Commit d4894499 authored by Fabrice Gangler's avatar Fabrice Gangler 🎨

FIX: disallow connected user to display add and login forms

a connected user is redirected to their profile page
when they try to view the following pages:
- /<lang>/users/add
- /<lang>/users/login
parent 13e17b15
......@@ -590,6 +590,12 @@ class UsersController extends AppController
{
$message = "";
$lang = $this->selectedLanguage;
// If user is already logged in, redirects them to their profile page
if (!is_null($this->Auth->user('id'))) {
return $this->redirect("/$lang/users/". $this->Auth->user('id'));
}
if (!empty($this->request->data)) {
$user = $this->Users->newEntity($this->request->data);
} else {
......@@ -1271,13 +1277,19 @@ class UsersController extends AppController
*/
public function login()
{
$lang = $this->selectedLanguage;
// If user is already logged in, redirects them to their profile page
if (!is_null($this->Auth->user('id'))) {
return $this->redirect("/$lang/users/". $this->Auth->user('id'));
}
if ($this->request->is('post')) {
$user = $this->Auth->identify();
if ($user) {
$user["user_type"] = $this->Users->UserTypes->get($user["user_type_id"])->get("name");
$this->Auth->setUser($user);
$this->Flash->success(__d("Forms", "You are logged"));
$lang = $this->selectedLanguage;
return $this->redirect($this->Auth->redirectUrl("/$lang/"));
}
$this->Flash->error(__d("Forms", "You are not logged"));
......
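Review bot: The already-logged-in guard is copied verbatim into add() (first hunk, right after `$lang = $this->selectedLanguage;`) and login() (second hunk), and each copy reads `$this->Auth->user('id')` twice; a private helper that reads the id once and returns the redirect response (or null) keeps the two entry points from drifting. Each action would then reduce to `if ($redirect = $this->redirectIfAlreadyLoggedIn()) { return $redirect; }`. If the pre-existing `$lang = $this->selectedLanguage;` just before the `redirectUrl()` call survives on the new side of login(), it now duplicates the assignment added at the top of the method and can be dropped. The body of add() starts above the first hunk and both actions continue below their hunks.
```php
    // Shared by add() and login(): an authenticated user is sent to their own
    // profile page instead of seeing the form. Returns null when nobody is logged in.
    private function redirectIfAlreadyLoggedIn()
    {
        $userId = $this->Auth->user('id');
        if ($userId === null) {
            return null;
        }
        $lang = $this->selectedLanguage;
        return $this->redirect("/$lang/users/" . $userId);
    }

    public function login()
    {
        if ($redirect = $this->redirectIfAlreadyLoggedIn()) {
            return $redirect;
        }
        // … unchanged: POST handling via $this->Auth->identify() …
```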
......@@ -185,6 +185,80 @@ class UsersControllerTest extends ApiIntegrationTestCase
];
}
/**
* Check if a connected user is redirected to his profile page
* when he tries to view the following pages:
* - /<lang>/users/add
* - /<lang>/users/login
*
* @group form
* @group user
* @group userType_association
* @group userType_administration
* @group userType_person
* @group userType_provider
* @return void
*/
public function testConnectedUserDoesNotDisplayAddFormOrLoginForm()
{
$addUserUrl = '/fr/users/add';
$loginUrl = '/fr/users/login';
$expectedUrlPrefix = '/fr/users/';
// User of type Administration connected
$this->setConnectedAdministrationSession();
$this->get("$addUserUrl");
$this->currentResponseIsRedirectionToAnotherUrl("$expectedUrlPrefix" . $this->getConnectedUserId(), 302);
$this->get("$loginUrl");
$this->currentResponseIsRedirectionToAnotherUrl("$expectedUrlPrefix" . $this->getConnectedUserId(), 302);
// User of type Association connected
$this->setConnectedAssociationSession();
$this->get("$addUserUrl");
$this->currentResponseIsRedirectionToAnotherUrl("$expectedUrlPrefix" . $this->getConnectedUserId(), 302);
$this->get("$loginUrl");
$this->currentResponseIsRedirectionToAnotherUrl("$expectedUrlPrefix" . $this->getConnectedUserId(), 302);
// User of type Company connected
$this->setConnectedCompanySession();
$this->get("$addUserUrl");
$this->currentResponseIsRedirectionToAnotherUrl("$expectedUrlPrefix" . $this->getConnectedUserId(), 302);
$this->get("$loginUrl");
$this->currentResponseIsRedirectionToAnotherUrl("$expectedUrlPrefix" . $this->getConnectedUserId(), 302);
// User of type Person connected
$this->setConnectedPersonSession();
$this->get("$addUserUrl");
$this->currentResponseIsRedirectionToAnotherUrl("$expectedUrlPrefix" . $this->getConnectedUserId(), 302);
$this->get("$loginUrl");
$this->currentResponseIsRedirectionToAnotherUrl("$expectedUrlPrefix" . $this->getConnectedUserId(), 302);
}
/**
* Check if a anonymous user can display the following pages:
* - /<lang>/users/add
* - /<lang>/users/login
*
* @group form
* @group user
* @group anonymous
* @group wippp
* @return void
*/
public function testAnonymousUserCanDisplayAddFormOrLoginForm()
{
$this->setAnonymousUserSession();
$this->get('/fr/users/add');
$this->assertResponseCode(302);
$this->assertRedirectContains('/fr/users/add?t1=');
$r = $this->checkUrlOk('/fr/users/login', ['html']);
$html = $r['html']['data'];
$this->assertContains('<html lang="fr">', $html);
$this->assertContains("Se connecter", $html);
}
/**
* Test add method like a end user (HTML form)
* - Check that account creation URL redirects to a URL with a "t1" parameter containing a token
......@@ -206,7 +280,6 @@ class UsersControllerTest extends ApiIntegrationTestCase
* @group public
* @group user
* @group createUser
* @group wip
*
* @return void
*/
......
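Review bot: testConnectedUserDoesNotDisplayAddFormOrLoginForm only issues GET requests, so it does not pin the part of the new guard that matters most: the controller check runs before the POST branch of add(), so a logged-in user's POST to `/fr/users/add` must also be answered with the 302 rather than creating an account. Adding one `$this->post($addUserUrl, [...constructed user data...])` per session type, asserting the same redirect and (if the test case can reach the Users table) an unchanged row count, would cover that, even if the `t1` token flow seen in the anonymous test needs to be set up first. The four session blocks are identical apart from the `setConnected*Session()` call; a loop over those callables, or a data provider, would remove the repetition, and `$this->get("$addUserUrl")` can simply be `$this->get($addUserUrl)`. `@group wippp` on the second test reads like a leftover work-in-progress tag (the next hunk removes a `@group wip`), and its docblock should say "an anonymous user".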