Admins can't edit the board in general
This commit is contained in:
@@ -2,7 +2,7 @@ class BoardsController < ApplicationController
|
||||
include FilterScoped
|
||||
|
||||
before_action :set_board, except: %i[ new create ]
|
||||
before_action :ensure_permission_to_change_accesses, only: %i[ update ]
|
||||
before_action :ensure_permission_to_admin_board, only: %i[ update ]
|
||||
|
||||
def show
|
||||
if @filter.used?(ignore_boards: true)
|
||||
@@ -48,20 +48,12 @@ class BoardsController < ApplicationController
|
||||
@board = Current.user.boards.find params[:id]
|
||||
end
|
||||
|
||||
def ensure_permission_to_change_accesses
|
||||
if trying_to_change_accesses? && !Current.user.can_administer_board?(@board)
|
||||
def ensure_permission_to_admin_board
|
||||
unless Current.user.can_administer_board?(@board)
|
||||
head :forbidden
|
||||
end
|
||||
end
|
||||
|
||||
def trying_to_change_accesses?
|
||||
all_access_changed? || grantees_changed?
|
||||
end
|
||||
|
||||
def all_access_changed?
|
||||
params[:board]&.key?(:all_access)
|
||||
end
|
||||
|
||||
def grantees_changed?
|
||||
params.key?(:user_ids)
|
||||
end
|
||||
|
||||
@@ -122,4 +122,18 @@ class BoardsControllerTest < ActionDispatch::IntegrationTest
|
||||
assert_response :forbidden
|
||||
assert_equal original_users, board.reload.users.sort
|
||||
end
|
||||
|
||||
test "non-admin cannot change board name on board they don't own" do
|
||||
logout_and_sign_in_as :jz
|
||||
|
||||
board = boards(:writebook)
|
||||
original_name = board.name
|
||||
|
||||
patch board_path(board), params: {
|
||||
board: { name: "Hacked Board Name" }
|
||||
}
|
||||
|
||||
assert_response :forbidden
|
||||
assert_equal original_name, board.reload.name
|
||||
end
|
||||
end
|
||||
|
||||
Reference in New Issue
Block a user