03c5533cf0
For the longest time, we've disabled the buttons to vote via web when people had already voted in a booth. However, we were still allowing HTTP requests to the actions to vote via web. So we're adding a condition to prevent it. The reason why we're changing the controller instead of the abilities model (which is what we usually do) is that there might be side-effects to the change. For instance, in the `Polls::PollComponent` class, there's an `elsif cannot?(:answer, poll)` condition which would have a different behavior if we changed the abilities model.
46 lines
1.3 KiB
Ruby
46 lines
1.3 KiB
Ruby
require "rails_helper"
|
|
|
|
describe PollsController do
|
|
describe "GET index" do
|
|
it "raises an exception when the feature is disabled" do
|
|
Setting["process.polls"] = false
|
|
|
|
expect { get :index }.to raise_exception(FeatureFlags::FeatureDisabled)
|
|
end
|
|
end
|
|
|
|
describe "POST answer" do
|
|
it "doesn't create duplicate records on simultaneous requests", :race_condition do
|
|
question = create(:poll_question_multiple, :abc)
|
|
sign_in(create(:user, :level_two))
|
|
|
|
2.times.map do
|
|
Thread.new do
|
|
post :answer, params: {
|
|
id: question.poll.id,
|
|
web_vote: {
|
|
question.id.to_s => { option_id: question.question_options.find_by(title: "Answer A").id }
|
|
}
|
|
}
|
|
rescue AbstractController::DoubleRenderError
|
|
end
|
|
end.each(&:join)
|
|
|
|
expect(Poll::Answer.count).to eq 1
|
|
end
|
|
|
|
it "denies access when users have already voted in a booth" do
|
|
poll = create(:poll)
|
|
user = create(:user, :level_two)
|
|
create(:poll_voter, :from_booth, poll: poll, user: user)
|
|
|
|
sign_in(user)
|
|
|
|
post :answer, params: { id: poll.id, web_vote: {}}
|
|
|
|
expect(response).to redirect_to "/"
|
|
expect(flash[:alert]).to eq "You do not have permission to access this page."
|
|
end
|
|
end
|
|
end
|