ENH: refs #340 #444. Add a test for admin setting fuctionality
1 parent b899bfd commit fb39c40


2 files changed

+100
-2
lines changed


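--- a/core/controllers/UserController.php
+++ b/core/controllers/UserController.php
@@ -461,7 +461,8 @@ public function settingsAction()
 $userDao->setPrivacy($privacy);
 if($this->userSession->Dao->isAdmin() && $this->userSession->Dao->getKey() != $userDao->getKey())
 {
-$userDao->setAdmin((bool)$this->_getParam('adminStatus'));
+$adminStatus = (bool)$this->_getParam('adminStatus');
+$userDao->setAdmin($adminStatus ? 1 : 0);
 }
 $this->User->save($userDao);
 if(!isset($userId))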
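Review bot: The new `$adminStatus ? 1 : 0` line replaces the `(bool)` the old line passed straight to setAdmin() without saying why, so a reader cannot tell whether setAdmin() rejects booleans or the backing column is an integer; a short comment such as `// normalise the checkbox value to a 0/1 integer flag — confirm against setAdmin()/column type` would record the intent. The surrounding guard compares the two user keys with `!=`; if both keys are ints a strict `!==` is safer, but if one side arrives as a string the loose form may be deliberate, so it is worth checking rather than changing blindly. Because an absent adminStatus parameter is treated like an unchecked box (which is how browsers submit unchecked checkboxes), any admin-submitted form that omits the field clears the target user's admin flag, which is presumably intended but should be stated. settingsAction starts and ends outside this hunk.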

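--- a/core/tests/controllers/UserControllerTest.php
+++ b/core/tests/controllers/UserControllerTest.php
@@ -143,8 +143,17 @@ public function testSettingsAction()
 
 $usersFile = $this->loadData('User', 'default');
 $userDao = $this->User->load($usersFile[0]->getKey());
-$this->dispatchUrI("/user/settings", $userDao);
+$user2Dao = $this->User->load($usersFile[1]->getKey());
+$adminDao = $this->User->load($usersFile[2]->getKey());
 
+// Non admin user should not be able to edit other user's profiles
+$this->resetAll();
+$this->dispatchUrI('/user/settings?userId='.$adminDao->getKey(), $userDao, true);
+$this->resetAll();
+$this->dispatchUrI('/user/settings?userId='.$user2Dao->getKey(), $userDao, true);
+
+$this->resetAll();
+$this->dispatchUrI("/user/settings", $userDao);
 $this->assertQuery("div#tabsSettings");
 $this->assertQuery("li.settingsCommunityList");
 
@@ -393,4 +402,92 @@ public function testDeleteSelfAction()
 }
 $this->assertTrue($revisionNotDeleted, 'At least one revision should not have been deleted');
 }
+
+/** Test setting the admin status of users */
+public function testSetAdminStatus()
+{
+$usersFile = $this->loadData('User', 'default');
+$user1 = $this->User->load($usersFile[0]->getKey());
+$adminUser = $this->User->load($usersFile[2]->getKey());
+
+$this->assertFalse($user1->isAdmin());
+$this->assertTrue($adminUser->isAdmin());
+
+// Admin checkbox should be visible for an admin on his own view, it should be checked and disabled
+$this->resetAll();
+$this->dispatchUrI('/user/settings', $adminUser);
+$this->assertQuery('input[type="checkbox"][name="adminStatus"][checked="checked"][disabled="disabled"]');
+
+// Admin checkbox should be visible for an admin on user 1's view, it should be unchecked and enabled
+$this->resetAll();
+$this->dispatchUrI('/user/settings?userId='.$user1->getKey(), $adminUser);
+$this->assertQuery('input[type="checkbox"][name="adminStatus"]');
+$this->assertNotQuery('input[type="checkbox"][name="adminStatus"][checked="checked"]');
+$this->assertNotQuery('input[type="checkbox"][name="adminStatus"][disabled="disabled"]');
+
+// Admin checkbox should not be visible on user 1's setting page at all
+$this->resetAll();
+$this->dispatchUrI('/user/settings?userId='.$user1->getKey(), $user1);
+$this->assertNotQuery('input[type="checkbox"][name="adminStatus"]');
+
+// If non admin user attempts to maliciously become admin, make sure we ignore it.
+$this->resetAll();
+$this->params = array();
+$this->params['firstname'] = 'First Name';
+$this->params['lastname'] = 'Last Name';
+$this->params['company'] = 'Company';
+$this->params['privacy'] = MIDAS_USER_PRIVATE;
+$this->params['adminStatus'] = 'on';
+$this->params['modifyAccount'] = 'true';
+$this->request->setMethod('POST');
+$this->dispatchUrI('/user/settings', $user1);
+
+$user1 = $this->User->load($user1->getKey());
+$this->assertFalse($user1->isAdmin());
+
+// Admin user should be allowed to set user 1 as admin
+$this->resetAll();
+$this->params = array();
+$this->params['firstname'] = 'First Name';
+$this->params['lastname'] = 'Last Name';
+$this->params['company'] = 'Company';
+$this->params['privacy'] = MIDAS_USER_PRIVATE;
+$this->params['adminStatus'] = 'on';
+$this->params['modifyAccount'] = 'true';
+$this->request->setMethod('POST');
+$this->dispatchUrI('/user/settings?userId='.$user1->getKey(), $adminUser);
+
+$user1 = $this->User->load($user1->getKey());
+$this->assertTrue($user1->isAdmin());
+
+// Admin user should be able to unset another admin user's status
+$this->resetAll();
+$this->params = array();
+$this->params['firstname'] = 'First Name';
+$this->params['lastname'] = 'Last Name';
+$this->params['company'] = 'Company';
+$this->params['privacy'] = MIDAS_USER_PRIVATE;
+$this->params['adminStatus'] = '';
+$this->params['modifyAccount'] = 'true';
+$this->request->setMethod('POST');
+$this->dispatchUrI('/user/settings?userId='.$user1->getKey(), $adminUser);
+
+$user1 = $this->User->load($user1->getKey());
+$this->assertFalse($user1->isAdmin());
+
+// But an admin should not be able to remove their own admin status
+$this->resetAll();
+$this->params = array();
+$this->params['firstname'] = 'First Name';
+$this->params['lastname'] = 'Last Name';
+$this->params['company'] = 'Company';
+$this->params['privacy'] = MIDAS_USER_PRIVATE;
+$this->params['adminStatus'] = '';
+$this->params['modifyAccount'] = 'true';
+$this->request->setMethod('POST');
+$this->dispatchUrI('/user/settings?userId='.$adminUser->getKey(), $adminUser);
+
+$adminUser = $this->User->load($adminUser->getKey());
+$this->assertTrue($adminUser->isAdmin());
+}
 }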
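Review bot: The four POST blocks in testSetAdminStatus are identical apart from the adminStatus value, the target userId and the acting user, so a private helper that fills `$this->params`, sets the method and dispatches would make each scenario read as one line and keep future form fields in a single place. The only negative POST case is a non-admin submitting to their own page; a POST to `/user/settings?userId=<other>` with `adminStatus=on` as $user1, dispatched with the same third argument the GET cases in the first hunk use, would also pin the authorization path for the setAdmin branch. Whether that third argument asserts a specific exception type is not visible here, so the existing GET denials may pass on any failure.
```php
/** Submit the settings form as $actingUser; $userId null means the acting user's own page */
private function postSettings($adminStatus, $actingUser, $userId = null)
{
    $this->resetAll();
    $this->params = array();
    $this->params['firstname'] = 'First Name';
    $this->params['lastname'] = 'Last Name';
    $this->params['company'] = 'Company';
    $this->params['privacy'] = MIDAS_USER_PRIVATE;
    $this->params['adminStatus'] = $adminStatus;
    $this->params['modifyAccount'] = 'true';
    $this->request->setMethod('POST');
    $url = $userId === null ? '/user/settings' : '/user/settings?userId='.$userId;
    $this->dispatchUrI($url, $actingUser);
}

// … unchanged: checkbox visibility assertions …
$this->postSettings('on', $user1);
$user1 = $this->User->load($user1->getKey());
$this->assertFalse($user1->isAdmin());
// … remaining scenarios call postSettings() the same way …
```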
