From: Tom Hughes
Date: Mon, 8 Apr 2013 20:21:31 +0000 (+0100)
Subject: Restriction note deletion to moderators
X-Git-Tag: live~5111^2~5
X-Git-Url: https://git.openstreetmap.org/rails.git/commitdiff_plain/f4b599e8fd3a6998618dcbb4a1aae60ed5bbf2e4

Restriction note deletion to moderators
---

diff --git a/app/controllers/notes_controller.rb b/app/controllers/notes_controller.rb
index b7d6631ae..db9638203 100644
--- a/app/controllers/notes_controller.rb
+++ b/app/controllers/notes_controller.rb
@@ -6,6 +6,7 @@ class NotesController < ApplicationController
 before_filter :authorize_web, :only => [:mine]
 before_filter :setup_user_auth, :only => [:create, :comment]
 before_filter :authorize, :only => [:close, :destroy]
+ before_filter :require_moderator, :only => [:destroy]
 before_filter :check_api_writable, :only => [:create, :comment, :close, :destroy]
 before_filter :require_allow_write_notes, :only => [:create, :comment, :close, :destroy]
 before_filter :set_locale, :only => [:mine]
diff --git a/test/functional/notes_controller_test.rb b/test/functional/notes_controller_test.rb
index 99faec25f..bfea29592 100644
--- a/test/functional/notes_controller_test.rb
+++ b/test/functional/notes_controller_test.rb
@@ -348,6 +348,11 @@ class NotesControllerTest < ActionController::TestCase
 basic_authorization(users(:public_user).email, "test")
+ delete :destroy, {:id => notes(:open_note_with_comment).id}
+ assert_response :forbidden
+
+ basic_authorization(users(:moderator_user).email, "test")
+
 delete :destroy, {:id => notes(:open_note_with_comment).id}
 assert_response :success
@@ -361,6 +366,11 @@ class NotesControllerTest < ActionController::TestCase
 basic_authorization(users(:public_user).email, "test")
+ delete :destroy, {:id => 12345}
+ assert_response :forbidden
+
+ basic_authorization(users(:moderator_user).email, "test")
+
 delete :destroy, {:id => 12345}
 assert_response :not_found
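Review bot: The added `require_moderator` filter presumably needs `authorize` to have run first and established the current user, yet nothing in the filter list marks the order of these two lines as load-bearing. A comment above the added line would guard against a later reordering, for example `# must stay after :authorize - require_moderator needs the authenticated user`. The definition of `require_moderator` is not part of this diff, so it is worth confirming that it halts the chain with a 403 for API clients rather than redirecting; the test hunks in notes_controller_test.rb suggest it does for DELETE. The class body continues outside the hunk.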
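Review bot: The refused delete in the `@@ -348` hunk is checked only by its status code, so nothing asserts directly that the note is unchanged after the 403. The moderator's later `:success` proves the note was still deletable only if deleting an already-deleted note would answer differently, which this hunk does not show. After `assert_response :forbidden` I would add `# a refused request must not have changed the note`, followed by an assertion on the reloaded fixture. The model's attribute names are not visible here, so the exact assertion is left to the author. The test method starts and ends outside the hunk.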
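Review bot: The 403 expected for the non-existent id 12345 in the `@@ -361` hunk encodes an ordering guarantee that the test never states. The moderator check runs before the note lookup, so a non-moderator gets the same answer whether or not a note exists. A one-line comment before the added request would keep that intent visible: `# non-moderators get 403 even for unknown ids, so the response does not reveal whether a note exists`. The test method starts and ends outside the hunk.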