jro_apps/redmine Commit - r4119:e59c927ee52d

Fixed: User#allowed_to? returning true in any case if array of projects had only one item (#5332)...

Jean-Baptiste Barth -

r4119:e59c927ee52d

parent child

Context file:

r4119:e59c927ee52d

Collapse all files

app/models/user.rb +4 -2

             # Redmine - project management software
             # Copyright (C) 2006-2009  Jean-Philippe Lang
             #
             # This program is free software; you can redistribute it and/or
             # modify it under the terms of the GNU General Public License
             # as published by the Free Software Foundation; either version 2
             # of the License, or (at your option) any later version.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU General Public License
             # along with this program; if not, write to the Free Software
             # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
             require "digest/sha1"
             class User < Principal
               # Account statuses
               STATUS_ANONYMOUS  = 0
               STATUS_ACTIVE     = 1
               STATUS_REGISTERED = 2
               STATUS_LOCKED     = 3
               USER_FORMATS = {
                 :firstname_lastname => '#{firstname} #{lastname}',
                 :firstname => '#{firstname}',
                 :lastname_firstname => '#{lastname} #{firstname}',
                 :lastname_coma_firstname => '#{lastname}, #{firstname}',
                 :username => '#{login}'
               }
               MAIL_NOTIFICATION_OPTIONS = [
                                            [:all, :label_user_mail_option_all],
                                            [:selected, :label_user_mail_option_selected],
                                            [:none, :label_user_mail_option_none],
                                            [:only_my_events, :label_user_mail_option_only_my_events],
                                            [:only_assigned, :label_user_mail_option_only_assigned],
                                            [:only_owner, :label_user_mail_option_only_owner]
                                           ]
               has_and_belongs_to_many :groups, :after_add => Proc.new {|user, group| group.user_added(user)},
                                                :after_remove => Proc.new {|user, group| group.user_removed(user)}
               has_many :issue_categories, :foreign_key => 'assigned_to_id', :dependent => :nullify
               has_many :changesets, :dependent => :nullify
               has_one :preference, :dependent => :destroy, :class_name => 'UserPreference'
               has_one :rss_token, :dependent => :destroy, :class_name => 'Token', :conditions => "action='feeds'"
               has_one :api_token, :dependent => :destroy, :class_name => 'Token', :conditions => "action='api'"
               belongs_to :auth_source
               # Active non-anonymous users scope
               named_scope :active, :conditions => "#{User.table_name}.status = #{STATUS_ACTIVE}"
               acts_as_customizable
               attr_accessor :password, :password_confirmation
               attr_accessor :last_before_login_on
               # Prevents unauthorized assignments
               attr_protected :login, :admin, :password, :password_confirmation, :hashed_password, :group_ids
               validates_presence_of :login, :firstname, :lastname, :mail, :if => Proc.new { |user| !user.is_a?(AnonymousUser) }
               validates_uniqueness_of :login, :if => Proc.new { |user| !user.login.blank? }, :case_sensitive => false
               validates_uniqueness_of :mail, :if => Proc.new { |user| !user.mail.blank? }, :case_sensitive => false
               # Login must contain lettres, numbers, underscores only
               validates_format_of :login, :with => /^[a-z0-9_\-@\.]*$/i
               validates_length_of :login, :maximum => 30
               validates_format_of :firstname, :lastname, :with => /^[\w\s\'\-\.]*$/i
               validates_length_of :firstname, :lastname, :maximum => 30
               validates_format_of :mail, :with => /^([^@\s]+)@((?:[-a-z0-9]+\.)+[a-z]{2,})$/i, :allow_nil => true
               validates_length_of :mail, :maximum => 60, :allow_nil => true
               validates_confirmation_of :password, :allow_nil => true
               def before_create
                 self.mail_notification = Setting.default_notification_option if self.mail_notification.blank?
                 true
               end
               def before_save
                 # update hashed_password if password was set
                 self.hashed_password = User.hash_password(self.password) if self.password && self.auth_source_id.blank?
