diff --git a/plugins/sub_organizations/controllers/sub_organizations_plugin_myprofile_controller.rb b/plugins/sub_organizations/controllers/sub_organizations_plugin_myprofile_controller.rb
index 75d1a9a..9d5100f 100644
--- a/plugins/sub_organizations/controllers/sub_organizations_plugin_myprofile_controller.rb
+++ b/plugins/sub_organizations/controllers/sub_organizations_plugin_myprofile_controller.rb
@@ -2,6 +2,7 @@ class SubOrganizationsPluginMyprofileController < MyProfileController
   append_view_path File.join(File.dirname(__FILE__) + '/../views')
 
   before_filter :organizations_only
+  protect 'edit_profile', :profile
 
   def index
     @children = SubOrganizationsPlugin::Relation.children(profile)
diff --git a/plugins/sub_organizations/test/functional/sub_organizations_plugin_myprofile_controller_test.rb b/plugins/sub_organizations/test/functional/sub_organizations_plugin_myprofile_controller_test.rb
index 0b7bfdd..46bb609 100644
--- a/plugins/sub_organizations/test/functional/sub_organizations_plugin_myprofile_controller_test.rb
+++ b/plugins/sub_organizations/test/functional/sub_organizations_plugin_myprofile_controller_test.rb
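Review bot: The new `protect 'edit_profile', :profile` line is a controller-wide authorization rule yet carries no comment saying why that particular permission gates every action here, so a later maintainer may relax it per-action without understanding the intent; I would add above it `# Every action here adds or removes sub-organizations of the profile, so require the same permission as editing the profile itself.` Since it is declared after `before_filter :organizations_only`, the permission check runs second, which is fine while that filter only rejects non-organization profiles, but that ordering dependency is worth a word in the same comment. The test hunk below exercises `index` and `search_organization`; any other actions in this controller are outside the hunk, so I cannot confirm from here that they are all meant to be covered by the same rule. The class body continues past the end of the hunk.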
@@ -86,4 +86,28 @@ class SubOrganizationsPluginMyprofileControllerTest < ActionController::TestCase
     assert_includes SubOrganizationsPlugin::Relation.children(organization), org2
   end
 
+  should 'not access index if dont have permission' do
+    member = create_user('member').person
+    organization.add_member(member)
+
+    login_as(member.identifier)
+    get :index, :profile => organization.identifier
+
+    assert_response 403
+    assert_template 'access_denied.rhtml'
+  end
+
+  should 'not search organizations if dont have permission' do
+    member = create_user('member').person
+    organization.add_member(member)
+
+    login_as(member.identifier)
+
+    org1 = fast_create(Organization, :name => 'sample organization 1')
+    get :search_organization, :profile => organization.identifier, :q => 'sampl'
+
+    assert_response 403
+    assert_template 'access_denied.rhtml'
+  end
+
 end
-- libgit2 0.21.2
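Review bot: In the second new test `org1` is assigned but never used, so the test proves only the status code and template, not that a denied caller receives no search results; either drop the `fast_create` or make it earn its place with `assert_no_match /sample organization 1/, @response.body` after the template assertion. Both tests repeat the same three lines of setup (create a person, add it as a plain member, log in); a small private helper such as `login_as_plain_member` would keep the denial tests readable as the controller grows more actions. Note also that these tests cover only a logged-in member without the permission, and inferring from the filter order in the controller hunk, an anonymous request would likely take a different path; a case for that would pin the behaviour. The test class starts outside the hunk.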