testing creating schem for a different org for coordinator

3 years ago · 5c0cd70f08
2 changed files with 17 additions and 0 deletions
--- a/app/controllers/locations_controller.rb
+++ b/app/controllers/locations_controller.rb
@ -3,6 +3,7 @@ class LocationsController < ApplicationController
  before_action :authenticate_scope!
  before_action :find_location, except: %i[new create]
  before_action :find_scheme
+  before_action :authenticate_action!

  def new
    @location = Location.new
@ -42,6 +43,12 @@ private
    head :unauthorized and return unless current_user.data_coordinator? || current_user.support?
  end

+  def authenticate_action!
+    if %w[new create details update].include?(action_name) && !((current_user.organisation == @scheme.organisation) || current_user.support?)
+      render_not_found and return
+    end
+  end
+
  def location_params
    required_params = params.require(:location).permit(:postcode, :name, :total_units, :type_of_unit, :wheelchair_adaptation, :add_another_location).merge(scheme_id: @scheme.id)
    required_params[:postcode] = required_params[:postcode].gsub(" ", "").encode("ASCII", "UTF-8", invalid: :replace, undef: :replace, replace: "") if required_params[:postcode]
--- a/spec/requests/locations_controller_spec.rb
+++ b/spec/requests/locations_controller_spec.rb
@ -103,6 +103,16 @@ RSpec.describe LocationsController, type: :request do
        expect(Location.last.wheelchair_adaptation).to eq("No")
      end

+      context "when trying to add location to a scheme that belongs to another organisation" do
+        let(:another_scheme)  { FactoryBot.create(:scheme) }
+        let(:params) { { location: { name: "Test", total_units: "5", type_of_unit: "Bungalow", wheelchair_adaptation: "No", add_another_location: "No", postcode: "ZZ1 1ZZ" } } }
+
+        it "displays the new page with an error message" do
+          post "/schemes/#{another_scheme.id}/location/create", params: params
+          expect(response).to have_http_status(:not_found)
+        end
+      end
+
      context "when required organisation id param is missing" do
        let(:params) { { location: { name: "Test", total_units: "5", type_of_unit: "Bungalow", wheelchair_adaptation: "No", add_another_location: "No" } } }