Merge remote-tracking branch 'upstream/pull/5012'

openstreetmap · Jul 24, 2024 · f643b66 · f643b66
2 parents eb0f95b + 580daf0
commit f643b66
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 3 deletions.
diff --git a/app/abilities/ability.rb b/app/abilities/ability.rb
@@ -42,7 +42,8 @@ def initialize(user)
         can [:new, :show, :create, :destroy], :oauth2_authorization
         can [:edit, :update, :destroy], :account
         can [:show], :dashboard
-        can [:new, :create, :edit, :update, :subscribe, :unsubscribe], DiaryEntry
+        can [:new, :create, :subscribe, :unsubscribe], DiaryEntry
+        can :update, DiaryEntry, :user => user
         can [:create], DiaryComment
         can [:make_friend, :remove_friend], Friendship
         can [:new, :create, :reply, :show, :inbox, :outbox, :muted, :mark, :unmute, :destroy], Message

diff --git a/app/controllers/diary_entries_controller.rb b/app/controllers/diary_entries_controller.rb
@@ -125,7 +125,7 @@ def update
     @title = t "diary_entries.edit.title"
     @diary_entry = DiaryEntry.find(params[:id])
 
-    if current_user != @diary_entry.user ||
+    if cannot?(:update, @diary_entry) ||
        (params[:diary_entry] && @diary_entry.update(entry_params))
       redirect_to diary_entry_path(@diary_entry.user, @diary_entry)
     else

diff --git a/app/views/diary_entries/_diary_entry.html.erb b/app/views/diary_entries/_diary_entry.html.erb
@@ -23,7 +23,7 @@
         </li>
       <% end %>
 
-      <% if current_user && current_user == diary_entry.user %>
+      <% if can?(:edit, diary_entry) %>
         <li><%= link_to t(".edit_link"), edit_diary_entry_path(diary_entry.user, diary_entry) %></li>
       <% end %>
 

diff --git a/test/controllers/diary_entries_controller_test.rb b/test/controllers/diary_entries_controller_test.rb
@@ -336,6 +336,29 @@ def test_edit_i18n
     assert_select "span[class=translation_missing]", false, "Missing translation in edit diary entry"
   end
 
+  def test_update
+    user = create(:user)
+    other_user = create(:user)
+    diary_entry = create(:diary_entry, :language_code => "en", :user => user, :title => "Original Title")
+
+    put diary_entry_path(user, diary_entry, :diary_entry => { :title => "Updated Title" })
+    assert_response :forbidden
+    diary_entry.reload
+    assert_equal "Original Title", diary_entry.title
+
+    session_for(other_user)
+    put diary_entry_path(user, diary_entry, :diary_entry => { :title => "Updated Title" })
+    assert_redirected_to diary_entry_path(user, diary_entry)
+    diary_entry.reload
+    assert_equal "Original Title", diary_entry.title
+
+    session_for(user)
+    put diary_entry_path(user, diary_entry, :diary_entry => { :title => "Updated Title" })
+    assert_redirected_to diary_entry_path(user, diary_entry)
+    diary_entry.reload
+    assert_equal "Updated Title", diary_entry.title
+  end
+
   def test_index_all
     diary_entry = create(:diary_entry)
     geo_entry = create(:diary_entry, :latitude => 51.50763, :longitude => -0.10781)