Ensure only admins/creators can publish boards

This commit is contained in:
Jorge Manrubia
2025-11-12 11:48:35 +01:00
parent 39c88cf188
commit 872537f02c
5 changed files with 43 additions and 7 deletions
@@ -8,12 +8,6 @@ class Boards::EntropiesController < ApplicationController
end
private
def ensure_permission_to_admin_board
unless Current.user.can_administer_board?(@board)
head :forbidden
end
end
def entropy_params
params.expect(board: [ :auto_postpone_period ])
end
@@ -1,6 +1,8 @@
class Boards::PublicationsController < ApplicationController
include BoardScoped
before_action :ensure_permission_to_admin_board
def create
@board.publish
end
+6
View File
@@ -9,4 +9,10 @@ module BoardScoped
def set_board
@board = Current.user.boards.find(params[:board_id])
end
def ensure_permission_to_admin_board
unless Current.user.can_administer_board?(@board)
head :forbidden
end
end
end
@@ -13,4 +13,15 @@ class Boards::EntropiesControllerTest < ActionDispatch::IntegrationTest
assert_turbo_stream action: :replace, target: dom_id(@board, :entropy)
end
test "update requires board admin permission" do
logout_and_sign_in_as :jz
original_period = @board.entropy.auto_postpone_period
put board_entropy_path(@board, format: :turbo_stream), params: { board: { auto_postpone_period: 1.day } }
assert_response :forbidden
assert_equal original_period, @board.entropy.reload.auto_postpone_period
end
end
@@ -21,9 +21,32 @@ class Boards::PublicationsControllerTest < ActionDispatch::IntegrationTest
assert @board.published?
assert_changes -> { @board.reload.published? }, from: true, to: false do
delete board_publication_path(@board, format: :turbo_streamn)
delete board_publication_path(@board, format: :turbo_stream)
end
assert_turbo_stream action: :replace, target: dom_id(@board, :publication)
end
test "publish requires board admin permission" do
logout_and_sign_in_as :jz
assert_not @board.published?
post board_publication_path(@board, format: :turbo_stream)
assert_response :forbidden
assert_not @board.reload.published?
end
test "unpublish requires board admin permission" do
logout_and_sign_in_as :jz
@board.publish
assert @board.published?
delete board_publication_path(@board, format: :turbo_stream)
assert_response :forbidden
assert @board.reload.published?
end
end