Merge pull request #1841 from basecamp/fix-access-control-issues

Allow only the owner of a reaction to delete it

Author: monorkin

app/controllers/cards/comments/reactions_controller.rb

@@ -15,7 +15,12 @@ def create
 
   def destroy
     @reaction = @comment.reactions.find(params[:id])
-    @reaction.destroy
+
+    if Current.user != @reaction.reacter
+      head :forbidden
+    else
+      @reaction.destroy
+    end
   end
 
   private

test/controllers/cards/comments/reactions_controller_test.rb

@@ -2,7 +2,7 @@
 
 class Cards::Comments::ReactionsControllerTest < ActionDispatch::IntegrationTest
   setup do
-    sign_in_as :jz
+    sign_in_as :david
     @comment = comments(:logo_agreement_jz)
     @card = @comment.card
   end
@@ -15,10 +15,19 @@ class Cards::Comments::ReactionsControllerTest < ActionDispatch::IntegrationTest
   end
 
   test "destroy" do
-    reaction = reactions(:kevin)
+    reaction = reactions(:david)
     assert_difference -> { @comment.reactions.count }, -1 do
       delete card_comment_reaction_path(@comment.card, @comment, reaction, format: :turbo_stream)
       assert_turbo_stream action: :remove, target: dom_id(reaction)
     end
   end
+
+  test "non-owner cannot destroy reaction" do
+    reaction = reactions(:kevin)
+
+    assert_no_difference -> { @comment.reactions.count } do
+      delete card_comment_reaction_path(@comment.card, @comment, reaction, format: :turbo_stream)
+      assert_response :forbidden
+    end
+  end
 end