Content owners cannot update submissions, closes #86.

concerto · May 7, 2012 · 55a01e6 · 55a01e6
1 parent 3852ba8
commit 55a01e6
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 4 deletions.
diff --git a/app/models/ability.rb b/app/models/ability.rb
@@ -110,8 +110,8 @@ def user_abilities(user)
     # the feed is submittable or they are a member of the group.
     can :create, Submission, :feed => {:is_submittable => true} if user.persisted?
     can :create, Submission, :feed => {:group => {:id => user.group_ids }}
-    # Users can read, delete and update their own submissions.
-    can [:read, :update, :delete], Submission, :content => {:user => {:id => user.id }}
+    # Users can read and delete their own submissions.
+    can [:read,  :delete], Submission, :content => {:user => {:id => user.id }}
     # Submissions can be read and updated by moderators.
     can [:read, :update], Submission do |submission|
       submission.feed.group.leaders.include?(user)

diff --git a/test/unit/abilities/user/submission_test.rb b/test/unit/abilities/user/submission_test.rb
@@ -101,14 +101,14 @@ def setup
     assert ability.cannot?(:delete, @submission)
   end
 
-  test "Submission can be read and modified by content owner" do
+  test "Content owner can only read and delete submission" do
     content = Content.new(:user => @kristen)
     @submission.content = content
     @submission.feed = @rpitv
 
     ability = Ability.new(@kristen)
     assert ability.can?(:read, @submission)
-    assert ability.can?(:update, @submission)
+    assert ability.cannot?(:update, @submission)
     assert ability.can?(:delete, @submission)
 
     ability = Ability.new(@katie)