From 7f66cf618c9c97ba1009989e3c708a4511d6d08d Mon Sep 17 00:00:00 2001
From: Robin Ward <robin.ward@gmail.com>
Date: Thu, 22 Sep 2016 11:12:34 -0400
Subject: [PATCH] FIX: You should be an admin to do the wizard

---
 app/controllers/application_controller.rb  | 4 ++++
 app/controllers/steps_controller.rb        | 2 +-
 app/controllers/wizard_controller.rb       | 2 +-
 spec/controllers/steps_controller_spec.rb  | 2 +-
 spec/controllers/wizard_controller_spec.rb | 2 +-
 5 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index c015c06ad8f..ed040589e28 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -461,6 +461,10 @@ class ApplicationController < ActionController::Base
       raise Discourse::InvalidAccess.new unless current_user && current_user.staff?
     end
 
+    def ensure_admin
+      raise Discourse::InvalidAccess.new unless current_user && current_user.admin?
+    end
+
     def ensure_wizard_enabled
       raise Discourse::InvalidAccess.new unless SiteSetting.wizard_enabled?
     end
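Review bot: The new `ensure_admin` sits directly below the near-identical staff check with nothing telling a maintainer which of the two a controller should use. A one-line comment above it would prevent the two being swapped back by accident, for example `# Stricter than ensure_staff: moderators are rejected, only admins pass.` The `current_user &&` guard means an anonymous request also raises `Discourse::InvalidAccess`, which is worth stating in the same comment. The enclosing class continues outside this hunk.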
diff --git a/app/controllers/steps_controller.rb b/app/controllers/steps_controller.rb
index 6f9df1d65c1..005d2d7d781 100644
--- a/app/controllers/steps_controller.rb
+++ b/app/controllers/steps_controller.rb
@@ -6,7 +6,7 @@ class StepsController < ApplicationController
 
   before_filter :ensure_wizard_enabled
   before_filter :ensure_logged_in
-  before_filter :ensure_staff
+  before_filter :ensure_admin
 
   def update
     wizard = Wizard::Builder.new(current_user).build
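Review bot: The admin requirement for `update` rests entirely on the `before_filter :ensure_admin` line, and nothing visible in this hunk re-checks the role after `Wizard::Builder.new(current_user)` is handed the user. The builder's code is outside this diff; if it does not verify the role itself, a later `skip_before_filter` or a reuse of the builder from another controller would drop the check silently, so a guard there is worth considering. At minimum, add a comment above the filter such as `# Wizard steps write site configuration; admins only, moderators must be rejected`. The same point applies to the identical one-line change in `wizard_controller.rb`. The body of `update` continues outside the hunk.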
diff --git a/app/controllers/wizard_controller.rb b/app/controllers/wizard_controller.rb
index 951ad1d9ed8..4b7bc82faa4 100644
--- a/app/controllers/wizard_controller.rb
+++ b/app/controllers/wizard_controller.rb
@@ -4,7 +4,7 @@ require_dependency 'wizard/builder'
 class WizardController < ApplicationController
   before_filter :ensure_wizard_enabled, only: [:index]
   before_filter :ensure_logged_in
-  before_filter :ensure_staff
+  before_filter :ensure_admin
 
   skip_before_filter :check_xhr, :preload_json
 
diff --git a/spec/controllers/steps_controller_spec.rb b/spec/controllers/steps_controller_spec.rb
index 950005b2027..50bafc95fb0 100644
--- a/spec/controllers/steps_controller_spec.rb
+++ b/spec/controllers/steps_controller_spec.rb
@@ -13,7 +13,7 @@ describe StepsController do
   end
 
   it "raises an error if you aren't an admin" do
-    log_in
+    log_in(:moderator)
     xhr :put, :update, id: 'made-up-id', fields: { forum_title: "updated title" }
     expect(response).to be_forbidden
   end
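Review bot: Switching this example to `log_in(:moderator)` covers the new boundary but drops the only visible case for an ordinary logged-in user, which the old `log_in` call exercised. Both roles should be pinned so a future change to `ensure_admin` cannot open the endpoint to regular users unnoticed. Keep the moderator example and add a sibling example that logs in with the default user and expects the same forbidden response. The same gap is introduced in `spec/controllers/wizard_controller_spec.rb`, where the added example would use `xhr :get, :index`. The surrounding `describe` block starts and ends outside the hunk.

```ruby
  # … unchanged: "raises an error if you aren't an admin" (moderator case) …

  it "raises an error if you are a regular user" do
    log_in
    xhr :put, :update, id: 'made-up-id', fields: { forum_title: "updated title" }
    expect(response).to be_forbidden
  end
```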
diff --git a/spec/controllers/wizard_controller_spec.rb b/spec/controllers/wizard_controller_spec.rb
index ffc1ed64bd0..6621e34815c 100644
--- a/spec/controllers/wizard_controller_spec.rb
+++ b/spec/controllers/wizard_controller_spec.rb
@@ -14,7 +14,7 @@ describe WizardController do
     end
 
     it "raises an error if you aren't an admin" do
-      log_in
+      log_in(:moderator)
       xhr :get, :index
       expect(response).to be_forbidden
     end