From b2de0481836ec79dac8f89e3551d54ac510bfce2 Mon Sep 17 00:00:00 2001
From: baarkerlounger
Date: Thu, 2 Dec 2021 17:46:01 +0000
Subject: [PATCH] Scope auth for org pages

---
 app/controllers/organisations_controller.rb | 5 +
 .../requests/organisations_controller_spec.rb | 167 ++++++++++++------
 2 files changed, 115 insertions(+), 57 deletions(-)

diff --git a/app/controllers/organisations_controller.rb b/app/controllers/organisations_controller.rb
index dcf1aa34a..5fe12e732 100644
--- a/app/controllers/organisations_controller.rb
+++ b/app/controllers/organisations_controller.rb
@@ -1,6 +1,7 @@
 class OrganisationsController < ApplicationController
 before_action :authenticate_user!
 before_action :find_organisation
+ before_action :authenticate_scope!
 
 def show
 redirect_to details_organisation_path(@organisation)
@@ -20,6 +21,10 @@ class OrganisationsController < ApplicationController
 
 private
 
+ def authenticate_scope!
+ head :unauthorized if current_user.organisation != @organisation
+ end
+
 def find_organisation
 @organisation = Organisation.find(params[:id])
 end
diff --git a/spec/requests/organisations_controller_spec.rb b/spec/requests/organisations_controller_spec.rb
index be49b8c9d..5e46d277d 100644
--- a/spec/requests/organisations_controller_spec.rb
+++ b/spec/requests/organisations_controller_spec.rb
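Review bot: `authenticate_scope!` in the second hunk answers a scope mismatch with 401, but the request has already passed `authenticate_user!`, so a signed-in user reaching another organisation's page is a permission failure, which HTTP expresses as 403: `head :forbidden if current_user.organisation != @organisation` (with the spec's `have_http_status(:unauthorized)` following suit). A 401 tells Devise and browsers that credentials are missing or stale, which is not the case here. The method also depends on `find_organisation` having run first, since it reads `@organisation`, and only the `before_action` order in the first hunk guarantees that; a comment such as `# Must run after find_organisation: compares the loaded @organisation with the current user's.` would make the coupling visible. Note too that a foreign organisation id now gets this status while a nonexistent one still gets 404 from `Organisation.find`, so the two cases stay distinguishable; scoping the lookup to `current_user.organisation` would make them behave the same if that matters. The class continues outside both hunks.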
@@ -2,19 +2,33 @@ require "rails_helper"
 
 RSpec.describe OrganisationsController, type: :request do
 let(:organisation) { user.organisation }
+ let(:unauthorised_organisation) { FactoryBot.create(:organisation) }
 let(:headers) { { "Accept" => "text/html" } }
 let(:page) { Capybara::Node::Simple.new(response.body) }
 
 describe "#show" do
 let(:user) { FactoryBot.create(:user, :data_coordinator) }
 
- before do
- sign_in user
- get "/organisations/#{organisation.id}", headers: headers, params: {}
+ context "organisation that the user belongs to" do
+ before do
+ sign_in user
+ get "/organisations/#{organisation.id}", headers: headers, params: {}
+ end
+
+ it "redirects to details" do
+ expect(response).to have_http_status(:redirect)
+ end
 end
 
- it "redirects to details" do
- expect(response).to have_http_status(:redirect)
+ context "organisation that are not in scope for the user, i.e. that they do not belong to" do
+ before do
+ sign_in user
+ get "/organisations/#{unauthorised_organisation.id}", headers: headers, params: {}
+ end
+
+ it "returns unauthorised from org route" do
+ expect(response).to have_http_status(:unauthorized)
+ end
 end
 end
 
@@ -22,52 +36,78 @@ RSpec.describe OrganisationsController, type: :request do
 let(:user) { FactoryBot.create(:user, :data_coordinator) }
 
 context "details tab" do
- before do
- sign_in user
- get "/organisations/#{organisation.id}/details", headers: headers, params: {}
+ context "organisation that the user belongs to" do
+ before do
+ sign_in user
+ get "/organisations/#{organisation.id}/details", headers: headers, params: {}
+ end
+
+ it "shows the tab navigation" do
+ expected_html = "
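Review bot: The second context's description in this hunk, `organisation that are not in scope for the user, i.e. that they do not belong to`, is ungrammatical and will print that way in the spec output; `"organisation that is not in scope for the user, i.e. one they do not belong to"` reads cleanly. Both contexts repeat `sign_in user` in their own `before` blocks; hoisting it into a single `before { sign_in user }` on `describe "#show"` leaves each context with only the request it actually differs by. The same duplication appears to recur in the details-tab hunk that follows, though that hunk is cut off here.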