It was possible to remove a map location from a different proposal (even one created by a different author) by modifying the hidden `id` parameter in the form. So we're making sure the map location we destroy is the one associated with the proposal we're updating. Since we're now using the `@proposal` instance variable in the `destroy_map_location_association` method, we're calling that method after loading the resource with cancancan.
require "rails_helper"
# Controller specs for ProposalsController: feature-flag gating on the index
# action and an authorization regression test on the update action.
describe ProposalsController do
  describe "GET index" do
    it "raises an exception when the feature is disabled" do
      # With the proposals process switched off, the request itself must raise.
      Setting["process.proposals"] = false

      expect { get :index }.to raise_exception(FeatureFlags::FeatureDisabled)
    end
  end

  describe "PATCH update" do
    # The captcha timestamp check is turned off for these examples and turned
    # back on afterwards so the global setting does not leak into other specs.
    before do
      InvisibleCaptcha.timestamp_enabled = false
    end

    after do
      InvisibleCaptcha.timestamp_enabled = true
    end

    # Regression test for parameter tampering: the request updates one
    # proposal while passing the id of a map location that belongs to another
    # proposal. The update must only act on records owned by the proposal
    # being updated.
    # NOTE(review): presumably the factory gives each proposal its own author;
    # confirm, since the test only signs in the first proposal's author.
    it "does not delete other proposal's map location" do
      own_proposal = create(:proposal)
      bystander_proposal = create(:proposal, :with_map_location)

      sign_in(own_proposal.author)

      # Map location id taken from the proposal the request is NOT updating.
      foreign_location_id = bystander_proposal.map_location.id
      submitted_attributes = {
        map_location_attributes: { id: foreign_location_id },
        responsible_name: "Skinny Fingers"
      }

      patch :update, params: { proposal: submitted_attributes, id: own_proposal.id }

      # The legitimate part of the update is still applied...
      expect(own_proposal.reload.responsible_name).to eq "Skinny Fingers"
      # ...while the other proposal keeps its map location.
      expect(bystander_proposal.reload.map_location).not_to be nil
    end
  end
end