diff --git a/app/controllers/organisations_controller.rb b/app/controllers/organisations_controller.rb
index 9e2c49484..a9081dd3f 100644
--- a/app/controllers/organisations_controller.rb
+++ b/app/controllers/organisations_controller.rb
@@ -22,7 +22,7 @@ class OrganisationsController < ApplicationController
 private
 
 def authenticate_scope!
- head :unauthorized if current_user.organisation != @organisation
+ head :not_found if current_user.organisation != @organisation
 end
 
 def find_resource
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 45a075f80..9ebdae068 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -56,6 +56,6 @@ private
 end
 
 def authenticate_scope!
- head :unauthorized if current_user != @user
+ head :not_found if current_user != @user
 end
 end
diff --git a/spec/requests/organisations_controller_spec.rb b/spec/requests/organisations_controller_spec.rb
index 5e46d277d..8782aa3e2 100644
--- a/spec/requests/organisations_controller_spec.rb
+++ b/spec/requests/organisations_controller_spec.rb
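Review bot: The move from `head :unauthorized` to `head :not_found` in `authenticate_scope!` reads as a deliberate choice to answer an out-of-scope signed-in user with 404 instead of the semantically expected 403, so that the response does not confirm the organisation id exists, but nothing in the code records that intent; a comment above the `head` such as `# 404 rather than 403: do not confirm to an out-of-scope user that this organisation exists` would stop a later reader "correcting" it to `:forbidden`. The same change is made to `authenticate_scope!` in users_controller.rb and would take the same comment. Both guards only work if `@organisation` / `@user` have already been assigned by `find_resource` (whose definition begins on this hunk's last line and continues outside it); if the before_action order ever puts the scope check first, the comparison against nil is always true and every request gets 404, which is worth pinning with a request spec for the signed-in, wrong-organisation case. The `before_action` declarations that wire these private methods in are outside both hunks, so the ordering cannot be confirmed from the diff.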
@@ -5,161 +5,175 @@ RSpec.describe OrganisationsController, type: :request do let(:unauthorised_organisation) { FactoryBot.create(:organisation) } let(:headers) { { "Accept" => "text/html" } } let(:page) { Capybara::Node::Simple.new(response.body) } + let(:user) { FactoryBot.create(:user, :data_coordinator) } - describe "#show" do - let(:user) { FactoryBot.create(:user, :data_coordinator) } + context "a not signed in user" do + it "does not let you see organisation details" do + get "/organisations/#{organisation.id}", headers: headers, params: {} + expect(response).to redirect_to("/users/sign-in") - context "organisation that the user belongs to" do - before do - sign_in user - get "/organisations/#{organisation.id}", headers: headers, params: {} - end - - it "redirects to details" do - expect(response).to have_http_status(:redirect) - end + get "/organisations/#{organisation.id}/details", headers: headers, params: {} + expect(response).to redirect_to("/users/sign-in") end - context "organisation that are not in scope for the user, i.e. that they do not belong to" do - before do - sign_in user - get "/organisations/#{unauthorised_organisation.id}", headers: headers, params: {} - end - - it "returns unauthorised from org route" do - expect(response).to have_http_status(:unauthorized) - end + it "does not let you see organisation users" do + get "/organisations/#{organisation.id}/users", headers: headers, params: {} + expect(response).to redirect_to("/users/sign-in") end end - context "As a data coordinator user" do - let(:user) { FactoryBot.create(:user, :data_coordinator) } - - context "details tab" do + context "a signed in user" do + describe "#show" do context "organisation that the user belongs to" do before do sign_in user - get "/organisations/#{organisation.id}/details", headers: headers, params: {} - end - - it "shows the tab navigation" do - expected_html = "