From cd15a410a4673db619f96d52b11ffc293f0a1eba Mon Sep 17 00:00:00 2001
From: Victor Costa
Date: Wed, 7 Jan 2015 15:03:11 -0300
Subject: [PATCH] Deny access to set_home_page for unauthorized users

---
 app/controllers/my_profile/cms_controller.rb | 2 ++
 test/functional/cms_controller_test.rb | 7 +++++++
 2 files changed, 9 insertions(+), 0 deletions(-)

diff --git a/app/controllers/my_profile/cms_controller.rb b/app/controllers/my_profile/cms_controller.rb
index b641e84..698ba47 100644
--- a/app/controllers/my_profile/cms_controller.rb
+++ b/app/controllers/my_profile/cms_controller.rb
@@ -174,6 +174,8 @@ class CmsController < MyProfileController
 
   post_only :set_home_page
   def set_home_page
+    return render_access_denied unless user.can_change_homepage?
+
     article = params[:id].nil? ? nil : profile.articles.find(params[:id])
     profile.update_attribute(:home_page, article)
 
diff --git a/test/functional/cms_controller_test.rb b/test/functional/cms_controller_test.rb
index a8bcd31..e83679b 100644
--- a/test/functional/cms_controller_test.rb
+++ b/test/functional/cms_controller_test.rb
@@ -114,6 +114,13 @@ class CmsControllerTest < ActionController::TestCase
     assert_no_tag :tag => 'div', :content => /Profile homepage/, :attributes => { :class => "cms-homepage"}
   end
 
+  should 'not allow profile homepage changes if cannot change homepage' do
+    env = Environment.default; env.enable('cant_change_homepage')
+    a = profile.articles.create!(:name => 'my new home page')
+    post :set_home_page, :profile => profile.identifier, :id => a.id
+    assert_response 403
+  end
+
   should 'be able to set home page' do
     a = profile.articles.build(:name => 'my new home page')
     a.save!
-- 
libgit2 0.21.2
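Review bot: The new guard in `set_home_page` calls `user.can_change_homepage?` without a nil check, so if `MyProfileController` does not already guarantee a logged-in user for this action the denied path raises `NoMethodError` instead of returning 403; if login is enforced by a filter outside this hunk, a one-line comment saying so would make the guard self-explanatory, e.g. `# login is required by MyProfileController, so user is never nil here`. Placing the check before `profile.articles.find(params[:id])` is the right order, since an unauthorized caller can no longer probe for article ids via the not-found response. For consistency with the adjacent `post_only :set_home_page` declaration, the authorization could also be expressed as a `before_filter` restricted to this action, which keeps all access rules for the action in one place. The body of `set_home_page` continues outside the hunk.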
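Review bot: The new test asserts only the 403 status; it does not verify that the denied request left `profile.home_page` untouched, which is the property the commit is meant to protect. Adding `assert_nil profile.reload.home_page` after `assert_response 403` pins the absence of the side effect, so a future refactor that moves the guard below `update_attribute` would be caught. Enabling `cant_change_homepage` on `Environment.default` relies on test-level transaction rollback to undo it; if this suite does not run each case in a transaction, a teardown that disables the feature again would keep later cases independent.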