diff --git a/taiga/base/users/api.py b/taiga/base/users/api.py
index 481aba4a..6fc88f92 100644
--- a/taiga/base/users/api.py
+++ b/taiga/base/users/api.py
@@ -37,7 +37,7 @@ class MembersFilterBackend(BaseFilterBackend):
 if request.user.is_superuser:
 return queryset
 else:
- raise exc.PermissionDenied(_("You don't have permisions to see all users."))
+ return queryset.filter(pk=request.user.id)
 class PermissionsViewSet(ModelListViewSet):
 permission_classes = (IsAuthenticated,)
diff --git a/taiga/projects/tests/tests_api.py b/taiga/projects/tests/tests_api.py
index 4017968b..f95e3c91 100644
--- a/taiga/projects/tests/tests_api.py
+++ b/taiga/projects/tests/tests_api.py
@@ -37,6 +37,16 @@ class ProfileTestCase(test.TestCase):
 response = self.client.get(reverse("users-list"))
 self.assertEqual(response.status_code, 200)
+ users_list = response.data
+ self.assertEqual(len(users_list), 1)
+
+ response = self.client.login(username=self.user1.username,
+ password=self.user1.username)
+ self.assertTrue(response)
+
+ response = self.client.get(reverse("users-list"))
+ self.assertEqual(response.status_code, 200)
+
 users_list = response.data
 self.assertEqual(len(users_list), 3)
@@ -52,7 +62,7 @@ class ProfileTestCase(test.TestCase):
 reverse("users-detail", args=[self.user2.pk]),
 content_type="application/json",
 data=json.dumps(data))
- self.assertEqual(response.status_code, 400)
+ self.assertEqual(response.status_code, 404)
 def test_update_users_self(self):
 response = self.client.login(username=self.user3.username,
@@ -88,7 +98,7 @@ class ProfileTestCase(test.TestCase):
 data = {"first_name": "Foo Bar"}
 response = self.client.delete(
 reverse("users-detail", args=[self.user2.pk]))
- self.assertEqual(response.status_code, 400)
+ self.assertEqual(response.status_code, 404)
 def test_delete_users_self(self):
 response = self.client.login(username=self.user3.username,
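Review bot: The new `return queryset.filter(pk=request.user.id)` branch makes this filter backend the mechanism that keeps a non-superuser away from other users' records, and nothing in the code says so. The updated tests expect 404 on `users-detail` for another user's pk, which suggests update and delete lookups also rely on this scoping; any action that reads the queryset without applying the filter would bypass it, which is worth confirming outside this hunk. I would put a comment above the branch, such as `# Non-superusers only ever see their own record; access to other users' objects relies on this scoping.`, and drop the now redundant `else:` after the early return. For an unauthenticated request `request.user.id` would be None; whether the view using this backend requires authentication is not visible here. The enclosing method starts outside the hunk.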
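Review bot: The added `self.assertEqual(len(users_list), 1)` in the `@@ -37,6 +37,16 @@` hunk checks only the count, so the test would still pass if the filter returned one record belonging to a different user. Assert the identity of that record as well, along the lines of `self.assertEqual(users_list[0]["id"], <logged-in user>.pk)`; the login that precedes this hunk and the serializer's field names are not visible, so the user and key are placeholders. A one-line comment stating that `user1` is the account expected to see all three users would make the second half of the test readable on its own.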
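Review bot: Both status-code changes (the update test at `@@ -52,7 +62,7 @@` and the delete test at `@@ -88,7 +98,7 @@`) assert only that the request was answered with 404, not that `user2` was left untouched. Because the rejection now comes from queryset scoping rather than an explicit permission error, the tests should pin the outcome too: after the update, reload `user2` and compare the field that was sent, and after the delete add `self.assertTrue(type(self.user2).objects.filter(pk=self.user2.pk).exists())`. Both test methods start outside their hunks, so the update payload is not visible here.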