Require admin flag for admin UPP requests (#4257)

* Check api_user, not api_user.user, for admin flag * Add admin flag to admin request
zooniverse · Oct 18, 2023 · b7707fb · b7707fb
1 parent 377fc00
commit b7707fb
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 1 deletion.
diff --git a/app/controllers/api/v1/project_preferences_controller.rb b/app/controllers/api/v1/project_preferences_controller.rb
@@ -26,7 +26,7 @@ def find_upp_for_update_settings
   end
 
   def user_allowed?
-    @upp.project.owners_and_collaborators.include?(api_user.user) || api_user.user.is_admin?
+    @upp.project.owners_and_collaborators.include?(api_user.user) || api_user.is_admin?
   end
 
   def update_settings_response

diff --git a/spec/controllers/api/v1/project_preferences_controller_spec.rb b/spec/controllers/api/v1/project_preferences_controller_spec.rb
@@ -173,6 +173,7 @@
 
       it 'lets the admin update UPP settings' do
         default_request user_id: admin_user.id, scopes: scopes
+        settings_params[:admin] = true
         run_update
         expect(response.status).to eq(200)
       end