Make sure only admins or collection creators can toggle the individual access settings
This commit is contained in:
@@ -2,7 +2,7 @@ class BoardsController < ApplicationController
|
||||
include FilterScoped
|
||||
|
||||
before_action :set_board, except: %i[ new create ]
|
||||
before_action :ensure_permission_to_change_all_access, only: %i[ update ]
|
||||
before_action :ensure_permission_to_change_accesses, only: %i[ update ]
|
||||
|
||||
def show
|
||||
if @filter.used?(ignore_boards: true)
|
||||
@@ -48,16 +48,24 @@ class BoardsController < ApplicationController
|
||||
@board = Current.user.boards.find params[:id]
|
||||
end
|
||||
|
||||
def ensure_permission_to_change_all_access
|
||||
if all_access_changed? && !Current.user.can_administer_board?(@board)
|
||||
def ensure_permission_to_change_accesses
|
||||
if trying_to_change_accesses? && !Current.user.can_administer_board?(@board)
|
||||
head :forbidden
|
||||
end
|
||||
end
|
||||
|
||||
def trying_to_change_accesses?
|
||||
all_access_changed? || grantees_changed?
|
||||
end
|
||||
|
||||
def all_access_changed?
|
||||
params[:board]&.key?(:all_access)
|
||||
end
|
||||
|
||||
def grantees_changed?
|
||||
params.key?(:user_ids)
|
||||
end
|
||||
|
||||
def show_filtered_cards
|
||||
@filter.board_ids = [ @board.id ]
|
||||
set_page_and_extract_portion_from @filter.cards
|
||||
@@ -83,8 +91,4 @@ class BoardsController < ApplicationController
|
||||
def grantee_ids
|
||||
params.fetch :user_ids, []
|
||||
end
|
||||
|
||||
def grantees_changed?
|
||||
params.key?(:user_ids)
|
||||
end
|
||||
end
|
||||
|
||||
@@ -10,10 +10,10 @@ module AccessesHelper
|
||||
toggle_class_toggle_class: "toggler--toggled" }, &
|
||||
end
|
||||
|
||||
def access_toggles_for(users, selected:)
|
||||
def access_toggles_for(users, selected:, disabled: false)
|
||||
render partial: "boards/access_toggle",
|
||||
collection: users, as: :user,
|
||||
locals: { selected: selected },
|
||||
locals: { selected: selected, disabled: disabled },
|
||||
cached: ->(user) { [ user, selected ] }
|
||||
end
|
||||
|
||||
|
||||
@@ -14,7 +14,7 @@
|
||||
<label class="switch toggler__visible-when-off flex-item-no-shrink">
|
||||
<% checkbox_data = { toggle_class_target: "checkbox" } %>
|
||||
<% checkbox_data[:boards_form_target] = "meCheckbox" if user == Current.user %>
|
||||
<%= check_box_tag "user_ids[]", user.id, selected, class: "switch__input", id: nil, data: checkbox_data %>
|
||||
<%= check_box_tag "user_ids[]", user.id, selected, class: "switch__input", id: nil, data: checkbox_data, disabled: disabled %>
|
||||
<span class="switch__btn round"></span>
|
||||
<span class="for-screen-reader">Give <%= user.name %> access</span>
|
||||
</label>
|
||||
|
||||
@@ -33,7 +33,7 @@
|
||||
</div>
|
||||
|
||||
<ul class="settings__user-list" data-filter-target="list">
|
||||
<%= access_toggles_for selected_users, selected: true %>
|
||||
<%= access_toggles_for unselected_users, selected: false %>
|
||||
<%= access_toggles_for selected_users, selected: true, disabled: !Current.user.can_administer_board?(board) %>
|
||||
<%= access_toggles_for unselected_users, selected: false, disabled: !Current.user.can_administer_board?(board) %>
|
||||
</ul>
|
||||
<% end %>
|
||||
|
||||
@@ -108,4 +108,20 @@ class BoardsControllerTest < ActionDispatch::IntegrationTest
|
||||
assert_response :forbidden
|
||||
assert_equal original_all_access, board.reload.all_access
|
||||
end
|
||||
|
||||
test "non-admin cannot change individual user accesses on board they don't own" do
|
||||
Session.destroy_all
|
||||
sign_in_as :jz
|
||||
|
||||
board = boards(:writebook)
|
||||
original_users = board.users.sort
|
||||
|
||||
patch board_path(board), params: {
|
||||
board: { name: board.name },
|
||||
user_ids: [ users(:jz).id ]
|
||||
}
|
||||
|
||||
assert_response :forbidden
|
||||
assert_equal original_users, board.reload.users.sort
|
||||
end
|
||||
end
|
||||
|
||||
Reference in New Issue
Block a user