Fix #4990: Allow admins to delete uploads.

Allow admins to delete media asset files. This only deletes the image file itself, not the upload or media asset record. The upload will still be in the user's upload list, but the image will be gone. The media asset page will still exist, but it will only show the file's metadata, not the image itself. We don't delete the metadata so we have a record of what the file's MD5 was and who uploaded it, to prevent the file from being uploaded again and to take action against the user if necessary.
2022-11-29 18:09:25 -06:00
parent 695568e08b
commit 756362f89e
11 changed files with 83 additions and 13 deletions
--- a/test/functional/media_assets_controller_test.rb
+++ b/test/functional/media_assets_controller_test.rb
@@ -44,5 +44,32 @@ class MediaAssetsControllerTest < ActionDispatch::IntegrationTest
        assert_response :success
      end
    end
+
+    context "destroy action" do
+      should "delete the asset's files" do
+        @admin = create(:admin_user)
+        @media_asset = MediaAsset.upload!("test/files/test.jpg")
+        delete_auth media_asset_path(@media_asset), @admin
+
+        assert_redirected_to @media_asset
+
+        assert_equal("deleted", @media_asset.reload.status)
+        @media_asset.variants.each do |variant|
+          assert_nil(variant.open_file)
+        end
+
+        assert_equal(1, ModAction.count)
+        assert_equal("media_asset_delete", ModAction.last.category)
+        assert_equal(@media_asset, ModAction.last.subject)
+        assert_equal(@admin, ModAction.last.creator)
+      end
+
+      should "fail for non-admins" do
+        @media_asset = create(:media_asset)
+        delete_auth media_asset_path(@media_asset), create(:user)
+
+        assert_response 403
+      end
+    end
  end
 end