Change User#disguise/revert to GET

2024-01-15 01:07:45 +01:00 · 2024-01-15 01:07:45 +01:00 · 93929f2c07
commit 93929f2c07
parent a35314e6be
2 changed files with 12 additions and 9 deletions
--- a/config/routes.rb
+++ b/config/routes.rb
@ -6,10 +6,10 @@ Rails.application.routes.draw do

  resources :users, only: [:index, :show, :update] do
    member do
-      post :disguise
+      get :disguise
    end
    collection do
-      post :revert
+      get :revert
    end
  end

--- a/test/system/users_test.rb
+++ b/test/system/users_test.rb
@ -118,7 +118,7 @@ class UsersTest < ApplicationSystemTestCase
    assert_link user.email
  end

-  test "disguise disallowed" do
+  test "disguise fails for admin when disallowed" do
    user = users.select(&:admin?).select(&:confirmed?).sample
    sign_in user: user

@ -126,12 +126,15 @@ class UsersTest < ApplicationSystemTestCase
    text = t("users.index.disguise")
    # Pick row without 'disguise' button
    undisguisable = all(:xpath, "//tbody//tr[not(descendant::*[contains(text(),\"#{text}\")])]")
-    within undisguisable.sample do |tr|
-      inject_button_to tr.find('td:last-child'), text,
-        disguise_user_path(User.find_by_email!(first(:link).text))
-      click_on text
-    end
-    assert_title "Bad request received (400)"
+    user_email = undisguisable.sample.first(:link).text
+    visit disguise_user_path(User.find_by_email!(user_email))
+    assert_title 'The change you wanted was rejected (422)'
+  end
+
+  test "disguise forbidden for non admin" do
+    sign_in user: users.reject(&:admin?).select(&:confirmed?).sample
+    visit disguise_user_path(User.all.sample)
+    assert_title 'Access is forbidden to this page (403)'
  end

  test "delete profile" do