Scope user methods

4 years ago · 5a7d248309
3 changed files with 100 additions and 20 deletions
--- a/app/controllers/organisations_controller.rb
+++ b/app/controllers/organisations_controller.rb
@ -1,6 +1,6 @@
 class OrganisationsController < ApplicationController
  before_action :authenticate_user!
-  before_action :find_organisation
+  before_action :find_resource
  before_action :authenticate_scope!

  def show
@ -25,7 +25,7 @@ private
    head :unauthorized if current_user.organisation != @organisation
  end

-  def find_organisation
+  def find_resource
    @organisation = Organisation.find(params[:id])
  end
 end
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@ -2,12 +2,14 @@ class UsersController < ApplicationController
  include Devise::Controllers::SignInOut
  include Helpers::Email
  before_action :authenticate_user!
+  before_action :find_resource, except: [:new, :create]
+  before_action :authenticate_scope!, except: [:new, :create]

  def update
-    if current_user.update(user_params)
-      bypass_sign_in current_user
+    if @user.update(user_params)
+      bypass_sign_in @user
      flash[:notice] = I18n.t("devise.passwords.updated")
-      redirect_to user_path(current_user)
+      redirect_to user_path(@user)
    end
  end

@ -48,4 +50,12 @@ private
  def user_params
    params.require(:user).permit(:email, :name, :password, :role)
  end
+
+  def find_resource
+    @user = User.find(params[:id])
+  end
+
+  def authenticate_scope!
+    head :unauthorized if current_user != @user
+  end
 end
--- a/spec/requests/user_controller_spec.rb
+++ b/spec/requests/user_controller_spec.rb
@ -3,39 +3,109 @@ require_relative "../support/devise"

 RSpec.describe UsersController, type: :request do
  let(:user) { FactoryBot.create(:user) }
+  let(:unauthorised_user) { FactoryBot.create(:user) }
  let(:headers) { { "Accept" => "text/html" } }
  let(:page) { Capybara::Node::Simple.new(response.body) }

  describe "#show" do
-    before do
-      sign_in user
-      get "/users/#{user.id}", headers: headers, params: {}
+    context "current user is user" do
+      before do
+        sign_in user
+        get "/users/#{user.id}", headers: headers, params: {}
+      end
+
+      it "show the user details" do
+        expect(page).to have_content("Your account")
+      end
    end

-    it "show the user details" do
-      expect(page).to have_content("Your account")
+    context "current user is another user" do
+      before do
+        sign_in user
+        get "/users/#{unauthorised_user.id}", headers: headers, params: {}
+      end
+
+      it "returns unauthorised 401" do
+        expect(response).to have_http_status(:unauthorized)
+      end
    end
  end

  describe "#edit" do
-    before do
-      sign_in user
-      get "/users/#{user.id}/edit", headers: headers, params: {}
+    context "current user is user" do
+      before do
+        sign_in user
+        get "/users/#{user.id}/edit", headers: headers, params: {}
+      end
+
+      it "show the edit personal details page" do
+        expect(page).to have_content("Change your personal details")
+      end
    end

-    it "show the edit personal details page" do
-      expect(page).to have_content("Change your personal details")
+    context "current user is another user" do
+      before do
+        sign_in user
+        get "/users/#{unauthorised_user.id}/edit", headers: headers, params: {}
+      end
+
+      it "returns unauthorised 401" do
+        expect(response).to have_http_status(:unauthorized)
+      end
    end
  end

  describe "#edit_password" do
-    before do
-      sign_in user
-      get "/users/#{user.id}/password/edit", headers: headers, params: {}
+    context "current user is user" do
+      before do
+        sign_in user
+        get "/users/#{user.id}/password/edit", headers: headers, params: {}
+      end
+
+      it "show the edit password page" do
+        expect(page).to have_content("Change your password")
+      end
+    end
+
+    context "current user is another user" do
+      before do
+        sign_in user
+        get "/users/#{unauthorised_user.id}/edit", headers: headers, params: {}
+      end
+
+      it "returns unauthorised 401" do
+        expect(response).to have_http_status(:unauthorized)
+      end
    end
+  end
+
+  describe "#update" do
+    let(:new_value) { "new test name" }
+    let(:params) { { id: user.id, user: { name: new_value } } }
+
+    context "current user is user" do
+      before do
+        sign_in user
+        patch "/users/#{user.id}", headers: headers, params: params
+      end
+
+      it "updates the user" do
+        user.reload
+        expect(user.name).to eq(new_value)
+      end
+    end
+
+    context "current user is another user" do
+      let(:params) { { id: unauthorised_user.id, user: { name: new_value } } }
+
+      before do
+        sign_in user
+        patch "/users/#{unauthorised_user.id}", headers: headers, params: params
+      end

-    it "show the edit password page" do
-      expect(page).to have_content("Change your password")
+      it "returns unauthorised 401" do
+        expect(response).to have_http_status(:unauthorized)
+      end
    end
  end
 end