From: Tom Hughes <tom@compton.nu>
Date: Mon, 13 Feb 2017 10:09:43 +0000 (+0000)
Subject: Allow a POST with no arguments to trace#edit to fetch the form
X-Git-Tag: live~3576
X-Git-Url: https://git.openstreetmap.org/rails.git/commitdiff_plain/e23541c20f9e2a74cc190c2a9e7c0b79562fe650?ds=sidebyside

Allow a POST with no arguments to trace#edit to fetch the form
---

diff --git a/app/controllers/trace_controller.rb b/app/controllers/trace_controller.rb
index e41bd01f3..8d9b670c5 100644
--- a/app/controllers/trace_controller.rb
+++ b/app/controllers/trace_controller.rb
@@ -170,7 +170,7 @@ class TraceController < ApplicationController
     else
       @title = t "trace.edit.title", :name => @trace.name
 
-      if request.post?
+      if request.post? && params[:trace]
         @trace.description = params[:trace][:description]
         @trace.tagstring = params[:trace][:tagstring]
         @trace.visibility = params[:trace][:visibility]
diff --git a/test/controllers/trace_controller_test.rb b/test/controllers/trace_controller_test.rb
index f27129b42..b238df04c 100644
--- a/test/controllers/trace_controller_test.rb
+++ b/test/controllers/trace_controller_test.rb
@@ -557,7 +557,7 @@ class TraceControllerTest < ActionController::TestCase
     assert_equal "trackable", users(:public_user).preferences.where(:k => "gps.trace.visibility").first.v
   end
 
-  # Test fetching the edit page for a trace
+  # Test fetching the edit page for a trace using GET
   def test_edit_get
     public_trace_file = create(:trace, :visibility => "public", :user => users(:normal_user))
     deleted_trace_file = create(:trace, :deleted, :user => users(:public_user))
@@ -584,10 +584,37 @@ class TraceControllerTest < ActionController::TestCase
     assert_response :success
   end
 
+  # Test fetching the edit page for a trace using POST
+  def test_edit_post_no_details
+    public_trace_file = create(:trace, :visibility => "public", :user => users(:normal_user))
+    deleted_trace_file = create(:trace, :deleted, :user => users(:public_user))
+
+    # First with no auth
+    post :edit, :display_name => users(:normal_user).display_name, :id => public_trace_file.id
+    assert_response :forbidden
+
+    # Now with some other user, which should fail
+    post :edit, { :display_name => users(:normal_user).display_name, :id => public_trace_file.id }, { :user => users(:public_user).id }
+    assert_response :forbidden
+
+    # Now with a trace which doesn't exist
+    post :edit, { :display_name => users(:public_user).display_name, :id => 0 }, { :user => users(:public_user).id }
+    assert_response :not_found
+
+    # Now with a trace which has been deleted
+    post :edit, { :display_name => users(:public_user).display_name, :id => deleted_trace_file.id }, { :user => users(:public_user).id }
+    assert_response :not_found
+
+    # Finally with a trace that we are allowed to edit
+    post :edit, { :display_name => users(:normal_user).display_name, :id => public_trace_file.id }, { :user => users(:normal_user).id }
+    assert_response :success
+  end
+
   # Test saving edits to a trace
-  def test_edit_post
+  def test_edit_post_with_details
     public_trace_file = create(:trace, :visibility => "public", :user => users(:normal_user))
     deleted_trace_file = create(:trace, :deleted, :user => users(:public_user))
+
     # New details
     new_details = { :description => "Changed description", :tagstring => "new_tag", :visibility => "private" }