
Consistently return not found for scoped auth

pull/143/head
baarkerlounger 4 years ago
parent
commit
a6e5deff52
  1. 2
      app/controllers/organisations_controller.rb
  2. 2
      app/controllers/users_controller.rb
  3. 222
      spec/requests/organisations_controller_spec.rb
  4. 43
      spec/requests/user_controller_spec.rb

2
app/controllers/organisations_controller.rb

@ -22,7 +22,7 @@ class OrganisationsController < ApplicationController
private
def authenticate_scope!
head :unauthorized if current_user.organisation != @organisation
head :not_found if current_user.organisation != @organisation
end
def find_resource
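Review bot: The new `head :not_found` in authenticate_scope! deliberately hides whether an organisation outside the caller's scope exists, but nothing in the method says so, and the next maintainer may "fix" it back to 401/403. Add a why-comment above that line: `# 404 on purpose: an authenticated user must not be able to enumerate organisation ids they do not belong to (401/403 would confirm existence).` The comparison dereferences `current_user`, so this presumably runs after a separate authentication callback (the spec shows anonymous requests redirect to sign-in) and that ordering contract is worth stating in the same comment. Note also the method name says "authenticate" while the check is an authorization decision; a one-line comment clarifying that avoids confusion without an interface-breaking rename. The enclosing class continues outside the hunk.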

2
app/controllers/users_controller.rb

@ -56,6 +56,6 @@ private
end
def authenticate_scope!
head :unauthorized if current_user != @user
head :not_found if current_user != @user
end
end
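Review bot: The same 404-instead-of-401 decision in UsersController#authenticate_scope! is undocumented and reads as a mistake without context; add `# 404 on purpose: do not reveal to a signed-in user whether another user id exists.` above the `head` call. If find_resource (outside the hunk) can leave @user nil instead of raising, `current_user != @user` still yields 404, which is consistent, but I cannot confirm that from this hunk. `head` only halts the callback chain because it sets the response; if authenticate_scope! is ever invoked from inside an action rather than as a before_action the action body keeps running after it, so a comment stating the callback contract would help.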

222
spec/requests/organisations_controller_spec.rb

@ -5,161 +5,175 @@ RSpec.describe OrganisationsController, type: :request do
let(:unauthorised_organisation) { FactoryBot.create(:organisation) }
let(:headers) { { "Accept" => "text/html" } }
let(:page) { Capybara::Node::Simple.new(response.body) }
let(:user) { FactoryBot.create(:user, :data_coordinator) }
describe "#show" do
let(:user) { FactoryBot.create(:user, :data_coordinator) }
context "a not signed in user" do
it "does not let you see organisation details" do
get "/organisations/#{organisation.id}", headers: headers, params: {}
expect(response).to redirect_to("/users/sign-in")
context "organisation that the user belongs to" do
before do
sign_in user
get "/organisations/#{organisation.id}", headers: headers, params: {}
end
it "redirects to details" do
expect(response).to have_http_status(:redirect)
end
get "/organisations/#{organisation.id}/details", headers: headers, params: {}
expect(response).to redirect_to("/users/sign-in")
end
context "organisation that are not in scope for the user, i.e. that they do not belong to" do
before do
sign_in user
get "/organisations/#{unauthorised_organisation.id}", headers: headers, params: {}
end
it "returns unauthorised from org route" do
expect(response).to have_http_status(:unauthorized)
end
it "does not let you see organisation users" do
get "/organisations/#{organisation.id}/users", headers: headers, params: {}
expect(response).to redirect_to("/users/sign-in")
end
end
context "As a data coordinator user" do
let(:user) { FactoryBot.create(:user, :data_coordinator) }
context "details tab" do
context "a signed in user" do
describe "#show" do
context "organisation that the user belongs to" do
before do
sign_in user
get "/organisations/#{organisation.id}/details", headers: headers, params: {}
end
it "shows the tab navigation" do
expected_html = "<nav class=\"app-tab-navigation\""
expect(response.body).to include(expected_html)
end
it "shows a summary list of org details" do
expected_html = "<dl class=\"govuk-summary-list\""
expect(response.body).to include(expected_html)
expect(response.body).to include(organisation.name)
get "/organisations/#{organisation.id}", headers: headers, params: {}
end
it "has a hidden header title" do
expected_html = "<h2 class=\"govuk-visually-hidden\"> Details"
expect(response.body).to include(expected_html)
it "redirects to details" do
expect(response).to have_http_status(:redirect)
end
end
context "organisation that are not in scope for the user, i.e. that they do not belong to" do
before do
sign_in user
get "/organisations/#{unauthorised_organisation.id}/details", headers: headers, params: {}
get "/organisations/#{unauthorised_organisation.id}", headers: headers, params: {}
end
it "returns unauthorised from org details route" do
expect(response).to have_http_status(:unauthorized)
it "returns not found 404 from org route" do
expect(response).to have_http_status(:not_found)
end
end
end
context "users tab" do
context "organisation that the user belongs to" do
before do
sign_in user
get "/organisations/#{organisation.id}/users", headers: headers, params: {}
context "As a data coordinator user" do
context "details tab" do
context "organisation that the user belongs to" do
before do
sign_in user
get "/organisations/#{organisation.id}/details", headers: headers, params: {}
end
it "shows the tab navigation" do
expected_html = "<nav class=\"app-tab-navigation\""
expect(response.body).to include(expected_html)
end
it "shows a summary list of org details" do
expected_html = "<dl class=\"govuk-summary-list\""
expect(response.body).to include(expected_html)
expect(response.body).to include(organisation.name)
end
it "has a hidden header title" do
expected_html = "<h2 class=\"govuk-visually-hidden\"> Details"
expect(response.body).to include(expected_html)
end
end
context "organisation that are not in scope for the user, i.e. that they do not belong to" do
before do
sign_in user
get "/organisations/#{unauthorised_organisation.id}/details", headers: headers, params: {}
end
it "returns not found 404 from org details route" do
expect(response).to have_http_status(:not_found)
end
end
end
it "shows the tab navigation" do
expected_html = "<nav class=\"app-tab-navigation\""
expect(response.body).to include(expected_html)
end
context "users tab" do
context "organisation that the user belongs to" do
before do
sign_in user
get "/organisations/#{organisation.id}/users", headers: headers, params: {}
end
it "shows a new user button" do
expect(page).to have_link("Invite user")
end
it "shows the tab navigation" do
expected_html = "<nav class=\"app-tab-navigation\""
expect(response.body).to include(expected_html)
end
it "shows a table of users" do
expected_html = "<table class=\"govuk-table\""
expect(response.body).to include(expected_html)
expect(response.body).to include(user.email)
end
it "shows a new user button" do
expect(page).to have_link("Invite user")
end
it "has a hidden header title" do
expected_html = "<h2 class=\"govuk-visually-hidden\"> Users"
expect(response.body).to include(expected_html)
end
end
it "shows a table of users" do
expected_html = "<table class=\"govuk-table\""
expect(response.body).to include(expected_html)
expect(response.body).to include(user.email)
end
context "organisation that are not in scope for the user, i.e. that they do not belong to" do
before do
sign_in user
get "/organisations/#{unauthorised_organisation.id}/users", headers: headers, params: {}
it "has a hidden header title" do
expected_html = "<h2 class=\"govuk-visually-hidden\"> Users"
expect(response.body).to include(expected_html)
end
end
it "returns unauthorised from users page" do
expect(response).to have_http_status(:unauthorized)
context "organisation that are not in scope for the user, i.e. that they do not belong to" do
before do
sign_in user
get "/organisations/#{unauthorised_organisation.id}/users", headers: headers, params: {}
end
it "returns not found 404 from users page" do
expect(response).to have_http_status(:not_found)
end
end
end
end
end
context "As a data provider user" do
let(:user) { FactoryBot.create(:user) }
context "As a data provider user" do
let(:user) { FactoryBot.create(:user) }
context "details tab" do
context "organisation that the user belongs to" do
before do
sign_in user
get "/organisations/#{organisation.id}/details", headers: headers, params: {}
end
context "details tab" do
context "organisation that the user belongs to" do
before do
sign_in user
get "/organisations/#{organisation.id}/details", headers: headers, params: {}
end
it "shows the tab navigation" do
expected_html = "<nav class=\"app-tab-navigation\""
expect(response.body).to include(expected_html)
end
it "shows the tab navigation" do
expected_html = "<nav class=\"app-tab-navigation\""
expect(response.body).to include(expected_html)
end
it "shows a summary list of org details" do
expected_html = "<dl class=\"govuk-summary-list\""
expect(response.body).to include(expected_html)
expect(response.body).to include(organisation.name)
end
it "shows a summary list of org details" do
expected_html = "<dl class=\"govuk-summary-list\""
expect(response.body).to include(expected_html)
expect(response.body).to include(organisation.name)
it "has a hidden header title" do
expected_html = "<h2 class=\"govuk-visually-hidden\"> Details"
expect(response.body).to include(expected_html)
end
end
it "has a hidden header title" do
expected_html = "<h2 class=\"govuk-visually-hidden\"> Details"
expect(response.body).to include(expected_html)
context "organisation that are not in scope for the user, i.e. that they do not belong to" do
before do
sign_in user
get "/organisations/#{unauthorised_organisation.id}/details", headers: headers, params: {}
end
it "returns not found 404" do
expect(response).to have_http_status(:not_found)
end
end
end
context "organisation that are not in scope for the user, i.e. that they do not belong to" do
context "users tab" do
before do
sign_in user
get "/organisations/#{unauthorised_organisation.id}/details", headers: headers, params: {}
get "/organisations/#{organisation.id}/users", headers: headers, params: {}
end
it "returns unauthorised" do
it "should return unauthorized 401" do
expect(response).to have_http_status(:unauthorized)
end
end
end
context "users tab" do
before do
sign_in user
get "/organisations/#{organisation.id}/users", headers: headers, params: {}
end
it "should return unauthorised 401" do
expect(response).to have_http_status(:unauthorized)
end
end
end
end
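Review bot: The data-provider "users tab" example on the user's own organisation still pins 401 (`should return unauthorized 401`), but that user is signed in and the resource is in scope, so the denial is role-based and 401 ("authentication required") is the wrong status; 403 Forbidden is the status for an authenticated principal without permission. That is outside this commit's scope check, but the title promises consistency, so either follow up with `expect(response).to have_http_status(:forbidden)` once the controller changes or leave a comment in the spec marking the 401 as a known inconsistency. `it "redirects to details"` only asserts `have_http_status(:redirect)`; `expect(response).to redirect_to("/organisations/#{organisation.id}/details")` would catch a redirect to the wrong place. The new 404 examples could also assert `expect(response.body).not_to include(unauthorised_organisation.name)` so that nothing about the out-of-scope organisation leaks in the body alongside the status.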

43
spec/requests/user_controller_spec.rb

@ -6,6 +6,30 @@ RSpec.describe UsersController, type: :request do
let(:unauthorised_user) { FactoryBot.create(:user) }
let(:headers) { { "Accept" => "text/html" } }
let(:page) { Capybara::Node::Simple.new(response.body) }
let(:new_value) { "new test name" }
let(:params) { { id: user.id, user: { name: new_value } } }
context "a not signed in user" do
it "does not let you see user details" do
get "/users/#{user.id}", headers: headers, params: {}
expect(response).to redirect_to("/users/sign-in")
end
it "does not let you edit user details" do
get "/users/#{user.id}/edit", headers: headers, params: {}
expect(response).to redirect_to("/users/sign-in")
end
it "does not let you edit user passwords" do
get "/users/#{user.id}/password/edit", headers: headers, params: {}
expect(response).to redirect_to("/users/sign-in")
end
it "does not let you update user details" do
patch "/case-logs/#{user.id}", params: {}
expect(response).to redirect_to("/users/sign-in")
end
end
describe "#show" do
context "current user is user" do
@ -25,8 +49,8 @@ RSpec.describe UsersController, type: :request do
get "/users/#{unauthorised_user.id}", headers: headers, params: {}
end
it "returns unauthorised 401" do
expect(response).to have_http_status(:unauthorized)
it "returns not found 404" do
expect(response).to have_http_status(:not_found)
end
end
end
@ -49,8 +73,8 @@ RSpec.describe UsersController, type: :request do
get "/users/#{unauthorised_user.id}/edit", headers: headers, params: {}
end
it "returns unauthorised 401" do
expect(response).to have_http_status(:unauthorized)
it "returns not found 404" do
expect(response).to have_http_status(:not_found)
end
end
end
@ -73,16 +97,13 @@ RSpec.describe UsersController, type: :request do
get "/users/#{unauthorised_user.id}/edit", headers: headers, params: {}
end
it "returns unauthorised 401" do
expect(response).to have_http_status(:unauthorized)
it "returns not found 404" do
expect(response).to have_http_status(:not_found)
end
end
end
describe "#update" do
let(:new_value) { "new test name" }
let(:params) { { id: user.id, user: { name: new_value } } }
context "current user is user" do
before do
sign_in user
@ -103,8 +124,8 @@ RSpec.describe UsersController, type: :request do
patch "/users/#{unauthorised_user.id}", headers: headers, params: params
end
it "returns unauthorised 401" do
expect(response).to have_http_status(:unauthorized)
it "returns not found 404" do
expect(response).to have_http_status(:not_found)
end
end
end
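Review bot: The new "does not let you update user details" example sends `patch "/case-logs/#{user.id}"`, which is not the users resource; it presumably passes only because that route also redirects anonymous requests to sign-in, so the example does not test what its name claims. Change it to `patch "/users/#{user.id}", headers: headers, params: params` to match the authenticated #update examples below (the `params` let is now hoisted to the top of the file for exactly this reuse). The 404 assertions for `unauthorised_user` on #show, #edit and #update are right, but the #update case would be stronger with `expect(unauthorised_user.reload.name).not_to eq(new_value)` so a write that happens before the 404 cannot slip through.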
