
Consistently return not found for scoped auth

pull/143/head
baarkerlounger 4 years ago
parent
commit
a6e5deff52
  1. 2
      app/controllers/organisations_controller.rb
  2. 2
      app/controllers/users_controller.rb
  3. 40
      spec/requests/organisations_controller_spec.rb
  4. 43
      spec/requests/user_controller_spec.rb

2
app/controllers/organisations_controller.rb

@ -22,7 +22,7 @@ class OrganisationsController < ApplicationController
private private
def authenticate_scope! def authenticate_scope!
head :unauthorized if current_user.organisation != @organisation head :not_found if current_user.organisation != @organisation
end end
def find_resource def find_resource
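Review bot: The two 404 paths are still distinguishable by body: `head :not_found` on the changed line sends an empty response, whereas an unknown id failing in `find_resource` (cut off at the end of the hunk) presumably raises `ActiveRecord::RecordNotFound`, which Rails renders as the public/404.html page in production. An attacker can therefore still tell "exists but not mine" from "does not exist", which is the enumeration channel this commit is meant to close; consider routing both through one handler, e.g. `raise ActiveRecord::RecordNotFound if current_user.organisation != @organisation`, or rescuing `RecordNotFound` with the same `head :not_found`. Either way the intent should be recorded on the method: `# 404 rather than 403 on purpose: do not confirm that the organisation exists to users outside it.` This also assumes `authenticate_user!` runs before this filter, since `current_user.organisation` would raise on a nil user; the spec in this commit covers the unauthenticated redirect, so that appears to hold.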

2
app/controllers/users_controller.rb

@ -56,6 +56,6 @@ private
end end
def authenticate_scope! def authenticate_scope!
head :unauthorized if current_user != @user head :not_found if current_user != @user
end end
end end
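Review bot: `authenticate_scope!` on the changed line answers 404 for a signed-in user viewing someone else's record, but nothing says this is deliberate, and a later maintainer is likely to "correct" it back to 403; add `# 404 rather than 403 on purpose: do not confirm that another user id exists.` above the `head`. The comparison `current_user != @user` relies on ActiveRecord `==` (class plus id), which is fine; when `@user` is nil (`find_resource` is outside the hunk, so I cannot see whether it raises or returns nil) the condition is true and the caller still gets a 404, which is the right fallback. A raise-path 404 and this `head :not_found` produce different bodies, so the two cases remain distinguishable unless both go through a single handler.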

40
spec/requests/organisations_controller_spec.rb

@ -5,10 +5,25 @@ RSpec.describe OrganisationsController, type: :request do
let(:unauthorised_organisation) { FactoryBot.create(:organisation) } let(:unauthorised_organisation) { FactoryBot.create(:organisation) }
let(:headers) { { "Accept" => "text/html" } } let(:headers) { { "Accept" => "text/html" } }
let(:page) { Capybara::Node::Simple.new(response.body) } let(:page) { Capybara::Node::Simple.new(response.body) }
describe "#show" do
let(:user) { FactoryBot.create(:user, :data_coordinator) } let(:user) { FactoryBot.create(:user, :data_coordinator) }
context "a not signed in user" do
it "does not let you see organisation details" do
get "/organisations/#{organisation.id}", headers: headers, params: {}
expect(response).to redirect_to("/users/sign-in")
get "/organisations/#{organisation.id}/details", headers: headers, params: {}
expect(response).to redirect_to("/users/sign-in")
end
it "does not let you see organisation users" do
get "/organisations/#{organisation.id}/users", headers: headers, params: {}
expect(response).to redirect_to("/users/sign-in")
end
end
context "a signed in user" do
describe "#show" do
context "organisation that the user belongs to" do context "organisation that the user belongs to" do
before do before do
sign_in user sign_in user
@ -26,15 +41,13 @@ RSpec.describe OrganisationsController, type: :request do
get "/organisations/#{unauthorised_organisation.id}", headers: headers, params: {} get "/organisations/#{unauthorised_organisation.id}", headers: headers, params: {}
end end
it "returns unauthorised from org route" do it "returns not found 404 from org route" do
expect(response).to have_http_status(:unauthorized) expect(response).to have_http_status(:not_found)
end end
end end
end end
context "As a data coordinator user" do context "As a data coordinator user" do
let(:user) { FactoryBot.create(:user, :data_coordinator) }
context "details tab" do context "details tab" do
context "organisation that the user belongs to" do context "organisation that the user belongs to" do
before do before do
@ -65,8 +78,8 @@ RSpec.describe OrganisationsController, type: :request do
get "/organisations/#{unauthorised_organisation.id}/details", headers: headers, params: {} get "/organisations/#{unauthorised_organisation.id}/details", headers: headers, params: {}
end end
it "returns unauthorised from org details route" do it "returns not found 404 from org details route" do
expect(response).to have_http_status(:unauthorized) expect(response).to have_http_status(:not_found)
end end
end end
end end
@ -105,8 +118,8 @@ RSpec.describe OrganisationsController, type: :request do
get "/organisations/#{unauthorised_organisation.id}/users", headers: headers, params: {} get "/organisations/#{unauthorised_organisation.id}/users", headers: headers, params: {}
end end
it "returns unauthorised from users page" do it "returns not found 404 from users page" do
expect(response).to have_http_status(:unauthorized) expect(response).to have_http_status(:not_found)
end end
end end
end end
@ -145,8 +158,8 @@ RSpec.describe OrganisationsController, type: :request do
get "/organisations/#{unauthorised_organisation.id}/details", headers: headers, params: {} get "/organisations/#{unauthorised_organisation.id}/details", headers: headers, params: {}
end end
it "returns unauthorised" do it "returns not found 404" do
expect(response).to have_http_status(:unauthorized) expect(response).to have_http_status(:not_found)
end end
end end
end end
@ -157,9 +170,10 @@ RSpec.describe OrganisationsController, type: :request do
get "/organisations/#{organisation.id}/users", headers: headers, params: {} get "/organisations/#{organisation.id}/users", headers: headers, params: {}
end end
it "should return unauthorised 401" do it "should return unauthorized 401" do
expect(response).to have_http_status(:unauthorized) expect(response).to have_http_status(:unauthorized)
end end
end end
end end
end
end end
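Review bot: The new `expect(response).to have_http_status(:not_found)` assertions for the org, details and users routes pin only the status; because the controller now answers with `head :not_found`, the body must be empty, and asserting that is what actually proves no organisation data leaks past the scope check — add `expect(response.body).to be_empty` beside each of them. The data-provider example at the end of the section keeps `have_http_status(:unauthorized)` for a signed-in user on their own organisation's users page; 401 means "not authenticated", so if that branch is a role check it should be 403 (its controller code is not in this diff, so I cannot confirm). The unauthenticated `it` blocks issue two requests in one example, which hides which route regressed in failure output; one example per route is clearer.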

43
spec/requests/user_controller_spec.rb

@ -6,6 +6,30 @@ RSpec.describe UsersController, type: :request do
let(:unauthorised_user) { FactoryBot.create(:user) } let(:unauthorised_user) { FactoryBot.create(:user) }
let(:headers) { { "Accept" => "text/html" } } let(:headers) { { "Accept" => "text/html" } }
let(:page) { Capybara::Node::Simple.new(response.body) } let(:page) { Capybara::Node::Simple.new(response.body) }
let(:new_value) { "new test name" }
let(:params) { { id: user.id, user: { name: new_value } } }
context "a not signed in user" do
it "does not let you see user details" do
get "/users/#{user.id}", headers: headers, params: {}
expect(response).to redirect_to("/users/sign-in")
end
it "does not let you edit user details" do
get "/users/#{user.id}/edit", headers: headers, params: {}
expect(response).to redirect_to("/users/sign-in")
end
it "does not let you edit user passwords" do
get "/users/#{user.id}/password/edit", headers: headers, params: {}
expect(response).to redirect_to("/users/sign-in")
end
it "does not let you update user details" do
patch "/case-logs/#{user.id}", params: {}
expect(response).to redirect_to("/users/sign-in")
end
end
describe "#show" do describe "#show" do
context "current user is user" do context "current user is user" do
@ -25,8 +49,8 @@ RSpec.describe UsersController, type: :request do
get "/users/#{unauthorised_user.id}", headers: headers, params: {} get "/users/#{unauthorised_user.id}", headers: headers, params: {}
end end
it "returns unauthorised 401" do it "returns not found 404" do
expect(response).to have_http_status(:unauthorized) expect(response).to have_http_status(:not_found)
end end
end end
end end
@ -49,8 +73,8 @@ RSpec.describe UsersController, type: :request do
get "/users/#{unauthorised_user.id}/edit", headers: headers, params: {} get "/users/#{unauthorised_user.id}/edit", headers: headers, params: {}
end end
it "returns unauthorised 401" do it "returns not found 404" do
expect(response).to have_http_status(:unauthorized) expect(response).to have_http_status(:not_found)
end end
end end
end end
@ -73,16 +97,13 @@ RSpec.describe UsersController, type: :request do
get "/users/#{unauthorised_user.id}/edit", headers: headers, params: {} get "/users/#{unauthorised_user.id}/edit", headers: headers, params: {}
end end
it "returns unauthorised 401" do it "returns not found 404" do
expect(response).to have_http_status(:unauthorized) expect(response).to have_http_status(:not_found)
end end
end end
end end
describe "#update" do describe "#update" do
let(:new_value) { "new test name" }
let(:params) { { id: user.id, user: { name: new_value } } }
context "current user is user" do context "current user is user" do
before do before do
sign_in user sign_in user
@ -103,8 +124,8 @@ RSpec.describe UsersController, type: :request do
patch "/users/#{unauthorised_user.id}", headers: headers, params: params patch "/users/#{unauthorised_user.id}", headers: headers, params: params
end end
it "returns unauthorised 401" do it "returns not found 404" do
expect(response).to have_http_status(:unauthorized) expect(response).to have_http_status(:not_found)
end end
end end
end end
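Review bot: The unauthenticated update example `patch "/case-logs/#{user.id}", params: {}` hits the case-logs route rather than `UsersController#update`, so it never exercises the scope being tested and passes only because that other controller also redirects anonymous requests. It should be `patch "/users/#{user.id}", headers: headers, params: params`, matching the signed-in update example later in the file. The 404 expectations elsewhere in the section check only the status; adding `expect(response.body).to be_empty` would show that `head :not_found` reveals nothing about the other user.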