               end
               def reload(*args)
                 @name = nil
                 super
               end
               def mail=(arg)
                 write_attribute(:mail, arg.to_s.strip)
               end
               def identity_url=(url)
                 if url.blank?
                   write_attribute(:identity_url, '')
                 else
                   begin
                     write_attribute(:identity_url, OpenIdAuthentication.normalize_identifier(url))
                   rescue OpenIdAuthentication::InvalidOpenId
                     # Invlaid url, don't save
                   end
                 end
                 self.read_attribute(:identity_url)
               end
               # Returns the user that matches provided login and password, or nil
               def self.try_to_login(login, password)
                 # Make sure no one can sign in with an empty password
                 return nil if password.to_s.empty?
                 user = find_by_login(login)
                 if user
                   # user is already in local database
                   return nil if !user.active?
                   if user.auth_source
                     # user has an external authentication method
                     return nil unless user.auth_source.authenticate(login, password)
                   else
                     # authentication with local password
                     return nil unless User.hash_password(password) == user.hashed_password
                   end
                 else
                   # user is not yet registered, try to authenticate with available sources
                   attrs = AuthSource.authenticate(login, password)
                   if attrs
                     user = new(attrs)
                     user.login = login
                     user.language = Setting.default_language
                     if user.save
                       user.reload
                       logger.info("User '#{user.login}' created from external auth source: #{user.auth_source.type} - #{user.auth_source.name}") if logger && user.auth_source
                     end
                   end
                 end
                 user.update_attribute(:last_login_on, Time.now) if user && !user.new_record?
                 user
               rescue => text
                 raise text
               end
               # Returns the user who matches the given autologin +key+ or nil
               def self.try_to_autologin(key)
                 tokens = Token.find_all_by_action_and_value('autologin', key)
                 # Make sure there's only 1 token that matches the key
                 if tokens.size == 1
                   token = tokens.first
                   if (token.created_on > Setting.autologin.to_i.day.ago) && token.user && token.user.active?
                     token.user.update_attribute(:last_login_on, Time.now)
                     token.user
                   end
                 end
               end
               # Return user's full name for display
               def name(formatter = nil)
                 if formatter
                   eval('"' + (USER_FORMATS[formatter] || USER_FORMATS[:firstname_lastname]) + '"')
                 else
                   @name ||= eval('"' + (USER_FORMATS[Setting.user_format] || USER_FORMATS[:firstname_lastname]) + '"')
                 end
               end
               def active?
                 self.status == STATUS_ACTIVE
               end
               def registered?
                 self.status == STATUS_REGISTERED
               end
               def locked?
                 self.status == STATUS_LOCKED
               end
               def activate
                 self.status = STATUS_ACTIVE
               end
               def register
                 self.status = STATUS_REGISTERED
               end
               def lock
                 self.status = STATUS_LOCKED
               end
               def activate!
                 update_attribute(:status, STATUS_ACTIVE)
               end
               def register!
                 update_attribute(:status, STATUS_REGISTERED)
               end
               def lock!
                 update_attribute(:status, STATUS_LOCKED)
               end
               def check_password?(clear_password)
                 if auth_source_id.present?
                   auth_source.authenticate(self.login, clear_password)
                 else
                   User.hash_password(clear_password) == self.hashed_password
                 end
               end
               # Does the backend storage allow this user to change their password?
               def change_password_allowed?
                 return true if auth_source_id.blank?
                 return auth_source.allow_password_changes?
               end
               # Generate and set a random password.  Useful for automated user creation
               # Based on Token#generate_token_value
               #
               def random_password
                 chars = ("a".."z").to_a + ("A".."Z").to_a + ("0".."9").to_a
                 password = ''
 .times { |i| password << chars[rand(chars.size-1)] }
                 self.password = password
                 self.password_confirmation = password
                 self
               end
               def pref
                 self.preference ||= UserPreference.new(:user => self)
               end
               def time_zone
                 @time_zone ||= (self.pref.time_zone.blank? ? nil : ActiveSupport::TimeZone[self.pref.time_zone])
               end
               def wants_comments_in_reverse_order?
