Make sure only admins or collection creators can toggle the all access setting
This commit is contained in:
@@ -2,6 +2,7 @@ class BoardsController < ApplicationController
|
||||
include FilterScoped
|
||||
|
||||
before_action :set_board, except: %i[ new create ]
|
||||
before_action :ensure_permission_to_change_all_access, only: %i[ update ]
|
||||
|
||||
def show
|
||||
if @filter.used?(ignore_boards: true)
|
||||
@@ -47,6 +48,16 @@ class BoardsController < ApplicationController
|
||||
@board = Current.user.boards.find params[:id]
|
||||
end
|
||||
|
||||
def ensure_permission_to_change_all_access
|
||||
if all_access_changed? && !Current.user.can_administer_board?(@board)
|
||||
head :forbidden
|
||||
end
|
||||
end
|
||||
|
||||
def all_access_changed?
|
||||
params[:board]&.key?(:all_access)
|
||||
end
|
||||
|
||||
def show_filtered_cards
|
||||
@filter.board_ids = [ @board.id ]
|
||||
set_page_and_extract_portion_from @filter.cards
|
||||
|
||||
@@ -21,4 +21,8 @@ module User::Role
|
||||
def can_administer?(other = nil)
|
||||
admin? && other != self
|
||||
end
|
||||
|
||||
def can_administer_board?(board)
|
||||
admin? || board.creator == self
|
||||
end
|
||||
end
|
||||
|
||||
@@ -16,7 +16,7 @@
|
||||
<hr class="separator--horizontal flex-item-grow" style="--border-color: var(--color-ink-medium); --border-style: dashed" aria-hidden="true" />
|
||||
|
||||
<label for="board_all_access" class="switch">
|
||||
<%= form.check_box :all_access, class: "switch__input", checked: board.all_access?, data: { action: "change->toggle-class#toggle" } %>
|
||||
<%= form.check_box :all_access, class: "switch__input", checked: board.all_access?, disabled: !Current.user.can_administer_board?(board), data: { action: "change->toggle-class#toggle" } %>
|
||||
<span class="switch__btn round"></span>
|
||||
<span class="for-screen-reader">Give everyone access to this board</span>
|
||||
</label>
|
||||
|
||||
@@ -95,4 +95,17 @@ class BoardsControllerTest < ActionDispatch::IntegrationTest
|
||||
assert_redirected_to root_path
|
||||
assert_raises(ActiveRecord::RecordNotFound) { board.reload }
|
||||
end
|
||||
|
||||
test "non-admin cannot change all_access on board they don't own" do
|
||||
Session.destroy_all
|
||||
sign_in_as :jz
|
||||
|
||||
board = boards(:writebook)
|
||||
original_all_access = board.all_access
|
||||
|
||||
patch board_path(board), params: { board: { all_access: !original_all_access } }
|
||||
|
||||
assert_response :forbidden
|
||||
assert_equal original_all_access, board.reload.all_access
|
||||
end
|
||||
end
|
||||
|
||||
@@ -7,4 +7,23 @@ class User::RoleTest < ActiveSupport::TestCase
|
||||
assert_not users(:kevin).can_administer?(users(:kevin))
|
||||
assert_not users(:jz).can_administer?(users(:kevin))
|
||||
end
|
||||
|
||||
test "can administer board?" do
|
||||
writebook_board = boards(:writebook)
|
||||
private_board = boards(:private)
|
||||
|
||||
# Admin can administer any board
|
||||
assert users(:kevin).can_administer_board?(writebook_board)
|
||||
assert users(:kevin).can_administer_board?(private_board)
|
||||
|
||||
# Creator can administer their own board
|
||||
assert users(:david).can_administer_board?(writebook_board)
|
||||
|
||||
# Regular user cannot administer boards they didn't create
|
||||
assert_not users(:jz).can_administer_board?(writebook_board)
|
||||
assert_not users(:jz).can_administer_board?(private_board)
|
||||
|
||||
# Creator cannot administer other people's boards
|
||||
assert_not users(:david).can_administer_board?(private_board)
|
||||
end
|
||||
end
|
||||
|
||||
Reference in New Issue
Block a user