From 4eeb6b75167e662e3f9bea3bc6ab1838cc9ff956 Mon Sep 17 00:00:00 2001
From: fujiwara-e
Date: Tue, 7 Apr 2026 10:21:38 +0900
Subject: [PATCH 1/3] Refactor user show view to display API tokens conditionally and remove links for user name and screen name
---
 app/controllers/users_controller.rb | 2 +-
 app/views/users/show.html.erb | 16 ++++++++--------
 2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 6200335a..1c3d7bad 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -9,7 +9,7 @@ def index
 # GET /users/1 or /users/1.json
 def show
- @api_tokens = ApiToken.all
+ @api_tokens = @user == current_user ? @user.api_tokens : []
 @assigned_tasks = @user.assigned_tasks.active.desc(5)
 end
diff --git a/app/views/users/show.html.erb b/app/views/users/show.html.erb
index 7022bd71..e09dc900 100644
--- a/app/views/users/show.html.erb
+++ b/app/views/users/show.html.erb
@@ -2,12 +2,12 @@

氏名

- <%= link_to @user.name, user_path(@user), class: "text-muted text-decoration-none" %> + <%= @user.name %>

アカウント名

- <%= link_to @user.screen_name, user_path(@user), class: "text-muted text-decoration-none" %> + <%= @user.screen_name %>
@@ -16,10 +16,10 @@ <%= link_to "タスク一覧へ", tasks_path, method: :get, class: "text-muted text-decoration-none" %>
-
-

APIトークン

- <% @api_tokens.each do |api_token| %> - <% if api_token.user_id == current_user.id %> +<% if @user == current_user %> +
+

APIトークン

+ <% @api_tokens.each do |api_token| %>

APIトークン: <%= api_token.secret %>

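Review bot: The section this hunk wraps in `<% if @user == current_user %>` still prints each token's secret in full on every render of the profile (context line `APIトークン: <%= api_token.secret %>`), so the new guard narrows who can see the secrets but not how often they are exposed in a page body, browser history or screen share. If the model allows it, the usual pattern is to show the secret once at creation and render only a masked form here, e.g. `APIトークン: ****<%= api_token.secret.last(4) %>`, which also removes the need to keep the secret recoverable at rest; the test added in patch 3 asserts the full secret appears, so it would need adjusting. The view's guard duplicates the controller's `@user == current_user ? @user.api_tokens : []` from the same commit, which is fine as defense in depth as long as both keep using the same comparison. The enclosing markup is not visible in this extract, so the exact nesting of the guard cannot be checked here.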
@@ -32,7 +32,7 @@ <%= button_to '削除', api_token, method: :delete, data: { turbo_confirm: 'このAPIトークンを削除しますか?' }, class: "btn btn-sm" %>
<% end %> - <% end %> -
+
+<% end %> <%= link_to '編集', edit_user_path(@user), class: "btn btn-sm" %>
From 1e57feea901f8c5179f9287a299f77583166bc1b Mon Sep 17 00:00:00 2001
From: fujiwara-e
Date: Tue, 7 Apr 2026 11:40:52 +0900
Subject: [PATCH 2/3] Refactor based on Copilot's review
---
 app/controllers/users_controller.rb | 2 +-
 app/views/users/show.html.erb | 4 +---
 2 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 1c3d7bad..8c19dcde 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -9,7 +9,7 @@ def index
 # GET /users/1 or /users/1.json
 def show
- @api_tokens = @user == current_user ? @user.api_tokens : []
+ @api_tokens = current_user?(@user) ? @user.api_tokens : []
 @assigned_tasks = @user.assigned_tasks.active.desc(5)
 end
diff --git a/app/views/users/show.html.erb b/app/views/users/show.html.erb
index e09dc900..2f3d7f98 100644
--- a/app/views/users/show.html.erb
+++ b/app/views/users/show.html.erb
@@ -16,7 +16,7 @@ <%= link_to "タスク一覧へ", tasks_path, method: :get, class: "text-muted text-decoration-none" %>
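Review bot: The controller now calls `current_user?(@user)` unconditionally, while the matching view hunk of this patch (`@@ -16,7 +16,7 @@` in show.html.erb) guards the same call with `logged_in? &&`; the two hunks disagree about whether `current_user?` is safe for an anonymous visitor. If `current_user?` treats a nil `current_user` as false, the `logged_in?` in the view is redundant and should be dropped so both sites read identically; if it does not, the controller raises before the view guard is ever reached, and the guard belongs here too, e.g. `@api_tokens = logged_in? && current_user?(@user) ? @user.api_tokens : []`. Neither `current_user?` nor `logged_in?` is defined in this patch, so which case applies cannot be confirmed from the page. `@user` is assigned outside the hunk (presumably a before_action), so its nil-handling is also not visible here.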
-<% if @user == current_user %> +<% if logged_in? && current_user?(@user) %>

APIトークン

<% @api_tokens.each do |api_token| %> @@ -26,8 +26,6 @@

トークン名: <%= api_token.description %>

有効期限: <%= api_token.expired_at %>

-
-
<%= link_to '編集', edit_api_token_path(api_token), class: "btn btn-sm" %> <%= button_to '削除', api_token, method: :delete, data: { turbo_confirm: 'このAPIトークンを削除しますか?' }, class: "btn btn-sm" %>
From b69824a7951a9696d6ca7b03435c32a6cdb4fb08 Mon Sep 17 00:00:00 2001
From: fujiwara-e
Date: Tue, 7 Apr 2026 12:00:43 +0900
Subject: [PATCH 3/3] Add tests for API token visibility based on user ownership and update fixture data
---
 test/controllers/users_controller_test.rb | 29 +++++++++++++++++++++++
 test/fixtures/api_tokens.yml | 12 +++++-----
 2 files changed, 35 insertions(+), 6 deletions(-)
diff --git a/test/controllers/users_controller_test.rb b/test/controllers/users_controller_test.rb
index c4f4edd1..7819b329 100644
--- a/test/controllers/users_controller_test.rb
+++ b/test/controllers/users_controller_test.rb
@@ -51,4 +51,33 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
 delete user_url(@user)
 end
 end
+
+ test "should not show own api tokens when viewing other user's page" do
+ user_a = users(:one)
+ user_b = users(:two)
+ log_in_as(user_a)
+
+ get user_url(user_b)
+ assert_response :success
+
+ # ユーザーAのAPIトークンのsecretが表示されていないことを確認
+ assert_not_includes @response.body, api_tokens(:one).secret
+
+ # ユーザーBのAPIトークンのsecretも表示されていないことを確認
+ assert_not_includes @response.body, api_tokens(:two).secret
+ end
+
+ test "should show own api tokens on own user page" do
+ user_a = users(:one)
+ log_in_as(user_a)
+
+ get user_url(user_a)
+ assert_response :success
+
+ # ユーザーAのAPIトークンのsecretが表示されていることを確認
+ assert_includes @response.body, api_tokens(:one).secret
+
+ # ユーザーAのAPIトークンのdescriptionが表示されていることを確認
+ assert_includes @response.body, api_tokens(:one).description
+ end
 end
diff --git a/test/fixtures/api_tokens.yml b/test/fixtures/api_tokens.yml
index 3ee69789..6cba1a13 100644
--- a/test/fixtures/api_tokens.yml
+++ b/test/fixtures/api_tokens.yml
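Review bot: Both new tests run as a logged-in user, so the anonymous path that the view guards with `logged_in?` — an unauthenticated `get user_url(users(:one))` — has no assertion that the secret is absent, and it is exactly the case where `current_user` is nil and the controller's `current_user?(@user)` call is least exercised. The `show` action's comment (`# GET /users/1 or /users/1.json`) also advertises a JSON format; if a JSON template renders `@api_tokens`, the same two "other user" assertions should be repeated with `as: :json`, though no JSON view is visible on this page. The fixture secrets introduced in this patch are distinctive strings, so `assert_not_includes` on the body is a meaningful negative check. Whether an anonymous request is served or redirected is not visible here, so the response assertion in the sketch below is a placeholder to adjust.
```ruby
  test "should not show api tokens when not logged in" do
    get user_url(users(:one))
    # TODO(review): if anonymous visitors are redirected, assert_redirected_to the login path instead
    assert_not_includes @response.body, api_tokens(:one).secret
  end
```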
@@ -1,13 +1,13 @@
 # Read about fixtures at https://api.rubyonrails.org/classes/ActiveRecord/FixtureSet.html
 one:
- secret: MyString
- description: MyString
+ secret: secret_token_for_user_one_abc123
+ description: Token for User One
 expired_at: 2021-08-27 20:27:00
- user_id: one
+ user: one
 two:
- secret: MyString
- description: MyString
+ secret: secret_token_for_user_two_xyz789
+ description: Token for User Two
 expired_at: 2021-08-27 20:27:00
- user_id: two
+ user: two