Correctly check permissions in locales controller

We were using `authorize_resource`, passing it an unnamed parameter. When that happens, CanCanCan only checks permissions to read that resource. But, in this case, we want to check the permission to update that resource before the `update` action. Most of the time, it doesn't really matter, but, for example, in our demo we're going to restrict the locales configuration so locales cannot be updated on the main tenant (but they can be updated on other tenants).
2024-06-25 18:23:49 +02:00
parent 5b9fab0387
commit 8c8c99eb2c
2 changed files with 18 additions and 1 deletions
--- a/app/controllers/admin/locales_controller.rb
+++ b/app/controllers/admin/locales_controller.rb
@@ -1,6 +1,6 @@
 class Admin::LocalesController < Admin::BaseController
  before_action :set_locales_settings
-  authorize_resource :locales_settings
+  authorize_resource instance_name: :locales_settings, class: "Setting::LocalesSettings"

  def show
  end
--- a/spec/controllers/admin/locales_controller_spec.rb
+++ b/spec/controllers/admin/locales_controller_spec.rb
@@ -0,0 +1,17 @@
+require "rails_helper"
+
+describe Admin::LocalesController do
+  describe "PATCH update" do
+    it "checks permissions to update locales settings" do
+      user = create(:administrator).user
+      restricted_ability = user.ability.tap { |ability| ability.cannot :update, Setting::LocalesSettings }
+
+      sign_in user
+      allow(controller).to receive(:current_ability).and_return(restricted_ability)
+      patch :update, params: { setting_locales_settings: { default: :es, enabled: [:en, :fr] }}
+
+      expect(response).to redirect_to "/"
+      expect(Setting.default_locale).to eq :en
+    end
+  end
+end