Restriction note deletion to moderators

author Tom Hughes <tom@compton.nu>

Mon, 8 Apr 2013 20:21:31 +0000 (21:21 +0100)

committer Tom Hughes <tom@compton.nu>

Mon, 8 Apr 2013 20:21:31 +0000 (21:21 +0100)
author Tom Hughes <tom@compton.nu>
Mon, 8 Apr 2013 20:21:31 +0000 (21:21 +0100)
committer Tom Hughes <tom@compton.nu>
Mon, 8 Apr 2013 20:21:31 +0000 (21:21 +0100)
diff --git a/app/controllers/notes_controller.rb b/app/controllers/notes_controller.rb

index b7d6631ae87853a41491123637d20b1b1c46f5d9..db963820363014b107722937ed5ae444e2409614 100644 (file)
--- a/app/controllers/notes_controller.rb
+++ b/app/controllers/notes_controller.rb
@@ -6,6 +6,7 @@ class NotesController < ApplicationController
    before_filter :authorize_web, :only => [:mine]
    before_filter :setup_user_auth, :only => [:create, :comment]
    before_filter :authorize, :only => [:close, :destroy]
+  before_filter :require_moderator, :only => [:destroy]
    before_filter :check_api_writable, :only => [:create, :comment, :close, :destroy]
    before_filter :require_allow_write_notes, :only => [:create, :comment, :close, :destroy]
    before_filter :set_locale, :only => [:mine]
diff --git a/test/functional/notes_controller_test.rb b/test/functional/notes_controller_test.rb

index 99faec25f1529c8f29e580301b6a0f7f92628fc7..bfea295925f35efe00a1de152b523d166cd4f83a 100644 (file)
--- a/test/functional/notes_controller_test.rb
+++ b/test/functional/notes_controller_test.rb
@@ -348,6 +348,11 @@ class NotesControllerTest < ActionController::TestCase
  
      basic_authorization(users(:public_user).email, "test")
  
+    delete :destroy, {:id => notes(:open_note_with_comment).id}
+    assert_response :forbidden
+
+    basic_authorization(users(:moderator_user).email, "test")
+
      delete :destroy, {:id => notes(:open_note_with_comment).id}
      assert_response :success
  
@@ -361,6 +366,11 @@ class NotesControllerTest < ActionController::TestCase
  
      basic_authorization(users(:public_user).email, "test")
  
+    delete :destroy, {:id => 12345}
+    assert_response :forbidden
+
+    basic_authorization(users(:moderator_user).email, "test")
+
      delete :destroy, {:id => 12345}
      assert_response :not_found
author	Tom Hughes <tom@compton.nu>
	Mon, 8 Apr 2013 20:21:31 +0000 (21:21 +0100)
committer	Tom Hughes <tom@compton.nu>
	Mon, 8 Apr 2013 20:21:31 +0000 (21:21 +0100)
app/controllers/notes_controller.rb		patch \| blob \| history
test/functional/notes_controller_test.rb		patch \| blob \| history