Add robust course and permission checks 💪

1 parent 211f7c3 commit 5a2a0cac27ef256d1a6497a98d71da7af2ad25e8 @wicz wicz committed Mar 18, 2012
Showing with 48 additions and 11 deletions.
  1. +14 −7 app/controllers/tasks_controller.rb
  2. +28 −0 test/functional/tasks_controller_test.rb
  3. +6 −4 test/test_helper.rb
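--- a/app/controllers/tasks_controller.rb
+++ b/app/controllers/tasks_controller.rb
@@ -1,5 +1,5 @@
 class TasksController < ApplicationController
- before_filter :find_course
+ before_filter :find_course, :check_permission
 def new
 @task = @course.tasks.build
@@ -9,7 +9,7 @@ def create
 task = @course.tasks.build(params[:task])
 if task.save
- redirect_to @course, flash: { success: "Task created" }
+ redirect_to(@course, notice: "Task created")
 else
 redirect_to new_course_task_path(@course)
 end
@@ -19,17 +19,24 @@ def destroy
 task = Task.find(params[:id])
 if task.destroy
- flash[:success] = "Task removed successfully"
+ flash[:notice] = "Task removed successfully"
 else
- flash[:error] = "Sorry, there was an error remove the task from the course"
+ flash[:alert] = "Sorry, there was an error remove the task from the course"
 end
- redirect_to @course
+ redirect_to @course
 end
 private
+ def check_permission
+ unless current_person.has_role?(:instructor, @course)
+ redirect_to(@course, alert: "Unauthorized access")
+ end
+ end
+
 def find_course
 @course = Course.find(params[:course_id])
+ rescue ActiveRecord::RecordNotFound
+ redirect_to(root_url, alert: "Couldn't find course")
 end
-
-end
+end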
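Review bot: `destroy` still loads the task with `Task.find(params[:id])`, so the new `check_permission` filter only proves the caller is an instructor of the course named in `params[:course_id]`, not that the task belongs to that course; an instructor of one course can delete any task by pairing their own course_id with a foreign task id. Scope the lookup to the authorized course, `task = @course.tasks.find(params[:id])`, which also raises RecordNotFound for a mismatched id instead of silently deleting. `check_permission` calls `current_person.has_role?` with no nil guard; if ApplicationController can yield a nil `current_person` for an anonymous request (not visible in this diff), the filter raises NoMethodError rather than redirecting, so either confirm the base controller already enforces sign-in or add `return redirect_to(root_url, alert: "Unauthorized access") unless current_person` at the top. `create` hands `params[:task]` straight to `tasks.build`, so the Task model's attr_accessible/attr_protected list is what bounds user-settable columns; that model is not in this diff and is worth checking alongside this change. The class body spans all three hunks, so the `new`/`create` actions are only partly visible here.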
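--- /dev/null
+++ b/test/functional/tasks_controller_test.rb
@@ -0,0 +1,28 @@
+require "test_helper"
+
+class TasksControllerTest < ActionController::TestCase
+ fixtures :all
+
+ def setup
+ @controller.current_person = clubhouse_person("instructor")
+ end
+
+ test "#new is not allowed to students" do
+ @controller.current_person = clubhouse_person("student")
+
+ get(:new, course_id: courses(:webdev).id)
+ assert_redirected_to(courses(:webdev))
+ assert flash[:alert]
+ end
+
+ test "#new is allowed to instructors" do
+ get(:new, course_id: courses(:webdev).id)
+ assert_template "new"
+ end
+
+ test "redirects to root if can't find course" do
+ get(:new, course_id: 'ohai!')
+ assert_redirected_to(root_url)
+ assert flash[:alert]
+ end
+end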
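Review bot: The new tests only exercise `#new`; `create` and `destroy` run under the same `check_permission` filter but have no test for the student path, so a regression that drops the filter from those actions would not be caught. Add a student-side `delete(:destroy, course_id: courses(:webdev).id, id: task_id)` that asserts `assert_redirected_to(courses(:webdev))` and that the task still exists, plus an instructor-side case where `id` names a task of a different course to pin whether cross-course ids are rejected (no task fixture is visible in this diff, so the fixture name has to come from the repo). There is also no test for an anonymous request, i.e. `@controller.current_person = nil`, which is the case the new filter handles least obviously. The "instructor"/"student" nicknames presumably map to roles through `Clubhouse::Client.test_mode`; that mapping is not visible here, so a one-line comment on `setup` saying where the roles come from would help the next reader.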
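--- a/test/test_helper.rb
+++ b/test/test_helper.rb
@@ -4,8 +4,11 @@
 require "capybara/rails"
+Clubhouse::Client.test_mode = true
+
 def clubhouse_person(github_nickname)
- Clubhouse::Client::Person.new(github_nickname)
+ # FIXME: duplicates code from ApplicationController
+ PersonDecorator.new(Clubhouse::Client::Person.new(github_nickname))
 end
 class ActiveSupport::TestCase
@@ -28,9 +31,8 @@ def sign_in(person)
 visit root_url
 fill_in("Name", with: person.name)
 fill_in("Email", with: person.email)
- fill_in("Nickname", with: person.github_nickname)
+ fill_in("Nickname", with: person.github_nickname)
 click_button "Sign In"
 assert_includes(page.body, "Welcome to Liskov")
 end
-end
-
+end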

0 comments on commit 5a2a0ca

Please sign in to comment.
Something went wrong with that request. Please try again.