pundit: convert forum topics / forum posts to pundit.

Fix it being possible for users to delete or undelete their own forum
posts and topics, even if they were deleted by a mod.

test/functional/forum_posts_controller_test.rb

@@ -21,11 +21,13 @@ class ForumPostsControllerTest < ActionDispatch::IntegrationTest
 
       should "render the vote links" do
         get_auth forum_topic_path(@forum_topic), @mod
+        assert_response :success
         assert_select "a[title='Vote up']"
       end
 
       should "render existing votes" do
         get_auth forum_topic_path(@forum_topic), @mod
+        assert_response :success
         assert_select "li.vote-score-up"
       end
 
@@ -39,10 +41,12 @@ class ForumPostsControllerTest < ActionDispatch::IntegrationTest
 
         should "hide the vote links" do
           assert_select "a[title='Vote up']", false
+          assert_response :success
         end
 
         should "still render existing votes" do
           assert_select "li.vote-score-up"
+          assert_response :success
         end
       end
     end
@@ -73,28 +77,38 @@ class ForumPostsControllerTest < ActionDispatch::IntegrationTest
         end
       end
 
-      context "with private topics" do
+      context "for posts in private topics" do
         setup do
-          as(@mod) do
-            @mod_topic = create(:mod_up_forum_topic, creator: @mod)
-            @mod_posts = create_list(:forum_post, 2, topic: @mod_topic, creator: @mod)
-          end
-          @mod_post_ids = ([@forum_post] + @mod_posts).map(&:id).reverse
+          @admin = create(:admin_user)
+          @mod_post = as(@mod) { create(:forum_post, creator: @mod, topic: build(:forum_topic, min_level: User::Levels::MODERATOR)) }
+          @admin_post = as(@admin) { create(:forum_post, creator: @admin, topic: build(:forum_topic, min_level: User::Levels::ADMIN)) }
         end
 
-        should "list only permitted posts for members" do
+        should "list only permitted posts for anons" do
           get forum_posts_path
 
           assert_response :success
           assert_select "#forum-post-#{@forum_post.id}"
-          assert_select "#forum-post-#{@mod_posts[0].id}", false
+          assert_select "#forum-post-#{@mod_post.id}", false
+          assert_select "#forum-post-#{@admin_post.id}", false
         end
 
         should "list only permitted posts for mods" do
           get_auth forum_posts_path, @mod
 
           assert_response :success
-          assert_select "#forum-post-#{@mod_posts[0].id}"
+          assert_select "#forum-post-#{@forum_post.id}"
+          assert_select "#forum-post-#{@mod_post.id}"
+          assert_select "#forum-post-#{@admin_post.id}", false
+        end
+
+        should "list only permitted posts for admins" do
+          get_auth forum_posts_path, @admin
+
+          assert_response :success
+          assert_select "#forum-post-#{@forum_post.id}"
+          assert_select "#forum-post-#{@mod_post.id}"
+          assert_select "#forum-post-#{@admin_post.id}"
         end
       end
     end
@@ -128,6 +142,12 @@ class ForumPostsControllerTest < ActionDispatch::IntegrationTest
         get_auth edit_forum_post_path(@forum_post), @other_user
         assert_response(403)
       end
+
+      should "fail if the topic is private and the editor is unauthorized" do
+        as(@user) { @forum_post.topic.update(min_level: User::Levels::ADMIN) }
+        get_auth edit_forum_post_path(@forum_post), @user
+        assert_response(403)
+      end
     end
 
     context "new action" do
@@ -135,40 +155,96 @@ class ForumPostsControllerTest < ActionDispatch::IntegrationTest
         get_auth new_forum_post_path, @user, params: {:topic_id => @forum_topic.id}
         assert_response :success
       end
+
+      should "not allow unauthorized users to quote posts in private forum topics" do
+        as(@user) { @forum_post.topic.update(min_level: User::Levels::ADMIN) }
+        get_auth new_forum_post_path, @user, params: { post_id: @forum_post.id }
+
+        assert_response 403
+      end
     end
 
     context "create action" do
       should "create a new forum post" do
         assert_difference("ForumPost.count", 1) do
           post_auth forum_posts_path, @user, params: {:forum_post => {:body => "xaxaxa", :topic_id => @forum_topic.id}}
+          assert_redirected_to(forum_topic_path(@forum_topic))
         end
+      end
 
