diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 2a213f5..c7f9dcf 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -19,8 +19,8 @@ class UsersController < ApplicationController
layout 'admin'
before_filter :require_admin, :except => :show
- before_filter :find_user, :only => [:show, :edit, :update, :edit_membership, :destroy_membership]
- accept_key_auth :index, :show, :create, :update
+ before_filter :find_user, :only => [:show, :edit, :update, :destroy, :edit_membership, :destroy_membership]
+ accept_key_auth :index, :show, :create, :update, :destroy
helper :sort
include SortHelper
@@ -177,6 +177,15 @@ class UsersController < ApplicationController
redirect_to :controller => 'users', :action => 'edit', :id => @user
end
+ verify :method => :delete, :only => :destroy, :render => {:nothing => true, :status => :method_not_allowed }
+ def destroy
+ @user.destroy
+ respond_to do |format|
+ format.html { redirect_to(users_url) }
+ format.api { head :ok }
+ end
+ end
+
def edit_membership
@membership = Member.edit_membership(params[:membership_id], params[:membership], @user)
@membership.save if request.post?
diff --git a/app/views/users/edit.rhtml b/app/views/users/edit.rhtml
index 0d9cb01..0c5883e 100644
--- a/app/views/users/edit.rhtml
+++ b/app/views/users/edit.rhtml
@@ -1,6 +1,7 @@
<%= link_to l(:label_profile), user_path(@user), :class => 'icon icon-user' %>
<%= change_status_link(@user) %>
+<%= link_to(l(:button_delete), @user, :confirm => l(:text_are_you_sure), :method => :delete, :class => 'icon icon-del') if User.current != @user %>
<%= link_to l(:label_user_plural), :controller => 'users', :action => 'index' %> » <%=h @user.login %>
diff --git a/app/views/users/index.rhtml b/app/views/users/index.rhtml
index 69ad737..0730826 100644
--- a/app/views/users/index.rhtml
+++ b/app/views/users/index.rhtml
@@ -37,7 +37,10 @@
<%= checked_image user.admin? %> |
<%= format_time(user.created_on) %> |
<%= format_time(user.last_login_on) unless user.last_login_on.nil? %> |
- <%= change_status_link(user) %> |
+
+ <%= change_status_link(user) %>
+ <%= link_to(l(:button_delete), user, :confirm => l(:text_are_you_sure), :method => :delete, :class => 'icon icon-del') unless User.current == user %>
+ |
<% end -%>
diff --git a/config/routes.rb b/config/routes.rb
index 3b37b51..383d9cf 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -122,8 +122,7 @@ ActionController::Routing::Routes.draw do |map|
map.resources :users, :member => {
:edit_membership => :post,
:destroy_membership => :post
- },
- :except => [:destroy]
+ }
# For nice "roadmap" in the url for the index action
map.connect 'projects/:project_id/roadmap', :controller => 'versions', :action => 'index'
diff --git a/test/functional/users_controller_test.rb b/test/functional/users_controller_test.rb
index 8aa311e..6837dea 100644
--- a/test/functional/users_controller_test.rb
+++ b/test/functional/users_controller_test.rb
@@ -264,6 +264,30 @@ class UsersControllerTest < ActionController::TestCase
assert u.check_password?('newpass')
end
+ def test_destroy
+ assert_difference 'User.count', -1 do
+ delete :destroy, :id => 2
+ end
+ assert_redirected_to '/users'
+ assert_nil User.find_by_id(2)
+ end
+
+ def test_destroy_should_not_accept_get_requests
+ assert_no_difference 'User.count' do
+ get :destroy, :id => 2
+ end
+ assert_response 405
+ end
+
+ def test_destroy_should_be_denied_for_non_admin_users
+ @request.session[:user_id] = 3
+
+ assert_no_difference 'User.count' do
+ get :destroy, :id => 2
+ end
+ assert_response 403
+ end
+
def test_edit_membership
post :edit_membership, :id => 2, :membership_id => 1,
:membership => { :role_ids => [2]}
diff --git a/test/integration/api_test/users_test.rb b/test/integration/api_test/users_test.rb
index e1eb7a2..00dc4cc 100644
--- a/test/integration/api_test/users_test.rb
+++ b/test/integration/api_test/users_test.rb
@@ -245,26 +245,36 @@ class ApiTest::UsersTest < ActionController::IntegrationTest
end
end
end
+ end
- context "DELETE /users/2" do
- context ".xml" do
- should "not be allowed" do
- assert_no_difference('User.count') do
- delete '/users/2.xml'
- end
-
- assert_response :method_not_allowed
+ context "DELETE /users/2" do
+ context ".xml" do
+ should_allow_api_authentication(:delete,
+ '/users/2.xml',
+ {},
+ {:success_code => :ok})
+
+ should "delete user" do
+ assert_difference('User.count', -1) do
+ delete '/users/2.xml', {}, :authorization => credentials('admin')
end
+
+ assert_response :ok
end
-
- context ".json" do
- should "not be allowed" do
- assert_no_difference('User.count') do
- delete '/users/2.json'
- end
+ end
+
+ context ".json" do
+ should_allow_api_authentication(:delete,
+ '/users/2.xml',
+ {},
+ {:success_code => :ok})
- assert_response :method_not_allowed
+ should "delete user" do
+ assert_difference('User.count', -1) do
+ delete '/users/2.json', {}, :authorization => credentials('admin')
end
+
+ assert_response :ok
end
end
end
diff --git a/test/integration/routing_test.rb b/test/integration/routing_test.rb
index 4b18e31..1198081 100644
--- a/test/integration/routing_test.rb
+++ b/test/integration/routing_test.rb
@@ -302,6 +302,9 @@ class RoutingTest < ActionController::IntegrationTest
should_route :put, "/users/444", :controller => 'users', :action => 'update', :id => '444'
should_route :put, "/users/444.xml", :controller => 'users', :action => 'update', :id => '444', :format => 'xml'
+
+ should_route :delete, "/users/44", :controller => 'users', :action => 'destroy', :id => '44'
+ should_route :delete, "/users/44.xml", :controller => 'users', :action => 'destroy', :id => '44', :format => 'xml'
end
# TODO: should they all be scoped under /projects/:project_id ?