From 91c5520c7078f2caa3cbdbdcff4f86a29d9d7390 Mon Sep 17 00:00:00 2001
From: Dave Arter
Date: Mon, 1 Aug 2016 16:36:55 +0100
Subject: Restrict user editing in admin

The 'user_edit' permission is required to edit users. The admin pages on UK council cobrands only allow editing of users whose from_body is the same as the logged-in user, or who have sent reports or updates to the council.
---
 t/app/controller/admin.t | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
(limited to 't/app/controller/admin.t')

diff --git a/t/app/controller/admin.t b/t/app/controller/admin.t
index aceaf2981..531fa7726 100644
--- a/t/app/controller/admin.t
+++ b/t/app/controller/admin.t
@@ -1102,6 +1102,30 @@ subtest 'user search' => sub {
 $mech->content_contains('Haringey');
 };
 
+subtest 'search does not show user from another council' => sub {
+ FixMyStreet::override_config {
+ ALLOWED_COBRANDS => [ 'oxfordshire' ],
+ }, sub {
+ $mech->get_ok('/admin/users');
+ $mech->get_ok('/admin/users?search=' . $user->name);
+
+ $mech->content_contains( "Searching found no users." );
+
+ $mech->get_ok('/admin/users?search=' . $user->email);
+ $mech->content_contains( "Searching found no users." );
+ };
+};
+
+subtest 'user_edit does not show user from another council' => sub {
+ FixMyStreet::override_config {
+ ALLOWED_COBRANDS => [ 'oxfordshire' ],
+ }, sub {
+ $mech->get('/admin/user_edit/' . $user->id);
+ ok !$mech->res->is_success(), "want a bad response";
+ is $mech->res->code, 404, "got 404";
+ };
+};
+
 $log_entries = FixMyStreet::App->model('DB::AdminLog')->search(
 {
 object_type => 'user',
-- 
cgit v1.2.3
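Review bot: The 'user_edit does not show user from another council' subtest only proves that a GET of `/admin/user_edit/<id>` for another council's user is refused; the form POST to the same URL is the request that actually changes the record, and the hunk leaves it unexercised, so an authorization check applied only to the render path would still pass this test. A follow-up request such as `$mech->post('/admin/user_edit/' . $user->id, { EDIT_FORM_FIELDS_PLACEHOLDER }); is $mech->res->code, 404, "POST also refused";` (field names taken from the real edit form) would pin both paths. Neither new subtest asserts the positive case — a user whose from_body is the oxfordshire body, or who has reported to it, still appearing in the search — so a regression that hides every user would also satisfy `"Searching found no users."`. `$mech` and `$user` are defined outside the hunk, and `$user->name` is interpolated into the query string without URL-encoding, which is fine only while the fixture name contains no reserved characters.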