Submit form access

4 years ago · 11eb4caec3
2 changed files with 41 additions and 9 deletions
--- a/app/controllers/case_logs_controller.rb
+++ b/app/controllers/case_logs_controller.rb
@ -60,7 +60,8 @@ class CaseLogsController < ApplicationController

  def submit_form
    form = FormHandler.instance.get_form("2021_2022")
-    @case_log = CaseLog.find(params[:id])
+    @case_log = current_user.case_logs.find_by(id: params[:id])
+    if @case_log
      page = form.get_page(params[:case_log][:page])
      responses_for_page = responses_for_page(page)
      if @case_log.update(responses_for_page) && @case_log.has_no_unresolved_soft_errors?
@ -70,6 +71,9 @@ class CaseLogsController < ApplicationController
        subsection = form.subsection_for_page(page)
        render "form/page", locals: { form: form, page: page, subsection: subsection.label }, status: :unprocessable_entity
      end
+    else
+      render file: "#{Rails.root}/public/404.html", status: 404
+    end
  end

  def destroy
--- a/spec/requests/case_log_controller_spec.rb
+++ b/spec/requests/case_log_controller_spec.rb
@ -389,7 +389,14 @@ RSpec.describe CaseLogsController, type: :request do
  describe "Submit Form" do
    let(:user) { FactoryBot.create(:user) }
    let(:form) { Form.new("spec/fixtures/forms/test_form.json") }
-    let(:case_log) { FactoryBot.create(:case_log, :in_progress) }
+    let(:organisation) { user.organisation }
+    let(:case_log) do
+      FactoryBot.create(
+        :case_log,
+        owning_organisation: organisation,
+        managing_organisation: organisation,
+      )
+    end
    let(:page_id) { "person_1_age" }
    let(:params) do
      {
@ -439,5 +446,26 @@ RSpec.describe CaseLogsController, type: :request do
        expect(case_log.age2).to be nil
      end
    end
+
+    context "case logs that are not owned or managed by your organisation" do
+      let(:answer) { 25 }
+      let(:other_organisation) { FactoryBot.create(:organisation) }
+      let(:unauthorized_case_log) do
+        FactoryBot.create(
+          :case_log,
+          owning_organisation: other_organisation,
+          managing_organisation: other_organisation,
+        )
+      end
+
+      before do
+        sign_in user
+        post "/case_logs/#{unauthorized_case_log.id}/form", params: params
+      end
+
+      it "does not let you post form answers to case logs you don't have access to" do
+        expect(response).to have_http_status(:not_found)
+      end
+    end
  end
 end