From 5a7d248309261c23520f14cff5f2aff956921efa Mon Sep 17 00:00:00 2001
From: baarkerlounger
Date: Thu, 2 Dec 2021 18:16:00 +0000
Subject: [PATCH] Scope user methods

---
 app/controllers/organisations_controller.rb | 4 +-
 app/controllers/users_controller.rb | 16 +++-
 spec/requests/user_controller_spec.rb | 100 +++++++++++++++++---
 3 files changed, 100 insertions(+), 20 deletions(-)

diff --git a/app/controllers/organisations_controller.rb b/app/controllers/organisations_controller.rb
index 5fe12e732..9e2c49484 100644
--- a/app/controllers/organisations_controller.rb
+++ b/app/controllers/organisations_controller.rb
@@ -1,6 +1,6 @@
 class OrganisationsController < ApplicationController
 before_action :authenticate_user!
- before_action :find_organisation
+ before_action :find_resource
 before_action :authenticate_scope!
 
 def show
@@ -25,7 +25,7 @@ private
 head :unauthorized if current_user.organisation != @organisation
 end
 
- def find_organisation
+ def find_resource
 @organisation = Organisation.find(params[:id])
 end
 end
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 30afa501b..a0792620c 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -2,12 +2,14 @@ class UsersController < ApplicationController
 include Devise::Controllers::SignInOut
 include Helpers::Email
 before_action :authenticate_user!
+ before_action :find_resource, except: [:new, :create]
+ before_action :authenticate_scope!, except: [:new, :create]
 
 def update
- if current_user.update(user_params)
- bypass_sign_in current_user
+ if @user.update(user_params)
+ bypass_sign_in @user
 flash[:notice] = I18n.t("devise.passwords.updated")
- redirect_to user_path(current_user)
+ redirect_to user_path(@user)
 end
 end
 
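Review bot: `update` still has no response on the failure path: when `@user.update(user_params)` returns false nothing is rendered or redirected, so a rejected change (for example a password that fails validation) falls through to Rails' implicit render instead of showing the form with its errors. That branch is pre-existing, but since these lines are rewritten here an `else` that re-renders the edit view with an explicit status, e.g. `render :edit, status: :unprocessable_entity` (the spec suggests an `edit` view exists — confirm), would round the change off. Separately, the two `except: [:new, :create]` lists on the new `before_action` lines must be kept in sync by hand; one frozen constant shared by both calls would stop them drifting apart. `update` ends inside the hunk, but the rest of the class, including `user_params`, is outside it.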
@@ -48,4 +50,12 @@ private
 def user_params
 params.require(:user).permit(:email, :name, :password, :role)
 end
+
+ def find_resource
+ @user = User.find(params[:id])
+ end
+
+ def authenticate_scope!
+ head :unauthorized if current_user != @user
+ end
 end
diff --git a/spec/requests/user_controller_spec.rb b/spec/requests/user_controller_spec.rb
index bccd2dd31..b9e007416 100644
--- a/spec/requests/user_controller_spec.rb
+++ b/spec/requests/user_controller_spec.rb
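Review bot: The new `authenticate_scope!` checks identity only, while `user_params` (the context lines just above it) still permits `:role`, so after this commit a signed-in user can still change their own role through `#update`; unless role changes are meant to be self-service, `:role` should come out of the permitted list, e.g. `params.require(:user).permit(:email, :name, :password)`, or be permitted only on an admin-specific path. Two smaller points on the same lines: `head :unauthorized` answers an authenticated-but-unauthorised request, which is what `:forbidden` (403) conventionally expresses, though `OrganisationsController#authenticate_scope!` uses the same status so this is at least consistent; and because `find_resource` runs `User.find(params[:id])` before the scope check, an unknown id answers 404 (`RecordNotFound`) while another user's id answers 401, which discloses whether an id exists — rescuing `RecordNotFound` to the same status as the scope failure would make the two cases indistinguishable. A one-line comment above `authenticate_scope!`, `# Only the signed-in user may act on their own record; admin access is not handled here`, would document the intended policy for the next reader.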
@@ -3,39 +3,109 @@ require_relative "../support/devise" RSpec.describe UsersController, type: :request do let(:user) { FactoryBot.create(:user) } + let(:unauthorised_user) { FactoryBot.create(:user) } let(:headers) { { "Accept" => "text/html" } } let(:page) { Capybara::Node::Simple.new(response.body) } describe "#show" do - before do - sign_in user - get "/users/#{user.id}", headers: headers, params: {} + context "current user is user" do + before do + sign_in user + get "/users/#{user.id}", headers: headers, params: {} + end + + it "show the user details" do + expect(page).to have_content("Your account") + end end - it "show the user details" do - expect(page).to have_content("Your account") + context "current user is another user" do + before do + sign_in user + get "/users/#{unauthorised_user.id}", headers: headers, params: {} + end + + it "returns unauthorised 401" do + expect(response).to have_http_status(:unauthorized) + end end end describe "#edit" do - before do - sign_in user - get "/users/#{user.id}/edit", headers: headers, params: {} + context "current user is user" do + before do + sign_in user + get "/users/#{user.id}/edit", headers: headers, params: {} + end + + it "show the edit personal details page" do + expect(page).to have_content("Change your personal details") + end end - it "show the edit personal details page" do - expect(page).to have_content("Change your personal details") + context "current user is another user" do + before do + sign_in user + get "/users/#{unauthorised_user.id}/edit", headers: headers, params: {} + end + + it "returns unauthorised 401" do + expect(response).to have_http_status(:unauthorized) + end end end describe "#edit_password" do - before do - sign_in user - get "/users/#{user.id}/password/edit", headers: headers, params: {} + context "current user is user" do + before do + sign_in user + get "/users/#{user.id}/password/edit", headers: headers, params: {} + end + + it "show the edit password page" do + expect(page).to 
have_content("Change your password") + end + end + + context "current user is another user" do + before do + sign_in user + get "/users/#{unauthorised_user.id}/edit", headers: headers, params: {} + end + + it "returns unauthorised 401" do + expect(response).to have_http_status(:unauthorized) + end end + end + + describe "#update" do + let(:new_value) { "new test name" } + let(:params) { { id: user.id, user: { name: new_value } } } + + context "current user is user" do + before do + sign_in user + patch "/users/#{user.id}", headers: headers, params: params + end + + it "updates the user" do + user.reload + expect(user.name).to eq(new_value) + end + end + + context "current user is another user" do + let(:params) { { id: unauthorised_user.id, user: { name: new_value } } } + + before do + sign_in user + patch "/users/#{unauthorised_user.id}", headers: headers, params: params + end - it "show the edit password page" do - expect(page).to have_content("Change your password") + it "returns unauthorised 401" do + expect(response).to have_http_status(:unauthorized) + end end end end
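Review bot: In the `#edit_password` / "current user is another user" context the request goes to `/users/#{unauthorised_user.id}/edit`, not `/users/#{unauthorised_user.id}/password/edit`, so it repeats the `#edit` case and the password-edit route is never exercised for a cross-user request; the line should read `get "/users/#{unauthorised_user.id}/password/edit", headers: headers, params: {}`. The name `unauthorised_user` is also slightly misleading, since that record is the target of the request rather than the signed-in user; `other_user` would match the context descriptions better. The cross-user `#update` case asserts only the 401 and could add `expect(unauthorised_user.reload.name).not_to eq(new_value)` to confirm that no write took place. The outer `RSpec.describe` block closes inside the hunk.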