Only admins of org could access to /petitions/manage (#787)

2025-03-23 17:24:11 +01:00
parent b7ef4a6a95
commit c4699c63aa
3 changed files with 28 additions and 2 deletions
--- a/app/controllers/petitions_controller.rb
+++ b/app/controllers/petitions_controller.rb
@ -18,6 +18,8 @@ class PetitionsController < ApplicationController

  def update
    petition = Petition.find params[:id]
+    authorize petition
+
    status = params[:status]

    if petition.update(status: status)
@ -31,6 +33,8 @@ class PetitionsController < ApplicationController
  end

  def manage
+    authorize Petition
+
    @status = params[:status] || Petition::DEFAULT_STATUS
    @users = User.joins(:petitions).where(petitions: { organization_id: current_organization.id, status: @status }).page(params[:page]).per(20)
  end
--- a/app/policies/petition_policy.rb
+++ b/app/policies/petition_policy.rb
@ -0,0 +1,11 @@
+class PetitionPolicy < ApplicationPolicy
+  alias_method :petition, :record
+
+  def update?
+    user&.superadmin? || user&.admins?(petition.organization)
+  end
+
+  def manage?
+    user&.superadmin? || user&.admins?(organization)
+  end
+end
--- a/spec/controllers/petitions_controller_spec.rb
+++ b/spec/controllers/petitions_controller_spec.rb
@ -2,6 +2,7 @@ RSpec.describe PetitionsController do
  let!(:organization) { Fabricate(:organization) }
  let(:user) { Fabricate(:user) }
  let!(:admin) { Fabricate(:member, organization: organization, manager: true) }
+  let!(:non_admin) { Fabricate(:member, organization: organization, manager: false) }

  describe 'POST #create' do
    before { login(user) }
@ -40,14 +41,24 @@ RSpec.describe PetitionsController do
  describe 'GET #manage' do
    before do
      allow(controller).to receive(:current_organization) { organization }
-      login(admin.user)
    end
    let!(:petition) { Petition.create(user: user, organization: organization) }

-    it 'populates a list of users with pending petitions' do
+    it 'as an admin: populates a list of users with pending petitions' do
+      login(admin.user)
+
      get :manage

      expect(assigns(:users)).to include(user)
    end
+
+    it 'as non-admin: not authorized' do
+      login(non_admin.user)
+
+      get :manage
+
+      expect(response).to redirect_to(root_path)
+      expect(flash[:error]).to eq('You are not authorized to perform this action.')
+    end
  end
 end