Forbid destroying of non-public projects

floehopper · floehopper · commit d1f34c2632b6 · 2025-05-23T17:13:04.000+01:00
This `Api::PublicProjectsController` is focussed on managing "public"
projects, i.e. those that have no `Project#user_id` set. I think it's
sensible to protect against the `destroy` action being used to update a
non-public project, because it makes the code easier to reason about.
diff --git a/app/controllers/api/public_projects_controller.rb b/app/controllers/api/public_projects_controller.rb
@@ -5,7 +5,7 @@ class PublicProjectsController < ApiController
     before_action :authorize_user
     before_action :restrict_project_type, only: %i[create]
     before_action :load_project, only: %i[update destroy]
-    before_action :restrict_to_public_projects, only: %i[update]
+    before_action :restrict_to_public_projects, only: %i[update destroy]
 
     def create
       authorize! :create, :public_project
diff --git a/spec/features/public_project/destroying_a_public_project_spec.rb b/spec/features/public_project/destroying_a_public_project_spec.rb
@@ -4,7 +4,8 @@
 
 RSpec.describe 'Destroying a public project', type: :request do
   let(:destroyer) { build(:experience_cs_admin_user) }
-  let(:project) { create(:project, locale: 'en', project_type: Project::Types::SCRATCH) }
+  let(:user_id) { nil }
+  let(:project) { create(:project, locale: 'en', project_type: Project::Types::SCRATCH, user_id:) }
   let(:headers) { { Authorization: UserProfileMock::TOKEN } }
 
   before do
@@ -35,6 +36,15 @@
     end
   end
 
+  context 'when project is not public' do
+    let(:user_id) { SecureRandom.uuid }
+
+    it 'responds 403 Forbidden' do
+      delete("/api/public_projects/#{project.identifier}?project_type=scratch", headers:)
+      expect(response).to have_http_status(:forbidden)
+    end
+  end
+
   it 'responds 404 Not Found when project is not found' do
     delete('/api/public_projects/another-identifier?project_type=scratch', headers:)
     expect(response).to have_http_status(:not_found)
diff --git a/spec/requests/public_projects/destroy_spec.rb b/spec/requests/public_projects/destroy_spec.rb
@@ -5,7 +5,7 @@
 RSpec.describe 'Destroy public project requests' do
   let(:locale) { 'fr' }
   let(:project_loader) { instance_double(ProjectLoader) }
-  let(:project) { create(:project, locale: 'en', project_type: Project::Types::SCRATCH) }
+  let(:project) { create(:project, locale: 'en', project_type: Project::Types::SCRATCH, user_id: nil) }
   let(:destroyer) { build(:experience_cs_admin_user) }
 
   context 'when auth is correct' do
