From b7729401b4568479dc2028b494ffa46a909fcd6a Mon Sep 17 00:00:00 2001 From: Jorge Manrubia Date: Wed, 12 Nov 2025 11:33:41 +0100 Subject: [PATCH] Only admins can edit entropy --- app/controllers/account/entropies_controller.rb | 2 ++ test/controllers/accounts/entropies_controller_test.rb | 7 +++++++ 2 files changed, 9 insertions(+) diff --git a/app/controllers/account/entropies_controller.rb b/app/controllers/account/entropies_controller.rb index f45f3ef5f..00d195584 100644 --- a/app/controllers/account/entropies_controller.rb +++ b/app/controllers/account/entropies_controller.rb @@ -1,4 +1,6 @@ class Account::EntropiesController < ApplicationController + before_action :ensure_admin + def update Account.sole.entropy.update!(entropy_params) redirect_to account_settings_path, notice: "Account updated" diff --git a/test/controllers/accounts/entropies_controller_test.rb b/test/controllers/accounts/entropies_controller_test.rb index 9fda2c1ed..ef23851de 100644 --- a/test/controllers/accounts/entropies_controller_test.rb +++ b/test/controllers/accounts/entropies_controller_test.rb @@ -12,4 +12,11 @@ class Account::EntropiesControllerTest < ActionDispatch::IntegrationTest assert_redirected_to account_settings_path end + + test "update requires admin" do + logout_and_sign_in_as :david + + put account_entropy_path, params: { entropy: { auto_postpone_period: 1.day } } + assert_response :forbidden + end end