From bba080a4c587b9fb59494bb84346b03bce8322ed Mon Sep 17 00:00:00 2001
From: evazion
Date: Mon, 28 Nov 2016 03:47:43 -0600
Subject: [PATCH 1/2] Test mod deletion of user feedbacks.

---
 .../user_feedbacks_controller_test.rb | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/test/functional/user_feedbacks_controller_test.rb b/test/functional/user_feedbacks_controller_test.rb
index 806f5d82d..688705d02 100644
--- a/test/functional/user_feedbacks_controller_test.rb
+++ b/test/functional/user_feedbacks_controller_test.rb
@@ -5,6 +5,7 @@ class UserFeedbacksControllerTest < ActionController::TestCase
     setup do
       @user = FactoryGirl.create(:user)
       @critic = FactoryGirl.create(:gold_user)
+      @mod = FactoryGirl.create(:moderator_user)
       CurrentUser.user = @critic
       CurrentUser.ip_addr = "127.0.0.1"
     end
@@ -62,7 +63,7 @@ class UserFeedbacksControllerTest < ActionController::TestCase
 
     context "destroy action" do
       setup do
-        @user_feedback = FactoryGirl.create(:user_feedback)
+        @user_feedback = FactoryGirl.create(:user_feedback, user: @user)
       end
 
       should "delete a feedback" do
@@ -70,6 +71,21 @@ class UserFeedbacksControllerTest < ActionController::TestCase
           post :destroy, {:id => @user_feedback.id}, {:user_id => @critic.id}
         end
       end
+
+      context "by a moderator" do
+        should "allow deleting feedbacks given to other users" do
+          assert_difference "UserFeedback.count", -1 do
+            post :destroy, {:id => @user_feedback.id}, {:user_id => @mod.id}
+          end
+        end
+
+        should "not allow deleting feedbacks given to themselves" do
+          @user_feedback = FactoryGirl.create(:user_feedback, user: @mod)
+          assert_difference "UserFeedback.count", 0 do
+            post :destroy, {:id => @user_feedback.id}, {:user_id => @mod.id}
+          end
+        end
+      end
     end
   end
 end

From fa74c71b6d38065140fcaa306b46875bc1f11c4b Mon Sep 17 00:00:00 2001
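Review bot: The negative case in the new `by a moderator` context asserts only that `UserFeedback.count` is unchanged, so a controller that silently ignored the request would pass; it should also assert the refusal, e.g. `assert_response :forbidden` (or whatever status the application renders for `User::PrivilegeError`, which is not visible here). The companion patch's `check_privilege` also governs edit/update, but no test covers a moderator editing a feedback given to themselves; a parallel case under the update context would pin that path too. The `@mod` fixture added in the first hunk is used only by this context.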
From: evazion
Date: Mon, 28 Nov 2016 03:48:24 -0600
Subject: [PATCH 2/2] Prevent mods from editing/deleting feedbacks given to themselves.

---
 app/controllers/user_feedbacks_controller.rb | 2 +-
 app/models/user_feedback.rb                  | 4 ++++
 app/views/user_feedbacks/index.html.erb      | 2 +-
 app/views/user_feedbacks/show.html.erb       | 2 +-
 4 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/app/controllers/user_feedbacks_controller.rb b/app/controllers/user_feedbacks_controller.rb
index bc68ffd22..815abbb38 100644
--- a/app/controllers/user_feedbacks_controller.rb
+++ b/app/controllers/user_feedbacks_controller.rb
@@ -49,6 +49,6 @@ class UserFeedbacksController < ApplicationController
   private
 
   def check_privilege(user_feedback)
-    raise User::PrivilegeError unless (user_feedback.creator_id == CurrentUser.id || CurrentUser.is_moderator?)
+    raise User::PrivilegeError unless user_feedback.editable_by?(CurrentUser.user)
   end
 end
diff --git a/app/models/user_feedback.rb b/app/models/user_feedback.rb
index 19059f87a..dc7536da4 100644
--- a/app/models/user_feedback.rb
+++ b/app/models/user_feedback.rb
@@ -98,4 +98,8 @@ class UserFeedback < ActiveRecord::Base
       return true
     end
   end
+
+  def editable_by?(editor)
+    (editor.is_moderator? && editor != user) || creator == editor
+  end
 end
diff --git a/app/views/user_feedbacks/index.html.erb b/app/views/user_feedbacks/index.html.erb
index d6490f147..005e7d1bc 100644
--- a/app/views/user_feedbacks/index.html.erb
+++ b/app/views/user_feedbacks/index.html.erb
@@ -20,7 +20,7 @@
 <%= compact_time(feedback.created_at) %>
 <%= format_text(feedback.body) %>
- <% if feedback.creator_id == CurrentUser.id || CurrentUser.is_moderator? %>
+ <% if feedback.editable_by?(CurrentUser.user) %>
 <%= link_to "edit", edit_user_feedback_path(feedback) %> | <%= link_to "delete", user_feedback_path(feedback), :method => :delete, :data => {:confirm => "Are you sure you want to delete this user feedback?"} %>
 <% end %>
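Review bot: `check_privilege` now hands `CurrentUser.user` to `editable_by?`, which calls `is_moderator?` on it unguarded, whereas the replaced condition went through `CurrentUser.id` and `CurrentUser.is_moderator?`; if any request can reach this filter with no user object set (not visible here — `CurrentUser` may substitute an anonymous user), the outcome becomes a `NoMethodError` instead of `User::PrivilegeError`, i.e. a 500 where a denial was intended. If that path exists, `raise User::PrivilegeError unless CurrentUser.user && user_feedback.editable_by?(CurrentUser.user)` keeps the denial uniform. The hunk shows the whole method; which actions invoke it is outside the hunk.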
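Review bot: `creator == editor` in the new `editable_by?` loads the `creator` association, while the controller code it replaces compared `creator_id == CurrentUser.id` without a query; the index view now calls this per row, so unless `creator` is preloaded there (not visible here) each row costs an extra query — `creator_id == editor.id` keeps the old cost. The moderator clause excludes feedback whose subject is the editor, but the `||` branch still admits a moderator who both wrote and received the feedback; if self-feedback is blocked at creation that is moot, otherwise the commit's stated rule needs the exclusion ahead of the creator check (for moderators only, e.g. `return false if editor.is_moderator? && editor == user`). The method also lacks a comment; suggest `# Authors may edit their own feedback; moderators may edit any feedback except one given to themselves.`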
diff --git a/app/views/user_feedbacks/show.html.erb b/app/views/user_feedbacks/show.html.erb
index 0d45da9bb..34efbfb57 100644
--- a/app/views/user_feedbacks/show.html.erb
+++ b/app/views/user_feedbacks/show.html.erb
@@ -9,7 +9,7 @@
  • Message <%= format_text @user_feedback.body %>
  • - <% if @user_feedback.creator_id == CurrentUser.id || CurrentUser.is_moderator? %>
+ <% if @user_feedback.editable_by?(CurrentUser.user) %>

    <%= link_to "Edit", edit_user_feedback_path(@user_feedback) %>

    <% end %>