Test protecting controller paths

2026-04-03 13:30:02 +00:00 · 2015-10-30 07:51:35 -04:00
parent d1437a56af
commit 685c71ade9
9 changed files with 457 additions and 52 deletions
--- a/app/controllers/mats_controller.rb
+++ b/app/controllers/mats_controller.rb
@@ -1,6 +1,6 @@
 class MatsController < ApplicationController
  before_action :set_mat, only: [:show, :edit, :update, :destroy]
-  before_filter :check_access, only: [:new,:create,:update,:destroy]
+  before_filter :check_access, only: [:new,:create,:update,:destroy,:edit]

  # GET /mats/1
  # GET /mats/1.json
@@ -76,12 +76,15 @@ class MatsController < ApplicationController

    def check_access
 	if params[:tournament]
-	   @tournament = params[:tournament]
-	else
+	   @tournament = Tournament.find(params[:tournament])
+	elsif params[:mat]
+	   @mat = Mat.new(mat_params) 
+	   @tournament = Tournament.find(@mat.tournament_id)
+	elsif @mat
 	   @tournament = @mat.tournament
 	end
 	if current_user != @tournament.user
-	  redirect_to root_path
+	  redirect_to '/static_pages/not_allowed'
 	end
    end
 end
--- a/app/controllers/schools_controller.rb
+++ b/app/controllers/schools_controller.rb
@@ -80,12 +80,15 @@ class SchoolsController < ApplicationController

    def check_access
 	if params[:tournament]
-	   @tournament = params[:tournament]
-	else
+	   @tournament = Tournament.find(params[:tournament])
+	elsif params[:school]
+	   @school = School.new(school_params)
+	   @tournament = Tournament.find(@school.tournament_id)
+	elsif @school
 	   @tournament = @school.tournament
 	end
 	if current_user != @tournament.user
-	  redirect_to root_path
+	  redirect_to '/static_pages/not_allowed'
 	end
    end

--- a/app/controllers/weights_controller.rb
+++ b/app/controllers/weights_controller.rb
@@ -1,6 +1,6 @@
 class WeightsController < ApplicationController
  before_action :set_weight, only: [:show, :edit, :update, :destroy]
-  before_filter :check_access, only: [:new,:create,:update,:destroy]
+  before_filter :check_access, only: [:new,:create,:update,:destroy,:edit]


  # GET /weights/1
@@ -91,15 +91,19 @@ class WeightsController < ApplicationController
    def weight_params
      params.require(:weight).permit(:max, :tournament_id, :mat_id)
    end
-    def check_access
+   def check_access
 	if params[:tournament]
-	   @tournament = params[:tournament]
-	else
+	   @tournament = Tournament.find(params[:tournament])
+	elsif params[:weight]
+	   @weight = Weight.new(weight_params)
+	   @tournament = Tournament.find(@weight.tournament_id)
+	elsif @weight
 	   @tournament = @weight.tournament
 	end
 	if current_user != @tournament.user
-	  redirect_to root_path
+	  redirect_to '/static_pages/not_allowed'
 	end
    end

+
 end
--- a/app/controllers/wrestlers_controller.rb
+++ b/app/controllers/wrestlers_controller.rb
@@ -1,6 +1,6 @@
 class WrestlersController < ApplicationController
  before_action :set_wrestler, only: [:show, :edit, :update, :destroy]
-  before_filter :check_access, only: [:new,:create,:update,:destroy]
+  before_filter :check_access, only: [:new,:create,:update,:destroy,:edit]


  # GET /wrestlers/1
@@ -39,9 +39,6 @@ class WrestlersController < ApplicationController
  # POST /wrestlers.json
  def create
    @wrestler = Wrestler.new(wrestler_params)
-    if current_user != @wrestler.tournament.user
-	redirect_to root_path
-    end
    @school = School.find(wrestler_params[:school_id])
    respond_to do |format|
      if @wrestler.save
@@ -57,9 +54,6 @@ class WrestlersController < ApplicationController
  # PATCH/PUT /wrestlers/1
  # PATCH/PUT /wrestlers/1.json
  def update
-   if current_user != @wrestler.tournament.user
-	redirect_to root_path
-    end 
    @school = School.find(@wrestler.school_id)
    respond_to do |format|
      if @wrestler.update(wrestler_params)
@@ -75,9 +69,6 @@ class WrestlersController < ApplicationController
  # DELETE /wrestlers/1
  # DELETE /wrestlers/1.json
  def destroy
-   if current_user != @wrestler.tournament.user
-	redirect_to root_path
-    end 
    @school = School.find(@wrestler.school_id)
    @wrestler.destroy
    respond_to do |format|
@@ -97,14 +88,18 @@ class WrestlersController < ApplicationController
      params.require(:wrestler).permit(:name, :school_id, :weight_id, :seed, :original_seed, :season_win, :season_loss,:criteria,:extra,:offical_weight)
    end
    def check_access
-	if params[:tournament]
-	   @tournament = params[:tournament]
-	else
+	if params[:school]
+	   @school = School.find(params[:school])
+	   @tournament = Tournament.find(@school.tournament.id)
+	elsif params[:wrestler]
+	   @wrestler = Wrestler.new(wrestler_params)
+	   @school = School.find(@wrestler.school_id)
+	   @tournament = Tournament.find(@school.tournament.id)
+	elsif @wrestler
 	   @tournament = @wrestler.tournament
 	end
 	if current_user != @tournament.user
-	  redirect_to root_path
+	  redirect_to '/static_pages/not_allowed'
 	end
    end
-
 end