                 self.pref[:comments_sorting] == 'desc'
               end
               # Return user's RSS key (a 40 chars long string), used to access feeds
               def rss_key
                 token = self.rss_token || Token.create(:user => self, :action => 'feeds')
                 token.value
               end
               # Return user's API key (a 40 chars long string), used to access the API
               def api_key
                 token = self.api_token || self.create_api_token(:action => 'api')
                 token.value
               end
               # Return an array of project ids for which the user has explicitly turned mail notifications on
               def notified_projects_ids
                 @notified_projects_ids ||= memberships.select {|m| m.mail_notification?}.collect(&:project_id)
               end
               def notified_project_ids=(ids)
                 Member.update_all("mail_notification = #{connection.quoted_false}", ['user_id = ?', id])
                 Member.update_all("mail_notification = #{connection.quoted_true}", ['user_id = ? AND project_id IN (?)', id, ids]) if ids && !ids.empty?
                 @notified_projects_ids = nil
                 notified_projects_ids
               end
               # Only users that belong to more than 1 project can select projects for which they are notified
               def valid_notification_options
                 # Note that @user.membership.size would fail since AR ignores
                 # :include association option when doing a count
                 if memberships.length < 1
                   MAIL_NOTIFICATION_OPTIONS.delete_if {|option| option.first == :selected}
                 else
                   MAIL_NOTIFICATION_OPTIONS
                 end
               end
               # Find a user account by matching the exact login and then a case-insensitive
               # version.  Exact matches will be given priority.
               def self.find_by_login(login)
                 # force string comparison to be case sensitive on MySQL
                 type_cast = (ActiveRecord::Base.connection.adapter_name == 'MySQL') ? 'BINARY' : ''
                 # First look for an exact match
                 user = first(:conditions => ["#{type_cast} login = ?", login])
                 # Fail over to case-insensitive if none was found
                 user ||= first(:conditions => ["#{type_cast} LOWER(login) = ?", login.to_s.downcase])
               end
               def self.find_by_rss_key(key)
                 token = Token.find_by_value(key)
                 token && token.user.active? ? token.user : nil
               end
               def self.find_by_api_key(key)
                 token = Token.find_by_action_and_value('api', key)
                 token && token.user.active? ? token.user : nil
               end
               # Makes find_by_mail case-insensitive
               def self.find_by_mail(mail)
                 find(:first, :conditions => ["LOWER(mail) = ?", mail.to_s.downcase])
               end
               def to_s
                 name
               end
               # Returns the current day according to user's time zone
               def today
                 if time_zone.nil?
                   Date.today
                 else
                   Time.now.in_time_zone(time_zone).to_date
                 end
               end
               def logged?
                 true
               end
               def anonymous?
                 !logged?
               end
               # Return user's roles for project
               def roles_for_project(project)
                 roles = []
                 # No role on archived projects
                 return roles unless project && project.active?
                 if logged?
                   # Find project membership
                   membership = memberships.detect {|m| m.project_id == project.id}
                   if membership
                     roles = membership.roles
                   else
                     @role_non_member ||= Role.non_member
                     roles << @role_non_member
                   end
                 else
                   @role_anonymous ||= Role.anonymous
                   roles << @role_anonymous
                 end
                 roles
               end
               # Return true if the user is a member of project
               def member_of?(project)
                 !roles_for_project(project).detect {|role| role.member?}.nil?
               end
               # Return true if the user is allowed to do the specified action on a specific context
               # Action can be:
               # * a parameter-like Hash (eg. :controller => 'projects', :action => 'edit')
               # * a permission Symbol (eg. :edit_project)
               # Context can be:
               # * a project : returns true if user is allowed to do the specified action on this project
               # * a group of projects : returns true if user is allowed on every project
               # * nil with options[:global] set : check if user has at least one role allowed for this action,
               #   or falls back to Non Member / Anonymous permissions depending if the user is logged
               def allowed_to?(action, project, options={})
                 if project && project.is_a?(Project)
                   # No action allowed on archived projects
                   return false unless project.active?
