Hide links without permission

kfischer-okarin · kfischer-okarin · commit 2a44682b8abc · 2021-02-15T13:44:14.000+09:00
diff --git a/app/views/wiki/show.html.erb b/app/views/wiki/show.html.erb
@@ -15,9 +15,11 @@
       <%= link_to_if_authorized(l(:button_lock), {:action => 'protect', :id => @page.title, :protected => 1}, :method => :post, :class => 'icon icon-lock') if !@page.protected? %>
       <%= link_to_if_authorized(l(:button_unlock), {:action => 'protect', :id => @page.title, :protected => 0}, :method => :post, :class => 'icon icon-unlock') if @page.protected? %>
       <%= link_to_if_authorized(l(:button_rename), {:action => 'rename', :id => @page.title}, :class => 'icon icon-move') %>
-      <% @redirects_to_self.map { |redirect| %>
-        <%= link_to("Delete redirect from #{WikiPage.pretty_title(redirect.title)}", {:controller => 'wiki_redirects', :action => 'destroy', :project_id => @project.identifier, :wiki_page_id => @page.title, :id => redirect.id}, :method => :delete, :class => 'icon icon-link-break') %>
-      <% } %>
+      <% if User.current.allowed_to?(:rename_wiki_pages, @project) %>
+        <% @redirects_to_self.map { |redirect| %>
+          <%= link_to("Delete redirect from #{WikiPage.pretty_title(redirect.title)}", {:controller => 'wiki_redirects', :action => 'destroy', :project_id => @project.identifier, :wiki_page_id => @page.title, :id => redirect.id}, :method => :delete, :class => 'icon icon-link-break') %>
+        <% } %>
+      <% end %>
       <%= link_to_if_authorized(l(:button_delete), {:action => 'destroy', :id => @page.title}, :method => :delete, :data => {:confirm => l(:text_are_you_sure)}, :class => 'icon icon-del') %>
     <% else %>
       <%= link_to_if_authorized(l(:button_rollback), {:action => 'edit', :id => @page.title, :version => @content.version }, :class => 'icon icon-cancel') %>
diff --git a/test/functional/wiki_controller_test.rb b/test/functional/wiki_controller_test.rb
@@ -211,6 +211,24 @@ def test_show_delete_redirect_links
     end
   end
 
+  def test_hide_delete_redirect_links_without_permission
+    @request.session[:user_id] = 2
+
+    wiki_page = WikiPage.find_by(title: 'CookBook_documentation')
+    wiki_page.title = 'Old_Cookbook'
+    wiki_page.save
+
+    project = wiki_page.wiki.project
+    role = User.find(2).members.find_by(project: project).roles.first
+    role.remove_permission! :rename_wiki_pages
+
+    get :show, :params => {:project_id => 'ecookbook', :id => 'Old_Cookbook'}
+
+    assert_select '.drdn-items' do
+      assert_select 'a.icon-link-break', count: 0
+    end
+  end
+
   def test_get_new
     @request.session[:user_id] = 2
 
