From e67cdd986f8281f84f1ea241ac9e35ed5b4fa1b2 Mon Sep 17 00:00:00 2001 From: Jorge Manrubia Date: Wed, 12 Nov 2025 11:30:29 +0100 Subject: [PATCH] Only admins can manage join codes --- app/controllers/account/join_codes_controller.rb | 1 + .../accounts/join_codes_controller_test.rb | 14 ++++++++++++++ 2 files changed, 15 insertions(+) diff --git a/app/controllers/account/join_codes_controller.rb b/app/controllers/account/join_codes_controller.rb index 026c692f9..562ffaa0d 100644 --- a/app/controllers/account/join_codes_controller.rb +++ b/app/controllers/account/join_codes_controller.rb @@ -1,5 +1,6 @@ class Account::JoinCodesController < ApplicationController before_action :set_join_code + before_action :ensure_admin, only: %i[ update destroy ] def show end diff --git a/test/controllers/accounts/join_codes_controller_test.rb b/test/controllers/accounts/join_codes_controller_test.rb index 438904d2a..ee80e4193 100644 --- a/test/controllers/accounts/join_codes_controller_test.rb +++ b/test/controllers/accounts/join_codes_controller_test.rb @@ -23,4 +23,18 @@ class Account::JoinCodesControllerTest < ActionDispatch::IntegrationTest assert_equal 5, Account::JoinCode.sole.usage_limit assert_redirected_to account_join_code_path end + + test "update requires admin" do + logout_and_sign_in_as :david + + put account_join_code_path, params: { account_join_code: { usage_limit: 5 } } + assert_response :forbidden + end + + test "destroy requires admin" do + logout_and_sign_in_as :david + + delete account_join_code_path + assert_response :forbidden + end end