BURs: don't allow builders to edit or reject BURs by other users.

Only admins can edit or reject BURs by other users now. The BUR creator
can still edit or reject their own BURs.
evazion
2021-09-22 00:32:39 -05:00
parent 5af21f03de
commit 28d2753c53
2 changed files with 11 additions and 5 deletions


@@ -4,7 +4,7 @@ class BulkUpdateRequestPolicy < ApplicationPolicy
end
def update?
unbanned? && (user.is_builder? || record.user_id == user.id)
unbanned? && (user.is_admin? || record.user_id == user.id)
end
def approve?
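Review bot: The reject half of this restriction is not visible on the changed `update?` line, so a reader of the policy cannot tell from here that rejecting is also limited to the creator or an admin. The rule that governs rejection sits outside this hunk and presumably delegates to `update?`; if so, a comment above the method would make that dependency explicit, e.g. `# Only the creator or an admin may edit; the reject rule relies on this check too.` Without it, a later loosening of `update?` would silently widen who can reject other users' requests. The class body continues outside the hunk.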


@@ -48,12 +48,18 @@ class BulkUpdateRequestsControllerTest < ActionDispatch::IntegrationTest
end
context "#update" do
should "allow builders to update other people's requests" do
put_auth bulk_update_request_path(@bulk_update_request.id), create(:builder_user), params: {bulk_update_request: {script: "create alias zzz -> 222" }}
should "allow admins to update other people's requests" do
put_auth bulk_update_request_path(@bulk_update_request.id), create(:admin_user), params: {bulk_update_request: {script: "create alias zzz -> 222" }}
assert_response :redirect
assert_equal("create alias zzz -> 222", @bulk_update_request.reload.script)
end
should "not allow builders to update other people's requests" do
put_auth bulk_update_request_path(@bulk_update_request.id), create(:builder_user), params: {bulk_update_request: {script: "create alias zzz -> 222" }}
assert_response 403
assert_equal("create alias aaa -> bbb", @bulk_update_request.reload.script)
end
should "not allow members to update other people's requests" do
put_auth bulk_update_request_path(@bulk_update_request.id), create(:user), params: {bulk_update_request: {script: "create alias zzz -> 222" }}
assert_response 403
@@ -111,10 +117,10 @@ class BulkUpdateRequestsControllerTest < ActionDispatch::IntegrationTest
end
end
context "for another member" do
context "for another Builder" do
should "fail" do
assert_difference("BulkUpdateRequest.count", 0) do
delete_auth bulk_update_request_path(@bulk_update_request), create(:user)
delete_auth bulk_update_request_path(@bulk_update_request), create(:builder_user)
assert_response 403
end
end
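Review bot: In the last hunk the delete test for another member is replaced by the Builder case rather than kept alongside it, so the tests visible here no longer check that a plain member gets 403 when deleting someone else's request. I would keep the original context and add the Builder one next to it, with the member variant still calling `delete_auth bulk_update_request_path(@bulk_update_request), create(:user)`. The hunks also show no test that an admin can still reject another user's request, the positive counterpart to the new admin update test; it may exist outside the hunk. The enclosing test class continues outside both hunks.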