From 580daf06bd291766a23e8411559f088341792135 Mon Sep 17 00:00:00 2001
From: Anton Khorev
Date: Tue, 23 Jul 2024 18:22:46 +0300
Subject: [PATCH 1/1] Check diary entry edit/update ability using CanCanCan

---
 app/abilities/ability.rb | 3 ++-
 app/controllers/diary_entries_controller.rb | 2 +-
 app/views/diary_entries/_diary_entry.html.erb | 2 +-
 .../diary_entries_controller_test.rb | 23 +++++++++++++++++++
 4 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/app/abilities/ability.rb b/app/abilities/ability.rb
index a0eea302f..907712328 100644
--- a/app/abilities/ability.rb
+++ b/app/abilities/ability.rb
@@ -42,7 +42,8 @@ class Ability
 can [:new, :show, :create, :destroy], :oauth2_authorization
 can [:edit, :update, :destroy], :account
 can [:show], :dashboard
- can [:new, :create, :edit, :update, :subscribe, :unsubscribe], DiaryEntry
+ can [:new, :create, :subscribe, :unsubscribe], DiaryEntry
+ can :update, DiaryEntry, :user => user
 can [:create], DiaryComment
 can [:make_friend, :remove_friend], Friendship
 can [:new, :create, :reply, :show, :inbox, :outbox, :muted, :mark, :unmute, :destroy], Message
diff --git a/app/controllers/diary_entries_controller.rb b/app/controllers/diary_entries_controller.rb
index 1a888547d..eaf6ddf9c 100644
--- a/app/controllers/diary_entries_controller.rb
+++ b/app/controllers/diary_entries_controller.rb
@@ -125,7 +125,7 @@ class DiaryEntriesController < ApplicationController
 @title = t "diary_entries.edit.title"
 @diary_entry = DiaryEntry.find(params[:id])
- if current_user != @diary_entry.user ||
+ if cannot?(:update, @diary_entry) ||
 (params[:diary_entry] && @diary_entry.update(entry_params))
 redirect_to diary_entry_path(@diary_entry.user, @diary_entry)
 else
diff --git a/app/views/diary_entries/_diary_entry.html.erb b/app/views/diary_entries/_diary_entry.html.erb
index d4ee530d7..62e701d14 100644
--- a/app/views/diary_entries/_diary_entry.html.erb
+++ b/app/views/diary_entries/_diary_entry.html.erb
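Review bot: `can :update, DiaryEntry, :user => user` is a hash condition, so if this line can be reached with `user` nil it would grant update on any entry whose `user` column is nil rather than deny it; the enclosing `initialize` starts above the hunk, so whether an `if user` guard wraps this block is not visible here and is worth confirming. The view's `can?(:edit, diary_entry)` and the controller's `cannot?(:update, @diary_entry)` both resolve against this one rule only because CanCanCan aliases `:edit` to `:update` by default, which is easy to miss now that `:edit` no longer appears in the list. A short comment would save the next reader a lookup, e.g. `# :edit is aliased to :update by CanCanCan, so this rule also gates the edit form and link`.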
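Review bot: Because the authorization failure sits in the same `||` condition as a successful update, an unauthorized `PUT` is answered with exactly the same redirect as a successful one, and the denied attempt leaves no status, flash or log signal that distinguishes it. This mirrors the `current_user !=` check it replaces, so it is not a regression, but an `authorize! :update, @diary_entry` before the `if` would raise `CanCan::AccessDenied` and let whatever `rescue_from` handling the application has (not visible here) treat the denial uniformly with other controllers. The test added in this commit pins the redirect for the other-user case, so that would be a follow-up rather than part of this change. The enclosing action starts and ends outside the hunk.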
@@ -23,7 +23,7 @@
 <% end %>
- <% if current_user && current_user == diary_entry.user %>
+ <% if can?(:edit, diary_entry) %>
  • <%= link_to t(".edit_link"), edit_diary_entry_path(diary_entry.user, diary_entry) %>
• <% end %>
diff --git a/test/controllers/diary_entries_controller_test.rb b/test/controllers/diary_entries_controller_test.rb
index 9acd72c67..bb6c25781 100644
--- a/test/controllers/diary_entries_controller_test.rb
+++ b/test/controllers/diary_entries_controller_test.rb
@@ -336,6 +336,29 @@ class DiaryEntriesControllerTest < ActionDispatch::IntegrationTest
 assert_select "span[class=translation_missing]", false, "Missing translation in edit diary entry"
 end
+ def test_update
+ user = create(:user)
+ other_user = create(:user)
+ diary_entry = create(:diary_entry, :language_code => "en", :user => user, :title => "Original Title")
+
+ put diary_entry_path(user, diary_entry, :diary_entry => { :title => "Updated Title" })
+ assert_response :forbidden
+ diary_entry.reload
+ assert_equal "Original Title", diary_entry.title
+
+ session_for(other_user)
+ put diary_entry_path(user, diary_entry, :diary_entry => { :title => "Updated Title" })
+ assert_redirected_to diary_entry_path(user, diary_entry)
+ diary_entry.reload
+ assert_equal "Original Title", diary_entry.title
+
+ session_for(user)
+ put diary_entry_path(user, diary_entry, :diary_entry => { :title => "Updated Title" })
+ assert_redirected_to diary_entry_path(user, diary_entry)
+ diary_entry.reload
+ assert_equal "Updated Title", diary_entry.title
+ end
+
 def test_index_all
 diary_entry = create(:diary_entry)
 geo_entry = create(:diary_entry, :latitude => 51.50763, :longitude => -0.10781)
--
2.39.5
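Review bot: `test_update` covers only the `PUT` path, so the `GET` edit form for another user's entry and the conditional edit link changed in the view in this commit are not asserted here, unless `test_edit`, whose tail is visible at the top of the hunk, already does so. Under `session_for(other_user)` consider adding `get edit_diary_entry_path(user, diary_entry)` followed by `assert_redirected_to diary_entry_path(user, diary_entry)`, and an `assert_select` on the rendered entry that checks the edit link is present for the owner and absent for the other user, so the new ability rule is exercised through every caller this commit touches.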