diff options
| author | Struan Donald <struan@exo.org.uk> | 2020-10-23 14:28:38 +0100 |
|---|---|---|
| committer | Struan Donald <struan@exo.org.uk> | 2020-10-28 09:56:07 +0000 |
| commit | cfda101b3006f12280a41adc4b28ca555b867556 (patch) | |
| tree | f7f09eeec2cb31c8db33b9d0d819ebd9b84fea54 /t/app/controller | |
| parent | c5f80e9cd8a896ff469acfa9a90f69a5a7b5243e (diff) | |
prevent editing of category names with hardcoded flag
If a category has hardcoded set to 1 in it's extra metadata then prevent
the name being edited in the admin. This is to avoid issues where the
name of the category is used in e.g. layers or other configuration and
changing it breaks things.
Also includes admin interface for setting this that is restricted to
super users only.
Fixes mysociety/fixmystreet-commercial#1992
Diffstat (limited to 't/app/controller')
| -rw-r--r-- | t/app/controller/admin/bodies.t | 65 |
1 files changed, 65 insertions, 0 deletions
diff --git a/t/app/controller/admin/bodies.t b/t/app/controller/admin/bodies.t index 542c3f4c0..811ac4362 100644 --- a/t/app/controller/admin/bodies.t +++ b/t/app/controller/admin/bodies.t @@ -15,6 +15,10 @@ my $mech = FixMyStreet::TestMech->new; my $superuser = $mech->create_user_ok('superuser@example.com', name => 'Super User', is_superuser => 1); $mech->log_in_ok( $superuser->email ); my $body = $mech->create_body_ok(2650, 'Aberdeen City Council'); +my $body2 = $mech->create_body_ok(2237, 'Oxfordshire County Council'); + +my $user = $mech->create_user_ok('user@example.com', name => 'OCC User', from_body => $body2); +$user->user_body_permissions->create({ body => $body2, permission_type => 'category_edit' }); # This override is wrapped around ALL the /admin/body tests FixMyStreet::override_config { @@ -117,6 +121,8 @@ subtest 'check contact renaming' => sub { $mech->submit_form_ok( { with_fields => { category => 'test category' } } ); }; + + subtest 'check contact updating' => sub { $mech->get_ok('/admin/body/' . $body->id . '/test%20category'); $mech->content_like(qr{test2\@example.com</strong>[^<]*</td>[^<]*<td>unconfirmed}s); @@ -442,4 +448,63 @@ subtest 'check update disallowed message' => sub { }; }; +subtest 'check hardcoded contact renaming' => sub { + FixMyStreet::override_config { + MAPIT_URL => 'http://mapit.uk/', + 'ALLOWED_COBRANDS' => [ 'oxfordshire' ], + }, sub { + my $contact = FixMyStreet::DB->resultset('Contact')->create( + { + body_id => $body2->id, + category => 'protected category', + state => 'confirmed', + editor => $0, + whenedited => \'current_timestamp', + note => 'protected contact', + email => 'protected@example.org', + } + ); + $contact->set_extra_metadata( 'hardcoded', 1 ); + $contact->update; + $mech->get_ok('/admin/body/' . $body2->id .'/protected%20category'); + $mech->content_contains( 'name="hardcoded"' ); + $mech->content_like( qr'value="protected category"[^>]*readonly's ); + $mech->submit_form_ok( { with_fields => { category => 'non protected category', note => 'rename category' } } ); + $mech->content_contains( 'protected category' ); + $mech->content_lacks( 'non protected category' ); + $mech->get('/admin/body/' . $body2->id . '/non%20protected%20category'); + is $mech->res->code, 404; + + $mech->get_ok('/admin/body/' . $body2->id .'/protected%20category'); + $mech->submit_form_ok( { with_fields => { hardcoded => 0, note => 'remove hardcoding' } } ); + $mech->get_ok('/admin/body/' . $body2->id .'/protected%20category'); + $mech->content_unlike( qr'value="protected category"[^>]*readonly's ); + $mech->submit_form_ok( { with_fields => { category => 'non protected category', note => 'rename category' } } ); + $mech->content_contains( 'non protected category' ); + $mech->get_ok('/admin/body/' . $body2->id . '/non%20protected%20category'); + $mech->get('/admin/body/' . $body2->id . '/protected%20category'); + is $mech->res->code, 404; + + $contact->discard_changes; + $contact->set_extra_metadata( 'hardcoded', 1 ); + $contact->update; + + $mech->log_out_ok( $superuser->email ); + $mech->log_in_ok( $user->email ); + $mech->get_ok('/admin/body/' . $body2->id . '/non%20protected%20category'); + $mech->content_lacks( 'name="hardcoded"' ); + $user->update( { is_superuser => 1 } ); + $mech->get_ok('/admin/body/' . $body2->id . '/non%20protected%20category'); + $mech->content_contains('name="hardcoded"' ); + $user->update( { is_superuser => 0 } ); + $mech->submit_form_ok( { with_fields => { hardcoded => 0, note => 'remove hardcoding' } } ); + $mech->content_lacks( 'name="hardcoded"' ); + + $contact->discard_changes; + is $contact->get_extra_metadata('hardcoded'), 1, "non superuser can't remove hardcoding"; + + $mech->log_out_ok( $user->email ); + }; +}; + done_testing(); |