                   # No action allowed on disabled modules
                   return false unless project.allows_to?(action)
                   # Admin users are authorized for anything else
                   return true if admin?
                   roles = roles_for_project(project)
                   return false unless roles
                   roles.detect {|role| (project.is_public? || role.member?) && role.allowed_to?(action)}
                 elsif project && project.is_a?(Array)
                   # Authorize if user is authorized on every element of the array
-                  project.inject do |memo,p|
+                  project.map do |p|
-                    memo && allowed_to?(action,p,options)
+                    allowed_to?(action,p,options)
+                  end.inject do |memo,p|
+                    memo && p
                   end
                 elsif options[:global]
                   # Admin users are always authorized
                   return true if admin?
                   # authorize if user has at least one role that has this permission
                   roles = memberships.collect {|m| m.roles}.flatten.uniq
                   roles.detect {|r| r.allowed_to?(action)} || (self.logged? ? Role.non_member.allowed_to?(action) : Role.anonymous.allowed_to?(action))
                 else
                   false
                 end
               end
               # Is the user allowed to do the specified action on any project?
               # See allowed_to? for the actions and valid options.
               def allowed_to_globally?(action, options)
                 allowed_to?(action, nil, options.reverse_merge(:global => true))
               end
               # Utility method to help check if a user should be notified about an
               # event.
               #
               # TODO: only supports Issue events currently
               def notify_about?(object)
                 case mail_notification.to_sym
                 when :all
                   true
                 when :selected
                   # Handled by the Project
                 when :none
                   false
                 when :only_my_events
                   if object.is_a?(Issue) && (object.author == self || object.assigned_to == self)
                     true
                   else
                     false
                   end
                 when :only_assigned
                   if object.is_a?(Issue) && object.assigned_to == self
                     true
                   else
                     false
                   end
                 when :only_owner
                   if object.is_a?(Issue) && object.author == self
                     true
                   else
                     false
                   end
                 else
                   false
                 end
               end
               def self.current=(user)
                 @current_user = user
               end
               def self.current
                 @current_user ||= User.anonymous
               end
               # Returns the anonymous user.  If the anonymous user does not exist, it is created.  There can be only
               # one anonymous user per database.
               def self.anonymous
                 anonymous_user = AnonymousUser.find(:first)
                 if anonymous_user.nil?
                   anonymous_user = AnonymousUser.create(:lastname => 'Anonymous', :firstname => '', :mail => '', :login => '', :status => 0)
                   raise 'Unable to create the anonymous user.' if anonymous_user.new_record?
                 end
                 anonymous_user
               end
               protected
               def validate
                 # Password length validation based on setting
                 if !password.nil? && password.size < Setting.password_min_length.to_i
                   errors.add(:password, :too_short, :count => Setting.password_min_length.to_i)
                 end
               end
               private
               # Return password digest
               def self.hash_password(clear_password)
                 Digest::SHA1.hexdigest(clear_password || "")
               end
             end
             class AnonymousUser < User
               def validate_on_create
                 # There should be only one AnonymousUser in the database
                 errors.add_to_base 'An anonymous user already exists.' if AnonymousUser.find(:first)
               end
               def available_custom_fields
                 []
               end
               # Overrides a few properties
               def logged?; false end
               def admin; false end
               def name(*args); I18n.t(:label_user_anonymous) end
               def mail; nil end
               def time_zone; nil end
               def rss_key; nil end
             end

test/unit/user_test.rb +4 0

             # redMine - project management software
             # Copyright (C) 2006  Jean-Philippe Lang
             #
             # This program is free software; you can redistribute it and/or
             # modify it under the terms of the GNU General Public License
             # as published by the Free Software Foundation; either version 2
             # of the License, or (at your option) any later version.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU General Public License
             # along with this program; if not, write to the Free Software
             # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
             require File.dirname(__FILE__) + '/../test_helper'
             class UserTest < ActiveSupport::TestCase
               fixtures :users, :members, :projects, :roles, :member_roles, :auth_sources
               def setup
                 @admin = User.find(1)
                 @jsmith = User.find(2)
                 @dlopper = User.find(3)
               end
               test 'object_daddy creation' do
                 User.generate_with_protected!(:firstname => 'Testing connection')
                 User.generate_with_protected!(:firstname => 'Testing connection')
                 assert_equal 2, User.count(:all, :conditions => {:firstname => 'Testing connection'})
               end
               def test_truth
                 assert_kind_of User, @jsmith
               end
               def test_mail_should_be_stripped
                 u = User.new
                 u.mail = " foo@bar.com  "
                 assert_equal "foo@bar.com", u.mail
               end
               def test_create
                 user = User.new(:firstname => "new", :lastname => "user", :mail => "newuser@somenet.foo")
                 user.login = "jsmith"
                 user.password, user.password_confirmation = "password", "password"
                 # login uniqueness
                 assert !user.save
                 assert_equal 1, user.errors.count
                 user.login = "newuser"
                 user.password, user.password_confirmation = "passwd", "password"
                 # password confirmation
                 assert !user.save
                 assert_equal 1, user.errors.count
                 user.password, user.password_confirmation = "password", "password"
                 assert user.save
               end
               context "User#before_create" do
                 should "set the mail_notification to the default Setting" do
                   @user1 = User.generate_with_protected!
