
Commit cac0ca1

authored
Scope the single-board case to just the creator's boards (#1880)
1 parent 49139b7 commit cac0ca1


2 files changed

+16
-1
lines changed


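--- a/app/models/filter/resources.rb
+++ b/app/models/filter/resources.rb
@@ -24,7 +24,7 @@ def boards
 
 def board_titles
 if boards.none?
-Board.one? ? [ Board.first.name ] : [ "all boards" ]
+creator.boards.one? ? [ creator.boards.first.name ] : [ "all boards" ]
 else
 boards.map(&:name)
 end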
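Review bot: The new line evaluates `creator.boards` twice, so the `one?` check and the `first.name` lookup run as separate queries and could, in principle, observe different rows if the creator's access changes between them; binding the relation once keeps both reads on the same collection: `creator_boards = creator.boards` followed by `creator_boards.one? ? [ creator_boards.first.name ] : [ "all boards" ]`. Since this is the fix for a cross-account name leak, a short comment stating the intent would stop a future refactor from reverting to a global lookup, e.g. `# Scoped to the creator's accessible boards so no board name from another account is ever shown`. If `creator` can be nil for a filter (not visible here), the new code raises where the old one did not — worth confirming against the model. The `def board_titles` method continues past the end of this hunk.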

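--- a/test/models/filter_test.rb
+++ b/test/models/filter_test.rb
@@ -165,4 +165,19 @@ class FilterTest < ActiveSupport::TestCase
 assert users(:david).filters.new(board_ids: [ boards(:writebook).id ]).used?
 assert_not users(:david).filters.new(board_ids: [ boards(:writebook).id ]).used?(ignore_boards: true)
 end
+
+test "board titles are scoped to creator's account" do
+# Give mike (initech) access to the board in his account
+boards(:miltons_wish_list).accesses.grant_to(users(:mike))
+assert_equal 1, users(:mike).boards.count
+
+# Filter with no boards selected should show the single board name from mike's account
+filter = users(:mike).filters.new(creator: users(:mike))
+assert_equal [ "Milton's Wish List" ], filter.board_titles
+
+# Should NOT leak board names from other accounts (37s has multiple boards)
+assert Board.where.not(account: accounts(:initech)).exists?
+assert_not_includes filter.board_titles, "Writebook"
+assert_not_includes filter.board_titles, "Private board"
+end
 end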
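Review bot: The new test only covers the creator-has-exactly-one-board branch; the `"all boards"` fallback is never exercised under the scoped lookup, so a regression that, say, counted boards globally again while the creator still had one would pass as long as the fixture happened to line up. Adding a second case that grants mike access to another board in his account and asserts `assert_equal [ "all boards" ], filter.board_titles`, and a case with no access at all, would pin both sides of `one?`. The test name says "scoped to creator's account" while the code under test scopes to `creator.boards`, which is narrower than the account; the comment on the test could state that distinction so the next reader does not assume account-wide visibility. The `assert Board.where.not(...).exists?` precondition is a good guard against the fixture silently losing the other-account boards.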
