From 3d2b2d62be287075ca402f1d59a880687f18dfcd Mon Sep 17 00:00:00 2001
From: Jeremy
Date: Tue, 10 Feb 2015 22:33:18 +0100
Subject: Avoid user to see other entries hehe :)
---
 .../Tests/Controller/EntryControllerTest.php | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
(limited to 'src/Wallabag/CoreBundle/Tests')
diff --git a/src/Wallabag/CoreBundle/Tests/Controller/EntryControllerTest.php b/src/Wallabag/CoreBundle/Tests/Controller/EntryControllerTest.php
index 05854525..7276f8e4 100644
--- a/src/Wallabag/CoreBundle/Tests/Controller/EntryControllerTest.php
+++ b/src/Wallabag/CoreBundle/Tests/Controller/EntryControllerTest.php
@@ -174,4 +174,25 @@ class EntryControllerTest extends WallabagTestCase
 $this->assertEquals($res->isDeleted(), true);
 }
+
+ public function testViewOtherUserEntry()
+ {
+ $this->logInAs('bob');
+ $client = $this->getClient();
+
+ $content = $client->getContainer()
+ ->get('doctrine.orm.entity_manager')
+ ->getRepository('WallabagCoreBundle:Entry')
+ ->createQueryBuilder('e')
+ ->select('e.id')
+ ->leftJoin('e.user', 'u')
+ ->where('u.username != :username')->setParameter('username', 'bob')
+ ->setMaxResults(1)
+ ->getQuery()
+ ->getSingleResult(AbstractQuery::HYDRATE_ARRAY);
+
+ $client->request('GET', '/view/'.$content['id']);
+
+ $this->assertEquals(403, $client->getResponse()->getStatusCode());
+ }
 }
-- cgit v1.2.3
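Review bot: testViewOtherUserEntry pins the cross-user ownership check only for the read route `/view/{id}`; the context line just above it closes a test that asserts `isDeleted()`, so this class also exercises at least one state-changing action on an entry id, and no matching other-user test is added for it here. If the ownership check is done per controller action rather than in one shared place (not visible from this hunk), each such route needs its own 403 assertion, and the same `$content['id']` lookup can be reused: `$client->request('GET', '<delete route>/'.$content['id']);` followed by the same `$this->assertEquals(403, $client->getResponse()->getStatusCode());`. Separately, the hunk uses `AbstractQuery::HYDRATE_ARRAY` without adding a `use` line, which only works if the file already imports `Doctrine\ORM\AbstractQuery` outside this hunk.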