Fixed a bug where logged in users could not access a school with a school permission key

2026-03-24 17:04:43 +00:00 · 2026-01-06 17:24:45 -05:00
parent 9ca6572d9b
commit 6b5308360e
2 changed files with 31 additions and 12 deletions
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -1,6 +1,20 @@
 class Ability
  include CanCan::Ability

+  def school_permission_key_check(school_permission_key)
+    # Can read school if tournament is public or a valid school permission key is provided
+    can :read, School do |school|
+      school.tournament.is_public ||
+      (school_permission_key.present? && school.permission_key == school_permission_key)
+    end
+
+    # Can manage school if a valid school permission key is provided
+    # school_permission_key comes from app/controllers/application_controller.rb
+    can :manage, School do |school|
+      (school_permission_key.present? && school.permission_key == school_permission_key)
+    end
+  end
+
  def initialize(user, school_permission_key = nil)
    if user
      # LOGGED IN USER PERMISSIONS
@@ -46,6 +60,8 @@ class Ability
        school.tournament.delegates.map(&:user_id).include?(user.id) ||
        school.tournament.user_id == user.id
      end
+
+      school_permission_key_check(school_permission_key)
    else
      # NON LOGGED IN USER PERMISSIONS

@@ -58,18 +74,7 @@ class Ability

      # SCHOOL PERMISSIONS
      # wrestler permissions are included with school permissions 
-
-      # Can read school if tournament is public or a valid school permission key is provided
-      can :read, School do |school|
-        school.tournament.is_public ||
-        (school_permission_key.present? && school.permission_key == school_permission_key)
-      end
-
-      # Can read school if a valid school permission key is provided
-      # school_permission_key comes from app/controllers/application_controller.rb
-      can :manage, School do |school|
-        (school_permission_key.present? && school.permission_key == school_permission_key)
-      end
+      school_permission_key_check(school_permission_key)
    end
  end
 end
--- a/test/controllers/schools_controller_test.rb
+++ b/test/controllers/schools_controller_test.rb
@@ -373,12 +373,26 @@ Some Guy
    success
  end

+  test "logged in user without delegation can get show page when using valid school_permission_key" do
+    sign_in_non_owner
+    @tournament.update(is_public: false)
+    get_show(school_permission_key: @school_permission_key)
+    success
+  end
+
  test "non logged in user cannot get show page when using invalid school_permission_key" do
    @tournament.update(is_public: false)
    get_show(school_permission_key: "invalid-key")
    redirect
  end

+  test "logged in user without delegation can edit school with valid school_permission_key" do
+    sign_in_non_owner
+    @tournament.update(is_public: false)
+    get_edit(school_permission_key: @school_permission_key)
+    success
+  end
+
  test "non logged in user can edit school with valid school_permission_key" do
    @tournament.update(is_public: false)
    get_edit(school_permission_key: @school_permission_key)