From 749d1d00311385f18b8464eb0c9e6893c468402e Mon Sep 17 00:00:00 2001
From: Eugene Burmakin <iamfrey@gmail.com>
Date: Sat, 25 Oct 2025 19:38:38 +0200
Subject: [PATCH] Add authorization for updating location sharing in
 FamiliesController

---
 app/controllers/families_controller.rb | 2 ++
 app/policies/family_policy.rb          | 4 ++++
 2 files changed, 6 insertions(+)

diff --git a/app/controllers/families_controller.rb b/app/controllers/families_controller.rb
index 5ce52f56..c0ccade3 100644
--- a/app/controllers/families_controller.rb
+++ b/app/controllers/families_controller.rb
@@ -77,6 +77,8 @@ class FamiliesController < ApplicationController
   end
 
   def update_location_sharing
+    authorize @family, :update_location_sharing?
+
     result = Families::UpdateLocationSharing.new(
       user: current_user,
       enabled: params[:enabled],
diff --git a/app/policies/family_policy.rb b/app/policies/family_policy.rb
index b644de53..882aab13 100644
--- a/app/policies/family_policy.rb
+++ b/app/policies/family_policy.rb
@@ -34,6 +34,10 @@ class FamilyPolicy < ApplicationPolicy
     user.family == record && user.family_owner?
   end
 
+  def update_location_sharing?
+    user.family == record && user.family_owner?
+  end
+
   private
 
   def family_owner_with_members?