diff --git a/app/controllers/boards_controller.rb b/app/controllers/boards_controller.rb index 1e4233696..ff7c35ec0 100644 --- a/app/controllers/boards_controller.rb +++ b/app/controllers/boards_controller.rb @@ -2,7 +2,7 @@ class BoardsController < ApplicationController include FilterScoped before_action :set_board, except: %i[ new create ] - before_action :ensure_permission_to_admin_board, only: %i[ update ] + before_action :ensure_permission_to_admin_board, only: %i[ update destroy ] def show if @filter.used?(ignore_boards: true) diff --git a/test/controllers/boards_controller_test.rb b/test/controllers/boards_controller_test.rb index 3729f09c7..816a2e7b3 100644 --- a/test/controllers/boards_controller_test.rb +++ b/test/controllers/boards_controller_test.rb @@ -136,4 +136,13 @@ class BoardsControllerTest < ActionDispatch::IntegrationTest assert_response :forbidden assert_equal original_name, board.reload.name end + + test "non-admin cannot destroy board they don't own" do + logout_and_sign_in_as :jz + + board = boards(:writebook) + delete board_path(board) + + assert_response :forbidden + end end