only allow RfCs to be reported when the user is allowed to see them

arkirchner · arkirchner · commit 79b24654bab9 · 2025-06-16T16:09:11.000+02:00
diff --git a/app/policies/request_for_comment_policy.rb b/app/policies/request_for_comment_policy.rb
@@ -42,7 +42,7 @@ def rfcs_with_my_comments?
   end
 
   def report?
-    report_receiver_configured? && !author?
+    report_receiver_configured? && show? && !author?
   end
 
   private
diff --git a/spec/policies/request_for_comment_policy_spec.rb b/spec/policies/request_for_comment_policy_spec.rb
@@ -317,6 +317,14 @@
       end
     end
 
+    it 'dose not allow reports when the RfC is not accessable' do
+      allow(policy).to receive(:show?).and_return(false) # rubocop:disable RSpec/SubjectStub
+
+      %i[admin external_user teacher].each do |factory_name|
+        expect(policy).not_to permit(create(factory_name), Comment.new)
+      end
+    end
+
     it 'dose not allow reports when no report email is configured' do
       codeocean_config = instance_double(CodeOcean::Config)
       allow(CodeOcean::Config).to receive(:new).with(:code_ocean).and_return(codeocean_config)
