Make sure only admins or collection creators can toggle the individual access settings

This commit is contained in:
Jorge Manrubia
2025-11-05 16:04:25 +01:00
parent 193cc26a98
commit de8e861712
5 changed files with 32 additions and 12 deletions
@@ -108,4 +108,20 @@ class BoardsControllerTest < ActionDispatch::IntegrationTest
assert_response :forbidden
assert_equal original_all_access, board.reload.all_access
end
test "non-admin cannot change individual user accesses on board they don't own" do
Session.destroy_all
sign_in_as :jz
board = boards(:writebook)
original_users = board.users.sort
patch board_path(board), params: {
board: { name: board.name },
user_ids: [ users(:jz).id ]
}
assert_response :forbidden
assert_equal original_users, board.reload.users.sort
end
end