From 229fc4d8668c2cfc6f3cc1425ef702743b30c00b Mon Sep 17 00:00:00 2001
From: baarkerlounger
Date: Mon, 29 Nov 2021 16:50:55 +0000
Subject: [PATCH] No access to tasklist page for logs that aren't associated with your org

---
 app/controllers/case_logs_controller.rb | 8 ++-
 spec/requests/case_log_controller_spec.rb | 72 ++++++++++++++++-------
 2 files changed, 58 insertions(+), 22 deletions(-)

diff --git a/app/controllers/case_logs_controller.rb b/app/controllers/case_logs_controller.rb
index 42d80c6ca..771d54688 100644
--- a/app/controllers/case_logs_controller.rb
+++ b/app/controllers/case_logs_controller.rb
@@ -50,8 +50,12 @@ class CaseLogsController < ApplicationController
 
 def edit
 @form = FormHandler.instance.get_form("2021_2022")
- @case_log = CaseLog.find(params[:id])
- render :edit
+ @case_log = current_user.case_logs.find_by(id: params[:id])
+ if @case_log
+ render :edit
+ else
+ render file: "#{Rails.root}/public/404.html", status: 404
+ end
 end
 
 def submit_form
diff --git a/spec/requests/case_log_controller_spec.rb b/spec/requests/case_log_controller_spec.rb
index 1b11b93b8..658148526 100644
--- a/spec/requests/case_log_controller_spec.rb
+++ b/spec/requests/case_log_controller_spec.rb
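Review bot: The 404 branch added to `edit` renders `public/404.html` with a bare numeric status and no `layout: false`, so if the application layout is applied the static page (a complete HTML document) ends up nested inside it; `render file: Rails.root.join("public", "404.html"), layout: false, status: :not_found`, or simply `head :not_found`, would satisfy the new request spec, which only asserts the status. Looking the log up through `current_user.case_logs` and answering 404 rather than 403 is the right shape, because it does not confirm to a caller that a log outside their organisation exists. Only `edit` changes here; `submit_form` begins immediately after the hunk, and any other action that still looks up with `CaseLog.find(params[:id])` would remain unscoped, so it is worth confirming they take the same path.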
@@ -113,24 +113,25 @@ RSpec.describe CaseLogsController, type: :request do
 end
 
 describe "GET" do
+ let(:user) { FactoryBot.create(:user) }
+ let(:organisation) { user.organisation }
+ let(:other_organisation) { FactoryBot.create(:organisation) }
+ let!(:case_log) do
+ FactoryBot.create(
+ :case_log,
+ owning_organisation: organisation,
+ managing_organisation: organisation,
+ )
+ end
+ let!(:unauthorized_case_log) do
+ FactoryBot.create(
+ :case_log,
+ owning_organisation: other_organisation,
+ managing_organisation: other_organisation,
+ )
+ end
+
 context "collection" do
- let(:user) { FactoryBot.create(:user) }
- let(:organisation) { user.organisation }
- let(:other_organisation) { FactoryBot.create(:organisation) }
- let!(:case_log) do
- FactoryBot.create(
- :case_log,
- owning_organisation: organisation,
- managing_organisation: organisation,
- )
- end
- let!(:unauthorized_case_log) do
- FactoryBot.create(
- :case_log,
- owning_organisation: other_organisation,
- managing_organisation: other_organisation,
- )
- end
 let(:headers) { { "Accept" => "text/html" } }
 
 before do
@@ -147,8 +148,8 @@ RSpec.describe CaseLogsController, type: :request do
 end
 
 context "member" do
- let(:case_log) { FactoryBot.create(:case_log, :completed) }
- let(:id) { case_log.id }
+ let(:completed_case_log) { FactoryBot.create(:case_log, :completed) }
+ let(:id) { completed_case_log.id }
 
 before do
 get "/case_logs/#{id}", headers: headers
@@ -160,7 +161,7 @@ RSpec.describe CaseLogsController, type: :request do
 it "returns a serialized Case Log" do
 json_response = JSON.parse(response.body)
- expect(json_response["status"]).to eq(case_log.status)
+ expect(json_response["status"]).to eq(completed_case_log.status)
 end
 
 context "invalid case log id" do
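Review bot: In the `member` context of the second hunk, `completed_case_log` is built with the factory's default organisations rather than `organisation`, and the spec still expects a serialized log back from `GET /case_logs/:id`, which suggests the JSON show path is not scoped to the signed-in user's organisation the way `edit` now is; if that is intended, a comment on the context such as `# show is not org-scoped; see edit page specs for the HTML path` would stop the next reader from treating it as a gap, otherwise the show action needs the same `current_user.case_logs` lookup. Whether this context signs a user in at all is set up in a `before` outside the hunk, so I cannot tell from here. The rename to `completed_case_log` correctly avoids shadowing the `let!(:case_log)` hoisted to the `describe "GET"` level; the enclosing describe continues past the hunk.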
@@ -170,6 +171,37 @@ RSpec.describe CaseLogsController, type: :request do
 expect(response).to have_http_status(:not_found)
 end
 end
+
+ context "edit page" do
+ let(:headers) { { "Accept" => "text/html" } }
+ let(:form) { Form.new("spec/fixtures/forms/test_form.json") }
+ before do
+ allow(FormHandler.instance).to receive(:get_form).and_return(form)
+ end
+
+ context "case logs that are owned or managed by your organisation" do
+ before do
+ sign_in user
+ get "/case_logs/#{case_log.id}", headers: headers, params: {}
+ end
+
+ it "shows the tasklist for case logs you have access to" do
+ expect(response.body).to match("Tasklist for log")
+ expect(response.body).to match("#{case_log.id}")
+ end
+ end
+
+ context "case logs that are not owned or managed by your organisation" do
+ before do
+ sign_in user
+ get "/case_logs/#{unauthorized_case_log.id}", headers: headers, params: {}
+ end
+
+ it "does not show the tasklist for case logs you don't have access to" do
+ expect(response).to have_http_status(:not_found)
+ end
+ end
+ end
 end
 end
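Review bot: `expect(response.body).to match("#{case_log.id}")` turns a bare integer into a regexp, so a short id is satisfied by any digit sequence elsewhere in the page, and interpolating a lone value is redundant; `expect(response.body).to include(case_log.id.to_s)` drops the regexp conversion, and anchoring the id next to the heading text it actually appears in would make the assertion meaningful. The negative case asserts only the status code; adding `expect(response.body).not_to match("Tasklist for log")` pins the behaviour the commit title describes rather than just the response code. `sign_in user` and `params: {}` are repeated in both inner `before` blocks; the sign-in belongs in the `edit page` `before` alongside the `FormHandler` stub, and the empty `params` hash can be dropped.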