Merge pull request #763 from romainneutron/fix-1567

[3.8] Fix #1567 : Disallow a user to remove himself from DB
2025-10-24 10:23:17 +00:00 · 2013-11-05 08:09:32 -08:00
parent 68cba5d061 05485308ae
commit af312b65f8
2 changed files with 12 additions and 0 deletions
--- a/lib/Alchemy/Phrasea/Helper/User/Edit.php
+++ b/lib/Alchemy/Phrasea/Helper/User/Edit.php
@@ -65,6 +65,9 @@ class Edit extends \Alchemy\Phrasea\Helper\Helper
    public function delete_users()
    {
        foreach ($this->users as $usr_id) {
+            if ($this->app['authentication']->getUser()->get_id() === (int) $usr_id) {
+                continue;
+            }
            $user = \User_Adapter::getInstance($usr_id, $this->app);
            $this->delete_user($user);
        }
--- a/tests/Alchemy/Tests/Phrasea/Controller/Admin/UsersTest.php
+++ b/tests/Alchemy/Tests/Phrasea/Controller/Admin/UsersTest.php
@@ -46,6 +46,15 @@ class ControllerUsersTest extends \PhraseanetWebTestCaseAuthenticatedAbstract
        }
    }

+    public function testRouteDeleteCurrentUserDoesNothing()
+    {
+        self::$DI['client']->request('POST', '/admin/users/delete/', array('users'   => self::$DI['user']->get_id()));
+        $response = self::$DI['client']->getResponse();
+        $this->assertTrue($response->isRedirect());
+
+        $this->assertTrue(false !== \User_Adapter::get_usr_id_from_login(self::$DI['app'], self::$DI['user']->get_login()));
+    }
+
    public function testRouteRightsApply()
    {
        $this->mockNotificationDeliverer('Alchemy\Phrasea\Notification\Mail\MailSuccessEmailUpdate', 2);