diff --git a/lib/cadet_web/router.ex b/lib/cadet_web/router.ex
index 81bb0e4f0..9c73f21da 100644
--- a/lib/cadet_web/router.ex
+++ b/lib/cadet_web/router.ex
@@ -136,6 +136,7 @@ defmodule CadetWeb.Router do
   scope "/v2/courses/:course_id/admin", CadetWeb do
     pipe_through([:api, :auth, :ensure_auth, :course, :ensure_admin])
 
+    get("/assets/:foldername", AdminAssetsController, :index)
     post("/assets/:foldername/*filename", AdminAssetsController, :upload)
     delete("/assets/:foldername/*filename", AdminAssetsController, :delete)
 
@@ -188,8 +189,6 @@ defmodule CadetWeb.Router do
       :get_score_leaderboard
     )
 
-    get("/assets/:foldername", AdminAssetsController, :index)
-
     get("/grading", AdminGradingController, :index)
     get("/grading/summary", AdminGradingController, :grading_summary)
 
diff --git a/test/cadet_web/admin_controllers/admin_assets_controller_test.exs b/test/cadet_web/admin_controllers/admin_assets_controller_test.exs
index a8cdca368..95c689cba 100644
--- a/test/cadet_web/admin_controllers/admin_assets_controller_test.exs
+++ b/test/cadet_web/admin_controllers/admin_assets_controller_test.exs
@@ -68,12 +68,13 @@ defmodule CadetWeb.AdminAssetsControllerTest do
     end
   end
 
-  describe "read-only permission for non-admin staff" do
+  describe "non-admin staff permission, forbidden" do
     @tag authenticate: :staff
     test "GET /assets/:foldername", %{conn: conn} do
       course_id = conn.assigns.course_id
       conn = get(conn, build_url(course_id, "testFolder"), %{})
-      assert response(conn, 200) =~ "OK"
+
+      assert response(conn, 403) =~ "Forbidden"
     end
 
     @tag authenticate: :staff
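Review bot: The asset index now sits behind `:ensure_admin` next to upload and delete, but nothing in the router records why listing was tightened, so a later refactor could quietly move it back to the staff scope the second hunk removes it from; a one-line comment above the added `get` would pin the intent: `# Listing, upload and delete of course assets are admin-only; non-admin staff receive 403.` The enclosing `scope` block starts and ends outside this hunk, so I cannot confirm from here that no other scope still routes to `AdminAssetsController :index` for non-admins — worth a quick search before merging. Note also that the adjacent `*filename` glob accepts any number of path segments, including `..`; this commit does not change that, but if the controller (not shown) joins it onto a storage prefix without normalising, the admin-only boundary is the only thing standing between an operator and the parent folder.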
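Review bot: The rewritten test pins the 403 only for `:staff`, which is the role that lost access; the other side of the `:ensure_admin` boundary (a student, or a user outside the course) is not exercised in this hunk, and if the file has no such case elsewhere the same request with `@tag authenticate: :student` asserting `response(conn, 403)` would cover it. The `describe` block continues past the hunk — the trailing `@tag authenticate: :staff` is visible but the test it decorates is not, so the upload/delete denials for staff may or may not be asserted. Matching the body with `=~ "Forbidden"` ties the test to what is presumably the plug's exact message; `assert response(conn, 403)` alone proves the denial with less brittleness.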