Add robust course and permission checks 💪
wicz committed Mar 18, 2012
1 parent 211f7c3 commit 5a2a0ca
Showing 3 changed files with 48 additions and 11 deletions.
21 changes: 14 additions & 7 deletions app/controllers/tasks_controller.rb
@@ -1,5 +1,5 @@
class TasksController < ApplicationController
before_filter :find_course
before_filter :find_course, :check_permission

def new
@task = @course.tasks.build
Expand All @@ -9,7 +9,7 @@ def create
task = @course.tasks.build(params[:task])

if task.save
redirect_to @course, flash: { success: "Task created" }
redirect_to(@course, notice: "Task created")
else
redirect_to new_course_task_path(@course)
end
Expand All @@ -19,17 +19,24 @@ def destroy
task = Task.find(params[:id])

if task.destroy
flash[:success] = "Task removed successfully"
flash[:notice] = "Task removed successfully"
else
flash[:error] = "Sorry, there was an error remove the task from the course"
flash[:alert] = "Sorry, there was an error remove the task from the course"
end
redirect_to @course
redirect_to @course
end

private

def check_permission
unless current_person.has_role?(:instructor, @course)
redirect_to(@course, alert: "Unauthorized access")
end
end

def find_course
@course = Course.find(params[:course_id])
rescue ActiveRecord::RecordNotFound
redirect_to(root_url, alert: "Couldn't find course")
end

end
end
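Review bot: `destroy` still looks the task up with `Task.find(params[:id])` (the context line at the top of the third hunk), so the new `check_permission` filter only establishes that the caller is an instructor of `@course`, not that the task being deleted belongs to that course; an instructor of one course can remove a task from another by supplying its id. Scoping the lookup to the association closes that gap: `task = @course.tasks.find(params[:id])`, with a `rescue ActiveRecord::RecordNotFound` path like the one `find_course` already has. `check_permission` also calls `current_person.has_role?` without guarding a nil `current_person`; if `ApplicationController` does not already enforce sign-in before these filters, an anonymous request would raise `NoMethodError` instead of redirecting, which is worth confirming. The new `flash[:alert]` text reads "error remove the task"; "error removing the task" is presumably intended.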
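--- a/test/functional/tasks_controller_test.rb
+++ b/test/functional/tasks_controller_test.rb
@@ -0,0 +1,28 @@
+require "test_helper"
+
+class TasksControllerTest < ActionController::TestCase
+fixtures :all
+
+def setup
+@controller.current_person = clubhouse_person("instructor")
+end
+
+test "#new is not allowed to students" do
+@controller.current_person = clubhouse_person("student")
+
+get(:new, course_id: courses(:webdev).id)
+assert_redirected_to(courses(:webdev))
+assert flash[:alert]
+end
+
+test "#new is allowed to instructors" do
+get(:new, course_id: courses(:webdev).id)
+assert_template "new"
+end
+
+test "redirects to root if can't find course" do
+get(:new, course_id: 'ohai!')
+assert_redirected_to(root_url)
+assert flash[:alert]
+end
+end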
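Review bot: The authorization tests exercise only `#new`, while `create` and `destroy` are the actions that mutate state and are guarded by the same `before_filter`; a regression that dropped `:check_permission` for those actions would go unnoticed. A student-role case for each, e.g. `post(:create, course_id: courses(:webdev).id, task: {})` and `delete(:destroy, course_id: courses(:webdev).id, id: <task fixture id>)` followed by `assert_redirected_to(courses(:webdev))`, pins the behavior the commit introduces. `assert flash[:alert]` only checks presence; `assert_equal "Unauthorized access", flash[:alert]` distinguishes the permission redirect from the not-found redirect, which also sets `flash[:alert]`. There is also no case for a request with no signed-in person, which is where `current_person.has_role?` in the controller would raise if `current_person` is nil.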
10 changes: 6 additions & 4 deletions test/test_helper.rb
Expand Up @@ -4,8 +4,11 @@

require "capybara/rails"

Clubhouse::Client.test_mode = true

def clubhouse_person(github_nickname)
Clubhouse::Client::Person.new(github_nickname)
# FIXME: duplicates code from ApplicationController
PersonDecorator.new(Clubhouse::Client::Person.new(github_nickname))
end

class ActiveSupport::TestCase
Expand All @@ -28,9 +31,8 @@ def sign_in(person)
visit root_url
fill_in("Name", with: person.name)
fill_in("Email", with: person.email)
fill_in("Nickname", with: person.github_nickname)
fill_in("Nickname", with: person.github_nickname)
click_button "Sign In"
assert_includes(page.body, "Welcome to Liskov")
end
end

end
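Review bot: `clubhouse_person` is defined with a top-level `def` in `test/test_helper.rb`, which makes it a private method on every object rather than a helper scoped to the test cases, and the `FIXME` on the next line records that the `PersonDecorator.new(Clubhouse::Client::Person.new(...))` wrapping duplicates `ApplicationController`. Both are addressed by giving the wrapping one home the app and the tests share — for example a class method on `PersonDecorator` (a proposed name such as `PersonDecorator.for_nickname(github_nickname)`) that `ApplicationController` and this helper both call — and by moving the helper into a module included in `ActiveSupport::TestCase`. `Clubhouse::Client.test_mode = true` is set unconditionally at file load; a one-line comment stating what test mode changes (presumably it stops real client calls, which this hunk does not show) would help the next reader.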
