diff --git a/app/controllers/boards_controller.rb b/app/controllers/boards_controller.rb index 481e519e3..4bff8dde4 100644 --- a/app/controllers/boards_controller.rb +++ b/app/controllers/boards_controller.rb @@ -2,7 +2,7 @@ class BoardsController < ApplicationController include FilterScoped before_action :set_board, except: %i[ new create ] - before_action :ensure_permission_to_change_all_access, only: %i[ update ] + before_action :ensure_permission_to_change_accesses, only: %i[ update ] def show if @filter.used?(ignore_boards: true) @@ -48,16 +48,24 @@ class BoardsController < ApplicationController @board = Current.user.boards.find params[:id] end - def ensure_permission_to_change_all_access - if all_access_changed? && !Current.user.can_administer_board?(@board) + def ensure_permission_to_change_accesses + if trying_to_change_accesses? && !Current.user.can_administer_board?(@board) head :forbidden end end + def trying_to_change_accesses? + all_access_changed? || grantees_changed? + end + def all_access_changed? params[:board]&.key?(:all_access) end + def grantees_changed? + params.key?(:user_ids) + end + def show_filtered_cards @filter.board_ids = [ @board.id ] set_page_and_extract_portion_from @filter.cards @@ -83,8 +91,4 @@ class BoardsController < ApplicationController def grantee_ids params.fetch :user_ids, [] end - - def grantees_changed? - params.key?(:user_ids) - end end diff --git a/app/helpers/accesses_helper.rb b/app/helpers/accesses_helper.rb index b44bf321d..01aa57b7c 100644 --- a/app/helpers/accesses_helper.rb +++ b/app/helpers/accesses_helper.rb @@ -10,10 +10,10 @@ module AccessesHelper toggle_class_toggle_class: "toggler--toggled" }, & end - def access_toggles_for(users, selected:) + def access_toggles_for(users, selected:, disabled: false) render partial: "boards/access_toggle", collection: users, as: :user, - locals: { selected: selected }, + locals: { selected: selected, disabled: disabled }, cached: ->(user) { [ user, selected ] } end diff --git a/app/views/boards/_access_toggle.erb b/app/views/boards/_access_toggle.erb index 01bcb3bc4..6d9541f3a 100644 --- a/app/views/boards/_access_toggle.erb +++ b/app/views/boards/_access_toggle.erb @@ -14,7 +14,7 @@ diff --git a/app/views/boards/edit/_users.html.erb b/app/views/boards/edit/_users.html.erb index 63b7bf9e8..3214a2f2c 100644 --- a/app/views/boards/edit/_users.html.erb +++ b/app/views/boards/edit/_users.html.erb @@ -33,7 +33,7 @@ <% end %> diff --git a/test/controllers/boards_controller_test.rb b/test/controllers/boards_controller_test.rb index 18a74f304..cba9c1d0c 100644 --- a/test/controllers/boards_controller_test.rb +++ b/test/controllers/boards_controller_test.rb @@ -108,4 +108,20 @@ class BoardsControllerTest < ActionDispatch::IntegrationTest assert_response :forbidden assert_equal original_all_access, board.reload.all_access end + + test "non-admin cannot change individual user accesses on board they don't own" do + Session.destroy_all + sign_in_as :jz + + board = boards(:writebook) + original_users = board.users.sort + + patch board_path(board), params: { + board: { name: board.name }, + user_ids: [ users(:jz).id ] + } + + assert_response :forbidden + assert_equal original_users, board.reload.users.sort + end end