diff --git a/app/Http/Controllers/Api/UsersController.php b/app/Http/Controllers/Api/UsersController.php index e48994fbae..81229d78b5 100644 --- a/app/Http/Controllers/Api/UsersController.php +++ b/app/Http/Controllers/Api/UsersController.php @@ -415,7 +415,7 @@ class UsersController extends Controller { $this->authorize('view', User::class); - if ($user = User::withCount('assets as assets_count', 'licenses as licenses_count', 'accessories as accessories_count', 'consumables as consumables_count', 'managesUsers as manages_users_count', 'managedLocations as manages_locations_count')) { + if ($user = User::withCount('assets as assets_count', 'licenses as licenses_count', 'accessories as accessories_count', 'consumables as consumables_count', 'managesUsers as manages_users_count', 'managedLocations as manages_locations_count')->find($id)) { $this->authorize('view', $user); return (new UsersTransformer)->transformUser($user); } diff --git a/tests/Feature/Users/Api/ViewUserTest.php b/tests/Feature/Users/Api/ViewUserTest.php new file mode 100644 index 0000000000..09d11a4ad3 --- /dev/null +++ b/tests/Feature/Users/Api/ViewUserTest.php @@ -0,0 +1,53 @@ +create(); + + $this->actingAs(User::factory()->viewUsers()->create()) + ->getJson(route('api.users.show', $user)) + ->assertOk(); + } + + public function testUserWithoutCompanyPermissionsCannotDeleteUser() + { + + $this->settings->enableMultipleFullCompanySupport(); + + [$companyA, $companyB] = Company::factory()->count(2)->create(); + + $superuser = User::factory()->superuser()->create(); + $userFromA = User::factory()->for($companyA)->create(); + $userFromB = User::factory()->for($companyB)->create(); + + $this->followingRedirects()->actingAsForApi(User::factory()->deleteUsers()->for($companyA)->create()) + ->delete(route('users.destroy', ['user' => $userFromB->id])) + ->assertStatus(403); + + $this->actingAs(User::factory()->deleteUsers()->for($companyA)->create()) + ->delete(route('users.destroy', ['user' => $userFromA->id])) + ->assertStatus(302) + ->assertRedirect(route('users.index')); + + $this->actingAs($superuser) + ->post(route('users.destroy', ['userId' => $userFromA->id])) + ->assertStatus(302); + + $this->actingAs($superuser) + ->post(route('users.destroy', ['userId' => $userFromB->id])) + ->assertStatus(302); + + } + +}