Scope user methods

4 years ago · 5a7d248309
3 changed files with 100 additions and 20 deletions
--- a/app/controllers/organisations_controller.rb
+++ b/app/controllers/organisations_controller.rb
@ -1,6 +1,6 @@
 class OrganisationsController < ApplicationController
  before_action :authenticate_user!
-  before_action :find_organisation
+  before_action :find_resource
  before_action :authenticate_scope!

  def show
@ -25,7 +25,7 @@ private
    head :unauthorized if current_user.organisation != @organisation
  end

-  def find_organisation
+  def find_resource
    @organisation = Organisation.find(params[:id])
  end
 end
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@ -2,12 +2,14 @@ class UsersController < ApplicationController
  include Devise::Controllers::SignInOut
  include Helpers::Email
  before_action :authenticate_user!
+  before_action :find_resource, except: [:new, :create]
+  before_action :authenticate_scope!, except: [:new, :create]

  def update
-    if current_user.update(user_params)
-      bypass_sign_in current_user
+    if @user.update(user_params)
+      bypass_sign_in @user
      flash[:notice] = I18n.t("devise.passwords.updated")
-      redirect_to user_path(current_user)
+      redirect_to user_path(@user)
    end
  end

@ -48,4 +50,12 @@ private
  def user_params
    params.require(:user).permit(:email, :name, :password, :role)
  end
+
+  def find_resource
+    @user = User.find(params[:id])
+  end
+
+  def authenticate_scope!
+    head :unauthorized if current_user != @user
+  end
 end
--- a/spec/requests/user_controller_spec.rb
+++ b/spec/requests/user_controller_spec.rb
@ -3,10 +3,12 @@ require_relative "../support/devise"

 RSpec.describe UsersController, type: :request do
  let(:user) { FactoryBot.create(:user) }
+  let(:unauthorised_user) { FactoryBot.create(:user) }
  let(:headers) { { "Accept" => "text/html" } }
  let(:page) { Capybara::Node::Simple.new(response.body) }

  describe "#show" do
+    context "current user is user" do
      before do
        sign_in user
        get "/users/#{user.id}", headers: headers, params: {}
@ -17,7 +19,20 @@ RSpec.describe UsersController, type: :request do
      end
    end

+    context "current user is another user" do
+      before do
+        sign_in user
+        get "/users/#{unauthorised_user.id}", headers: headers, params: {}
+      end
+
+      it "returns unauthorised 401" do
+        expect(response).to have_http_status(:unauthorized)
+      end
+    end
+  end
+
  describe "#edit" do
+    context "current user is user" do
      before do
        sign_in user
        get "/users/#{user.id}/edit", headers: headers, params: {}
@ -28,7 +43,20 @@ RSpec.describe UsersController, type: :request do
      end
    end

+    context "current user is another user" do
+      before do
+        sign_in user
+        get "/users/#{unauthorised_user.id}/edit", headers: headers, params: {}
+      end
+
+      it "returns unauthorised 401" do
+        expect(response).to have_http_status(:unauthorized)
+      end
+    end
+  end
+
  describe "#edit_password" do
+    context "current user is user" do
      before do
        sign_in user
        get "/users/#{user.id}/password/edit", headers: headers, params: {}
@ -38,4 +66,46 @@ RSpec.describe UsersController, type: :request do
        expect(page).to have_content("Change your password")
      end
    end
+
+    context "current user is another user" do
+      before do
+        sign_in user
+        get "/users/#{unauthorised_user.id}/edit", headers: headers, params: {}
+      end
+
+      it "returns unauthorised 401" do
+        expect(response).to have_http_status(:unauthorized)
+      end
+    end
+  end
+
+  describe "#update" do
+    let(:new_value) { "new test name" }
+    let(:params) { { id: user.id, user: { name: new_value } } }
+
+    context "current user is user" do
+      before do
+        sign_in user
+        patch "/users/#{user.id}", headers: headers, params: params
+      end
+
+      it "updates the user" do
+        user.reload
+        expect(user.name).to eq(new_value)
+      end
+    end
+
+    context "current user is another user" do
+      let(:params) { { id: unauthorised_user.id, user: { name: new_value } } }
+
+      before do
+        sign_in user
+        patch "/users/#{unauthorised_user.id}", headers: headers, params: params
+      end
+
+      it "returns unauthorised 401" do
+        expect(response).to have_http_status(:unauthorized)
+      end
+    end
+  end
 end