From 28d2753c53bf45d07404ad748adb2029b6a0658a Mon Sep 17 00:00:00 2001
From: evazion
Date: Wed, 22 Sep 2021 00:32:39 -0500
Subject: [PATCH] BURs: don't allow builders to edit or reject BURs by other users.

Only admins can edit or reject BURs by other users now. The BUR creator can still edit or reject their own BURs.
---
 app/policies/bulk_update_request_policy.rb | 2 +-
 .../bulk_update_requests_controller_test.rb | 14 ++++++++++----
 2 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/app/policies/bulk_update_request_policy.rb b/app/policies/bulk_update_request_policy.rb
index bc25fa886..83c91d947 100644
--- a/app/policies/bulk_update_request_policy.rb
+++ b/app/policies/bulk_update_request_policy.rb
@@ -4,7 +4,7 @@ class BulkUpdateRequestPolicy < ApplicationPolicy
 end

 def update?
- unbanned? && (user.is_builder? || record.user_id == user.id)
+ unbanned? && (user.is_admin? || record.user_id == user.id)
 end

 def approve?
diff --git a/test/functional/bulk_update_requests_controller_test.rb b/test/functional/bulk_update_requests_controller_test.rb
index 709b4b9d2..af94b1c2f 100644
--- a/test/functional/bulk_update_requests_controller_test.rb
+++ b/test/functional/bulk_update_requests_controller_test.rb
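Review bot: The rewritten `update?` in app/policies/bulk_update_request_policy.rb has no comment stating the new authorization rule, and the commit message says the same rule governs rejecting, which this hunk does not show. I would add above the method `# Only admins may edit BURs created by other users; an unbanned creator may still edit their own.` If rejection is decided by a separate `destroy?` that does not delegate to `update?`, it needs the same `is_admin?` check. The delete test in the controller test file suggests it is covered, but that method is outside the hunk. The class body starts and ends outside the hunk.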
@@ -48,12 +48,18 @@ class BulkUpdateRequestsControllerTest < ActionDispatch::IntegrationTest
 end

 context "#update" do
- should "allow builders to update other people's requests" do
- put_auth bulk_update_request_path(@bulk_update_request.id), create(:builder_user), params: {bulk_update_request: {script: "create alias zzz -> 222" }}
+ should "allow admins to update other people's requests" do
+ put_auth bulk_update_request_path(@bulk_update_request.id), create(:admin_user), params: {bulk_update_request: {script: "create alias zzz -> 222" }}
 assert_response :redirect
 assert_equal("create alias zzz -> 222", @bulk_update_request.reload.script)
 end

+ should "not allow builders to update other people's requests" do
+ put_auth bulk_update_request_path(@bulk_update_request.id), create(:builder_user), params: {bulk_update_request: {script: "create alias zzz -> 222" }}
+ assert_response 403
+ assert_equal("create alias aaa -> bbb", @bulk_update_request.reload.script)
+ end
+
 should "not allow members to update other people's requests" do
 put_auth bulk_update_request_path(@bulk_update_request.id), create(:user), params: {bulk_update_request: {script: "create alias zzz -> 222" }}
 assert_response 403
@@ -111,10 +117,10 @@ class BulkUpdateRequestsControllerTest < ActionDispatch::IntegrationTest
 end
 end

- context "for another member" do
+ context "for another Builder" do
 should "fail" do
 assert_difference("BulkUpdateRequest.count", 0) do
- delete_auth bulk_update_request_path(@bulk_update_request), create(:user)
+ delete_auth bulk_update_request_path(@bulk_update_request), create(:builder_user)
 assert_response 403
 end
 end
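Review bot: Renaming the context "for another member" to "for another Builder" in the second hunk of test/functional/bulk_update_requests_controller_test.rb swaps the member case for the builder case instead of adding to it. The delete path therefore no longer pins that a plain member gets 403, and nothing visible here asserts that an admin can reject another user's request. The "#update" context in the first hunk keeps admin, builder and member cases side by side, and the delete context would be easier to trust with the same three. Keep the member context and add the builder one next to it, i.e. retain `delete_auth bulk_update_request_path(@bulk_update_request), create(:user)` with `assert_response 403` under its original name. The enclosing context starts outside the hunk, so an admin case may already exist there.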