
Fix: Guest have access to the /ads/new...

1 parent 0695504 commit d5421b15f1e15d7b1b7562010e96cdc4004b4eb0 @vaski committed Sep 28, 2012
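--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -5,7 +5,7 @@ def initialize(user)
 user ||= User.new # guest user (not logged in)
- if user.role.admin?
+ if user.admin?
 can :read, :all
 can :create, User
 can [:destroy, :update, :assign_role], User do |usr|
@@ -16,7 +16,7 @@ def initialize(user)
 else
 can :read, Ad, state: 'published'
- if user.role.user?
+ if user.user?
 can :read, User, id: user.id
 can :create, Ad
 can [:read, :update, :destroy, :verify], Ad, user_id: user.id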
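Review bot: The guest denial in the `else` branch now rests on the guest's role being nil — `user.user?` is false for `User.new` only because the same commit drops the default role in user.rb — so re-introducing a default or backfilling roles later would silently hand guests `can :create, Ad` again. Tying the member branch to an explicit guest test, `if user.persisted? && user.user?`, keeps the denial independent of how roles default. Note that a persisted account whose role was never assigned answers false to both predicates and falls through to the read-only branch. `initialize(user)` starts before the first hunk and continues past the second.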
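--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -40,7 +40,7 @@ class User < ActiveRecord::Base
 VALID_EMAIL_REGEX = /\A[\w+\-.]+@[a-z\d\-.]+\.[a-z]+\z/i
 validates :email, format: { with: VALID_EMAIL_REGEX }
- enumerize :role, in: [:user, :admin], default: :user
+ enumerize :role, in: %w(user admin), predicates: true
 private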
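Review bot: Dropping `default: :user` leaves `role` nil on every new User, including accounts created through sign-up, unless something outside this hunk assigns it; the new `it { user.role.should be_nil }` in user_spec.rb pins exactly that. With `predicates: true` a nil role answers false to both `user?` and `admin?`, so such an account would be a signed-in user that can never create an ad, and nothing in the diff shows where the role is set. If the role is meant to be assigned on registration, a presence validation, `validates :role, presence: true`, would surface a missing assignment at save time instead of as a silently read-only account; it does not affect the unsaved guest `User.new` used by Ability.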
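--- a/app/views/layouts/_navbar.html.erb
+++ b/app/views/layouts/_navbar.html.erb
@@ -5,12 +5,12 @@
 <nav>
 <ul class="nav pull-right">
 <% if user_signed_in? %>
- <% if can? :create, User %>
+ <% if current_user.admin? %>
 <li><%= link_to "Users", users_path %></li>
 <li><%= link_to "Categories", categories_path %></li>
 <li><%= link_to "Verified ads", verified_ads_path %></li>
 <% end %>
- <% if can? :create, Ad %>
+ <% if current_user.user? %>
 <li><%= link_to "Create ad", new_ad_path %></li>
 <% end %>
 <li class="dropdown">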
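Review bot: Replacing `can? :create, User` and `can? :create, Ad` with `current_user.admin?` and `current_user.user?` moves the role-to-permission mapping out of Ability and into the view, so the navbar and the authorization rules can now drift apart. Once Ability itself no longer grants `create, Ad` to guests (the user.rb change makes the guest's role nil), the original `can?` checks already render correctly and keep a single source of truth, so I would restore `<% if can? :create, User %>` and `<% if can? :create, Ad %>`. Either way, hiding a link is not the access control: the controllers must still authorize `new` and `create`, and the new guest_spec exercises only GET requests.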
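--- a/spec/factories.rb
+++ b/spec/factories.rb
@@ -27,6 +27,6 @@
 end
 factory :category do
- category_name "Cows"
+ category_name "Category"
 end
 end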
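--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -83,6 +83,8 @@
 describe 'with valid data' do
 let(:user) { FactoryGirl.build(:user) }
+ it { user.role.should be_nil }
+
 describe "when password doesn't match confirmation" do
 before { user.password_confirmation = 'mismatch' }
 it { should_not be_valid }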
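--- a/spec/requests/guest_spec.rb
+++ b/spec/requests/guest_spec.rb
@@ -0,0 +1,18 @@
+require 'spec_helper'
+
+describe 'Guest' do
+
+ forbidden_urls = [ '/ads/new',
+ '/categories',
+ '/categories/new',
+ '/users',
+ '/users/new',
+ '/verified_ads']
+
+ forbidden_urls.each do |url|
+ it "can not access #{url}" do
+ get url
+ response.should redirect_to(root_path)
+ end
+ end
+end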
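Review bot: The spec issues only GET requests to the `new` and index pages, so it proves the forms are not served but never that the state-changing actions are denied; a guest posting directly to `/ads` is not exercised. A companion case next to the loop, `it 'can not create an ad' do post '/ads'; response.should redirect_to(root_path) end`, would pin the part of the fix that actually protects data (the params the controller expects are not visible here, so the body may need adjusting). As a style point, the hand-aligned array literal reads more naturally as `forbidden_urls = %w[/ads/new /categories /categories/new /users /users/new /verified_ads]`.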

