Make sure only admins or collection creators can toggle the individual access settings
This commit is contained in:
@@ -108,4 +108,20 @@ class BoardsControllerTest < ActionDispatch::IntegrationTest
|
||||
assert_response :forbidden
|
||||
assert_equal original_all_access, board.reload.all_access
|
||||
end
|
||||
|
||||
test "non-admin cannot change individual user accesses on board they don't own" do
|
||||
Session.destroy_all
|
||||
sign_in_as :jz
|
||||
|
||||
board = boards(:writebook)
|
||||
original_users = board.users.sort
|
||||
|
||||
patch board_path(board), params: {
|
||||
board: { name: board.name },
|
||||
user_ids: [ users(:jz).id ]
|
||||
}
|
||||
|
||||
assert_response :forbidden
|
||||
assert_equal original_users, board.reload.users.sort
|
||||
end
|
||||
end
|
||||
|
||||
Reference in New Issue
Block a user