From 6b5308360eb074bb90fd442fa8d1183a343f5922 Mon Sep 17 00:00:00 2001 From: Jacob Cody Wimer Date: Tue, 6 Jan 2026 17:24:45 -0500 Subject: [PATCH] Fixed a bug where logged in users could not access a school with a school permission key --- app/models/ability.rb | 29 ++++++++++++--------- test/controllers/schools_controller_test.rb | 14 ++++++++++ 2 files changed, 31 insertions(+), 12 deletions(-) diff --git a/app/models/ability.rb b/app/models/ability.rb index 46462c9..b389751 100644 --- a/app/models/ability.rb +++ b/app/models/ability.rb @@ -1,6 +1,20 @@ class Ability include CanCan::Ability + def school_permission_key_check(school_permission_key) + # Can read school if tournament is public or a valid school permission key is provided + can :read, School do |school| + school.tournament.is_public || + (school_permission_key.present? && school.permission_key == school_permission_key) + end + + # Can manage school if a valid school permission key is provided + # school_permission_key comes from app/controllers/application_controller.rb + can :manage, School do |school| + (school_permission_key.present? && school.permission_key == school_permission_key) + end + end + def initialize(user, school_permission_key = nil) if user # LOGGED IN USER PERMISSIONS @@ -46,6 +60,8 @@ class Ability school.tournament.delegates.map(&:user_id).include?(user.id) || school.tournament.user_id == user.id end + + school_permission_key_check(school_permission_key) else # NON LOGGED IN USER PERMISSIONS @@ -58,18 +74,7 @@ class Ability # SCHOOL PERMISSIONS # wrestler permissions are included with school permissions - - # Can read school if tournament is public or a valid school permission key is provided - can :read, School do |school| - school.tournament.is_public || - (school_permission_key.present? && school.permission_key == school_permission_key) - end - - # Can read school if a valid school permission key is provided - # school_permission_key comes from app/controllers/application_controller.rb - can :manage, School do |school| - (school_permission_key.present? && school.permission_key == school_permission_key) - end + school_permission_key_check(school_permission_key) end end end diff --git a/test/controllers/schools_controller_test.rb b/test/controllers/schools_controller_test.rb index ee4216c..ce39c0a 100644 --- a/test/controllers/schools_controller_test.rb +++ b/test/controllers/schools_controller_test.rb @@ -373,12 +373,26 @@ Some Guy success end + test "logged in user without delegation can get show page when using valid school_permission_key" do + sign_in_non_owner + @tournament.update(is_public: false) + get_show(school_permission_key: @school_permission_key) + success + end + test "non logged in user cannot get show page when using invalid school_permission_key" do @tournament.update(is_public: false) get_show(school_permission_key: "invalid-key") redirect end + test "logged in user without delegation can edit school with valid school_permission_key" do + sign_in_non_owner + @tournament.update(is_public: false) + get_edit(school_permission_key: @school_permission_key) + success + end + test "non logged in user can edit school with valid school_permission_key" do @tournament.update(is_public: false) get_edit(school_permission_key: @school_permission_key)