                   assert_equal 'only_my_events', @user1.mail_notification
                   with_settings :default_notification_option => 'all' do
                     @user2 = User.generate_with_protected!
                     assert_equal 'all', @user2.mail_notification
                   end
                 end
               end
               context "User.login" do
                 should "be case-insensitive." do
                   u = User.new(:firstname => "new", :lastname => "user", :mail => "newuser@somenet.foo")
                   u.login = 'newuser'
                   u.password, u.password_confirmation = "password", "password"
                   assert u.save
                   u = User.new(:firstname => "Similar", :lastname => "User", :mail => "similaruser@somenet.foo")
                   u.login = 'NewUser'
                   u.password, u.password_confirmation = "password", "password"
                   assert !u.save
                   assert_equal I18n.translate('activerecord.errors.messages.taken'), u.errors.on(:login)
                 end
               end
               def test_mail_uniqueness_should_not_be_case_sensitive
                 u = User.new(:firstname => "new", :lastname => "user", :mail => "newuser@somenet.foo")
                 u.login = 'newuser1'
                 u.password, u.password_confirmation = "password", "password"
                 assert u.save
                 u = User.new(:firstname => "new", :lastname => "user", :mail => "newUser@Somenet.foo")
                 u.login = 'newuser2'
                 u.password, u.password_confirmation = "password", "password"
                 assert !u.save
                 assert_equal I18n.translate('activerecord.errors.messages.taken'), u.errors.on(:mail)
               end
               def test_update
                 assert_equal "admin", @admin.login
                 @admin.login = "john"
                 assert @admin.save, @admin.errors.full_messages.join("; ")
                 @admin.reload
                 assert_equal "john", @admin.login
               end
               def test_destroy
                 User.find(2).destroy
                 assert_nil User.find_by_id(2)
                 assert Member.find_all_by_user_id(2).empty?
               end
               def test_validate
                 @admin.login = ""
                 assert !@admin.save
                 assert_equal 1, @admin.errors.count
               end
               context "User#try_to_login" do
                 should "fall-back to case-insensitive if user login is not found as-typed." do
                   user = User.try_to_login("AdMin", "admin")
                   assert_kind_of User, user
                   assert_equal "admin", user.login
                 end
                 should "select the exact matching user first" do
                   case_sensitive_user = User.generate_with_protected!(:login => 'changed', :password => 'admin', :password_confirmation => 'admin')
                   # bypass validations to make it appear like existing data
                   case_sensitive_user.update_attribute(:login, 'ADMIN')
                   user = User.try_to_login("ADMIN", "admin")
                   assert_kind_of User, user
                   assert_equal "ADMIN", user.login
                 end
               end
               def test_password
                 user = User.try_to_login("admin", "admin")
                 assert_kind_of User, user
                 assert_equal "admin", user.login
                 user.password = "hello"
                 assert user.save
                 user = User.try_to_login("admin", "hello")
                 assert_kind_of User, user
                 assert_equal "admin", user.login
                 assert_equal User.hash_password("hello"), user.hashed_password
               end
               def test_name_format
                 assert_equal 'Smith, John', @jsmith.name(:lastname_coma_firstname)
                 Setting.user_format = :firstname_lastname
                 assert_equal 'John Smith', @jsmith.reload.name
                 Setting.user_format = :username
                 assert_equal 'jsmith', @jsmith.reload.name
               end
               def test_lock
                 user = User.try_to_login("jsmith", "jsmith")
                 assert_equal @jsmith, user
                 @jsmith.status = User::STATUS_LOCKED
                 assert @jsmith.save
                 user = User.try_to_login("jsmith", "jsmith")
                 assert_equal nil, user
               end
               if ldap_configured?
