Allow only people who can administer a board to delete it

This commit is contained in:
Stanko K.R.
2025-12-03 10:56:05 +01:00
parent 297f727199
commit 702865873d
2 changed files with 10 additions and 1 deletions
+1 -1
View File
@@ -2,7 +2,7 @@ class BoardsController < ApplicationController
include FilterScoped
before_action :set_board, except: %i[ new create ]
before_action :ensure_permission_to_admin_board, only: %i[ update ]
before_action :ensure_permission_to_admin_board, only: %i[ update destroy ]
def show
if @filter.used?(ignore_boards: true)
@@ -136,4 +136,13 @@ class BoardsControllerTest < ActionDispatch::IntegrationTest
assert_response :forbidden
assert_equal original_name, board.reload.name
end
test "non-admin cannot destroy board they don't own" do
logout_and_sign_in_as :jz
board = boards(:writebook)
delete board_path(board)
assert_response :forbidden
end
end