FIX: You should be an admin to do the wizard

Robin Ward 2016-09-22 11:12:34 -04:00
parent 8f7a2cb470
commit 7f66cf618c
5 changed files with 8 additions and 4 deletions


@ -461,6 +461,10 @@ class ApplicationController < ActionController::Base
raise Discourse::InvalidAccess.new unless current_user && current_user.staff?
end
def ensure_admin
raise Discourse::InvalidAccess.new unless current_user && current_user.admin?
end
def ensure_wizard_enabled
raise Discourse::InvalidAccess.new unless SiteSetting.wizard_enabled?
end
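Review bot: `ensure_admin` is added with no comment saying how it differs from `ensure_staff` directly above it, and the two names are easy to confuse when gating a new endpoint. Judging by the spec changes in this commit, a moderator passes the staff check but has to be rejected by this one. I would put a comment above the method, for example `# Admin-only gate: moderators are staff and pass ensure_staff, but must be rejected here.` The enclosing ApplicationController class starts and ends outside this hunk.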


@ -6,7 +6,7 @@ class StepsController < ApplicationController
before_filter :ensure_wizard_enabled
before_filter :ensure_logged_in
before_filter :ensure_staff
before_filter :ensure_admin
def update
wizard = Wizard::Builder.new(current_user).build
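Review bot: The admin requirement rests entirely on the `before_filter` list, which is written out by hand here and again in WizardController, so a wizard endpoint added later could omit `before_filter :ensure_admin` without anything failing. Consider declaring the shared filters once (a common wizard base controller or a concern), or at least add a comment above the filter such as `# Wizard steps appear to change site-wide settings: admin only, moderators must be rejected.` Whether `Wizard::Builder` does its own permission check is not visible in this hunk; if it does not, this filter is the only control. The `update` body continues outside the hunk.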


@ -4,7 +4,7 @@ require_dependency 'wizard/builder'
class WizardController < ApplicationController
before_filter :ensure_wizard_enabled, only: [:index]
before_filter :ensure_logged_in
before_filter :ensure_staff
before_filter :ensure_admin
skip_before_filter :check_xhr, :preload_json


@ -13,7 +13,7 @@ describe StepsController do
end
it "raises an error if you aren't an admin" do
log_in
log_in(:moderator)
xhr :put, :update, id: 'made-up-id', fields: { forum_title: "updated title" }
expect(response).to be_forbidden
end
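Review bot: Changing the example from `log_in` to `log_in(:moderator)` replaces the regular-user case instead of adding to it, so no visible example still asserts that a logged-in non-staff user is forbidden. Keep both cases: the moderator one proves the new admin gate, and the plain `log_in` one guards against the filter being loosened or dropped later. The WizardController spec makes the same replacement around `xhr :get, :index` and should get the same extra example. An example showing that an admin succeeds may exist outside the hunk; the describe block starts and ends outside it.

```ruby
it "raises an error if you aren't an admin" do
  # … unchanged: moderator case from this commit …
end

it "raises an error for a regular user" do
  log_in
  xhr :put, :update, id: 'made-up-id', fields: { forum_title: "updated title" }
  expect(response).to be_forbidden
end
```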


@ -14,7 +14,7 @@ describe WizardController do
end
it "raises an error if you aren't an admin" do
log_in
log_in(:moderator)
xhr :get, :index
expect(response).to be_forbidden
end