FIX: allow impersonation of system accounts

mozilla · Apr 11, 2019 · c4221c5 · c4221c5
1 parent 652d284
commit c4221c5
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 1 deletion.
diff --git a/lib/mozilla_iam/application_extensions.rb b/lib/mozilla_iam/application_extensions.rb
@@ -3,6 +3,7 @@ module ApplicationExtensions
     def check_iam_session
       begin
         return unless current_user
+        return if current_user.id < 0
 
         last_refresh = session[:mozilla_iam].try(:[], :last_refresh)
         no_refresh = session[:mozilla_iam].try(:[], :no_refresh)

diff --git a/plugin.rb b/plugin.rb
@@ -1,6 +1,6 @@
 # name: mozilla-iam
 # about: A plugin to integrate Discourse with Mozilla's Identity and Access Management (IAM) system
-# version: 1.1.3
+# version: 1.1.4
 # authors: Leo McArdle
 # url: https://github.com/mozilla/discourse-mozilla-iam
 

diff --git a/spec/controllers/application_controller_spec.rb b/spec/controllers/application_controller_spec.rb
@@ -167,5 +167,20 @@
         expect(session['current_user_id']).to be_nil
       end
     end
+
+    context "with system user" do
+      let(:user) { User.find(-1) }
+      before do
+        authenticate_user(user)
+        log_in_user(user)
+      end
+
+      it "does nothing" do
+        MozillaIAM::Profile.expects(:for).never
+        MozillaIAM::Profile.expects(:refresh).never
+
+        get :show, params: { id: 666 }, format: :json
+      end
+    end
   end
 end