pundit: convert forum topics / forum posts to pundit.

Fix it being possible for users to delete or undelete their own forum posts and topics, even if they were deleted by a mod.
2020-03-16 02:42:54 -05:00
parent b3ff08fedf
commit db63b6d44f
18 changed files with 262 additions and 170 deletions
--- a/test/functional/forum_topics_controller_test.rb
+++ b/test/functional/forum_topics_controller_test.rb
@@ -95,9 +95,12 @@ class ForumTopicsControllerTest < ActionDispatch::IntegrationTest
        end
      end

-      should "list all forum topics" do
+      should "list public forum topics for members" do
        get forum_topics_path
+
        assert_response :success
+        assert_select "a.forum-post-link", count: 1, text: @topic1.title
+        assert_select "a.forum-post-link", count: 1, text: @topic2.title
      end

      should "not list stickied topics first for JSON responses" do
@@ -111,6 +114,26 @@ class ForumTopicsControllerTest < ActionDispatch::IntegrationTest
        assert_response :success
      end

+      context "with private topics" do
+        should "not show private topics to unprivileged users" do
+          as(@user) { @topic2.update!(min_level: User::Levels::MODERATOR) }
+          get forum_topics_path
+
+          assert_response :success
+          assert_select "a.forum-post-link", count: 1, text: @topic1.title
+          assert_select "a.forum-post-link", count: 0, text: @topic2.title
+        end
+
+        should "show private topics to privileged users" do
+          as(@user) { @topic2.update!(min_level: User::Levels::MODERATOR) }
+          get_auth forum_topics_path, @mod
+
+          assert_response :success
+          assert_select "a.forum-post-link", count: 1, text: @topic1.title
+          assert_select "a.forum-post-link", count: 1, text: @topic2.title
+        end
+      end
+
      context "with search conditions" do
        should "list all matching forum topics" do
          get forum_topics_path, params: {:search => {:title_matches => "forum"}}
@@ -217,6 +240,29 @@ class ForumTopicsControllerTest < ActionDispatch::IntegrationTest
        assert_redirected_to forum_topic_path(@forum_topic)
        assert_equal(true, @forum_topic.reload.is_locked)
      end
+
+      should "allow users to update their own topics" do
+        put_auth forum_topic_path(@forum_topic), @user, params: { forum_topic: { title: "test" }}
+
+        assert_redirected_to forum_topic_path(@forum_topic)
+        assert_equal("test", @forum_topic.reload.title)
+      end
+
+      should "not allow users to update locked topics" do
+        as(@mod) { @forum_topic.update!(is_locked: true) }
+        put_auth forum_topic_path(@forum_topic), @user, params: { forum_topic: { title: "test" }}
+
+        assert_response 403
+        assert_not_equal("test", @forum_topic.reload.title)
+      end
+
+      should "allow mods to update locked topics" do
+        as(@mod) { @forum_topic.update!(is_locked: true) }
+        put_auth forum_topic_path(@forum_topic), @mod, params: { forum_topic: { title: "test" }}
+
+        assert_redirected_to forum_topic_path(@forum_topic)
+        assert_equal("test", @forum_topic.reload.title)
+      end
    end

    context "destroy action" do