Make sure only admins or collection creators can toggle the all access setting

This commit is contained in:
Jorge Manrubia
2025-11-05 15:51:19 +01:00
parent 26df0095bc
commit 193cc26a98
5 changed files with 48 additions and 1 deletions
+11
View File
@@ -2,6 +2,7 @@ class BoardsController < ApplicationController
include FilterScoped
before_action :set_board, except: %i[ new create ]
before_action :ensure_permission_to_change_all_access, only: %i[ update ]
def show
if @filter.used?(ignore_boards: true)
@@ -47,6 +48,16 @@ class BoardsController < ApplicationController
@board = Current.user.boards.find params[:id]
end
def ensure_permission_to_change_all_access
if all_access_changed? && !Current.user.can_administer_board?(@board)
head :forbidden
end
end
def all_access_changed?
params[:board]&.key?(:all_access)
end
def show_filtered_cards
@filter.board_ids = [ @board.id ]
set_page_and_extract_portion_from @filter.cards
+4
View File
@@ -21,4 +21,8 @@ module User::Role
def can_administer?(other = nil)
admin? && other != self
end
def can_administer_board?(board)
admin? || board.creator == self
end
end
+1 -1
View File
@@ -16,7 +16,7 @@
<hr class="separator--horizontal flex-item-grow" style="--border-color: var(--color-ink-medium); --border-style: dashed" aria-hidden="true" />
<label for="board_all_access" class="switch">
<%= form.check_box :all_access, class: "switch__input", checked: board.all_access?, data: { action: "change->toggle-class#toggle" } %>
<%= form.check_box :all_access, class: "switch__input", checked: board.all_access?, disabled: !Current.user.can_administer_board?(board), data: { action: "change->toggle-class#toggle" } %>
<span class="switch__btn round"></span>
<span class="for-screen-reader">Give everyone access to this board</span>
</label>
@@ -95,4 +95,17 @@ class BoardsControllerTest < ActionDispatch::IntegrationTest
assert_redirected_to root_path
assert_raises(ActiveRecord::RecordNotFound) { board.reload }
end
test "non-admin cannot change all_access on board they don't own" do
Session.destroy_all
sign_in_as :jz
board = boards(:writebook)
original_all_access = board.all_access
patch board_path(board), params: { board: { all_access: !original_all_access } }
assert_response :forbidden
assert_equal original_all_access, board.reload.all_access
end
end
+19
View File
@@ -7,4 +7,23 @@ class User::RoleTest < ActiveSupport::TestCase
assert_not users(:kevin).can_administer?(users(:kevin))
assert_not users(:jz).can_administer?(users(:kevin))
end
test "can administer board?" do
writebook_board = boards(:writebook)
private_board = boards(:private)
# Admin can administer any board
assert users(:kevin).can_administer_board?(writebook_board)
assert users(:kevin).can_administer_board?(private_board)
# Creator can administer their own board
assert users(:david).can_administer_board?(writebook_board)
# Regular user cannot administer boards they didn't create
assert_not users(:jz).can_administer_board?(writebook_board)
assert_not users(:jz).can_administer_board?(private_board)
# Creator cannot administer other people's boards
assert_not users(:david).can_administer_board?(private_board)
end
end