authorMatthew Landauer <matthew@openaustralia.org>2013-03-03 10:12:49 +1100
committerMatthew Landauer <matthew@openaustralia.org>2013-03-03 10:12:49 +1100
commitfaa70e9445a0a31fe0a49217ff2135b31ccce4ac (patch)
treee83c6cfd2bd7c75b1d88536a6f9c00f842fb5a3f /spec/controllers/request_controller_spec.rb
parent00c188d129696353c48a2598ec7c747b8a90d658 (diff)
only can make the change as the owner of a request
Diffstat (limited to 'spec/controllers/request_controller_spec.rb')
-rw-r--r--spec/controllers/request_controller_spec.rb14
1 files changed, 14 insertions, 0 deletions
diff --git a/spec/controllers/request_controller_spec.rb b/spec/controllers/request_controller_spec.rb
index be9df90c4..6adba4464 100644
--- a/spec/controllers/request_controller_spec.rb
+++ b/spec/controllers/request_controller_spec.rb
@@ -1254,6 +1254,20 @@ describe RequestController, "describe_state_requires_admin" do
end
end
+ context "logged in but not owner of request" do
+ it "should not allow you to change the state" do
+ info_request = info_requests(:fancy_dog_request)
+ session[:user_id] = users(:silly_name_user).id
+ info_request.user_id.should_not == users(:silly_name_user).id
+
+ InfoRequest.should_receive(:find_by_url_title!).with("info_request").and_return(info_request)
+ info_request.should_not_receive(:set_described_state)
+
+ post :describe_state_requires_admin, :message => "Something weird happened", :url_title => "info_request"
+ response.should render_template('user/wrong_user')
+ end
+ end
+
context "logged out" do
it "should redirect to the login page" do
info_request = info_requests(:fancy_dog_request)
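Review bot: The new "logged in but not owner of request" example proves the refusal only through the mock expectation `info_request.should_not_receive(:set_described_state)` and the rendered template, so it would still pass if the action altered the request by another path, such as a direct attribute write or a renamed method. For an authorization check it is worth pinning the outcome too: record the state before the `post` and assert afterwards that it is unchanged, e.g. `info_request.reload.described_state.should == state_before` (assuming `described_state` is the persisted attribute, which this hunk does not show). If the wrong-user page is meant to be served with a non-200 status, asserting the response code here would also catch a regression where the template is rendered but the request is treated as successful. The enclosing `describe` block starts above the hunk and the "logged out" context continues past its last line.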