend_user_id => friend.id).first
- # Set the username cookie
- @request.cookies["_osm_username"] = user.display_name
-
# When not logged in a GET should ask us to login
get :make_friend, {:display_name => friend.display_name}
assert_redirected_to :controller => :user, :action => "login", :referer => make_friend_path(:display_name => friend.display_name)
# Check that the users are friends
assert Friend.where(:user_id => user.id, :friend_user_id => friend.id).first
- # Set the username cookie
- @request.cookies["_osm_username"] = user.display_name
-
# When not logged in a GET should ask us to login
get :remove_friend, {:display_name => friend.display_name}
assert_redirected_to :controller => :user, :action => "login", :referer => remove_friend_path(:display_name => friend.display_name)
assert_response :redirect
assert_redirected_to :action => :login, :referer => set_status_user_path(:status => "suspended")
- @request.cookies["_osm_username"] = users(:normal_user).display_name
-
# Now try as a normal user
get :set_status, {:display_name => users(:normal_user).display_name, :status => "suspended"}, {:user => users(:normal_user).id}
assert_response :redirect
assert_redirected_to :action => :view, :display_name => users(:normal_user).display_name
- @request.cookies["_osm_username"] = users(:administrator_user).display_name
-
# Finally try as an administrator
get :set_status, {:display_name => users(:normal_user).display_name, :status => "suspended"}, {:user => users(:administrator_user).id}
assert_response :redirect
assert_response :redirect
assert_redirected_to :action => :login, :referer => delete_user_path(:status => "suspended")
- @request.cookies["_osm_username"] = users(:normal_user).display_name
-
# Now try as a normal user
get :delete, {:display_name => users(:normal_user).display_name, :status => "suspended"}, {:user => users(:normal_user).id}
assert_response :redirect
assert_redirected_to :action => :view, :display_name => users(:normal_user).display_name
- @request.cookies["_osm_username"] = users(:administrator_user).display_name
-
# Finally try as an administrator
get :delete, {:display_name => users(:normal_user).display_name, :status => "suspended"}, {:user => users(:administrator_user).id}
assert_response :redirect
# Login as an unprivileged user
session[:user] = users(:public_user).id
- cookies["_osm_username"] = users(:public_user).display_name
# Granting should still fail
post :grant, :display_name => users(:normal_user).display_name, :role => "moderator"
# Login as an administrator
session[:user] = users(:administrator_user).id
- cookies["_osm_username"] = users(:administrator_user).display_name
UserRole::ALL_ROLES.each do |role|
# Login as an unprivileged user
session[:user] = users(:public_user).id
- cookies["_osm_username"] = users(:public_user).display_name
# Revoking should still fail
post :revoke, :display_name => users(:normal_user).display_name, :role => "moderator"
# Login as an administrator
session[:user] = users(:administrator_user).id
- cookies["_osm_username"] = users(:administrator_user).display_name
UserRole::ALL_ROLES.each do |role|