Avoid removing other proposals map locations

It was possible to remove a map location from a different proposal (even one created by a different author) by modifying the hidden `id` parameter in the form. So we're making sure the map location we destroy is the one associated to the proposal we're updating. Since we're now using the `@proposal` instance variable in the `destroy_map_location_association` method, we're calling that method after loading the resource with cancancan.
2023-03-07 18:38:50 +01:00
parent eaf28ef6fb
commit 65ed778226
4 changed files with 33 additions and 7 deletions
--- a/spec/controllers/proposals_controller_spec.rb
+++ b/spec/controllers/proposals_controller_spec.rb
@@ -8,4 +8,27 @@ describe ProposalsController do
      expect { get :index }.to raise_exception(FeatureFlags::FeatureDisabled)
    end
  end
+
+  describe "PATCH update" do
+    before { InvisibleCaptcha.timestamp_enabled = false }
+    after { InvisibleCaptcha.timestamp_enabled = true }
+
+    it "does not delete other proposal's map location" do
+      proposal = create(:proposal)
+      other_proposal = create(:proposal, :with_map_location)
+
+      sign_in(proposal.author)
+
+      patch :update, params: {
+        proposal: {
+          map_location_attributes: { id: other_proposal.map_location.id },
+          responsible_name: "Skinny Fingers"
+        },
+        id: proposal.id
+      }
+
+      expect(proposal.reload.responsible_name).to eq "Skinny Fingers"
+      expect(other_proposal.reload.map_location).not_to be nil
+    end
+  end
 end