From 05485308ae00ece2e4e83dd67a30029905e63fb2 Mon Sep 17 00:00:00 2001
From: Romain Neutron
Date: Tue, 5 Nov 2013 15:51:50 +0100
Subject: [PATCH] Fix #1567 : Disallow a user to remove himself from DB

---
 lib/Alchemy/Phrasea/Helper/User/Edit.php | 3 +++
 .../Alchemy/Tests/Phrasea/Controller/Admin/UsersTest.php | 9 +++++++++
 2 files changed, 12 insertions(+)

diff --git a/lib/Alchemy/Phrasea/Helper/User/Edit.php b/lib/Alchemy/Phrasea/Helper/User/Edit.php
index 8d22e09402..02c1b53a28 100644
--- a/lib/Alchemy/Phrasea/Helper/User/Edit.php
+++ b/lib/Alchemy/Phrasea/Helper/User/Edit.php
@@ -65,6 +65,9 @@ class Edit extends \Alchemy\Phrasea\Helper\Helper
     public function delete_users()
     {
         foreach ($this->users as $usr_id) {
+            if ($this->app['authentication']->getUser()->get_id() === (int) $usr_id) {
+                continue;
+            }
             $user = \User_Adapter::getInstance($usr_id, $this->app);
             $this->delete_user($user);
         }
diff --git a/tests/Alchemy/Tests/Phrasea/Controller/Admin/UsersTest.php b/tests/Alchemy/Tests/Phrasea/Controller/Admin/UsersTest.php
index 28d1748ccf..6c7156ded2 100644
--- a/tests/Alchemy/Tests/Phrasea/Controller/Admin/UsersTest.php
+++ b/tests/Alchemy/Tests/Phrasea/Controller/Admin/UsersTest.php
@@ -46,6 +46,15 @@ class ControllerUsersTest extends \PhraseanetWebTestCaseAuthenticatedAbstract
         }
     }
 
+    public function testRouteDeleteCurrentUserDoesNothing()
+    {
+        self::$DI['client']->request('POST', '/admin/users/delete/', array('users' => self::$DI['user']->get_id()));
+        $response = self::$DI['client']->getResponse();
+        $this->assertTrue($response->isRedirect());
+
+        $this->assertTrue(false !== \User_Adapter::get_usr_id_from_login(self::$DI['app'], self::$DI['user']->get_login()));
+    }
+
     public function testRouteRightsApply()
     {
         $this->mockNotificationDeliverer('Alchemy\Phrasea\Notification\Mail\MailSuccessEmailUpdate', 2);
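Review bot: The self-deletion guard in delete_users() drops the request with a bare `continue`, so the caller gets no signal that one of the submitted ids was refused, and nothing in the hunk records the attempt; a reader six months from now also cannot tell from the code why an id is skipped. At minimum the intent should be stated on the check, e.g. `// Refuse to delete the authenticated user's own account (#1567); the id is skipped silently.`, and since the authenticated user's id does not change inside the loop, resolving it once before the `foreach` (`$currentUserId = $this->app['authentication']->getUser()->get_id();`) and comparing `$currentUserId === (int) $usr_id` avoids repeating the authentication lookup per id. Whether the skipped id should be reported back to the admin UI or logged is a design question this commit does not answer; the silent skip is at least safe, since it keeps the current user rather than deleting it. The enclosing class Edit continues outside the hunk.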
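Review bot: testRouteDeleteCurrentUserDoesNothing only submits the current user's own id, so it does not exercise the path where the guard actually matters in delete_users(): a `users` list that mixes the current user with other ids, where the other ids must still be deleted while the current user survives. A companion test submitting the current user's id together with a second user's id, asserting the second user is gone and the current user still resolves, would pin that behaviour; I have not written it here because creating the second user depends on project fixtures not visible in the hunk. As a point of style, the final `$this->assertTrue(false !== \User_Adapter::get_usr_id_from_login(...))` would read more directly as `$this->assertNotFalse(\User_Adapter::get_usr_id_from_login(self::$DI['app'], self::$DI['user']->get_login()));` if the PHPUnit version in use provides assertNotFalse. The enclosing class ControllerUsersTest continues outside the hunk.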