From c63eb64565064ddbefbe2ec48166e32e518797dc Mon Sep 17 00:00:00 2001
From: Skud <skud@infotrope.net>
Date: Fri, 31 May 2013 23:35:07 +1000
Subject: [PATCH] photo and planting owners must match

---
 app/controllers/photos_controller.rb       |  9 +++++-
 spec/controllers/photos_controller_spec.rb | 32 ++++++++++++++++++++--
 2 files changed, 38 insertions(+), 3 deletions(-)

diff --git a/app/controllers/photos_controller.rb b/app/controllers/photos_controller.rb
index 0280734a1..41348cb1e 100644
--- a/app/controllers/photos_controller.rb
+++ b/app/controllers/photos_controller.rb
@@ -51,10 +51,17 @@ class PhotosController < ApplicationController
       Photo.new(params[:photo])
     @photo.owner_id = current_member.id
     @photo.set_flickr_metadata
+
     if params[:planting_id]
       planting = Planting.find_by_id(params[:planting_id])
       if planting
-        @photo.plantings << planting
+        if planting.owner.id == current_member.id
+          @photo.plantings << planting
+        else
+          flash[:alert] = "You must own both the planting and the photo."
+        end
+      else
+        flash[:alert] = "Couldn't find planting to connect to photo."
       end
     end
 
diff --git a/spec/controllers/photos_controller_spec.rb b/spec/controllers/photos_controller_spec.rb
index 569463c02..efb7a651d 100644
--- a/spec/controllers/photos_controller_spec.rb
+++ b/spec/controllers/photos_controller_spec.rb
@@ -96,8 +96,12 @@ describe PhotosController do
       end
 
       it "attaches the photo to a planting" do
-        planting = FactoryGirl.create(:planting)
-        post :create, {:photo => { :flickr_photo_id => 1 },
+        member = FactoryGirl.create(:member)
+        controller.stub(:current_member) { member }
+        garden = FactoryGirl.create(:garden, :owner => member)
+        planting = FactoryGirl.create(:planting, :garden => garden)
+        photo = FactoryGirl.create(:photo, :owner => member)
+        post :create, {:photo => { :flickr_photo_id => photo.flickr_photo_id },
           :planting_id => planting.id }
         Photo.last.plantings.first.should eq planting
       end
@@ -114,6 +118,30 @@ describe PhotosController do
       end
     end
 
+    describe "with matching owners" do
+      it "creates the planting/photo link" do
+        member = FactoryGirl.create(:member)
+        controller.stub(:current_member) { member }
+        garden = FactoryGirl.create(:garden, :owner => member)
+        planting = FactoryGirl.create(:planting, :garden => garden)
+        photo = FactoryGirl.create(:photo, :owner => member)
+        post :create, {:photo => { :flickr_photo_id => photo.flickr_photo_id },
+          :planting_id => planting.id }
+        Photo.last.plantings.first.should eq planting
+      end
+    end
+
+    describe "with mismatched owners" do
+      it "creates the planting/photo link" do
+        # members will be auto-created, and different
+        planting = FactoryGirl.create(:planting)
+        photo = FactoryGirl.create(:photo)
+        post :create, {:photo => { :flickr_photo_id => photo.flickr_photo_id },
+          :planting_id => planting.id }
+        Photo.last.plantings.first.should_not eq planting
+      end
+    end
+
     describe "with invalid params" do
       it "assigns a newly created but unsaved photo as @photo" do
         # Trigger the behavior that occurs when invalid params are submitted