Commit a268478c authored by Drew Blessing's avatar Drew Blessing Committed by Drew Blessing

Fix user display name permission check

The current_user and user were swapped in the permission check
for the UsersHelper#user_display_name method, resulting in
authenticated users seeing an unconfirmed user's full name on
the profile page.
parent e10c3757
......@@ -181,7 +181,7 @@ module UsersHelper
def user_display_name(user)
return s_('UserProfile|Blocked user') if user.blocked?
can_read_profile = can?(user, :read_user_profile, current_user)
can_read_profile = can?(current_user, :read_user_profile, user)
return s_('UserProfile|Unconfirmed user') unless user.confirmed? || can_read_profile
user.name
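Review bot: Nothing at the `can?` call in `user_display_name` says which positional argument is the viewer and which is the profile owner, which is how the two came to be swapped. A one-line comment above the call would guard against a repeat, for example `# can?(viewer, ability, subject): current_user is the viewer, user is the profile being shown`. `current_user` is presumably nil for signed-out visitors, so the comment could also say that the policy is expected to deny in that case. The method's closing `end` is outside the hunk.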
......
......@@ -126,26 +126,41 @@ RSpec.describe 'User page' do
context 'with unconfirmed user' do
let_it_be(:user) { create(:user, :unconfirmed) }
before do
visit_profile
end
shared_examples 'unconfirmed user profile' do
before do
visit_profile
end
it 'shows user name as unconfirmed' do
expect(page).to have_css(".cover-title", text: 'Unconfirmed user')
end
it 'shows user name as unconfirmed' do
expect(page).to have_css(".cover-title", text: 'Unconfirmed user')
end
it 'shows no tab' do
expect(page).to have_css("div.profile-header")
expect(page).not_to have_css("ul.nav-links")
it 'shows no tab' do
expect(page).to have_css("div.profile-header")
expect(page).not_to have_css("ul.nav-links")
end
it 'shows no additional fields' do
expect(page).not_to have_css(".profile-user-bio")
expect(page).not_to have_css(".profile-link-holder")
end
it 'shows private profile message' do
expect(page).to have_content("This user has a private profile")
end
end
it 'shows no additional fields' do
expect(page).not_to have_css(".profile-user-bio")
expect(page).not_to have_css(".profile-link-holder")
context 'when visited by an authenticated user' do
before do
authenticated_user = create(:user)
sign_in(authenticated_user)
end
it_behaves_like 'unconfirmed user profile'
end
it 'shows private profile message' do
expect(page).to have_content("This user has a private profile")
context 'when visited by an unauthenticated user' do
it_behaves_like 'unconfirmed user profile'
end
end
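Review bot: The shared examples assert that 'Unconfirmed user' appears in `.cover-title`, but none asserts that the real name is absent, so a leak of the name elsewhere on the profile page would still pass. Adding `expect(page).not_to have_content(user.name)` to the 'shows user name as unconfirmed' example would pin the disclosure this commit fixes. The two contexts shown cover only viewers who must be denied. If the rest of the file has no case for a viewer who is allowed to read the profile, one is worth adding so that an always-deny regression is caught as well.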
......
......@@ -330,7 +330,7 @@ RSpec.describe UsersHelper do
end
def stub_profile_permission_allowed(allowed, current_user = nil)
allow(helper).to receive(:can?).with(user, :read_user_profile, current_user).and_return(allowed)
allow(helper).to receive(:can?).with(current_user, :read_user_profile, user).and_return(allowed)
end
end
end
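Review bot: `stub_profile_permission_allowed` pins `can?` to an exact argument tuple, so the helper spec restates the implementation's argument order instead of checking the policy outcome; the stub and the helper were swapped together and the spec kept passing. At least one example should run against the real policy without this stub, e.g. `allow(helper).to receive(:current_user).and_return(create(:user))` followed by `expect(helper.user_display_name(user)).to eq('Unconfirmed user')` for an unconfirmed `user`. Whether `current_user` on the helper is set to the same value the stub receives is decided outside this hunk and should be confirmed, since the default is `nil`. The enclosing `describe` starts outside the hunk.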