Make sure only admins or collection creators can toggle the individual access settings

This commit is contained in:
Jorge Manrubia
2025-11-05 16:04:25 +01:00
parent 193cc26a98
commit de8e861712
5 changed files with 32 additions and 12 deletions
+11 -7
View File
@@ -2,7 +2,7 @@ class BoardsController < ApplicationController
include FilterScoped
before_action :set_board, except: %i[ new create ]
before_action :ensure_permission_to_change_all_access, only: %i[ update ]
before_action :ensure_permission_to_change_accesses, only: %i[ update ]
def show
if @filter.used?(ignore_boards: true)
@@ -48,16 +48,24 @@ class BoardsController < ApplicationController
@board = Current.user.boards.find params[:id]
end
def ensure_permission_to_change_all_access
if all_access_changed? && !Current.user.can_administer_board?(@board)
def ensure_permission_to_change_accesses
if trying_to_change_accesses? && !Current.user.can_administer_board?(@board)
head :forbidden
end
end
def trying_to_change_accesses?
all_access_changed? || grantees_changed?
end
def all_access_changed?
params[:board]&.key?(:all_access)
end
def grantees_changed?
params.key?(:user_ids)
end
def show_filtered_cards
@filter.board_ids = [ @board.id ]
set_page_and_extract_portion_from @filter.cards
@@ -83,8 +91,4 @@ class BoardsController < ApplicationController
def grantee_ids
params.fetch :user_ids, []
end
def grantees_changed?
params.key?(:user_ids)
end
end
+2 -2
View File
@@ -10,10 +10,10 @@ module AccessesHelper
toggle_class_toggle_class: "toggler--toggled" }, &
end
def access_toggles_for(users, selected:)
def access_toggles_for(users, selected:, disabled: false)
render partial: "boards/access_toggle",
collection: users, as: :user,
locals: { selected: selected },
locals: { selected: selected, disabled: disabled },
cached: ->(user) { [ user, selected ] }
end
+1 -1
View File
@@ -14,7 +14,7 @@
<label class="switch toggler__visible-when-off flex-item-no-shrink">
<% checkbox_data = { toggle_class_target: "checkbox" } %>
<% checkbox_data[:boards_form_target] = "meCheckbox" if user == Current.user %>
<%= check_box_tag "user_ids[]", user.id, selected, class: "switch__input", id: nil, data: checkbox_data %>
<%= check_box_tag "user_ids[]", user.id, selected, class: "switch__input", id: nil, data: checkbox_data, disabled: disabled %>
<span class="switch__btn round"></span>
<span class="for-screen-reader">Give <%= user.name %> access</span>
</label>
+2 -2
View File
@@ -33,7 +33,7 @@
</div>
<ul class="settings__user-list" data-filter-target="list">
<%= access_toggles_for selected_users, selected: true %>
<%= access_toggles_for unselected_users, selected: false %>
<%= access_toggles_for selected_users, selected: true, disabled: !Current.user.can_administer_board?(board) %>
<%= access_toggles_for unselected_users, selected: false, disabled: !Current.user.can_administer_board?(board) %>
</ul>
<% end %>
@@ -108,4 +108,20 @@ class BoardsControllerTest < ActionDispatch::IntegrationTest
assert_response :forbidden
assert_equal original_all_access, board.reload.all_access
end
test "non-admin cannot change individual user accesses on board they don't own" do
Session.destroy_all
sign_in_as :jz
board = boards(:writebook)
original_users = board.users.sort
patch board_path(board), params: {
board: { name: board.name },
user_ids: [ users(:jz).id ]
}
assert_response :forbidden
assert_equal original_users, board.reload.users.sort
end
end