Fixes #3755 - User with user_id 1 is show in admin interface (which should not)
parent
9beb793e3b
commit
d98445d1fe
2 changed files with 16 additions and 1 deletions
|
@ -174,10 +174,13 @@ returns
|
||||||
|
|
||||||
if is_query
|
if is_query
|
||||||
statement = statement.where(
|
statement = statement.where(
|
||||||
'(users.firstname LIKE ? OR users.lastname LIKE ? OR users.email LIKE ? OR users.login LIKE ?) AND users.id != 1', "%#{query}%", "%#{query}%", "%#{query}%", "%#{query}%"
|
'(users.firstname LIKE ? OR users.lastname LIKE ? OR users.email LIKE ? OR users.login LIKE ?)', "%#{query}%", "%#{query}%", "%#{query}%", "%#{query}%"
|
||||||
)
|
)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
# Fixes #3755 - User with user_id 1 is show in admin interface (which should not)
|
||||||
|
statement = statement.where('users.id != 1')
|
||||||
|
|
||||||
statement.order(Arel.sql(order_sql))
|
statement.order(Arel.sql(order_sql))
|
||||||
.offset(offset)
|
.offset(offset)
|
||||||
.limit(limit)
|
.limit(limit)
|
||||||
|
|
|
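Review bot: The exclusion added after the `if is_query` block is a raw SQL string with a bare `1`, and its comment only repeats the issue title. `statement = statement.where.not(users: { id: 1 })` expresses the same condition without a hand-written fragment, and the comment could read `# user id 1 is excluded from every search result, with or without a query (#3755)`. The filter only hides the record from results built through this statement, so if that account must also be unreachable by direct id lookup or update, that has to be enforced by a check elsewhere; nothing in the hunk shows one. The enclosing method starts and ends outside the hunk, so whether another branch (for example a search-index path) returns before this line cannot be confirmed from here.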
@ -1421,6 +1421,12 @@ RSpec.describe 'User', type: :request do
|
||||||
make_request(query: '9U7Z', group_ids: { 999 => 'read' })
|
make_request(query: '9U7Z', group_ids: { 999 => 'read' })
|
||||||
expect(json_response.count).to eq(0)
|
expect(json_response.count).to eq(0)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
it 'does not list user with id 1' do
|
||||||
|
make_request(query: '')
|
||||||
|
not_in_response = json_response.none? { |item| item['id'] == 1 }
|
||||||
|
expect(not_in_response).to be(true)
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
describe 'with searchindex', searchindex: true do
|
describe 'with searchindex', searchindex: true do
|
||||||
|
@ -1449,6 +1455,12 @@ RSpec.describe 'User', type: :request do
|
||||||
make_request(query: '9U7Z', group_ids: { 999 => 'read' })
|
make_request(query: '9U7Z', group_ids: { 999 => 'read' })
|
||||||
expect(json_response.count).to eq(0)
|
expect(json_response.count).to eq(0)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
it 'does not list user with id 1' do
|
||||||
|
make_request(query: '')
|
||||||
|
not_in_response = json_response.none? { |item| item['id'] == 1 }
|
||||||
|
expect(not_in_response).to be(true)
|
||||||
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
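Review bot: The new example `it 'does not list user with id 1'` passes vacuously when the response is empty, because `none?` is true for an empty array, and `expect(not_in_response).to be(true)` reports only a true/false mismatch on failure. Asserting on the ids directly gives a real check and a readable message: `expect(json_response).not_to be_empty` followed by `expect(json_response.map { |item| item['id'] }).not_to include(1)`, assuming the fixtures return other users for an empty query. The same applies to the identical example added in the hunk at `-1449,6 +1455,12`. Only `query: ''` is exercised; a case with a non-empty query that would otherwise match user 1 would cover the `is_query` branch too, if the test data allows it.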