Avoid user to see other entries

hehe :)
2015-02-10 22:33:18 +01:00
parent eb3bd7efb7
commit 3d2b2d62be
2 changed files with 63 additions and 11 deletions
--- a/src/Wallabag/CoreBundle/Tests/Controller/EntryControllerTest.php
+++ b/src/Wallabag/CoreBundle/Tests/Controller/EntryControllerTest.php
@ -174,4 +174,25 @@ class EntryControllerTest extends WallabagTestCase

        $this->assertEquals($res->isDeleted(), true);
    }
+
+    public function testViewOtherUserEntry()
+    {
+        $this->logInAs('bob');
+        $client = $this->getClient();
+
+        $content = $client->getContainer()
+            ->get('doctrine.orm.entity_manager')
+            ->getRepository('WallabagCoreBundle:Entry')
+            ->createQueryBuilder('e')
+            ->select('e.id')
+            ->leftJoin('e.user', 'u')
+            ->where('u.username != :username')->setParameter('username', 'bob')
+            ->setMaxResults(1)
+            ->getQuery()
+            ->getSingleResult(AbstractQuery::HYDRATE_ARRAY);
+
+        $client->request('GET', '/view/'.$content['id']);
+
+        $this->assertEquals(403, $client->getResponse()->getStatusCode());
+    }
 }