                 context "#try_to_login using LDAP" do
                   context "with failed connection to the LDAP server" do
                     should "return nil" do
                       @auth_source = AuthSourceLdap.find(1)
                       AuthSource.any_instance.stubs(:initialize_ldap_con).raises(Net::LDAP::LdapError, 'Cannot connect')
                       assert_equal nil, User.try_to_login('edavis', 'wrong')
                     end
                   end
                   context "with an unsuccessful authentication" do
                     should "return nil" do
                       assert_equal nil, User.try_to_login('edavis', 'wrong')
                     end
                   end
                   context "on the fly registration" do
                     setup do
                       @auth_source = AuthSourceLdap.find(1)
                     end
                     context "with a successful authentication" do
                       should "create a new user account if it doesn't exist" do
                         assert_difference('User.count') do
                           user = User.try_to_login('edavis', '123456')
                           assert !user.admin?
                         end
                       end
                       should "retrieve existing user" do
                         user = User.try_to_login('edavis', '123456')
                         user.admin = true
                         user.save!
                         assert_no_difference('User.count') do
                           user = User.try_to_login('edavis', '123456')
                           assert user.admin?
                         end
                       end
                     end
                   end
                 end
               else
                 puts "Skipping LDAP tests."
               end
               def test_create_anonymous
                 AnonymousUser.delete_all
                 anon = User.anonymous
                 assert !anon.new_record?
                 assert_kind_of AnonymousUser, anon
               end
               should_have_one :rss_token
               def test_rss_key
                 assert_nil @jsmith.rss_token
                 key = @jsmith.rss_key
                 assert_equal 40, key.length
                 @jsmith.reload
                 assert_equal key, @jsmith.rss_key
               end
               should_have_one :api_token
               context "User#api_key" do
                 should "generate a new one if the user doesn't have one" do
                   user = User.generate_with_protected!(:api_token => nil)
                   assert_nil user.api_token
                   key = user.api_key
                   assert_equal 40, key.length
                   user.reload
                   assert_equal key, user.api_key
                 end
                 should "return the existing api token value" do
                   user = User.generate_with_protected!
                   token = Token.generate!(:action => 'api')
                   user.api_token = token
                   assert user.save
                   assert_equal token.value, user.api_key
                 end
               end
               context "User#find_by_api_key" do
                 should "return nil if no matching key is found" do
                   assert_nil User.find_by_api_key('zzzzzzzzz')
                 end
                 should "return nil if the key is found for an inactive user" do
                   user = User.generate_with_protected!(:status => User::STATUS_LOCKED)
                   token = Token.generate!(:action => 'api')
                   user.api_token = token
                   user.save
                   assert_nil User.find_by_api_key(token.value)
                 end
                 should "return the user if the key is found for an active user" do
                   user = User.generate_with_protected!(:status => User::STATUS_ACTIVE)
                   token = Token.generate!(:action => 'api')
                   user.api_token = token
                   user.save
                   assert_equal user, User.find_by_api_key(token.value)
                 end
               end
               def test_roles_for_project
                 # user with a role
                 roles = @jsmith.roles_for_project(Project.find(1))
                 assert_kind_of Role, roles.first
                 assert_equal "Manager", roles.first.name
                 # user with no role
                 assert_nil @dlopper.roles_for_project(Project.find(2)).detect {|role| role.member?}
               end
               def test_mail_notification_all
                 @jsmith.mail_notification = 'all'
                 @jsmith.notified_project_ids = []
                 @jsmith.save
                 @jsmith.reload
                 assert @jsmith.projects.first.recipients.include?(@jsmith.mail)
               end
               def test_mail_notification_selected
                 @jsmith.mail_notification = 'selected'
                 @jsmith.notified_project_ids = [1]
                 @jsmith.save
                 @jsmith.reload
                 assert Project.find(1).recipients.include?(@jsmith.mail)
               end
               def test_mail_notification_only_my_events
                 @jsmith.mail_notification = 'only_my_events'
                 @jsmith.notified_project_ids = []
                 @jsmith.save
                 @jsmith.reload
                 assert !@jsmith.projects.first.recipients.include?(@jsmith.mail)
               end
               def test_comments_sorting_preference
                 assert !@jsmith.wants_comments_in_reverse_order?
