Commit cd15a410a4673db619f96d52b11ffc293f0a1eba
1 parent
83dd0faf
Deny access to set_home_page for unauthorized users
Showing
2 changed files
with
9 additions
and
0 deletions
app/controllers/my_profile/cms_controller.rb
... | ... | @@ -174,6 +174,8 @@ class CmsController < MyProfileController |
174 | 174 | |
175 | 175 | post_only :set_home_page |
176 | 176 | def set_home_page |
177 | + return render_access_denied unless user.can_change_homepage? | |
178 | + | |
177 | 179 | article = params[:id].nil? ? nil : profile.articles.find(params[:id]) |
178 | 180 | profile.update_attribute(:home_page, article) |
179 | 181 | ... | ... |
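Review bot: The guard added at new line 177 calls `user.can_change_homepage?` with no nil check, so if `set_home_page` can ever be reached without a logged-in user the request fails with NoMethodError (a 500) instead of the intended access-denied response. If MyProfileController's filters already require a login before this action this is fine; otherwise `return render_access_denied unless user && user.can_change_homepage?` keeps the check fail-closed. A one-line comment above the guard naming the feature it enforces, e.g. `# honours the environment's cant_change_homepage feature`, would also help the next reader, since the condition is only visible through the test. The rest of `set_home_page` continues past the hunk.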
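--- a/test/functional/cms_controller_test.rb
+++ b/test/functional/cms_controller_test.rb
@@ -114,6 +114,13 @@ class CmsControllerTest < ActionController::TestCase
     assert_no_tag :tag => 'div', :content => /Profile homepage/, :attributes => { :class => "cms-homepage"}
   end
 
+  should 'not allow profile homepage changes if cannot change homepage' do
+    env = Environment.default; env.enable('cant_change_homepage')
+    a = profile.articles.create!(:name => 'my new home page')
+    post :set_home_page, :profile => profile.identifier, :id => a.id
+    assert_response 403
+  end
+
   should 'be able to set home page' do
     a = profile.articles.build(:name => 'my new home page')
     a.save!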
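Review bot: The new test at lines 117-122 asserts only the 403 status and never checks that the profile's home page was left untouched, so a regression that denies the request but still reaches `profile.update_attribute(:home_page, ...)` before rendering would pass unnoticed; adding `assert_not_equal a, profile.reload.home_page` after `assert_response 403` pins the absence of the side effect. The test also enables `cant_change_homepage` on `Environment.default` without resetting it; if the suite does not roll that change back between tests, later tests in this file (such as 'be able to set home page') could see the feature still enabled, which is worth confirming. The enclosing test class continues past the hunk.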