authorSeb Bacon <seb.bacon@gmail.com>2012-06-27 13:35:35 +0100
committerSeb Bacon <seb.bacon@gmail.com>2012-06-27 13:35:35 +0100
commit25248d5255b9adced28160fba3b11f61d4eff189 (patch)
tree2db18f710b0375425e37a3598aad12fb12250c53 /spec/controllers/admin_public_body_controller_spec.rb
parentdb1a388f0a7b37cc0ceb3ca07b995b34dabdba58 (diff)
Don't allow non-superusers to access admin interface (eek!) Fixes #515
Diffstat (limited to 'spec/controllers/admin_public_body_controller_spec.rb')
-rw-r--r--spec/controllers/admin_public_body_controller_spec.rb10
1 files changed, 9 insertions, 1 deletions
diff --git a/spec/controllers/admin_public_body_controller_spec.rb b/spec/controllers/admin_public_body_controller_spec.rb
index 171cb21b5..55a6649b2 100644
--- a/spec/controllers/admin_public_body_controller_spec.rb
+++ b/spec/controllers/admin_public_body_controller_spec.rb
@@ -146,7 +146,15 @@ describe AdminPublicBodyController, "when administering public bodies and paying
session[:using_admin].should == 1
end
-
+ it "doesn't allow non-superusers to do stuff" do
+ session[:user_id] = users(:robin_user).id
+ @request.env["HTTP_AUTHORIZATION"] = ""
+ n = PublicBody.count
+ post :destroy, { :id => public_bodies(:forlorn_public_body).id }
+ response.should redirect_to(:controller=>'user', :action=>'signin', :token=>PostRedirect.get_last_post_redirect.token)
+ PublicBody.count.should == n
+ session[:using_admin].should == nil
+ end
end
describe AdminPublicBodyController, "when administering public bodies with i18n" do
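Review bot: The new example pins the access check for one action only (`post :destroy` with the `robin_user` session), while the commit message describes a fix for the whole admin interface, so a regression in the check for read-only or other write actions of this controller would still pass this spec. Unless other spec files in the commit cover them (the diffstat shown is limited to this file), consider adding at least one GET example for a non-superuser session and, if the check lives in a shared admin base controller, one example against a second admin controller. The example name would also read better in a failure report if it stated the expected outcome, e.g. `it "redirects non-superusers to signin and leaves the public body in place" do`, and `session[:using_admin].should be_nil` is the more idiomatic matcher than `== nil`. The enclosing `describe` block starts outside the hunk.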