                 @jsmith.pref.comments_sorting = 'asc'
                 assert !@jsmith.wants_comments_in_reverse_order?
                 @jsmith.pref.comments_sorting = 'desc'
                 assert @jsmith.wants_comments_in_reverse_order?
               end
               def test_find_by_mail_should_be_case_insensitive
                 u = User.find_by_mail('JSmith@somenet.foo')
                 assert_not_nil u
                 assert_equal 'jsmith@somenet.foo', u.mail
               end
               def test_random_password
                 u = User.new
                 u.random_password
                 assert !u.password.blank?
                 assert !u.password_confirmation.blank?
               end
               context "#change_password_allowed?" do
                 should "be allowed if no auth source is set" do
                   user = User.generate_with_protected!
                   assert user.change_password_allowed?
                 end
                 should "delegate to the auth source" do
                   user = User.generate_with_protected!
                   allowed_auth_source = AuthSource.generate!
                   def allowed_auth_source.allow_password_changes?; true; end
                   denied_auth_source = AuthSource.generate!
                   def denied_auth_source.allow_password_changes?; false; end
                   assert user.change_password_allowed?
                   user.auth_source = allowed_auth_source
                   assert user.change_password_allowed?, "User not allowed to change password, though auth source does"
                   user.auth_source = denied_auth_source
                   assert !user.change_password_allowed?, "User allowed to change password, though auth source does not"
                 end
               end
               context "#allowed_to?" do
                 context "with a unique project" do
                   should "return false if project is archived" do
                     project = Project.find(1)
                     Project.any_instance.stubs(:status).returns(Project::STATUS_ARCHIVED)
                     assert ! @admin.allowed_to?(:view_issues, Project.find(1))
                   end
                   should "return false if related module is disabled" do
                     project = Project.find(1)
                     project.enabled_module_names = ["issue_tracking"]
                     assert @admin.allowed_to?(:add_issues, project)
                     assert ! @admin.allowed_to?(:view_wiki_pages, project)
                   end
                   should "authorize nearly everything for admin users" do
                     project = Project.find(1)
                     assert ! @admin.member_of?(project)
                     %w(edit_issues delete_issues manage_news manage_documents manage_wiki).each do |p|
                       assert @admin.allowed_to?(p.to_sym, project)
                     end
                   end
                   should "authorize normal users depending on their roles" do
                     project = Project.find(1)
                     assert @jsmith.allowed_to?(:delete_messages, project)    #Manager
                     assert ! @dlopper.allowed_to?(:delete_messages, project) #Developper
                   end
                 end
                 context "with multiple projects" do
                   should "return false if array is empty" do
                     assert ! @admin.allowed_to?(:view_project, [])
                   end
                   should "return true only if user has permission on all these projects" do
                     assert @admin.allowed_to?(:view_project, Project.all)
                     assert ! @dlopper.allowed_to?(:view_project, Project.all) #cannot see Project(2)
                     assert @jsmith.allowed_to?(:edit_issues, @jsmith.projects) #Manager or Developer everywhere
                     assert ! @jsmith.allowed_to?(:delete_issue_watchers, @jsmith.projects) #Dev cannot delete_issue_watchers
                   end
+                  should "behave correctly with arrays of 1 project" do
+                    assert ! User.anonymous.allowed_to?(:delete_issues, [Project.first])
+                  end
                 end
                 context "with options[:global]" do
                   should "authorize if user has at least one role that has this permission" do
                     @dlopper2 = User.find(5) #only Developper on a project, not Manager anywhere
                     @anonymous = User.find(6)
                     assert @jsmith.allowed_to?(:delete_issue_watchers, nil, :global => true)
                     assert ! @dlopper2.allowed_to?(:delete_issue_watchers, nil, :global => true)
                     assert @dlopper2.allowed_to?(:add_issues, nil, :global => true)
                     assert ! @anonymous.allowed_to?(:add_issues, nil, :global => true)
                     assert @anonymous.allowed_to?(:view_issues, nil, :global => true)
                   end
                 end
               end
               context "User#notify_about?" do
                 context "Issues" do
                   setup do
                     @project = Project.find(1)
                     @author = User.generate_with_protected!
