Do not allow deleting someone elses list

lnu-norge · Jun 20, 2024 · 0bcaf63 · 0bcaf63
1 parent 467bb59
commit 0bcaf63
Show file tree

Hide file tree

Showing 4 changed files with 30 additions and 10 deletions.
diff --git a/app/controllers/concerns/access_to_personal_space_list_verifiable.rb b/app/controllers/concerns/access_to_personal_space_list_verifiable.rb
@@ -14,6 +14,14 @@ def verify_that_user_has_access_to_personal_space_list
     no_access
   end
 
+  def verify_that_user_is_owner_or_admin
+    return no_access if @personal_space_list.blank?
+    return if @personal_space_list&.user_id == current_user.id
+    return if current_user.admin?
+
+    no_access
+  end
+
   def set_as_shared_with_me
     return if @personal_space_list.already_shared_with_user(user: current_user)
 

diff --git a/app/controllers/personal_space_lists_controller.rb b/app/controllers/personal_space_lists_controller.rb
@@ -6,7 +6,8 @@ class PersonalSpaceListsController < BaseControllers::AuthenticateController
   before_action :set_personal_space_list, only: %i[show edit update destroy]
   before_action :new_personal_space_list, only: [:create]
   before_action :add_spaces_to_list, only: [:create, :update]
-  before_action :verify_that_user_has_access_to_personal_space_list, except: %i[new create index]
+  before_action :verify_that_user_has_access_to_personal_space_list, except: %i[new create index destroy]
+  before_action :verify_that_user_is_owner_or_admin, only: %i[destroy]
 
   after_action :activate_or_deactivate_list_based_on_params, only: [:create, :update]
 

diff --git a/app/views/personal_space_lists/edit.html.erb b/app/views/personal_space_lists/edit.html.erb
@@ -7,17 +7,16 @@
 
   <main class="mt-6 mb-12">
     <%= render "form", personal_space_list: @personal_space_list %>
-
   </main>
 
-  <hr />
-
+  <% if @personal_space_list.user == current_user %>
+    <hr />
 
-  <%= button_to personal_space_list_path(@personal_space_list),
-                method: :delete,
-                data: { confirm: "Sikker på at du vil slette?" },
-                class: "link inline-flex gap-1" do %>
-    <%= inline_svg "delete" %> Slett listen
+    <%= button_to personal_space_list_path(@personal_space_list),
+                  method: :delete,
+                  data: { confirm: "Sikker på at du vil slette?" },
+                  class: "link inline-flex gap-1" do %>
+      <%= inline_svg "delete" %> Slett listen
+    <% end %>
   <% end %>
-
 </div>
diff --git a/spec/requests/personal_space_lists/shared_with_publics_controller_spec.rb b/spec/requests/personal_space_lists/shared_with_publics_controller_spec.rb
@@ -57,6 +57,18 @@
     expect(user.personal_space_lists_shared_with_mes.reload.count).to eq(0)
   end
 
+  it "cannot delete someone elses list, even if it is shared" do
+    delete personal_space_list_path(someone_elses_space_list)
+    someone_elses_space_list.reload
+    expect(someone_elses_space_list).to be_truthy
+
+    someone_elses_space_list.start_sharing
+
+    delete personal_space_list_path(someone_elses_space_list)
+    someone_elses_space_list.reload
+    expect(someone_elses_space_list).to be_truthy
+  end
+
   it "can add and remove spaces in someone elses shared list, but only when shared" do
     post add_to_personal_space_list_space_path(personal_space_list_id: someone_elses_space_list.id, id: space.id)
     expect(someone_elses_space_list.reload.spaces.count).to eq(0)