From 5c0cd70f089b0a26da2e7933daa4773e42bc84f7 Mon Sep 17 00:00:00 2001
From: JG
Date: Tue, 5 Jul 2022 10:16:58 +0100
Subject: [PATCH] testing creating schem for a different org for coordinator
---
 app/controllers/locations_controller.rb | 7 +++++++
 spec/requests/locations_controller_spec.rb | 10 ++++++++++
 2 files changed, 17 insertions(+)
diff --git a/app/controllers/locations_controller.rb b/app/controllers/locations_controller.rb
index 84afc3c57..0eeec0c7b 100644
--- a/app/controllers/locations_controller.rb
+++ b/app/controllers/locations_controller.rb
@@ -3,6 +3,7 @@ class LocationsController < ApplicationController
 before_action :authenticate_scope!
 before_action :find_location, except: %i[new create]
 before_action :find_scheme
+ before_action :authenticate_action!
 def new
 @location = Location.new
@@ -42,6 +43,12 @@ private
 head :unauthorized and return unless current_user.data_coordinator? || current_user.support?
 end
+ def authenticate_action!
+ if %w[new create details update].include?(action_name) && !((current_user.organisation == @scheme.organisation) || current_user.support?)
+ render_not_found and return
+ end
+ end
+
 def location_params
 required_params = params.require(:location).permit(:postcode, :name, :total_units, :type_of_unit, :wheelchair_adaptation, :add_another_location).merge(scheme_id: @scheme.id)
 required_params[:postcode] = required_params[:postcode].gsub(" ", "").encode("ASCII", "UTF-8", invalid: :replace, undef: :replace, replace: "") if required_params[:postcode]
diff --git a/spec/requests/locations_controller_spec.rb b/spec/requests/locations_controller_spec.rb
index 8cce906a5..5839d3eb4 100644
--- a/spec/requests/locations_controller_spec.rb
+++ b/spec/requests/locations_controller_spec.rb
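Review bot: `authenticate_action!` fails open: the organisation check runs only when `action_name` is one of `new create details update`, so any other action on this controller, and any action added later, can reach a scheme owned by another organisation without it. The rest of the controller is outside the hunk, so which actions that leaves uncovered cannot be confirmed here, but `before_action :find_location, except: %i[new create]` suggests there are further location-scoped actions. Deny by default instead: make the body `render_not_found unless current_user.support? || current_user.organisation == @scheme.organisation`, and exempt any action that genuinely needs cross-organisation access with `except:` on the `before_action :authenticate_action!` line in the first hunk. The check also relies on `find_scheme` having set `@scheme`; if that lookup can leave it nil, `@scheme.organisation` would raise instead of returning 404, which is worth confirming.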
@@ -103,6 +103,16 @@ RSpec.describe LocationsController, type: :request do
 expect(Location.last.wheelchair_adaptation).to eq("No")
 end
+ context "when trying to add location to a scheme that belongs to another organisation" do
+ let(:another_scheme) { FactoryBot.create(:scheme) }
+ let(:params) { { location: { name: "Test", total_units: "5", type_of_unit: "Bungalow", wheelchair_adaptation: "No", add_another_location: "No", postcode: "ZZ1 1ZZ" } } }
+
+ it "displays the new page with an error message" do
+ post "/schemes/#{another_scheme.id}/location/create", params: params
+ expect(response).to have_http_status(:not_found)
+ end
+ end
+
 context "when required organisation id param is missing" do
 let(:params) { { location: { name: "Test", total_units: "5", type_of_unit: "Bungalow", wheelchair_adaptation: "No", add_another_location: "No" } } }
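Review bot: The example name `displays the new page with an error message` contradicts its assertion, which expects `:not_found`; rename it to something like `it "returns 404 not found" do`. The example checks only the status code, so a regression that writes the record and then renders 404 would still pass; wrapping the request as `expect { post "/schemes/#{another_scheme.id}/location/create", params: params }.not_to change(Location, :count)` pins that nothing is created. Only `create` is exercised here, while the guard in the controller also names `new`, `details` and `update`, so those paths have no cross-organisation coverage in this hunk. The enclosing context that signs the user in starts outside the hunk, so the role under test is inferred from the commit subject.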