Correctly check permissions in locales controller
We were using `authorize_resource`, passing it an unnamed parameter. When that happens, CanCanCan only checks permissions to read that resource. But, in this case, we want to check the permission to update that resource before the `update` action. Most of the time, it doesn't really matter, but, for example, in our demo we're going to restrict the locales configuration so locales cannot be updated on the main tenant (but they can be updated on other tenants).
spec/controllers/admin/locales_controller_spec.rb (new file, 17 additions)
@@ -0,0 +1,17 @@
require "rails_helper"

describe Admin::LocalesController do
describe "PATCH update" do
it "checks permissions to update locales settings" do
user = create(:administrator).user
restricted_ability = user.ability.tap { |ability| ability.cannot :update, Setting::LocalesSettings }

sign_in user
allow(controller).to receive(:current_ability).and_return(restricted_ability)
patch :update, params: { setting_locales_settings: { default: :es, enabled: [:en, :fr] }}

expect(response).to redirect_to "/"
expect(Setting.default_locale).to eq :en
end
end
end
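Review bot: the new spec only covers the denied path, so a controller that rejected every update (or one that still authorized `:read` but happened to redirect for another reason) would pass it too; add a companion example where an administrator with the unmodified ability issues the same `patch :update` and assert that `Setting.default_locale` becomes `:es`. Two smaller points on the same block: `user.ability.tap { |ability| ability.cannot :update, Setting::LocalesSettings }` mutates the user's memoized ability in place rather than building a fresh one (harmless here because `current_ability` is stubbed, but a short comment would save the next reader a double take), and `expect(Setting.default_locale).to eq :en` silently depends on the seeded default being `:en`; asserting that precondition before the request makes the test's intent explicit.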