From 9c77ad6029cbdb620fe99edae681842910150654 Mon Sep 17 00:00:00 2001 From: Jorge Manrubia Date: Wed, 12 Nov 2025 11:41:46 +0100 Subject: [PATCH] Admins can't edit the board in general --- app/controllers/boards_controller.rb | 14 +++----------- test/controllers/boards_controller_test.rb | 14 ++++++++++++++ 2 files changed, 17 insertions(+), 11 deletions(-) diff --git a/app/controllers/boards_controller.rb b/app/controllers/boards_controller.rb index 4bff8dde4..70383e139 100644 --- a/app/controllers/boards_controller.rb +++ b/app/controllers/boards_controller.rb @@ -2,7 +2,7 @@ class BoardsController < ApplicationController include FilterScoped before_action :set_board, except: %i[ new create ] - before_action :ensure_permission_to_change_accesses, only: %i[ update ] + before_action :ensure_permission_to_admin_board, only: %i[ update ] def show if @filter.used?(ignore_boards: true) @@ -48,20 +48,12 @@ class BoardsController < ApplicationController @board = Current.user.boards.find params[:id] end - def ensure_permission_to_change_accesses - if trying_to_change_accesses? && !Current.user.can_administer_board?(@board) + def ensure_permission_to_admin_board + unless Current.user.can_administer_board?(@board) head :forbidden end end - def trying_to_change_accesses? - all_access_changed? || grantees_changed? - end - - def all_access_changed? - params[:board]&.key?(:all_access) - end - def grantees_changed? params.key?(:user_ids) end diff --git a/test/controllers/boards_controller_test.rb b/test/controllers/boards_controller_test.rb index 14f573780..41cbb557e 100644 --- a/test/controllers/boards_controller_test.rb +++ b/test/controllers/boards_controller_test.rb @@ -122,4 +122,18 @@ class BoardsControllerTest < ActionDispatch::IntegrationTest assert_response :forbidden assert_equal original_users, board.reload.users.sort end + + test "non-admin cannot change board name on board they don't own" do + logout_and_sign_in_as :jz + + board = boards(:writebook) + original_name = board.name + + patch board_path(board), params: { + board: { name: "Hacked Board Name" } + } + + assert_response :forbidden + assert_equal original_name, board.reload.name + end end