Forbid updating of non-public projects

floehopper · floehopper · commit 2b6f331811ed · 2025-05-23T11:42:33.000+01:00
This `Api::PublicProjectsController` is focussed on managing "public"
projects, i.e. those that have no `Project#user_id` set. I think it's
sensible to protect against the `update` action being used to update a
non-public project, because it makes the code easier to reason about.
diff --git a/app/controllers/api/public_projects_controller.rb b/app/controllers/api/public_projects_controller.rb
@@ -5,6 +5,7 @@ class PublicProjectsController < ApiController
     before_action :authorize_user
     before_action :restrict_project_type, only: %i[create]
     before_action :load_project, only: %i[update]
+    before_action :restrict_to_public_projects, only: %i[update]
 
     def create
       authorize! :create, :public_project
@@ -52,5 +53,11 @@ def restrict_project_type
 
       raise CanCan::AccessDenied.new("#{project_type} not yet supported", :create, :public_project)
     end
+
+    def restrict_to_public_projects
+      return if @project.user_id.blank?
+
+      raise CanCan::AccessDenied.new('Cannot update non-public project', :update, :public_project)
+    end
   end
 end
diff --git a/spec/features/public_project/updating_a_public_project_spec.rb b/spec/features/public_project/updating_a_public_project_spec.rb
@@ -4,7 +4,8 @@
 
 RSpec.describe 'Updating a public project', type: :request do
   let(:creator) { build(:experience_cs_admin_user) }
-  let(:project) { create(:project, locale: 'en', project_type: Project::Types::SCRATCH) }
+  let(:user_id) { nil }
+  let(:project) { create(:project, locale: 'en', project_type: Project::Types::SCRATCH, user_id:) }
   let(:headers) { { Authorization: UserProfileMock::TOKEN } }
   let(:params) { { project: { name: 'New name' } } }
 
@@ -43,6 +44,15 @@
     expect(response).to have_http_status(:unauthorized)
   end
 
+  context 'when project is not public' do
+    let(:user_id) { SecureRandom.uuid }
+
+    it 'responds 403 Forbidden' do
+      put("/api/public_projects/#{project.identifier}?project_type=scratch", headers:, params:)
+      expect(response).to have_http_status(:forbidden)
+    end
+  end
+
   it 'responds 404 Not Found when project is not found' do
     put('/api/public_projects/another-identifier?project_type=scratch', headers:, params:)
     expect(response).to have_http_status(:not_found)
diff --git a/spec/requests/public_projects/update_spec.rb b/spec/requests/public_projects/update_spec.rb
@@ -5,7 +5,7 @@
 RSpec.describe 'Update public project requests' do
   let(:locale) { 'fr' }
   let(:project_loader) { instance_double(ProjectLoader) }
-  let(:project) { create(:project, locale: 'en', project_type: Project::Types::SCRATCH) }
+  let(:project) { create(:project, locale: 'en', project_type: Project::Types::SCRATCH, user_id: nil) }
   let(:creator) { build(:experience_cs_admin_user) }
   let(:params) { { project: { name: 'New name' } } }
 
