From f4b599e8fd3a6998618dcbb4a1aae60ed5bbf2e4 Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Mon, 8 Apr 2013 21:21:31 +0100
Subject: [PATCH] Restriction note deletion to moderators

---
 app/controllers/notes_controller.rb      |  1 +
 test/functional/notes_controller_test.rb | 10 ++++++++++
 2 files changed, 11 insertions(+)

diff --git a/app/controllers/notes_controller.rb b/app/controllers/notes_controller.rb
index b7d6631ae..db9638203 100644
--- a/app/controllers/notes_controller.rb
+++ b/app/controllers/notes_controller.rb
@@ -6,6 +6,7 @@ class NotesController < ApplicationController
   before_filter :authorize_web, :only => [:mine]
   before_filter :setup_user_auth, :only => [:create, :comment]
   before_filter :authorize, :only => [:close, :destroy]
+  before_filter :require_moderator, :only => [:destroy]
   before_filter :check_api_writable, :only => [:create, :comment, :close, :destroy]
   before_filter :require_allow_write_notes, :only => [:create, :comment, :close, :destroy]
   before_filter :set_locale, :only => [:mine]
diff --git a/test/functional/notes_controller_test.rb b/test/functional/notes_controller_test.rb
index 99faec25f..bfea29592 100644
--- a/test/functional/notes_controller_test.rb
+++ b/test/functional/notes_controller_test.rb
@@ -348,6 +348,11 @@ class NotesControllerTest < ActionController::TestCase
 
     basic_authorization(users(:public_user).email, "test")
 
+    delete :destroy, {:id => notes(:open_note_with_comment).id}
+    assert_response :forbidden
+
+    basic_authorization(users(:moderator_user).email, "test")
+
     delete :destroy, {:id => notes(:open_note_with_comment).id}
     assert_response :success
 
@@ -361,6 +366,11 @@ class NotesControllerTest < ActionController::TestCase
 
     basic_authorization(users(:public_user).email, "test")
 
+    delete :destroy, {:id => 12345}
+    assert_response :forbidden
+
+    basic_authorization(users(:moderator_user).email, "test")
+
     delete :destroy, {:id => 12345}
     assert_response :not_found
-- 
2.43.2
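Review bot: The new `require_moderator` filter is only correct because it is listed after `:authorize`, which is what establishes the authenticated user it must inspect, and that ordering dependency is left implicit in the filter list; a comment such as `# must run after :authorize, which sets the current user` on the added line would keep a later reordering from silently disabling the check. It is also worth confirming, since `require_moderator` is defined outside this hunk (presumably in ApplicationController), that in this API context it renders a 403 for a non-moderator rather than redirecting to a login page, which is what the accompanying tests assert with `:forbidden`. The enclosing NotesController class continues outside the hunk.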
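Review bot: In the hunk at line 348 the public-user case asserts only the `:forbidden` response and never checks that the note survived the rejected request, so a filter that rendered 403 after the action had already run would still pass; after `assert_response :forbidden`, reload the `notes(:open_note_with_comment)` record and assert its state is unchanged (the exact column that `destroy` alters is not visible in this hunk, so I cannot name it). The hunk at line 361 does not need the same addition since it targets a nonexistent id, and its ordering of `:forbidden` before `:not_found` usefully confirms the authorization check runs before the lookup. Both enclosing test methods start and end outside the hunks.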