Commit a268478c authored by Drew Blessing's avatar Drew Blessing Committed by Drew Blessing

Fix user display name permission check

The current_user and user were swapped in the permission check
for the UsersHelper#user_display_name method, resulting in
authenticated users seeing an unconfirmed user's full name on
the profile page.
parent e10c3757
......@@ -181,7 +181,7 @@ module UsersHelper
def user_display_name(user)
return s_('UserProfile|Blocked user') if user.blocked?
can_read_profile = can?(user, :read_user_profile, current_user)
can_read_profile = can?(current_user, :read_user_profile, user)
return s_('UserProfile|Unconfirmed user') unless user.confirmed? || can_read_profile
user.name
......
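Review bot: Both the first and third arguments to `can?` on the new line are User records, so nothing at the call site shows which is the viewer and which is the profile owner; that ambiguity is what let the swap described in the commit message go unnoticed. A one-line comment above the assignment would pin the convention, for example `# can?(viewer, ability, subject): current_user is viewing user's profile`. The permission is also computed for confirmed users, although its result is only consulted when `user.confirmed?` is false; `return s_('UserProfile|Unconfirmed user') unless user.confirmed? || can?(current_user, :read_user_profile, user)` would skip the lookup in that case. The method's closing `end` lies outside the hunk.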
......@@ -126,6 +126,7 @@ RSpec.describe 'User page' do
context 'with unconfirmed user' do
let_it_be(:user) { create(:user, :unconfirmed) }
shared_examples 'unconfirmed user profile' do
before do
visit_profile
end
......@@ -149,6 +150,20 @@ RSpec.describe 'User page' do
end
end
context 'when visited by an authenticated user' do
before do
authenticated_user = create(:user)
sign_in(authenticated_user)
end
it_behaves_like 'unconfirmed user profile'
end
context 'when visited by an unauthenticated user' do
it_behaves_like 'unconfirmed user profile'
end
end
it 'shows the status if there was one' do
create(:user_status, user: user, message: "Working hard!")
......
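Review bot: The new contexts under 'with unconfirmed user' only cover viewers who must not see the name (a freshly created user and an anonymous visitor); no example covers a viewer who is granted `:read_user_profile` on the unconfirmed user and should see the real name. Without that positive case, a later change that denies the permission to everyone would still pass this feature spec. Consider a third context for a permitted viewer that expects the full name; which role qualifies depends on the policy, which is not visible here. The body of the shared examples is only partly shown in these hunks.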
......@@ -330,7 +330,7 @@ RSpec.describe UsersHelper do
end
def stub_profile_permission_allowed(allowed, current_user = nil)
allow(helper).to receive(:can?).with(user, :read_user_profile, current_user).and_return(allowed)
allow(helper).to receive(:can?).with(current_user, :read_user_profile, user).and_return(allowed)
end
end
end
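Review bot: `stub_profile_permission_allowed` repeats the argument order used by the helper, so this spec passes whenever the stub and the implementation agree, including when both have the viewer and the profile owner reversed, as they did before this commit. At least one example in this describe block should run against the real policy instead of a stubbed `can?`, so the order is checked against something other than a copy of itself. If the stub stays, a comment such as `# can?(viewer, ability, subject) - keep in sync with UsersHelper#user_display_name` would make the coupling explicit. The examples that call this helper are outside the hunk.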