From 93929f2c076bb59d7dd3c1bdb1a9a7d0952e557f Mon Sep 17 00:00:00 2001
From: cryptogopher
Date: Mon, 15 Jan 2024 01:07:45 +0100
Subject: [PATCH] Change User#disguise/revert to GET
---
 config/routes.rb | 4 ++--
 test/system/users_test.rb | 17 ++++++++++-------
 2 files changed, 12 insertions(+), 9 deletions(-)
diff --git a/config/routes.rb b/config/routes.rb
index bc359e6..2535626 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -6,10 +6,10 @@ Rails.application.routes.draw do
 resources :users, only: [:index, :show, :update] do
 member do
- post :disguise
+ get :disguise
 end
 collection do
- post :revert
+ get :revert
 end
 end
diff --git a/test/system/users_test.rb b/test/system/users_test.rb
index 8a59e71..ed52d30 100644
--- a/test/system/users_test.rb
+++ b/test/system/users_test.rb
@@ -118,7 +118,7 @@ class UsersTest < ApplicationSystemTestCase
 assert_link user.email
 end
- test "disguise disallowed" do
+ test "disguise fails for admin when disallowed" do
 user = users.select(&:admin?).select(&:confirmed?).sample
 sign_in user: user
@@ -126,12 +126,15 @@ class UsersTest < ApplicationSystemTestCase
 text = t("users.index.disguise")
 # Pick row without 'disguise' button
 undisguisable = all(:xpath, "//tbody//tr[not(descendant::*[contains(text(),\"#{text}\")])]")
- within undisguisable.sample do |tr|
- inject_button_to tr.find('td:last-child'), text,
- disguise_user_path(User.find_by_email!(first(:link).text))
- click_on text
- end
- assert_title "Bad request received (400)"
+ user_email = undisguisable.sample.first(:link).text
+ visit disguise_user_path(User.find_by_email!(user_email))
+ assert_title 'The change you wanted was rejected (422)'
+ end
+
+ test "disguise forbidden for non admin" do
+ sign_in user: users.reject(&:admin?).select(&:confirmed?).sample
+ visit disguise_user_path(User.all.sample)
+ assert_title 'Access is forbidden to this page (403)'
 end
 test "delete profile" do
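Review bot: Switching `disguise` and `revert` to `get` in `config/routes.rb` puts an identity-changing action behind a verb that Rails' `protect_from_forgery` does not verify (the authenticity token is only checked on non-GET requests), so any link, image tag or browser prefetch that reaches `/users/:id/disguise` in an admin's session would trigger it. I would keep `post :disguise` and `post :revert` and drive them from the view with `button_to`; if GET is required for a reason the commit message does not state, that reason should be documented next to the routes and the controller action should verify a token itself. The `Rails.application.routes.draw` block starts and ends outside this hunk, and the controller is not shown, so whether it carries its own protection cannot be seen from here.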
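Review bot: In `test "disguise forbidden for non admin"`, `User.all.sample` can return the signed-in user, so the 403 assertion does not reliably cover a non-admin targeting a different account, and a random target makes a failure hard to reproduce. Binding the actor and excluding it would pin the case: `user = users.reject(&:admin?).select(&:confirmed?).sample`, `sign_in user: user`, `visit disguise_user_path(User.where.not(id: user.id).sample)`. Both new tests also assert only the error page title; an additional assertion that the session still belongs to the original user would catch a regression where the disguise takes effect before the error page is rendered. The body of the first test starts above this hunk.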