Merge pull request #174 from mariovisic/hide_unauthorized_links
Links are incorrectly shown for actions that accounts cannot access.
e111e2c1f9
@ -61,6 +61,8 @@ class Ability
|
||||
|
||||
can :point, Site
|
||||
|
||||
cannot :create, Site
|
||||
|
||||
can :manage, Membership
|
||||
|
||||
cannot :change_role, Membership do |membership|
|
||||
|
@ -3,10 +3,11 @@
|
||||
- content_for :submenu do
|
||||
= render_cell 'admin/settings_menu', :show
|
||||
|
||||
- if can?(:manage, @site)
|
||||
- content_for :buttons do
|
||||
- content_for :buttons do
|
||||
- if can?(:manage, @site)
|
||||
= admin_button_tag :export, new_admin_export_url, :class => 'new'
|
||||
= admin_button_tag :import, new_admin_import_url, :class => 'new'
|
||||
- if can?(:create, Account)
|
||||
= admin_button_tag t('.new_membership'), new_admin_membership_url, :class => 'new'
|
||||
|
||||
%p!= t('.help')
|
||||
|
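Review bot: The `can?` guards added here, in the sites index hunk (`can?(:create, Site)`) and in the theme asset partial (`edit && can?(:destroy, asset)`) only hide links; the controller actions behind `new_admin_export_url`, `new_admin_import_url`, `new_admin_membership_url`, `new_admin_site_url` and the theme asset delete still need their own `authorize!` / `load_and_authorize_resource`, which none of these hunks show, so that should be confirmed before treating the hidden links as the access control. The membership button is guarded by `can?(:create, Account)` while it links to `new_admin_membership_url`; if the membership controller authorizes against `Membership` rather than `Account`, link visibility and the server-side decision can diverge (the Ability hunk shows `can :manage, Membership` in what appears to be the same role block as `cannot :create, Site`). The enclosing `content_for :buttons` block presumably continues past the hunk.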
@ -8,7 +8,7 @@
|
||||
|
||||
- if multi_sites?
|
||||
- content_for :buttons do
|
||||
= admin_button_tag t('.new_site'), new_admin_site_url, :class => 'new' if can?(:manage, Site)
|
||||
= admin_button_tag t('.new_site'), new_admin_site_url, :class => 'new' if can?(:create, Site)
|
||||
|
||||
%p= t('.help')
|
||||
|
||||
|
@ -9,5 +9,5 @@
|
||||
%span!= t('.updated_at')
|
||||
%span.date= l asset.updated_at, :format => :short
|
||||
|
||||
- if edit
|
||||
- if edit && can?(:destroy, asset)
|
||||
= link_to image_tag('admin/list/icons/trash.png'), admin_theme_asset_path(asset), :class => 'remove', :confirm => t('admin.messages.confirm'), :method => :delete
|
||||
|
28
features/admin/authorization/account_settings.feature
Normal file
28
features/admin/authorization/account_settings.feature
Normal file
@ -0,0 +1,28 @@
|
||||
Feature: Account Settings
|
||||
In order to ensure sites are not tampered with
|
||||
As an admin, designer or author
|
||||
I will be restricted based on my role
|
||||
|
||||
Background:
|
||||
Given I have the site: "test site" set up
|
||||
And I have a designer and an author
|
||||
|
||||
Scenario: As an unauthenticated user
|
||||
Given I am not authenticated
|
||||
When I go to account settings
|
||||
Then I should see "Log in"
|
||||
|
||||
Scenario: Accessing site settings as an Admin
|
||||
Given I am an authenticated "admin"
|
||||
When I go to account settings
|
||||
Then I should see "new site"
|
||||
|
||||
Scenario: Accessing site settings as a Designer
|
||||
Given I am an authenticated "designer"
|
||||
When I go to account settings
|
||||
Then I should not see "new site"
|
||||
|
||||
Scenario: Accessing site settings as an Author
|
||||
Given I am an authenticated "author"
|
||||
When I go to account settings
|
||||
Then I should not see "new site"
|
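Review bot: The three role scenarios only assert whether the "new site" text is rendered; none requests the new-site page directly as a designer or author, so a regression in the `cannot :create, Site` rule, or a sites controller that never calls `authorize!`, would still pass this feature. One scenario per restricted role along the lines of `When I go to the new site page` / `Then I should not be able to create a site` (step to be defined) would pin the server-side check as well as the link. The unauthenticated scenario's `Then I should see "Log in"` is a reasonable proxy for the login redirect.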
@ -30,7 +30,7 @@ Background:
|
||||
Given I am an authenticated "designer"
|
||||
When I go to site settings
|
||||
Then I should see "import"
|
||||
And I should see "add account"
|
||||
And I should not see "add account"
|
||||
And I should see "SEO settings"
|
||||
And I should see "Access points"
|
||||
And I should not see the role dropdown on myself
|
||||
|
@ -6,6 +6,7 @@ Feature: Theme Assets
|
||||
Background:
|
||||
Given I have the site: "test site" set up
|
||||
And I have a designer and an author
|
||||
And I have an image theme asset named "dog.png"
|
||||
|
||||
Scenario: As an unauthenticated user
|
||||
Given I am not authenticated
|
||||
@ -20,6 +21,8 @@ Background:
|
||||
And I should see "Snippets"
|
||||
And I should see "Style and javascript"
|
||||
And I should see "Images"
|
||||
And I should see "dog.png"
|
||||
And I should see a delete image button
|
||||
|
||||
Scenario: Accessing theme assets as a Designer
|
||||
Given I am an authenticated "designer"
|
||||
@ -29,6 +32,8 @@ Background:
|
||||
And I should see "Snippets"
|
||||
And I should see "Style and javascript"
|
||||
And I should see "Images"
|
||||
And I should see "dog.png"
|
||||
And I should see a delete image button
|
||||
|
||||
Scenario: Accessing theme assets as an Author
|
||||
Given I am an authenticated "author"
|
||||
@ -38,3 +43,5 @@ Background:
|
||||
And I should not see "Snippets"
|
||||
And I should not see "Style and javascript"
|
||||
And I should see "Images"
|
||||
And I should see "dog.png"
|
||||
And I should not see a delete image button
|
||||
|
@ -24,8 +24,23 @@ Given /^a stylesheet asset named "([^"]*)"$/ do |name|
|
||||
@asset = create_plain_text_asset(name, 'stylesheet')
|
||||
end
|
||||
|
||||
Given /^I have an image theme asset named "([^"]*)"$/ do |name|
|
||||
@asset = FactoryGirl.create(:theme_asset, :site => @site, :source => File.open(Rails.root.join('spec', 'fixtures', 'assets', '5k.png')))
|
||||
@asset.source_filename = name
|
||||
@asset.save!
|
||||
end
|
||||
|
||||
|
||||
# other stuff
|
||||
|
||||
Then /^I should see "([^"]*)" as theme asset code$/ do |code|
|
||||
find(:css, "#theme_asset_plain_text").text.should == code
|
||||
end
|
||||
|
||||
Then /^I should see a delete image button$/ do
|
||||
page.has_css?("ul.theme-assets li .more a.remove").should be_true
|
||||
end
|
||||
|
||||
Then /^I should not see a delete image button$/ do
|
||||
page.has_css?("ul.theme-assets li .more a.remove").should be_false
|
||||
end
|
||||
|
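Review bot: `page.has_css?("ul.theme-assets li .more a.remove").should be_false` in the negative step inverts a predicate instead of using the negative matcher; with a JavaScript driver `has_css?` waits for the element before returning false, so `page.should have_no_css("ul.theme-assets li .more a.remove")` (and `page.should have_css(...)` in the positive step) is both faster and clearer. The image asset step passes `File.open(Rails.root.join('spec', 'fixtures', 'assets', '5k.png'))` without a block, so the handle is never closed; if the factory consumes the file synchronously, wrapping the create in `File.open(...) { |f| ... }` avoids leaking a descriptor per scenario. The `stylesheet asset named` step at the top begins outside the hunk.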