diff --git a/app/controllers/my_profile/cms_controller.rb b/app/controllers/my_profile/cms_controller.rb
index b641e84..698ba47 100644
--- a/app/controllers/my_profile/cms_controller.rb
+++ b/app/controllers/my_profile/cms_controller.rb
@@ -174,6 +174,8 @@ class CmsController < MyProfileController
 post_only :set_home_page
 def set_home_page
+ return render_access_denied unless user.can_change_homepage?
+
 article = params[:id].nil? ? nil : profile.articles.find(params[:id])
 profile.update_attribute(:home_page, article)
diff --git a/test/functional/cms_controller_test.rb b/test/functional/cms_controller_test.rb
index a8bcd31..e83679b 100644
--- a/test/functional/cms_controller_test.rb
+++ b/test/functional/cms_controller_test.rb
@@ -114,6 +114,13 @@ class CmsControllerTest < ActionController::TestCase
 assert_no_tag :tag => 'div', :content => /Profile homepage/, :attributes => { :class => "cms-homepage"}
 end
+ should 'not allow profile homepage changes if cannot change homepage' do
+ env = Environment.default; env.enable('cant_change_homepage')
+ a = profile.articles.create!(:name => 'my new home page')
+ post :set_home_page, :profile => profile.identifier, :id => a.id
+ assert_response 403
+ end
+
 should 'be able to set home page' do
 a = profile.articles.build(:name => 'my new home page')
 a.save!
--
libgit2 0.21.2
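Review bot: The new guard on the first added line of set_home_page calls `user.can_change_homepage?` without first checking that `user` is present, so if this action can be reached without a logged-in user (the filter that would enforce login is outside the hunk, so I cannot confirm either way) the request fails with a NoMethodError instead of the intended access-denied response. A nil-safe form keeps the deny path explicit and still reads the same: `return render_access_denied unless user && user.can_change_homepage?`. Note also that the check is evaluated against the acting `user` rather than the `profile` whose home page is being changed; if the restriction is meant to be per-environment or per-profile, confirm that `can_change_homepage?` resolves against the edited profile's environment. The remainder of set_home_page continues past the end of the hunk.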
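Review bot: The new test asserts only the 403 on its last line and never checks that the home page was left unchanged, which is the property the guard exists to protect; a regression that renders 403 but still persists the update would pass. Add `assert_not_equal a, profile.reload.home_page` after `assert_response 403` so the side effect is pinned as well as the status. The line `env = Environment.default; env.enable('cant_change_homepage')` also packs two statements onto one line and does not call `env.save!`; if `enable` does not persist on its own (not visible from here), the controller's check may read stale state, so confirm that and split the statements onto separate lines.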