Section 8.7: Restrict destroy action to only people with permission

Ryan Bigg · Ryan Bigg · commit 3512c40732c2 · 2014-12-09T20:48:16.000+11:00
diff --git a/ticketee/app/controllers/tickets_controller.rb b/ticketee/app/controllers/tickets_controller.rb
@@ -38,6 +38,7 @@ def update
   end
 
   def destroy
+    authorize @project, :write?
     @ticket.destroy
     flash[:success] = "Ticket has been deleted."
 
diff --git a/ticketee/spec/controllers/tickets_controller_spec.rb b/ticketee/spec/controllers/tickets_controller_spec.rb
@@ -55,6 +55,12 @@ def assert_no_permission!
                        }
           assert_no_permission!
         end
+
+        it "cannot delete a ticket without permission" do
+          delete :destroy, { project_id: project.id, id: ticket.id }
+
+          assert_no_permission!
+        end
       end
     end
   end
diff --git a/ticketee/spec/features/deleting_tickets_spec.rb b/ticketee/spec/features/deleting_tickets_spec.rb
@@ -10,6 +10,7 @@
   before do
     login_as(user)
     define_permission!(user, "read", project)
+    define_permission!(user, "write", project)
     visit "/"
     click_link project.name
     click_link ticket.title
