From 25248d5255b9adced28160fba3b11f61d4eff189 Mon Sep 17 00:00:00 2001
From: Seb Bacon <seb.bacon@gmail.com>
Date: Wed, 27 Jun 2012 13:35:35 +0100
Subject: Don't allow non-superusers to access admin interface (eek!)  Fixes
 #515

---
 spec/controllers/admin_public_body_controller_spec.rb | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

(limited to 'spec/controllers/admin_public_body_controller_spec.rb')

diff --git a/spec/controllers/admin_public_body_controller_spec.rb b/spec/controllers/admin_public_body_controller_spec.rb
index 171cb21b5..55a6649b2 100644
--- a/spec/controllers/admin_public_body_controller_spec.rb
+++ b/spec/controllers/admin_public_body_controller_spec.rb
@@ -146,7 +146,15 @@ describe AdminPublicBodyController, "when administering public bodies and paying
         session[:using_admin].should == 1
     end
 
-
+    it "doesn't allow non-superusers to do stuff" do
+        session[:user_id] = users(:robin_user).id
+        @request.env["HTTP_AUTHORIZATION"] = ""
+        n = PublicBody.count
+        post :destroy, { :id => public_bodies(:forlorn_public_body).id }
+        response.should redirect_to(:controller=>'user', :action=>'signin', :token=>PostRedirect.get_last_post_redirect.token)
+        PublicBody.count.should == n
+        session[:using_admin].should == nil
+    end
 end
 
 describe AdminPublicBodyController, "when administering public bodies with i18n" do
-- 
cgit v1.2.3