Restriction note deletion to moderators

diff --git a/app/controllers/notes_controller.rb b/app/controllers/notes_controller.rb
index b7d6631ae87853a41491123637d20b1b1c46f5d9..db963820363014b107722937ed5ae444e2409614 100644 (file)
--- a/app/controllers/notes_controller.rb
+++ b/app/controllers/notes_controller.rb
@@ -6,6 +6,7 @@ class NotesController < ApplicationController
   before_filter :authorize_web, :only => [:mine]
   before_filter :setup_user_auth, :only => [:create, :comment]
   before_filter :authorize, :only => [:close, :destroy]
+  before_filter :require_moderator, :only => [:destroy]
   before_filter :check_api_writable, :only => [:create, :comment, :close, :destroy]
   before_filter :require_allow_write_notes, :only => [:create, :comment, :close, :destroy]
   before_filter :set_locale, :only => [:mine]

diff --git a/test/functional/notes_controller_test.rb b/test/functional/notes_controller_test.rb
index 99faec25f1529c8f29e580301b6a0f7f92628fc7..bfea295925f35efe00a1de152b523d166cd4f83a 100644 (file)
--- a/test/functional/notes_controller_test.rb
+++ b/test/functional/notes_controller_test.rb
@@ -348,6 +348,11 @@ class NotesControllerTest < ActionController::TestCase
 
     basic_authorization(users(:public_user).email, "test")
 
+    delete :destroy, {:id => notes(:open_note_with_comment).id}
+    assert_response :forbidden
+
+    basic_authorization(users(:moderator_user).email, "test")
+
     delete :destroy, {:id => notes(:open_note_with_comment).id}
     assert_response :success
 
@@ -361,6 +366,11 @@ class NotesControllerTest < ActionController::TestCase
 
     basic_authorization(users(:public_user).email, "test")
 
+    delete :destroy, {:id => 12345}
+    assert_response :forbidden
+
+    basic_authorization(users(:moderator_user).email, "test")
+
     delete :destroy, {:id => 12345}
     assert_response :not_found