Commit a3f46c1e85203cfb8cdf8f630bf0bcabc767e4d6
Merge branch 'fix_plugin_admin' into 'master'
Fix access to plugin administration pages. Users can access plugin administration pages (e.g. /admin/plugin/vote) even if they are not environment administrators. This MR creates a new base controller for plugins that, by default, protects these pages against improper access. See merge request !417
Showing
8 changed files
with
36 additions
and
6 deletions
plugins/anti_spam/controllers/anti_spam_plugin_admin_controller.rb
plugins/foo/controllers/admin/foo_plugin_admin_bar_controller.rb
plugins/ldap/controllers/ldap_plugin_admin_controller.rb
plugins/piwik/controllers/piwik_plugin_admin_controller.rb
plugins/vote/controllers/vote_plugin_admin_controller.rb
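--- a/plugins/vote/test/functional/vote_plugin_admin_controller_test.rb
+++ b/plugins/vote/test/functional/vote_plugin_admin_controller_test.rb
@@ -8,7 +8,7 @@ class VotePluginAdminControllerTest < ActionController::TestCase
 
   def setup
     @environment = Environment.default
-    @profile = create_user('profile').person
+    @profile = create_user_with_permission('profile', 'edit_environment_features', Environment.default)
     login_as(@profile.identifier)
   end
 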
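Review bot: Only the positive path is covered here: setup now logs in a user holding edit_environment_features, so the existing tests prove a permitted admin still reaches the page, but nothing in this file proves VotePluginAdminController actually inherits the new base controller's check — if its superclass were reverted, every test here would still pass. The generic PluginAdminControllerTest only exercises a stub index action on the base class, so a negative case in this file (plain user, expect 403) is what pins the vote plugin itself. Minor style point: @environment is assigned on the line above, so the new line can pass it instead of repeating the lookup, `@profile = create_user_with_permission('profile', 'edit_environment_features', @environment)`. The setup method ends inside the hunk, but the enclosing test class starts before it and continues past it.
```ruby
  # … unchanged: setup …

  should 'forbid a logged-in user without edit_environment_features' do
    create_user('nobody')
    login_as('nobody')
    get :index
    assert_response :forbidden
  end
```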
... | ... | @@ -0,0 +1,25 @@ |
1 | +require File.dirname(__FILE__) + '/../test_helper' | |
2 | + | |
3 | +class PluginAdminController | |
4 | + def index | |
5 | + render :text => 'ok' | |
6 | + end | |
7 | +end | |
8 | + | |
9 | +class PluginAdminControllerTest < ActionController::TestCase | |
10 | + | |
11 | + should 'allow user with the required permission to access plugin administration page' do | |
12 | + create_user_with_permission('testuser', 'edit_environment_features', Environment.default) | |
13 | + login_as('testuser') | |
14 | + get :index | |
15 | + assert_response :success | |
16 | + end | |
17 | + | |
18 | + should 'forbid access to users that did not have the required permission' do | |
19 | + create_user('testuser') | |
20 | + login_as('testuser') | |
21 | + get :index | |
22 | + assert_response :forbidden | |
23 | + end | |
24 | + | |
25 | +end | ... | ... |
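Review bot: The anonymous path is untested: both cases on lines 11-23 call login_as first, so a visitor with no session never reaches the base controller's filter here, and whether that filter answers 403 or redirects to login is not pinned by this file. Add a third case that issues `get :index` without logging in and asserts the expected outcome; I would expect :forbidden to match the second test, but that has to be confirmed against PluginAdminController, which is not in this hunk. Separately, `class PluginAdminController` on line 3 is written without a superclass: if the real controller has not been autoloaded by the time this file is parsed, that statement defines a fresh Object subclass instead of reopening the base controller and `render` is undefined, so the test would depend on load order — referencing the constant first, e.g. `PluginAdminController.class_eval do … end`, or requiring the controller file explicitly avoids that.
```ruby
  should 'deny access to anonymous visitors' do
    get :index
    assert_response :forbidden # confirm against PluginAdminController's unauthenticated behaviour
  end
```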