Merge pull request #1979 from sarken/issue_4210

4210 Don't let banned users access or request invitations
otwcode · Jan 6, 2015 · c58edf8 · c58edf8
2 parents bff78a8 + b81b264
commit c58edf8
Show file tree

Hide file tree

Showing 5 changed files with 25 additions and 0 deletions.
diff --git a/app/controllers/invitations_controller.rb b/app/controllers/invitations_controller.rb
@@ -2,6 +2,7 @@ class InvitationsController < ApplicationController
 
   before_filter :check_permission
   before_filter :admin_only, :only => [:create, :destroy]
+  before_filter :check_user_status, :only => [:index, :manage, :invite_friend, :update]
 
   def check_permission
     @user = User.find_by_login(params[:user_id])

diff --git a/app/controllers/user_invite_requests_controller.rb b/app/controllers/user_invite_requests_controller.rb
@@ -1,5 +1,6 @@
 class UserInviteRequestsController < ApplicationController
   before_filter :admin_only, :except => [:new, :create]
+  before_filter :check_user_status, :only => [:new, :create]
 
   # GET /user_invite_requests
   # GET /user_invite_requests.xml

diff --git a/features/other_a/invite_request.feature b/features/other_a/invite_request.feature
@@ -138,3 +138,10 @@ Feature: Invite requests
       And I should not see "Get an Invite"
       And I should not see "Create an Account"
       And I should see "Log In"
+
+  Scenario: Banned users cannot access their invitations page
+
+    Given I am logged in as a banned user
+    When I go to my invitations page
+    Then I should be on my user page
+    And I should see "Your account has been banned."
diff --git a/features/step_definitions/user_steps.rb b/features/step_definitions/user_steps.rb
@@ -76,6 +76,20 @@
   assert UserSession.find
 end
 
+Given /^I am logged in as a banned user$/ do
+  step("I am logged out")
+  user = FactoryGirl.create(:user, {:login => "banned", :password => DEFAULT_PASSWORD})
+  user.activate
+  user.banned = true
+  user.save
+  visit login_path
+  fill_in "User name", :with => "banned"
+  fill_in "Password", :with => DEFAULT_PASSWORD
+  check "Remember Me"
+  click_button "Log In"
+  assert UserSession.find
+end
+
 Given /^I am logged out$/ do
   visit logout_path
   assert !UserSession.find

diff --git a/features/support/paths.rb b/features/support/paths.rb
@@ -107,6 +107,8 @@ def path_to(page_name)
       user_related_works_path(User.current_user)
     when /my inbox page/
       user_inbox_path(User.current_user)
+    when /my invitations page/
+      user_invitations_path(User.current_user)
     when /the import page/
       new_work_path(:import => 'true')
     when /the work-skins page/