-        forum_post = ForumPost.last
+      should "not allow unauthorized users to create posts in private topics" do
+        as(@user) { @forum_post.topic.update!(min_level: User::Levels::ADMIN) }
+
+        post_auth forum_posts_path, @user, params: { forum_post: { body: "xaxaxa", topic_id: @forum_topic.id }}
+        assert_response 403
+      end
+
+      should "not allow non-moderators to create posts in locked topics" do
+        as(@user) { @forum_post.topic.update!(is_locked: true) }
+
+        post_auth forum_posts_path, @user, params: { forum_post: { body: "xaxaxa", topic_id: @forum_topic.id }}
+        assert_response 403
+      end
+
+      should "allow moderators to create posts in locked topics" do
+        as(@user) { @forum_post.topic.update!(is_locked: true) }
+
+        post_auth forum_posts_path, @mod, params: { forum_post: { body: "xaxaxa", topic_id: @forum_topic.id }}
         assert_redirected_to(forum_topic_path(@forum_topic))
       end
     end
 
+    context "update action" do
+      should "allow users to update their own posts" do
+        put_auth forum_post_path(@forum_post), @user, params: { forum_post: { body: "test" }}
+        assert_redirected_to(forum_topic_path(@forum_topic, anchor: "forum_post_#{@forum_post.id}"))
+      end
+
+      should "not allow users to update their own posts in locked topics" do
+        as(@user) { @forum_post.topic.update!(is_locked: true) }
+
+        put_auth forum_post_path(@forum_post), @user, params: { forum_post: { body: "test" }}
+        assert_response 403
+      end
+
+      should "not allow users to update other people's posts" do
+        put_auth forum_post_path(@forum_post), @other_user, params: { forum_post: { body: "test" }}
+        assert_response 403
+      end
+
+      should "allow moderators to update other people's posts" do
+        put_auth forum_post_path(@forum_post), @mod, params: { forum_post: { body: "test" }}
+        assert_redirected_to(forum_topic_path(@forum_topic, anchor: "forum_post_#{@forum_post.id}"))
+      end
+    end
+
     context "destroy action" do
-      should "destroy the posts" do
+      should "allow mods to delete posts" do
         delete_auth forum_post_path(@forum_post), @mod
         assert_redirected_to(forum_post_path(@forum_post))
-        @forum_post.reload
-        assert_equal(true, @forum_post.is_deleted?)
+        assert_equal(true, @forum_post.reload.is_deleted?)
+      end
+
+      should "not allow users to delete their own posts" do
+        delete_auth forum_post_path(@forum_post), @user
+        assert_response 403
+        assert_equal(false, @forum_post.reload.is_deleted?)
       end
     end
 
     context "undelete action" do
-      setup do
-        as(@mod) do
-          @forum_post.update(is_deleted: true)
-        end
-      end
-
-      should "restore the post" do
+      should "allow mods to undelete posts" do
+        as(@mod) { @forum_post.update!(is_deleted: true) }
         post_auth undelete_forum_post_path(@forum_post), @mod
         assert_redirected_to(forum_post_path(@forum_post))
-        @forum_post.reload
-        assert_equal(false, @forum_post.is_deleted?)
+        assert_equal(false, @forum_post.reload.is_deleted?)
+      end
+
+      should "not allow users to undelete their own posts" do
+        as(@mod) { @forum_post.update!(is_deleted: true) }
+        post_auth undelete_forum_post_path(@forum_post), @user
+        assert_response 403
+        assert_equal(true, @forum_post.reload.is_deleted?)
       end
     end
   end