Look at line 50 of posts_controller.rb:

  def require_ownership_or_moderator
    @user ||= User.find(params[:user_id])
    @post ||= Post.find(params[:id]) if params[:id]
    # Admins and mods always pass. Otherwise an existing post must belong to
    # current_user, and when there is no post (new/create) the user named in
    # the URL must be current_user.
    unless admin? || moderator? ||
           (@post && @post.user.eql?(current_user)) ||
           (!@post && @user && @user.eql?(current_user))
      redirect_to :controller => 'sessions', :action => 'new' and return false
    end
    return @user
  end

Specifically: (!@post && @user && @user.eql?(current_user))
If there's no post and there is a @user (set on line 51) and the @user is
the same as the logged-in user (current_user), then the method returns true.
This prevents you from logging in as quentin and going to /aaron/posts/new
and creating a post for aaron.

> 1) Why do these tests pass (and by the way, they DON'T pass for me now, but
> when I installed CE all the tests pass)?
>
If you have failing tests on a blank CE install from master, please report
them in lighthouse.


> 2) furthermore, the code makes no sense.  Why should moderators be required
> for the :create method?  These are posts, not forums.
>
It makes perfect sense. Admins and mods can create posts for other users (so
an admin/mod *can* go to /anyuser/posts/new), but normal users can only
create posts for themselves (/myusername/posts/new).

-- 
You received this message because you are subscribed to the Google Groups 
"CommunityEngine" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to 
[email protected].
For more options, visit this group at 
http://groups.google.com/group/communityengine?hl=en.
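To make the three branches of that filter easy to check outside Rails, here is an added plain-Ruby model of the rule (example code, not CommunityEngine's own); the User/Post structs, the role flags and the request scenarios are constructed stand-ins for the real models and routes.

```ruby
# Constructed stand-ins for the Rails models: a user has a login and a role,
# a post belongs to a user. Struct#eql? compares by value, like the filter's
# @user.eql?(current_user) check on loaded records.
User = Struct.new(:login, :role) do
  def admin?;     role == :admin;     end
  def moderator?; role == :moderator; end
end
Post = Struct.new(:id, :user)

# Mirrors require_ownership_or_moderator: admins/mods always pass; an existing
# post must belong to the logged-in user; with no post (new/create) the user
# named in the URL (/:user_id/posts/new) must be the logged-in user.
def ownership_or_moderator?(current_user, url_user, post = nil)
  return true if current_user.admin? || current_user.moderator?
  return post.user.eql?(current_user) if post
  !url_user.nil? && url_user.eql?(current_user)
end

AARON       = User.new('aaron',   :member)
QUENTIN     = User.new('quentin', :member)
MOD         = User.new('mod',     :moderator)
AARONS_POST = Post.new(1, AARON)

# Constructed requests: [current_user, user named in the URL, post if any].
# The last case shows that naming yourself in the URL does not bypass the
# ownership check once a post id is present.
SCENARIOS = {
  'quentin at /aaron/posts/new'            => [QUENTIN, AARON,   nil],
  'aaron at /aaron/posts/new'              => [AARON,   AARON,   nil],
  'mod at /aaron/posts/new'                => [MOD,     AARON,   nil],
  'quentin editing aaron post 1'           => [QUENTIN, AARON,   AARONS_POST],
  'aaron editing aaron post 1'             => [AARON,   AARON,   AARONS_POST],
  'quentin editing aaron post 1 via /quentin/posts/1' => [QUENTIN, QUENTIN, AARONS_POST],
}

# Returns { scenario name => true (allowed) / false (redirected to login) }.
def decisions
  SCENARIOS.transform_values { |(cu, uu, p)| ownership_or_moderator?(cu, uu, p) }
end

if __FILE__ == $0
  decisions.each { |name, ok| puts "#{ok ? 'allow' : 'redirect to login'}: #{name}" }
end
```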