From 8d610ddd3702c06b9762f7830c183a009ecb19c5 Mon Sep 17 00:00:00 2001
From: Luciano Prestes Cavalcanti
Date: Tue, 26 Jan 2016 17:30:45 +0000
Subject: [PATCH] Fix protection of create_institution_admin
---
 src/noosfero-spb/gov_user/controllers/gov_user_plugin_controller.rb | 2 ++
 src/noosfero-spb/gov_user/test/functional/gov_user_plugin_controller_test.rb | 26 +++++++++++++++++++++++++-
 2 files changed, 27 insertions(+), 1 deletion(-)
diff --git a/src/noosfero-spb/gov_user/controllers/gov_user_plugin_controller.rb b/src/noosfero-spb/gov_user/controllers/gov_user_plugin_controller.rb
index 991f36f..9b7b1de 100644
--- a/src/noosfero-spb/gov_user/controllers/gov_user_plugin_controller.rb
+++ b/src/noosfero-spb/gov_user/controllers/gov_user_plugin_controller.rb
@@ -5,6 +5,8 @@ class GovUserPluginController < ApplicationController
 :governmental_sphere, :governmental_power, :juridical_nature, :sisp
 ]
+ protect "create_institution_admin", :environment
+
 def hide_registration_incomplete_percentage
 response = false
diff --git a/src/noosfero-spb/gov_user/test/functional/gov_user_plugin_controller_test.rb b/src/noosfero-spb/gov_user/test/functional/gov_user_plugin_controller_test.rb
index 21f9d5b..7c8f782 100644
--- a/src/noosfero-spb/gov_user/test/functional/gov_user_plugin_controller_test.rb
+++ b/src/noosfero-spb/gov_user/test/functional/gov_user_plugin_controller_test.rb
@@ -9,7 +9,7 @@ class GovUserPluginControllerTest < ActionController::TestCase
 def setup
 @admin = create_user("adminuser").person
 @admin.stubs(:has_permission?).returns("true")
- @controller.stubs(:current_user).returns(@admin.user)
+ login_as(@admin.user_login)
 @environment = Environment.default
 @environment.enabled_plugins = ['SoftwareCommunitiesPlugin']
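Review bot: The added `protect "create_institution_admin", :environment` in gov_user_plugin_controller.rb puts the action's name where Noosfero's permission-check helper, as I know it, expects a permission name, and it passes no `:only` list. The helper is defined outside this diff, so confirm the argument order; if that reading holds, the filter runs before every action of GovUserPluginController and asks for a permission literally named "create_institution_admin", instead of restricting that one action to environment administrators. Spelling out both the permission and the scope would remove the ambiguity, for example `protect '<existing_permission>', :environment, :user, :only => [:create_institution_admin]`, with a one-line comment stating who may call the action. The class body continues outside the hunk.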
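Review bot: In `setup` of gov_user_plugin_controller_test.rb, the `@admin.stubs(:has_permission?).returns("true")` line stays in place while the `current_user` stub is replaced by `login_as(@admin.user_login)`. Whether the controller still sees the stubbed object after `login_as` is not visible here. If it does, every permission check in this test class passes regardless of the user's real roles, so the new access tests would not exercise the `protect` filter for the admin. If it does not, the stub is dead code. Dropping the stub and making `@admin` a real environment administrator in `setup` would let the 200 case prove the permission path end to end. The `setup` method continues past the hunk.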
@@ -255,4 +255,28 @@ class GovUserPluginControllerTest < ActionController::TestCase
 assert(Institution.last.community.is_admin?(admin2) )
 end
+ should "admin user can access action create_institution_admin" do
+ login_as(@admin.user_login)
+
+ post :create_institution_admin
+
+ assert_response 200
+ end
+
+ should "disconnected user can not access action create_institution_admin" do
+ logout
+
+ post :create_institution_admin
+
+ assert_response 403
+ end
+
+ should "regular user can not access action create_institution_admin" do
+ disconnected_user = create_user("another_admin").person
+ login_as(disconnected_user.user_login)
+
+ post :create_institution_admin
+
+ assert_response 403
+ end
 end
--
libgit2 0.21.2
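Review bot: The two 403 tests assert only the response status, so they would still pass if the action did its work before the denial was rendered. Wrapping each `post :create_institution_admin` in `assert_no_difference 'Institution.count' do ... end` would pin that a rejected request changes nothing. In the "regular user" test the local is named `disconnected_user` and the account "another_admin", which contradicts what the test checks; `regular_user = create_user("regular_user").person` reads correctly. None of the new tests calls any other action of the controller as a non-admin, so they would not notice if the new filter also blocks actions that ordinary users need.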