votes: allow Members to vote.

* Allow Member-level users to vote. * Don't allow Banned or Restricted users to create favorites any more. Banned and Restricted users aren't allowed to upvote or favorite any more to prevent sockpuppet accounts from upvoting even after they're banned.
2021-11-16 05:11:04 -06:00
parent 1a27b1d5eb
commit 055e5939b4
5 changed files with 24 additions and 7 deletions
--- a/app/policies/favorite_policy.rb
+++ b/app/policies/favorite_policy.rb
@@ -1,6 +1,6 @@
 class FavoritePolicy < ApplicationPolicy
  def create?
-    !user.is_anonymous?
+    unbanned? && user.is_member?
  end

  def destroy?
--- a/app/policies/post_vote_policy.rb
+++ b/app/policies/post_vote_policy.rb
@@ -1,6 +1,6 @@
 class PostVotePolicy < ApplicationPolicy
  def create?
-    unbanned? && user.is_gold?
+    unbanned? && user.is_member?
  end

  def destroy?
--- a/test/factories/user.rb
+++ b/test/factories/user.rb
@@ -8,6 +8,7 @@ FactoryBot.define do
    factory(:banned_user) do
      transient { ban_duration {3} }
      is_banned {true}
+      active_ban factory: :ban
    end

    factory(:restricted_user) do
--- a/test/functional/favorites_controller_test.rb
+++ b/test/functional/favorites_controller_test.rb
@@ -48,12 +48,21 @@ class FavoritesControllerTest < ActionDispatch::IntegrationTest
        end
      end

-      should "allow banned users to create favorites" do
+      should "not allow banned users to create favorites" do
        @banned_user = create(:banned_user)

-        assert_difference [-> { @post.favorites.count }, -> { @post.reload.fav_count }, -> { @banned_user.reload.favorite_count }], 1 do
+        assert_difference [-> { @post.favorites.count }, -> { @post.reload.fav_count }, -> { @banned_user.reload.favorite_count }], 0 do
          post_auth favorites_path(post_id: @post.id), @banned_user, as: :javascript
-          assert_response :redirect
+          assert_response 403
+        end
+      end
+
+      should "not allow restricted users to create favorites" do
+        @restricted_user = create(:restricted_user)
+
+        assert_difference [-> { @post.favorites.count }, -> { @post.reload.fav_count }, -> { @restricted_user.reload.favorite_count }], 0 do
+          post_auth favorites_path(post_id: @post.id), @restricted_user, as: :javascript
+          assert_response 403
        end
      end

--- a/test/functional/post_votes_controller_test.rb
+++ b/test/functional/post_votes_controller_test.rb
@@ -185,13 +185,20 @@ class PostVotesControllerTest < ActionDispatch::IntegrationTest
        assert_equal(0, @post.reload.score)
      end

-      should "not allow members to vote" do
-        post_auth post_post_votes_path(post_id: @post.id), create(:user), params: { score: 1, format: "js" }
+      should "not allow restricted users to vote" do
+        post_auth post_post_votes_path(post_id: @post.id), create(:restricted_user), params: { score: 1, format: "js"}

        assert_response 403
        assert_equal(0, @post.reload.score)
      end

+      should "allow members to vote" do
+        post_auth post_post_votes_path(post_id: @post.id), create(:user), params: { score: 1, format: "js" }
+
+        assert_response :success
+        assert_equal(1, @post.reload.score)
+      end
+
      should "not allow invalid scores" do
        post_auth post_post_votes_path(post_id: @post.id), @user, params: { score: 3, format: "js" }