[refs #57] Forbid access to users_path for simple users

2011-12-16 11:32:34 +04:00 · 2011-12-16 11:32:34 +04:00 · c81698b81b
parent 021f1f8691
commit c81698b81b
2 changed files with 5 additions and 1 deletions
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@ -31,6 +31,7 @@ class Ability
        can :read, Project, :visibility => 'open'
        can :read, Group
        can :read, User
+        cannot :index, User
        can :manage_collaborators, Project do |project|
          project.relations.exists? :object_id => user.id, :object_type => 'User', :role => 'admin'
        end
--- a/spec/controllers/users_controller_spec.rb
+++ b/spec/controllers/users_controller_spec.rb
@ -53,6 +53,9 @@ describe UsersController do
      set_session_for(@simple_user)
    end

-    it_should_behave_like 'user with users list viewer rights'
+    it 'should not be able to perform index action' do
+      get :index
+      response.should redirect_to(forbidden_path)
+    end
  end
 end