                     @assignee = User.generate_with_protected!
                     @issue = Issue.generate_for_project!(@project, :assigned_to => @assignee, :author => @author)
                   end
                   should "be true for a user with :all" do
                     @author.update_attribute(:mail_notification, :all)
                     assert @author.notify_about?(@issue)
                   end
                   should "be false for a user with :none" do
                     @author.update_attribute(:mail_notification, :none)
                     assert ! @author.notify_about?(@issue)
                   end
                   should "be false for a user with :only_my_events and isn't an author, creator, or assignee" do
                     @user = User.generate_with_protected!(:mail_notification => :only_my_events)
                     assert ! @user.notify_about?(@issue)
                   end
                   should "be true for a user with :only_my_events and is the author" do
                     @author.update_attribute(:mail_notification, :only_my_events)
                     assert @author.notify_about?(@issue)
                   end
                   should "be true for a user with :only_my_events and is the assignee" do
                     @assignee.update_attribute(:mail_notification, :only_my_events)
                     assert @assignee.notify_about?(@issue)
                   end
                   should "be true for a user with :only_assigned and is the assignee" do
                     @assignee.update_attribute(:mail_notification, :only_assigned)
                     assert @assignee.notify_about?(@issue)
                   end
                   should "be false for a user with :only_assigned and is not the assignee" do
                     @author.update_attribute(:mail_notification, :only_assigned)
                     assert ! @author.notify_about?(@issue)
                   end
                   should "be true for a user with :only_owner and is the author" do
                     @author.update_attribute(:mail_notification, :only_owner)
                     assert @author.notify_about?(@issue)
                   end
                   should "be false for a user with :only_owner and is not the author" do
                     @assignee.update_attribute(:mail_notification, :only_owner)
                     assert ! @assignee.notify_about?(@issue)
                   end
                   should "be false if the mail_notification is anything else" do
                     @assignee.update_attribute(:mail_notification, :somthing_else)
                     assert ! @assignee.notify_about?(@issue)
                   end
                 end
                 context "other events" do
                   should 'be added and tested'
                 end
               end
               if Object.const_defined?(:OpenID)
               def test_setting_identity_url
                 normalized_open_id_url = 'http://example.com/'
                 u = User.new( :identity_url => 'http://example.com/' )
                 assert_equal normalized_open_id_url, u.identity_url
               end
               def test_setting_identity_url_without_trailing_slash
                 normalized_open_id_url = 'http://example.com/'
                 u = User.new( :identity_url => 'http://example.com' )
                 assert_equal normalized_open_id_url, u.identity_url
               end
               def test_setting_identity_url_without_protocol
                 normalized_open_id_url = 'http://example.com/'
                 u = User.new( :identity_url => 'example.com' )
                 assert_equal normalized_open_id_url, u.identity_url
               end
               def test_setting_blank_identity_url
                 u = User.new( :identity_url => 'example.com' )
                 u.identity_url = ''
                 assert u.identity_url.blank?
               end
               def test_setting_invalid_identity_url
                 u = User.new( :identity_url => 'this is not an openid url' )
                 assert u.identity_url.blank?
               end
               else
                 puts "Skipping openid tests."
               end
             end

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages