Fixes #3755 - User with user_id 1 is show in admin interface (which should not)

Romit Choudhary 2021-09-23 14:01:09 +02:00 committed by Thorsten Eckel
parent 9beb793e3b
commit d98445d1fe
2 changed files with 16 additions and 1 deletions


@ -174,10 +174,13 @@ returns
if is_query
statement = statement.where(
'(users.firstname LIKE ? OR users.lastname LIKE ? OR users.email LIKE ? OR users.login LIKE ?) AND users.id != 1', "%#{query}%", "%#{query}%", "%#{query}%", "%#{query}%"
'(users.firstname LIKE ? OR users.lastname LIKE ? OR users.email LIKE ? OR users.login LIKE ?)', "%#{query}%", "%#{query}%", "%#{query}%", "%#{query}%"
)
end
# Fixes #3755 - User with user_id 1 is show in admin interface (which should not)
statement = statement.where('users.id != 1')
statement.order(Arel.sql(order_sql))
.offset(offset)
.limit(limit)
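Review bot: The new `statement = statement.where('users.id != 1')` hard-codes the id as a raw SQL fragment, and the comment above it only repeats the issue title, so a reader cannot tell why id 1 is special. Something like `statement = statement.where.not(users: { id: 1 }) # id 1 is the internal system account; keep it out of admin listings` would state the intent; the reason given in that comment is inferred from the issue title and should be confirmed. This is a listing filter only, and hiding a record from a list is not access control. Whether the account is still reachable through a direct lookup by id, or through the searchindex path, is not visible here and is worth checking. The enclosing method starts and ends outside the hunk.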


@ -1421,6 +1421,12 @@ RSpec.describe 'User', type: :request do
make_request(query: '9U7Z', group_ids: { 999 => 'read' })
expect(json_response.count).to eq(0)
end
it 'does not list user with id 1' do
make_request(query: '')
not_in_response = json_response.none? { |item| item['id'] == 1 }
expect(not_in_response).to be(true)
end
end
describe 'with searchindex', searchindex: true do
@ -1449,6 +1455,12 @@ RSpec.describe 'User', type: :request do
make_request(query: '9U7Z', group_ids: { 999 => 'read' })
expect(json_response.count).to eq(0)
end
it 'does not list user with id 1' do
make_request(query: '')
not_in_response = json_response.none? { |item| item['id'] == 1 }
expect(not_in_response).to be(true)
end
end
end
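Review bot: The added example `does not list user with id 1` can pass vacuously, because `json_response.none? { ... }` is true for an empty array and nothing asserts that the request returned any users. Adding `expect(json_response).not_to be_empty` before the check, and replacing the boolean with `expect(json_response.map { |item| item['id'] }).not_to include(1)`, would make a regression fail with the offending ids in the message. Both copies, the plain one and the one under `with searchindex`, only use `query: ''`. A second request with a non-empty query would also cover the `is_query` branch from which the exclusion was moved. The describe blocks start outside the hunks.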