From faa70e9445a0a31fe0a49217ff2135b31ccce4ac Mon Sep 17 00:00:00 2001
From: Matthew Landauer
Date: Sun, 3 Mar 2013 10:12:49 +1100
Subject: only can make the change as the owner of a request
---
spec/controllers/request_controller_spec.rb | 14 ++++++++++++++
1 file changed, 14 insertions(+)
(limited to 'spec/controllers/request_controller_spec.rb')
diff --git a/spec/controllers/request_controller_spec.rb b/spec/controllers/request_controller_spec.rb
index be9df90c4..6adba4464 100644
--- a/spec/controllers/request_controller_spec.rb
+++ b/spec/controllers/request_controller_spec.rb
@@ -1254,6 +1254,20 @@ describe RequestController, "describe_state_requires_admin" do
 end
 end
 
+ context "logged in but not owner of request" do
+ it "should not allow you to change the state" do
+ info_request = info_requests(:fancy_dog_request)
+ session[:user_id] = users(:silly_name_user).id
+ info_request.user_id.should_not == users(:silly_name_user).id
+
+ InfoRequest.should_receive(:find_by_url_title!).with("info_request").and_return(info_request)
+ info_request.should_not_receive(:set_described_state)
+
+ post :describe_state_requires_admin, :message => "Something weird happened", :url_title => "info_request"
+ response.should render_template('user/wrong_user')
+ end
+ end
+
 context "logged out" do
 it "should redirect to the login page" do
 info_request = info_requests(:fancy_dog_request)
--
cgit v1.2.3
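Review bot: The "logged in but not owner of request" example proves the denial only through `info_request.should_not_receive(:set_described_state)` and the rendered `user/wrong_user` template, so a controller that changed the request through any other call would still pass this spec. Asserting on the outcome as well would make it a stronger authorization regression test, for instance `info_request.reload.described_state.should == state_before` after the `post` (assuming the model persists the state in a `described_state` attribute), plus a check that no notification mail was queued if this action normally sends one. The precondition line checks ownership only; if the access check also admits privileged users, it is worth pinning that `users(:silly_name_user)` is not one of them. The enclosing `describe` block opens and closes outside the hunk, so any shared setup is not visible here.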