Merge pull request #2775 from evazion/fix-user-feedbacks

Prevent mods from editing/deleting feedbacks given to themselves.
2016-11-28 12:02:47 -08:00
parent 4c0e44806c fa74c71b6d
commit 5c761d4a60
5 changed files with 24 additions and 4 deletions
--- a/test/functional/user_feedbacks_controller_test.rb
+++ b/test/functional/user_feedbacks_controller_test.rb
@@ -5,6 +5,7 @@ class UserFeedbacksControllerTest < ActionController::TestCase
    setup do
      @user = FactoryGirl.create(:user)
      @critic = FactoryGirl.create(:gold_user)
+      @mod = FactoryGirl.create(:moderator_user)
      CurrentUser.user = @critic
      CurrentUser.ip_addr = "127.0.0.1"
    end
@@ -62,7 +63,7 @@ class UserFeedbacksControllerTest < ActionController::TestCase

    context "destroy action" do
      setup do
-        @user_feedback = FactoryGirl.create(:user_feedback)
+        @user_feedback = FactoryGirl.create(:user_feedback, user: @user)
      end

      should "delete a feedback" do
@@ -70,6 +71,21 @@ class UserFeedbacksControllerTest < ActionController::TestCase
          post :destroy, {:id => @user_feedback.id}, {:user_id => @critic.id}
        end
      end
+
+      context "by a moderator" do
+        should "allow deleting feedbacks given to other users" do
+          assert_difference "UserFeedback.count", -1 do
+            post :destroy, {:id => @user_feedback.id}, {:user_id => @mod.id}
+          end
+        end
+
+        should "not allow deleting feedbacks given to themselves" do
+          @user_feedback = FactoryGirl.create(:user_feedback, user: @mod)
+          assert_difference "UserFeedback.count", 0 do
+            post :destroy, {:id => @user_feedback.id}, {:user_id => @mod.id}
+          end
+        end
+      end
    end
  end
 end