BURs: don't allow builders to edit or reject BURs by other users.

Only admins can edit or reject BURs by other users now. The BUR creator
can still edit or reject their own BURs.
evazion
2021-09-22 00:32:39 -05:00
parent 5af21f03de
commit 28d2753c53
2 changed files with 11 additions and 5 deletions


@@ -4,7 +4,7 @@ class BulkUpdateRequestPolicy < ApplicationPolicy
end end
def update? def update?
unbanned? && (user.is_builder? || record.user_id == user.id) unbanned? && (user.is_admin? || record.user_id == user.id)
end end
def approve? def approve?
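Review bot: The reject half of this change cannot be confirmed from the policy hunk: the commit message covers both editing and rejecting, but only `update?` is tightened here and `destroy?` lies outside the hunk. The updated delete test suggests `destroy?` is derived from `update?`, though that is an inference from the test file. If so, a comment above `update?` would make the coupling explicit, for example `# Admins may edit or reject any BUR; other users only their own. destroy? depends on this check.` Without it, a later change that loosens `update?` for editing could silently reopen rejection by non-owners. The class body continues past `approve?`, outside the hunk.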


@@ -48,12 +48,18 @@ class BulkUpdateRequestsControllerTest < ActionDispatch::IntegrationTest
end end
context "#update" do context "#update" do
should "allow builders to update other people's requests" do should "allow admins to update other people's requests" do
put_auth bulk_update_request_path(@bulk_update_request.id), create(:builder_user), params: {bulk_update_request: {script: "create alias zzz -> 222" }} put_auth bulk_update_request_path(@bulk_update_request.id), create(:admin_user), params: {bulk_update_request: {script: "create alias zzz -> 222" }}
assert_response :redirect assert_response :redirect
assert_equal("create alias zzz -> 222", @bulk_update_request.reload.script) assert_equal("create alias zzz -> 222", @bulk_update_request.reload.script)
end end
should "not allow builders to update other people's requests" do
put_auth bulk_update_request_path(@bulk_update_request.id), create(:builder_user), params: {bulk_update_request: {script: "create alias zzz -> 222" }}
assert_response 403
assert_equal("create alias aaa -> bbb", @bulk_update_request.reload.script)
end
should "not allow members to update other people's requests" do should "not allow members to update other people's requests" do
put_auth bulk_update_request_path(@bulk_update_request.id), create(:user), params: {bulk_update_request: {script: "create alias zzz -> 222" }} put_auth bulk_update_request_path(@bulk_update_request.id), create(:user), params: {bulk_update_request: {script: "create alias zzz -> 222" }}
assert_response 403 assert_response 403
@@ -111,10 +117,10 @@ class BulkUpdateRequestsControllerTest < ActionDispatch::IntegrationTest
end end
end end
context "for another member" do context "for another Builder" do
should "fail" do should "fail" do
assert_difference("BulkUpdateRequest.count", 0) do assert_difference("BulkUpdateRequest.count", 0) do
delete_auth bulk_update_request_path(@bulk_update_request), create(:user) delete_auth bulk_update_request_path(@bulk_update_request), create(:builder_user)
assert_response 403 assert_response 403
end end
end end
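Review bot: The delete test for a plain member is lost in the last hunk, because `context "for another member"` was edited in place into the builder case instead of being kept beside it. Keeping the original block with `delete_auth bulk_update_request_path(@bulk_update_request), create(:user)` and adding the builder context as a sibling would pin both privilege levels at 403, as the `#update` hunk already does. The visible hunks also contain no test that an admin can delete another user's request, the counterpart of the new "allow admins to update" case; it may exist outside the hunk, whose enclosing context starts above it. Separately, `"for another Builder"` is capitalised unlike the other context names here, and `"for another builder"` would match them.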