Allow only people who can administer a board to delete it
This commit is contained in:
@@ -2,7 +2,7 @@ class BoardsController < ApplicationController
|
||||
include FilterScoped
|
||||
|
||||
before_action :set_board, except: %i[ new create ]
|
||||
before_action :ensure_permission_to_admin_board, only: %i[ update ]
|
||||
before_action :ensure_permission_to_admin_board, only: %i[ update destroy ]
|
||||
|
||||
def show
|
||||
if @filter.used?(ignore_boards: true)
|
||||
|
||||
@@ -136,4 +136,13 @@ class BoardsControllerTest < ActionDispatch::IntegrationTest
|
||||
assert_response :forbidden
|
||||
assert_equal original_name, board.reload.name
|
||||
end
|
||||
|
||||
test "non-admin cannot destroy board they don't own" do
|
||||
logout_and_sign_in_as :jz
|
||||
|
||||
board = boards(:writebook)
|
||||
delete board_path(board)
|
||||
|
||||
assert_response :forbidden
|
||||
end
|
||||
end
|
||||
|
||||
Reference in New Issue
Block a user