Add lecture file delete validation

hpi-swt2 · Jan 15, 2020 · 894ee73 · 894ee73
1 parent 22bd68c
commit 894ee73
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 9 deletions.
diff --git a/app/controllers/uploaded_files_controller.rb b/app/controllers/uploaded_files_controller.rb
@@ -63,10 +63,11 @@ def uploaded_file_params
 
     def validate_destroy_rights
       @uploaded_file = UploadedFile.find(params[:id])
-      unless current_user == @uploaded_file.author
-        unless (@uploaded_file.allowsUpload.class.name == "Course") && (@uploaded_file.allowsUpload.creator_id == current_user.id)
-          redirect_to (uploaded_files_url), notice: "You can't delete this file."
-        end
+      @owner = current_user == @uploaded_file.author
+      @course_file_and_course_owner = (@uploaded_file.allowsUpload.class == Course) && (@uploaded_file.allowsUpload.creator_id == current_user.id)
+      @lecture_file_and_lecture_owner = (@uploaded_file.allowsUpload.class == Lecture) && (@uploaded_file.allowsUpload.lecturer_id == current_user.id)
+      unless @owner || @course_file_and_course_owner || @lecture_file_and_lecture_owner
+        redirect_to (uploaded_files_url), notice: "You can't delete this file."
       end
     end
 end
diff --git a/spec/controllers/uploaded_files_controller_spec.rb b/spec/controllers/uploaded_files_controller_spec.rb
@@ -60,24 +60,49 @@
         @student = FactoryBot.create(:user, :student)
         @lecturer = FactoryBot.create(:user, :lecturer)
         @course = FactoryBot.create(:course, creator: @lecturer)
-        @lecture = FactoryBot.create(:lecture, lecturer: @lecturer, course: @course)
-        @lecturer_file = FactoryBot.create(:uploaded_file, author: @student, allowsUpload_id: @course.id, allowsUpload_type: "Course")
+        @student_file = FactoryBot.create(:uploaded_file, author: @student, allowsUpload: @course)
         sign_in @student
       end
 
     it "can be deleted by the owner" do
-      expect { post :destroy, params: { id: @lecturer_file[:id] } }.to change(UploadedFile, :count).by(-1)
+      expect { post :destroy, params: { id: @student_file[:id] } }.to change(UploadedFile, :count).by(-1)
     end
 
     it "can be deleted by the course owner" do
       sign_in @lecturer
-      expect { post :destroy, params: { id: @lecturer_file[:id] } }.to change(UploadedFile, :count).by(-1)
+      expect { post :destroy, params: { id: @student_file[:id] } }.to change(UploadedFile, :count).by(-1)
+    end
+
+    it "can't be deleted by someone else" do
+      @other_lecturer = FactoryBot.create(:user, :lecturer)
+      sign_in @other_lecturer
+      expect { post :destroy, params: { id: @student_file[:id] } }.to_not change(UploadedFile, :count)
+    end
+  end
+
+  context "having a file uploaded to a lecture as a student" do
+    before :each do
+        @student = FactoryBot.create(:user, :student)
+        @lecturer = FactoryBot.create(:user, :lecturer)
+        @course = FactoryBot.create(:course, creator: @lecturer)
+        @lecture = FactoryBot.create(:lecture, lecturer: @lecturer, course: @course)
+        @student_file = FactoryBot.create(:uploaded_file, author: @student, allowsUpload: @lecture)
+        sign_in @student
+      end
+
+    it "can be deleted by the owner" do
+      expect { post :destroy, params: { id: @student_file[:id] } }.to change(UploadedFile, :count).by(-1)
+    end
+
+    it "can be deleted by the lecture owner" do
+      sign_in @lecturer
+      expect { post :destroy, params: { id: @student_file[:id] } }.to change(UploadedFile, :count).by(-1)
     end
 
     it "can't be deleted by someone else" do
       @other_lecturer = FactoryBot.create(:user, :lecturer)
       sign_in @other_lecturer
-      expect { post :destroy, params: { id: @lecturer_file[:id] } }.to_not change(UploadedFile, :count)
+      expect { post :destroy, params: { id: @student_file[:id] } }.to_not change(UploadedFile, :count)
     end
   end
 end