From 2af897df6144b40bf87a6016d92727d768547460 Mon Sep 17 00:00:00 2001
From: Krzysztof Kotlarek
Date: Tue, 23 May 2023 10:54:55 +1000
Subject: [PATCH] DEV: specs to ensure that only admin can edit Community section (#21666)
In addition, add lock that even admin can not delete Community section
---
 lib/guardian/sidebar_guardian.rb | 1 +
 .../sidebar_sections_controller_spec.rb | 56 +++++++++++++++++++
 2 files changed, 57 insertions(+)
diff --git a/lib/guardian/sidebar_guardian.rb b/lib/guardian/sidebar_guardian.rb
index c7a85810a92..855733b1862 100644
--- a/lib/guardian/sidebar_guardian.rb
+++ b/lib/guardian/sidebar_guardian.rb
@@ -12,6 +12,7 @@ module SidebarGuardian
 end
 def can_delete_sidebar_section?(sidebar_section)
+ return false if sidebar_section.section_type.present?
 return @user.admin? if sidebar_section.public?
 is_my_own?(sidebar_section)
 end
diff --git a/spec/requests/sidebar_sections_controller_spec.rb b/spec/requests/sidebar_sections_controller_spec.rb
index f08027a1b4f..08b003d56e3 100644
--- a/spec/requests/sidebar_sections_controller_spec.rb
+++ b/spec/requests/sidebar_sections_controller_spec.rb
@@ -150,6 +150,9 @@ RSpec.describe SidebarSectionsController do
 fab!(:section_link_2) do
 Fabricate(:sidebar_section_link, sidebar_section: sidebar_section, linkable: sidebar_url_2)
 end
+ let(:community_section) do
+ SidebarSection.find_by(section_type: SidebarSection.section_types[:community])
+ end
 it "allows user to update their own section and links" do
 sign_in(user)
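Review bot: The added `return false if sidebar_section.section_type.present?` in can_delete_sidebar_section? locks every section that carries a section_type, not only the community one, and the line carries no explanation, so a later maintainer may narrow or remove it without seeing the intent. Put a why-comment directly above it: `# Built-in sections (any section_type) can never be deleted, not even by admins`. Placing the lock before the `public?`/admin branch is the right order, since the admin short-circuit would otherwise win for a public built-in section. The edit permission for such sections is not part of this hunk, so the "only admin can edit" half of the commit title is enforced elsewhere, presumably by a sibling guardian method.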
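Review bot: The `let(:community_section)` added at @@ -150 is repeated verbatim in the "#destroy" describe at @@ -323, and the pre-existing context at @@ -402 already references `community_section` inside "#destroy" before this commit, so a further definition may already be in scope; a single `let` hoisted to the top-level `RSpec.describe SidebarSectionsController do` block would serve all three places. `SidebarSection.find_by(...)` returns nil when the seeded community section is absent, which surfaces as a NoMethodError on `community_section.id` in the requests rather than a clear failure; `SidebarSection.find_by!(section_type: SidebarSection.section_types[:community])` reports RecordNotFound at the point of the missing fixture. The describe block enclosing this hunk starts outside it.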
@@ -268,6 +271,49 @@ RSpec.describe SidebarSectionsController do
 expect(sidebar_url_3.reload.name).to eq("other_tags")
 end
+
+ it "doesn't allow users to edit community section" do
+ sign_in(user)
+ put "/sidebar_sections/#{community_section.id}.json",
+ params: {
+ title: "custom section edited",
+ links: [],
+ }
+
+ expect(response.status).to eq(403)
+ end
+
+ it "allows admin to edit community section" do
+ sign_in(admin)
+ everything_link = community_section.sidebar_urls.find_by(name: "Everything")
+ my_posts_link = community_section.sidebar_urls.find_by(name: "My Posts")
+ community_section
+ .sidebar_section_links
+ .where.not(linkable_id: [everything_link.id, my_posts_link.id])
+ .destroy_all
+
+ put "/sidebar_sections/#{community_section.id}.json",
+ params: {
+ title: "community section edited",
+ links: [
+ { icon: "link", id: my_posts_link.id, name: "my posts edited", value: "/my_posts" },
+ {
+ icon: "link",
+ id: everything_link.id,
+ name: "everything edited",
+ value: "/everything",
+ },
+ ],
+ }
+
+ expect(response.status).to eq(200)
+
+ expect(community_section.reload.title).to eq("community section edited")
+ expect(community_section.sidebar_urls[0].name).to eq("my posts edited")
+ expect(community_section.sidebar_urls[0].value).to eq("/my_posts")
+ expect(community_section.sidebar_urls[1].name).to eq("everything edited")
+ expect(community_section.sidebar_urls[1].value).to eq("/everything")
+ end
 end
 describe "#reorder" do
@@ -323,6 +369,9 @@ RSpec.describe SidebarSectionsController do
 describe "#destroy" do
 fab!(:sidebar_section) { Fabricate(:sidebar_section, user: user) }
+ let(:community_section) do
+ SidebarSection.find_by(section_type: SidebarSection.section_types[:community])
+ end
 it "allows user to delete their own section" do
 sign_in(user)
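Review bot: The "doesn't allow users to edit community section" example asserts only `expect(response.status).to eq(403)`, so a controller that applied the update and then rendered 403 would still pass; add `expect(community_section.reload.title).not_to eq("custom section edited")` after the status check so the spec also proves the section was left untouched. In the admin example, the positional `community_section.sidebar_urls[0]` / `[1]` assertions rely on the association returning links in insertion order, which only holds if the association declares an order (not visible here); matching on `find_by(name:)` as the setup already does would make the expectations order-independent. The `.where.not(...).destroy_all` pre-pruning of seeded links is what lets the PUT send just two links, and a short comment saying so would save the next reader a detour. The enclosing describe block starts outside the hunk.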
@@ -402,5 +451,12 @@ RSpec.describe SidebarSectionsController do
 expect(response.parsed_body["sidebar_section"]["id"]).to eq(community_section.id)
 expect(response.parsed_body["sidebar_section"]["title"]).to eq(community_section.title)
 end
+
+ it "doesn't allow admin to delete community sidebar section" do
+ sign_in(admin)
+ delete "/sidebar_sections/#{community_section.id}.json"
+
+ expect(response.status).to eq(403)
+ end
 end
 end
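Review bot: The new "doesn't allow admin to delete community sidebar section" example checks only the 403 status, which does not by itself show that the guardian lock ran before any destructive work; add `expect(SidebarSection.exists?(community_section.id)).to eq(true)` after the status assertion so the spec also verifies the row survived. The commit adds no non-admin counterpart for deleting the community section, though the existing `public?` branch in the guardian presumably already denies that case. The `describe "#destroy"` block enclosing this example starts outside the hunk.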