otwcode · lrequena27 · Dec 11, 2025 · Dec 11, 2025
diff --git a/app/controllers/works_controller.rb b/app/controllers/works_controller.rb
@@ -7,7 +7,7 @@ class WorksController < ApplicationController
   before_action :load_collection
   before_action :load_owner, only: [:index]
   before_action :users_only, except: [:index, :show, :navigate, :search, :collected, :edit_tags, :update_tags, :drafts, :share]
-  before_action :check_user_status, except: [:index, :edit, :edit_multiple, :confirm_delete_multiple, :delete_multiple, :confirm_delete, :destroy, :show, :show_multiple, :navigate, :search, :collected, :share]
+  before_action :check_user_status, except: [:index, :edit, :edit_multiple, :confirm_delete_multiple, :delete_multiple, :confirm_delete, :destroy, :show, :show_multiple, :navigate, :search, :collected, :share, :drafts]
   before_action :check_user_not_suspended, only: [:edit, :confirm_delete, :destroy, :show_multiple, :edit_multiple, :confirm_delete_multiple, :delete_multiple]
   before_action :load_work, except: [:new, :create, :import, :index, :show_multiple, :edit_multiple, :update_multiple, :delete_multiple, :search, :drafts, :collected]
   # this only works to check ownership of a SINGLE item and only if load_work has happened beforehand

diff --git a/spec/controllers/works/drafts_spec.rb b/spec/controllers/works/drafts_spec.rb
@@ -67,6 +67,34 @@
       end
     end
 
+    context "when logged in as a suspended user" do
+      before do
+        drafts_user.update!(suspended: true, suspended_until: 1.week.from_now)
+        fake_login_known_user(drafts_user)
+      end
+
+      it "allows them to view their drafts index" do
+        get :drafts, params: { user_id: drafts_user.login }
+        expect(response).to have_http_status(:ok)
+        expect(flash[:error]).to be_nil
+        expect(assigns(:works)).to contain_exactly(default_pseud_work, other_pseud_work)
+      end
+    end
+
+    context "when logged in as a banned user" do
+      before do
+        drafts_user.update!(banned: true)
+        fake_login_known_user(drafts_user)
+      end
+
+      it "allows them to view their drafts index" do
+        get :drafts, params: { user_id: drafts_user.login }
+        expect(response).to have_http_status(:ok)
+        expect(flash[:error]).to be_nil
+        expect(assigns(:works)).to contain_exactly(default_pseud_work, other_pseud_work)
+      end
+    end
+
     context "when logged in as another user" do
       before { fake_login }