Securing edit pages
Michael Hartl (author)
Tue Feb 26 22:19:40 -0800 2008
commit  6403fd4b11b8ab42b311f1809b3d8cd758d37f62
tree    51af0778230066fa921e4e96b322d6d2ed855fb4
parent  6e17bb21896deedad090fbcc3c6bd0af391164dc
@@ -4,6 +4,7 @@ class PostsController < ApplicationController
0
   
0
   before_filter :login_required
0
   before_filter :get_instance_vars
0
+ before_filter :authenticate_edit, :only => [:edit, :update]
0
 
0
   # Used for both forum and blog posts.
0
   def index
0
@@ -34,8 +35,6 @@ class PostsController < ApplicationController
0
 
0
   # Used for both forum and blog posts.
0
   def edit
0
- @post = model.find(params[:id])
0
-
0
     respond_to do |format|
0
       format.html { render :action => resource_template("edit") }
0
     end
0
@@ -56,8 +55,6 @@ class PostsController < ApplicationController
0
   end
0
 
0
   def update
0
- @post = model.find(params[:id])
0
-
0
     respond_to do |format|
0
       if @post.update_attributes(params[:post])
0
         flash[:success] = 'Post was successfully updated.'
0
@@ -79,7 +76,10 @@ class PostsController < ApplicationController
0
   
0
   private
0
   
0
+ ## Before filters
0
+
0
     def get_instance_vars
0
+ @post = model.find(params[:id]) unless params[:id].nil?
0
       if forum?
0
         @forum = Forum.find(:first)
0
         @topic = Topic.find(params[:topic_id])
0
@@ -87,6 +87,16 @@ class PostsController < ApplicationController
0
         @blog = Blog.find(params[:blog_id])
0
       end
0
     end
0
+
0
+ # Make sure the current user is authorized to edit this post
0
+ def authenticate_edit
0
+ if forum?
0
+ redirect_to home_url unless @topic.person == current_person
0
+ elsif blog?
0
+ redirect_to home_url unless (@blog.person == current_person and
0
+ @post.blog == @blog)
0
+ end
0
+ end
0
     
0
     ## Handle forum and blog posts in a uniform manner.
0
     
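Review bot: The forum branch of `authenticate_edit` checks only `@topic.person == current_person` and never ties `@post` to `@topic`, so a topic owner who passes a post id from a different topic would pass the filter, whereas the blog branch correctly adds `@post.blog == @blog`. Assuming the forum post association is `@post.topic`, the same ownership-plus-membership check belongs here: `redirect_to home_url unless (@topic.person == current_person && @post.topic == @topic)`. Using `&&` instead of `and` on both branches also removes the precedence trap that only the parentheses currently guard against. The new filter covers edit and update only; if this controller has a destroy action (outside the hunk), it would need the same protection.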
@@ -43,11 +43,19 @@ describe PostsController do
0
         assigns(:post).person.should == @person
0
       end
0
     end
0
+
0
     it "should render the new template on creation failure" do
0
       post :create, :forum_id => @forum, :topic_id => @topic,
0
- :post => { :body => "" }
0
+ :post => { :body => "" }
0
       response.should render_template("forum_new")
0
     end
0
+
0
+ it "should require the right user for editing" do
0
+ person = login_as(:aaron)
0
+ @post.person.should_not == person
0
+ get :edit, :forum_id => @forum, :topic_id => @topic, :id => @post
0
+ response.should redirect_to(home_url)
0
+ end
0
   end
0
   
0
   describe "blog posts" do
0
@@ -91,5 +99,19 @@ describe PostsController do
0
       post :create, :blog_id => @blog, :post => {}
0
       response.should render_template("blog_new")
0
     end
0
+
0
+ it "should require the right user for editing" do
0
+ person = login_as(:aaron)
0
+ @post.blog.person.should_not == person
0
+ get :edit, :blog_id => @blog, :id => @post
0
+ response.should redirect_to(home_url)
0
+ end
0
+
0
+ it "should require the post to belong to the blog" do
0
+ wrong_blog = blogs(:two)
0
+ wrong_blog.should_not == @blog
0
+ get :edit, :blog_id => wrong_blog, :id => @post
0
+ response.should redirect_to(home_url)
0
+ end
0
   end
0
 end
0
\ No newline at end of file
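Review bot: The forum examples gain a wrong-user check but no counterpart to the blog example "should require the post to belong to the blog", so a mismatch between `:topic_id` and the post's own topic is left untested; a parallel example using a second topic fixture would close that gap (this commit only adds a second blog fixture). The forum example also asserts `@post.person.should_not == person`, while the controller filter compares the topic owner rather than the post author, so the assertion describes a different condition than the one enforced; adding `@topic.person.should_not == person` would make the example match the filter.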
@@ -1,3 +1,6 @@
0
 one:
0
   id: 1
0
- person: quentin
0
\ No newline at end of file
0
+ person: quentin
0
+two:
0
+ id: 2
0
+ person: aaron
0
\ No newline at end of file