Adding before_filter to events_controller to prevent accessing edit, …
…update, and delete functions for locked events.
aeschright committed Feb 16, 2015
1 parent 00f01c7 commit 90f20c5
Showing 2 changed files with 26 additions and 3 deletions.
12 changes: 9 additions & 3 deletions app/controllers/events_controller.rb
@@ -1,6 +1,7 @@
class EventsController < ApplicationController
# Provides #duplicates and #squash_many_duplicates
include DuplicateChecking::ControllerActions
before_filter :find_and_redirect_if_locked, :only => [:edit, :update, :destroy]

# GET /events
# GET /events.xml
@@ -37,7 +38,6 @@ def new

# GET /events/1/edit
def edit
@event = Event.find(params[:id])
end

# POST /events
@@ -50,7 +50,6 @@ def create
# PUT /events/1
# PUT /events/1.xml
def update
@event = Event.find(params[:id])
create_or_update
end

@@ -81,7 +80,6 @@ def create_or_update
# DELETE /events/1
# DELETE /events/1.xml
def destroy
@event = Event.find(params[:id])
@event.destroy

respond_to do |format|
@@ -154,4 +152,12 @@ def date_or_default_for(kind)
append_flash :failure, "Can't filter by an invalid #{kind} date."
default
end

def find_and_redirect_if_locked
@event = Event.find(params[:id])
if @event.locked?
flash[:failure] = "You are not permitted to modify this event."
redirect_to root_path
end
end
end
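Review bot: The lock check registered by `before_filter :find_and_redirect_if_locked, :only => [:edit, :update, :destroy]` is an allowlist of three actions, so any other write path in this controller bypasses it. The `include DuplicateChecking::ControllerActions` line just above is commented as providing `#squash_many_duplicates`, which presumably merges or removes events and is not in the list; the mixin's body is not on this page, so that needs confirming. Enforcing the lock in the Event model as well (a guard on update and destroy that still lets the unlock call through) would cover every caller rather than only the listed actions. In `find_and_redirect_if_locked`, the `.xml` variants of update and destroy receive a 302 to `root_path` rather than a refusal status; adding `format.xml { head :forbidden }` inside a `respond_to` block there would make the denial explicit to API clients.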
17 changes: 17 additions & 0 deletions spec/controllers/events_controller_spec.rb
@@ -538,6 +538,13 @@
put "update", @params.merge(:preview => "Preview")
expect(response).to render_template :edit
end

it "should not allow a user to update a locked event" do
@event.lock_editing!
put "update", @params
expect(response).to be_redirect
expect(flash[:failure]).to match /not permitted/i
end
end

describe "#clone" do
@@ -760,5 +767,15 @@
delete 'destroy', :id => 1234
expect(response).to redirect_to(events_url)
end

it "should not allow a user to destroy a locked event" do
event = FactoryGirl.create(:event)
event.lock_editing!

delete 'destroy', :id => event.id
expect(response).to be_redirect
expect(flash[:failure]).to match /not permitted/i
end

end
end
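Review bot: Both new examples assert only `be_redirect` plus the flash text, and neither checks that the locked record was left untouched. The neighbouring destroy example on this page also ends in a redirect (`redirect_to(events_url)`), so a redirect alone does not distinguish the denied path; add `expect(response).to redirect_to(root_path)` and, in the destroy example, `expect(Event.exists?(event.id)).to be true`. The filter also lists `:edit`, which has no example here, so a `get "edit"` case against a locked event is worth adding. The enclosing `describe` blocks begin outside the hunks.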
