added backend check + tests

alihadimazeh · alihadimazeh · commit cc3336446fae · 2026-02-06T16:31:41.000-05:00
diff --git a/app/controllers/api/v1/recordings_controller.rb b/app/controllers/api/v1/recordings_controller.rb
@@ -69,6 +69,9 @@ def update_visibility
 
         return render_error status: :forbidden unless allowed_visibilities.include?(new_visibility)
 
+        protected_visibilities = [Recording::VISIBILITIES[:protected], Recording::VISIBILITIES[:public_protected]]
+        return render_error status: :forbidden if protected_visibilities.include?(new_visibility) && !@recording.protectable
+
         BigBlueButtonApi.new(provider: current_provider).update_recording_visibility(record_id: @recording.record_id, visibility: new_visibility)
 
         @recording.update!(visibility: new_visibility)
diff --git a/spec/controllers/recordings_controller_spec.rb b/spec/controllers/recordings_controller_spec.rb
@@ -236,6 +236,58 @@
       end
     end
 
+    context 'non-protectable recording' do
+      let(:recording) { create(:recording, room:, protectable: false) }
+
+      it 'returns :forbidden when setting visibility to Protected' do
+        expect_any_instance_of(BigBlueButtonApi).not_to receive(:update_recording_visibility)
+
+        expect do
+          post :update_visibility, params: { visibility: Recording::VISIBILITIES[:protected], id: recording.record_id }
+        end.not_to(change { recording.reload.visibility })
+
+        expect(response).to have_http_status(:forbidden)
+      end
+
+      it 'returns :forbidden when setting visibility to Public/Protected' do
+        expect_any_instance_of(BigBlueButtonApi).not_to receive(:update_recording_visibility)
+
+        expect do
+          post :update_visibility, params: { visibility: Recording::VISIBILITIES[:public_protected], id: recording.record_id }
+        end.not_to(change { recording.reload.visibility })
+
+        expect(response).to have_http_status(:forbidden)
+      end
+    end
+
+    context 'protectable recording' do
+      let(:recording) { create(:recording, room:, protectable: true) }
+
+      it 'allows setting visibility to Protected' do
+        expect_any_instance_of(BigBlueButtonApi)
+          .to receive(:update_recording_visibility)
+          .with(record_id: recording.record_id, visibility: Recording::VISIBILITIES[:protected])
+
+        expect do
+          post :update_visibility, params: { visibility: Recording::VISIBILITIES[:protected], id: recording.record_id }
+        end.to(change { recording.reload.visibility })
+
+        expect(response).to have_http_status(:ok)
+      end
+
+      it 'allows setting visibility to Public/Protected' do
+        expect_any_instance_of(BigBlueButtonApi)
+          .to receive(:update_recording_visibility)
+          .with(record_id: recording.record_id, visibility: Recording::VISIBILITIES[:public_protected])
+
+        expect do
+          post :update_visibility, params: { visibility: Recording::VISIBILITIES[:public_protected], id: recording.record_id }
+        end.to(change { recording.reload.visibility })
+
+        expect(response).to have_http_status(:ok)
+      end
+    end
+
     context 'shared access' do
       let(:signed_in_user) { create(:user) }
       let(:recording) { create(:recording, room:, visibility: Recording::VISIBILITIES[:published]) }
