Admins can't edit the board in general

This commit is contained in:
Jorge Manrubia
2025-11-12 11:41:46 +01:00
parent 9903a37243
commit 9c77ad6029
2 changed files with 17 additions and 11 deletions
+3 -11
View File
@@ -2,7 +2,7 @@ class BoardsController < ApplicationController
include FilterScoped
before_action :set_board, except: %i[ new create ]
before_action :ensure_permission_to_change_accesses, only: %i[ update ]
before_action :ensure_permission_to_admin_board, only: %i[ update ]
def show
if @filter.used?(ignore_boards: true)
@@ -48,20 +48,12 @@ class BoardsController < ApplicationController
@board = Current.user.boards.find params[:id]
end
def ensure_permission_to_change_accesses
if trying_to_change_accesses? && !Current.user.can_administer_board?(@board)
def ensure_permission_to_admin_board
unless Current.user.can_administer_board?(@board)
head :forbidden
end
end
def trying_to_change_accesses?
all_access_changed? || grantees_changed?
end
def all_access_changed?
params[:board]&.key?(:all_access)
end
def grantees_changed?
params.key?(:user_ids)
end
@@ -122,4 +122,18 @@ class BoardsControllerTest < ActionDispatch::IntegrationTest
assert_response :forbidden
assert_equal original_users, board.reload.users.sort
end
test "non-admin cannot change board name on board they don't own" do
logout_and_sign_in_as :jz
board = boards(:writebook)
original_name = board.name
patch board_path(board), params: {
board: { name: "Hacked Board Name" }
}
assert_response :forbidden
assert_equal original_name, board.reload.name
end
end