From 782e197d919c89ac339932fe987e91b43d085522 Mon Sep 17 00:00:00 2001
From: Dan Milne <d@nmilne.com>
Date: Sun, 21 Jun 2026 15:42:57 +1000
Subject: [PATCH] Fix access check form: use GET so results render

The access check form POSTed and re-rendered :new with a 200 HTML
response, which Turbo rejects ("Form responses must redirect to
another location"), so the result panel never appeared. Since the
check is a read-only query, switch to a GET form and fold the lookup
into the new action. Results are now bookmarkable via the URL.

Bump version to 0.16.2.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 app/controllers/admin/access_checks_controller.rb    |  7 +------
 app/views/admin/access_checks/new.html.erb           |  2 +-
 config/initializers/version.rb                       |  2 +-
 config/routes.rb                                     |  1 -
 .../admin/access_checks_controller_test.rb           | 12 ++++++------
 5 files changed, 9 insertions(+), 15 deletions(-)

diff --git a/app/controllers/admin/access_checks_controller.rb b/app/controllers/admin/access_checks_controller.rb
index de98195..039c58d 100644
--- a/app/controllers/admin/access_checks_controller.rb
+++ b/app/controllers/admin/access_checks_controller.rb
@@ -2,17 +2,12 @@ module Admin
   class AccessChecksController < BaseController
     def new
       load_options
-    end
-
-    def create
-      load_options
       @user = User.find_by(id: params[:user_id])
       @application = Application.find_by(id: params[:application_id])
-      return render :new unless @user && @application
+      return unless @user && @application
 
       @allowed = @application.user_allowed?(@user)
       @via = @user.groups & @application.allowed_groups
-      render :new
     end
 
     private
diff --git a/app/views/admin/access_checks/new.html.erb b/app/views/admin/access_checks/new.html.erb
index c3a5a7b..c84195f 100644
--- a/app/views/admin/access_checks/new.html.erb
+++ b/app/views/admin/access_checks/new.html.erb
@@ -5,7 +5,7 @@
 
 <div class="bg-white dark:bg-gray-800 shadow sm:rounded-lg">
   <div class="px-4 py-5 sm:p-6">
-    <%= form_with url: admin_access_path, method: :post, class: "space-y-4" do |form| %>
+    <%= form_with url: admin_access_path, method: :get, class: "space-y-4" do |form| %>
       <div class="grid grid-cols-1 gap-4 sm:grid-cols-2">
         <div>
           <%= form.label :user_id, "User", class: "block text-sm font-medium text-gray-700 dark:text-gray-300" %>
diff --git a/config/initializers/version.rb b/config/initializers/version.rb
index 4d0a548..12978eb 100644
--- a/config/initializers/version.rb
+++ b/config/initializers/version.rb
@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Clinch
-  VERSION = "0.16.1"
+  VERSION = "0.16.2"
 end
diff --git a/config/routes.rb b/config/routes.rb
index a208b34..1fc6759 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -96,7 +96,6 @@ Rails.application.routes.draw do
     end
     resources :groups
     get "access", to: "access_checks#new"
-    post "access", to: "access_checks#create"
   end
 
   # Render dynamic PWA files from app/views/pwa/* (remember to link manifest in application.html.erb)
diff --git a/test/controllers/admin/access_checks_controller_test.rb b/test/controllers/admin/access_checks_controller_test.rb
index cd56a8c..28ed83c 100644
--- a/test/controllers/admin/access_checks_controller_test.rb
+++ b/test/controllers/admin/access_checks_controller_test.rb
@@ -15,8 +15,8 @@ module Admin
       assert_match "alice@example.com", response.body
     end
 
-    test "create returns 'can access' with via group when user is in an allowed group" do
-      post admin_access_path, params: {
+    test "returns 'can access' with via group when user is in an allowed group" do
+      get admin_access_path, params: {
         user_id: users(:alice).id,
         application_id: @kavita.id
       }
@@ -25,9 +25,9 @@ module Admin
       assert_match "Administrators", response.body # alice is in admin_group; kavita has admin_group
     end
 
-    test "create returns 'cannot access' with reason when user shares no group with the app" do
+    test "returns 'cannot access' with reason when user shares no group with the app" do
       lonely = User.create!(email_address: "lonely@example.com", password: "password123", skip_auto_assign: true)
-      post admin_access_path, params: {
+      get admin_access_path, params: {
         user_id: lonely.id,
         application_id: @kavita.id
       }
@@ -36,8 +36,8 @@ module Admin
       assert_match "shares no group", response.body
     end
 
-    test "create renders form unchanged when ids are missing" do
-      post admin_access_path, params: {user_id: "", application_id: ""}
+    test "renders form unchanged when ids are missing" do
+      get admin_access_path, params: {user_id: "", application_id: ""}
       assert_response :success
       # No result panel should render. The panel-only phrases:
       refute_match "Granted via", response.body