From 111a3106b949dd16821f2c00fa0e331cee3c38af Mon Sep 17 00:00:00 2001
From: Marc Anguera Insa
Date: Sun, 23 Mar 2025 17:08:17 +0100
Subject: [PATCH 1/2] Only admins of org could access to /petitions/manage

---
 app/controllers/petitions_controller.rb | 4 ++++
 app/policies/petition_policy.rb | 11 +++++++++++
 spec/controllers/petitions_controller_spec.rb | 15 +++++++++++++--
 3 files changed, 28 insertions(+), 2 deletions(-)
 create mode 100644 app/policies/petition_policy.rb

diff --git a/app/controllers/petitions_controller.rb b/app/controllers/petitions_controller.rb
index d39d8839..091d09aa 100644
--- a/app/controllers/petitions_controller.rb
+++ b/app/controllers/petitions_controller.rb
@@ -18,6 +18,8 @@ def create
   def update
     petition = Petition.find params[:id]
 
+    authorize petition
+
     status = params[:status]
 
     if petition.update(status: status)
@@ -31,6 +33,8 @@ def update
   end
 
   def manage
+    authorize Petition
+
     @status = params[:status] || Petition::DEFAULT_STATUS
     @users = User.joins(:petitions).where(petitions: { organization_id: current_organization.id, status: @status }).page(params[:page]).per(20)
   end
diff --git a/app/policies/petition_policy.rb b/app/policies/petition_policy.rb
new file mode 100644
index 00000000..5871bb8f
--- /dev/null
+++ b/app/policies/petition_policy.rb
@@ -0,0 +1,11 @@
+class PetitionPolicy < ApplicationPolicy
+  alias_method :petition, :record
+
+  def update?
+    user.superadmin? || user.admins?(petition.organization)
+  end
+
+  def manage?
+    user.superadmin? || user.admins?(organization)
+  end
+end
diff --git a/spec/controllers/petitions_controller_spec.rb b/spec/controllers/petitions_controller_spec.rb
index 82c20c89..27c034b2 100644
--- a/spec/controllers/petitions_controller_spec.rb
+++ b/spec/controllers/petitions_controller_spec.rb
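Review bot: `authorize petition` now gates who may call update, but the value written two lines later, `status = params[:status]`, is still taken verbatim from the request, so an organization admin can persist any string unless `Petition` itself validates `status` (not visible in this patch). If the model has no inclusion validation, check the value against the model's permitted statuses before `petition.update(status: status)` and respond with an error for anything else, rather than letting an arbitrary value reach the database. The body of `update` continues past the end of this hunk.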
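Review bot: `authorize Petition` protects manage, but nothing in the controller fails closed for an action that forgets the call; adding `after_action :verify_authorized` at the controller level (outside this hunk) makes Pundit raise for any action that never authorized instead of serving the page. Because `authorize` is given the class, Pundit derives `PetitionPolicy#manage?` from the action name, so `authorize Petition, :manage?` would make that link explicit and survive a rename. The `@users` query is scoped by `current_organization.id`, which presumably is the same tenant `manage?` checks through `organization`; confirm the policy and the controller derive it the same way, otherwise the check and the data can diverge.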
@@ -2,6 +2,7 @@
   let!(:organization) { Fabricate(:organization) }
   let(:user) { Fabricate(:user) }
   let!(:admin) { Fabricate(:member, organization: organization, manager: true) }
+  let!(:non_admin) { Fabricate(:member, organization: organization, manager: false) }
 
   describe 'POST #create' do
     before { login(user) }
@@ -40,14 +41,24 @@
   describe 'GET #manage' do
     before do
       allow(controller).to receive(:current_organization) { organization }
-      login(admin.user)
     end
 
     let!(:petition) { Petition.create(user: user, organization: organization) }
 
-    it 'populates a list of users with pending petitions' do
+    it 'as an admin: populates a list of users with pending petitions' do
+      login(admin.user)
+
       get :manage
       expect(assigns(:users)).to include(user)
     end
+
+    it 'as non-admin: not authorized' do
+      login(non_admin.user)
+
+      get :manage
+
+      expect(response).to redirect_to(root_path)
+      expect(flash[:error]).to eq('You are not authorized to perform this action.')
+    end
   end
 end

From b1702c2cf5b9b25ce397b92c717e75050c4b17a6 Mon Sep 17 00:00:00 2001
From: Marc Anguera Insa
Date: Sun, 23 Mar 2025 17:11:19 +0100
Subject: [PATCH 2/2] some times there is no member (@user = member.user)

---
 app/policies/petition_policy.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/policies/petition_policy.rb b/app/policies/petition_policy.rb
index 5871bb8f..677900ed 100644
--- a/app/policies/petition_policy.rb
+++ b/app/policies/petition_policy.rb
@@ -2,10 +2,10 @@ class PetitionPolicy < ApplicationPolicy
   alias_method :petition, :record
 
   def update?
-    user.superadmin? || user.admins?(petition.organization)
+    user&.superadmin? || user&.admins?(petition.organization)
   end
 
   def manage?
-    user.superadmin? || user.admins?(organization)
+    user&.superadmin? || user&.admins?(organization)
   end
 end
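Review bot: The new negative example only covers a non-manager of the same organization, so the cross-tenant case that `manage?` exists to block — a manager of a different organization — is untested, and the `update` action that also gained `authorize` in this series has no spec at all. Add a fixture such as `let!(:foreign_admin) { Fabricate(:member, organization: Fabricate(:organization), manager: true) }` and an example that logs in `foreign_admin.user`, calls `get :manage` and expects `redirect_to(root_path)`; a `PATCH #update` example with `non_admin.user` should expect the same redirect and an unchanged petition status. Matching the flash text byte-for-byte couples the spec to Pundit's default message; asserting the redirect alone is enough to prove the deny.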
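Review bot: Switching `user.` to `user&.` lets an anonymous request be denied only incidentally — `nil&.superadmin?` evaluates to `nil`, which Pundit treats as a refusal — and both predicates now return `nil` instead of a boolean. A guard states the intent and keeps the boolean contract: make `return false unless user` the first line of `update?` and `manage?` and leave the original `user.superadmin? || user.admins?(...)` expressions as they were. The commit message says `@user = member.user` can be nil in ApplicationPolicy (not shown), which means this policy is currently the only thing between an unauthenticated request and these actions; a `before_action` that requires a session, plus a spec that hits `manage` with no login, would make that deny explicit and tested rather than a side effect of safe navigation.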