Authorize create_meetings to init a new occurrence

2026-06-13 19:20:00 +00:00 · 2026-05-29 11:12:21 +02:00
parent 37e7a1fba3
commit aacb201e0c
2 changed files with 30 additions and 0 deletions
@@ -124,6 +124,7 @@ module API
          route_param :start_time, type: DateTime, desc: "Occurrence start time (ISO 8601)" do
            namespace :init do
              post do
+                authorize_in_project(:create_meetings, project: @recurring_meeting.project)
                start_time = declared_params[:start_time]
                call = ::RecurringMeetings::InitOccurrenceService
                         .new(user: current_user, recurring_meeting: @recurring_meeting)
@@ -139,6 +139,35 @@ RSpec.describe "API v3 Recurring Meeting Occurrences", content_type: :json do
      response
      expect(recurring_meeting.meetings.not_templated.where(recurrence_start_time: start_time)).to exist
    end
+
+    context "without create_meetings permission" do
+      let(:permissions) { %i[view_meetings] }
+
+      before { response }
+
+      it_behaves_like "unauthorized access"
+    end
+
+    context "when restoring a cancelled occurrence with only view_meetings permission" do
+      let(:permissions) { %i[view_meetings] }
+      let!(:cancelled_occurrence) do
+        create(:meeting,
+               project:,
+               author: current_user,
+               recurring_meeting:,
+               start_time:,
+               recurrence_start_time: start_time,
+               state: :cancelled)
+      end
+
+      before { response }
+
+      it_behaves_like "unauthorized access"
+
+      it "does not restore the cancelled occurrence" do
+        expect(cancelled_occurrence.reload).to be_cancelled
+      end
+    end
  end

  describe "DELETE .../occurrences/:start_time" do