From 07c9b1c98a104a88f6bd0c97b54a8783444a2ac4 Mon Sep 17 00:00:00 2001
From: Jeremy Benoist
Date: Fri, 22 Jan 2016 18:48:04 +0100
Subject: [PATCH] Fix permission to settings page
---
 app/config/security.yml | 2 +-
 .../Controller/SettingsControllerTest.php | 32 +++++++++++++++++++
 2 files changed, 33 insertions(+), 1 deletion(-)
 create mode 100644 src/Wallabag/CoreBundle/Tests/Controller/SettingsControllerTest.php
diff --git a/app/config/security.yml b/app/config/security.yml
index 6f20490b..7c10889f 100644
--- a/app/config/security.yml
+++ b/app/config/security.yml
@@ -57,5 +57,5 @@ security:
 - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
 - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
 - { path: /(unread|starred|archive).xml$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- - { path: ^/, roles: ROLE_USER }
 - { path: ^/settings, roles: ROLE_SUPER_ADMIN }
+ - { path: ^/, roles: ROLE_USER }
diff --git a/src/Wallabag/CoreBundle/Tests/Controller/SettingsControllerTest.php b/src/Wallabag/CoreBundle/Tests/Controller/SettingsControllerTest.php
new file mode 100644
index 00000000..354aedba
--- /dev/null
+++ b/src/Wallabag/CoreBundle/Tests/Controller/SettingsControllerTest.php
@@ -0,0 +1,32 @@
+logInAs('admin');
+ $client = $this->getClient();
+
+ $crawler = $client->request('GET', '/settings');
+
+ $this->assertEquals(200, $client->getResponse()->getStatusCode());
+ }
+
+ public function testSettingsWithNormalUser()
+ {
+ $this->logInAs('bob');
+ $client = $this->getClient();
+
+ $crawler = $client->request('GET', '/settings');
+
+ $this->assertEquals(403, $client->getResponse()->getStatusCode());
+ }
+}
-- 
2.41.0
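Review bot: The `^/settings` rule still sits below `/(unread|starred|archive).xml$`, which has no leading `^` and an unescaped `.`; because access_control applies the first matching entry, any path that merely ends in one of those names is handled by the anonymous rule before the ROLE_SUPER_ADMIN rule is consulted. Whether such a route exists under /settings is not visible here, so this is a hardening point: anchor the feed pattern to its real prefix, e.g. `^/<feed-prefix>/(unread|starred|archive)\.xml$` (placeholder prefix). A comment above the last entry, `# first matching rule wins: keep the ^/ catch-all last`, would keep this ordering fix from regressing. The access_control list starts outside the hunk.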
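Review bot: Both tests cover only authenticated users, so the unauthenticated case for `/settings` is untested; a third test that skips `logInAs()` and asserts the firewall's response would pin the rule end to end. The expected status is assumed to be a 302 redirect to the login form, which the firewall configuration (not shown) should confirm. `$crawler` is assigned but never read in both methods and can be dropped. The class header and the start of the first test method are missing from this page, so the base class set-up is inferred.

```php
    // … unchanged: testSettingsWithAdmin, testSettingsWithNormalUser …

    public function testSettingsWithAnonymousUser()
    {
        // No logInAs() call: the client stays unauthenticated.
        $client = $this->getClient();

        $client->request('GET', '/settings');

        // Assumed entry-point behaviour (redirect to login); adjust to the firewall config.
        $this->assertEquals(302, $client->getResponse()->getStatusCode());
    }
```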