Added test to block normal user from updating wiki, fixes #397 (#1155)

* Test to block normal user from updating wiki * Update wiki_controller_test.rb
publiclab · Jan 3, 2017 · ecabc0a · ecabc0a
1 parent 940286e
commit ecabc0a
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 1 deletion.
diff --git a/app/controllers/wiki_controller.rb b/app/controllers/wiki_controller.rb
@@ -143,7 +143,11 @@ def update
       title: params[:title],
       body:  params[:body]
     })
-    if @revision.valid?
+    if @node.has_tag('locked') && (current_user.role != "admin" && current_user.role != "moderator")
+      flash[:warning] = "This page is <a href='/wiki/power-tags#Locking'>locked</a>, and only <a href='/wiki/moderators'>moderators</a> can update it."
+      redirect_to @node.path
+
+    elsif @revision.valid?
       ActiveRecord::Base.transaction do
         @revision.save
         @node.vid = @revision.vid

diff --git a/test/functional/wiki_controller_test.rb b/test/functional/wiki_controller_test.rb
@@ -143,6 +143,16 @@ def teardown
     assert_redirected_to node(:organizers).path
   end
 
+  test "basic user blocked from updating a locked wiki page" do
+    node(:organizers).add_tag('locked', rusers(:admin)) # lock the page with a tag
+    # then try editing it
+    assert_difference 'DrupalNodeRevision.count', 0 do
+      post :update,
+          id: 'organizers'
+    end
+    assert_equal flash[:warning] , "This page is <a href='/wiki/power-tags#Locking'>locked</a>, and only <a href='/wiki/moderators'>moderators</a> can update it."
+    assert_redirected_to node(:organizers).path
+  end
 
   test "updating wiki with bad title" do