Section 8.6.2: Restrict ticket updating to only those who have write permission on the project

Ryan Bigg · Ryan Bigg · commit d4983b0d518d · 2014-12-09T20:39:00.000+11:00
diff --git a/ticketee/app/controllers/tickets_controller.rb b/ticketee/app/controllers/tickets_controller.rb
@@ -22,7 +22,12 @@ def create
     end
   end
 
+  def edit
+    authorize @project, :write?
+  end
+
   def update
+    authorize @project, :write?
     if @ticket.update(ticket_params)
       flash[:success] = "Ticket has been updated."
       redirect_to [@project, @ticket]
diff --git a/ticketee/spec/controllers/tickets_controller_spec.rb b/ticketee/spec/controllers/tickets_controller_spec.rb
@@ -42,6 +42,19 @@ def assert_no_permission!
           post :create, project_id: project.id
           assert_no_permission!
         end
+
+        it "cannot edit a ticket without permission" do
+          get :edit, { project_id: project.id, id: ticket.id }
+          assert_no_permission!
+        end
+
+        it "cannot update a ticket without permission" do
+          put :update, { project_id: project.id,
+                         id: ticket.id,
+                         ticket: {}
+                       }
+          assert_no_permission!
+        end
       end
     end
   end
diff --git a/ticketee/spec/features/editing_tickets_spec.rb b/ticketee/spec/features/editing_tickets_spec.rb
@@ -9,6 +9,7 @@
 
   before do
     define_permission!(user, "read", project)
+    define_permission!(user, "write", project)
     login_as(user)
 
     visit "/"
