Merge pull request #174 from mariovisic/hide_unauthorized_links

Links are incorrectly shown to actions accounts cannot access.
2011-08-22 15:55:41 -07:00 · 2011-08-22 15:55:41 -07:00 · e111e2c1f9
commit e111e2c1f9
parent f140fcc260 22445856ec
8 changed files with 59 additions and 6 deletions
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@ -61,6 +61,8 @@ class Ability
    can :point, Site
    cannot :create, Site
    can :manage, Membership
    cannot :change_role, Membership do |membership|
--- a/app/views/admin/current_site/edit.html.haml
+++ b/app/views/admin/current_site/edit.html.haml
@ -3,10 +3,11 @@
 - content_for :submenu do
  = render_cell 'admin/settings_menu', :show
- if can?(:manage, @site)
+- content_for :buttons do
-  - content_for :buttons do
+  - if can?(:manage, @site)
    = admin_button_tag :export, new_admin_export_url, :class => 'new'
    = admin_button_tag :import, new_admin_import_url, :class => 'new'
  - if can?(:create, Account)
    = admin_button_tag t('.new_membership'), new_admin_membership_url, :class => 'new'
 %p!= t('.help')
--- a/app/views/admin/my_account/edit.html.haml
+++ b/app/views/admin/my_account/edit.html.haml
@ -8,7 +8,7 @@
 - if multi_sites?
  - content_for :buttons do
-    = admin_button_tag t('.new_site'), new_admin_site_url, :class => 'new' if can?(:manage, Site)
+    = admin_button_tag t('.new_site'), new_admin_site_url, :class => 'new' if can?(:create, Site)
 %p= t('.help')
--- a/app/views/admin/theme_assets/_asset.html.haml
+++ b/app/views/admin/theme_assets/_asset.html.haml
@ -9,5 +9,5 @@
    %span!= t('.updated_at')
    %span.date= l asset.updated_at, :format => :short
-    - if edit
+    - if edit && can?(:destroy, asset)
      = link_to image_tag('admin/list/icons/trash.png'), admin_theme_asset_path(asset), :class => 'remove', :confirm => t('admin.messages.confirm'), :method => :delete
--- a/features/admin/authorization/account_settings.feature
+++ b/features/admin/authorization/account_settings.feature
@ -0,0 +1,28 @@
 Feature: Account Settings
  In order to ensure sites are not tampered with
  As an admin, designer or author
  I will be restricted based on my role
 Background:
  Given I have the site: "test site" set up
  And I have a designer and an author
  Scenario: As an unauthenticated user
    Given I am not authenticated
    When I go to account settings
    Then I should see "Log in"
  Scenario: Accessing site settings as an Admin
    Given I am an authenticated "admin"
    When I go to account settings
    Then I should see "new site"
  Scenario: Accessing site settings as a Designer
    Given I am an authenticated "designer"
    When I go to account settings
    Then I should not see "new site"
  Scenario: Accessing site settings as an Author
    Given I am an authenticated "author"
    When I go to account settings
    Then I should not see "new site"
--- a/features/admin/authorization/current_site.feature
+++ b/features/admin/authorization/current_site.feature
@ -30,7 +30,7 @@ Background:
    Given I am an authenticated "designer"
    When I go to site settings
    Then I should see "import"
-    And I should see "add account"
+    And I should not see "add account"
    And I should see "SEO settings"
    And I should see "Access points"
    And I should not see the role dropdown on myself
--- a/features/admin/authorization/theme_assets.feature
+++ b/features/admin/authorization/theme_assets.feature
@ -6,6 +6,7 @@ Feature: Theme Assets
 Background:
  Given I have the site: "test site" set up
  And I have a designer and an author
  And I have an image theme asset named "dog.png"
  Scenario: As an unauthenticated user
    Given I am not authenticated
@ -20,6 +21,8 @@ Background:
    And I should see "Snippets"
    And I should see "Style and javascript"
    And I should see "Images"
    And I should see "dog.png"
    And I should see a delete image button
  Scenario: Accessing theme assets as a Designer
    Given I am an authenticated "designer"
@ -29,6 +32,8 @@ Background:
    And I should see "Snippets"
    And I should see "Style and javascript"
    And I should see "Images"
    And I should see "dog.png"
    And I should see a delete image button
  Scenario: Accessing theme assets as an Author
    Given I am an authenticated "author"
@ -38,3 +43,5 @@ Background:
    And I should not see "Snippets"
    And I should not see "Style and javascript"
    And I should see "Images"
    And I should see "dog.png"
    And I should not see a delete image button
--- a/features/step_definitions/theme_asset_steps.rb
+++ b/features/step_definitions/theme_asset_steps.rb
@ -24,8 +24,23 @@ Given /^a stylesheet asset named "([^"]*)"$/ do |name|
  @asset = create_plain_text_asset(name, 'stylesheet')
 end
 Given /^I have an image theme asset named "([^"]*)"$/ do |name|
  @asset = FactoryGirl.create(:theme_asset, :site => @site, :source => File.open(Rails.root.join('spec', 'fixtures', 'assets', '5k.png')))
  @asset.source_filename = name
  @asset.save!
 end
 # other stuff
 Then /^I should see "([^"]*)" as theme asset code$/ do |code|
  find(:css, "#theme_asset_plain_text").text.should == code
-end
+end
 Then /^I should see a delete image button$/ do
  page.has_css?("ul.theme-assets li .more a.remove").should be_true
 end
 Then /^I should not see a delete image button$/ do
  page.has_css?("ul.theme-assets li .more a.remove").should be_false
 end