
Scope auth for org pages

pull/143/head
baarkerlounger 4 years ago
parent
commit
b2de048183
  1. 5
      app/controllers/organisations_controller.rb
  2. 53
      spec/requests/organisations_controller_spec.rb

5
app/controllers/organisations_controller.rb

@ -1,6 +1,7 @@
class OrganisationsController < ApplicationController class OrganisationsController < ApplicationController
before_action :authenticate_user! before_action :authenticate_user!
before_action :find_organisation before_action :find_organisation
before_action :authenticate_scope!
def show def show
redirect_to details_organisation_path(@organisation) redirect_to details_organisation_path(@organisation)
@ -20,6 +21,10 @@ class OrganisationsController < ApplicationController
private private
def authenticate_scope!
head :unauthorized if current_user.organisation != @organisation
end
def find_organisation def find_organisation
@organisation = Organisation.find(params[:id]) @organisation = Organisation.find(params[:id])
end end
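Review bot: `head :unauthorized` in `authenticate_scope!` answers a user who is signed in but belongs to another organisation with 401, the status the `authenticate_user!` filter on the line above already uses (in the default Devise setup) for "not signed in"; an authenticated-but-not-permitted request is conventionally 403, so `head :forbidden if current_user.organisation != @organisation` would keep the two failure modes distinguishable to clients and logs. Because `find_organisation` runs first and `Organisation.find` raises `ActiveRecord::RecordNotFound` (presumably rendered as 404), a caller outside the organisation can still tell an existing id from a non-existent one by the status code; if organisation ids are not meant to be enumerable, answering both cases with `head :not_found` would close that, at the cost of the `:unauthorized` expectations in the new spec contexts. Whichever status is chosen, a one-line comment on the filter, such as `# Deny access to organisations other than the current user's own`, would record the intent. The class body continues outside both hunks, so the actions this filter protects are not visible here.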

53
spec/requests/organisations_controller_spec.rb

@ -2,12 +2,14 @@ require "rails_helper"
RSpec.describe OrganisationsController, type: :request do RSpec.describe OrganisationsController, type: :request do
let(:organisation) { user.organisation } let(:organisation) { user.organisation }
let(:unauthorised_organisation) { FactoryBot.create(:organisation) }
let(:headers) { { "Accept" => "text/html" } } let(:headers) { { "Accept" => "text/html" } }
let(:page) { Capybara::Node::Simple.new(response.body) } let(:page) { Capybara::Node::Simple.new(response.body) }
describe "#show" do describe "#show" do
let(:user) { FactoryBot.create(:user, :data_coordinator) } let(:user) { FactoryBot.create(:user, :data_coordinator) }
context "organisation that the user belongs to" do
before do before do
sign_in user sign_in user
get "/organisations/#{organisation.id}", headers: headers, params: {} get "/organisations/#{organisation.id}", headers: headers, params: {}
@ -18,10 +20,23 @@ RSpec.describe OrganisationsController, type: :request do
end end
end end
context "organisation that are not in scope for the user, i.e. that they do not belong to" do
before do
sign_in user
get "/organisations/#{unauthorised_organisation.id}", headers: headers, params: {}
end
it "returns unauthorised from org route" do
expect(response).to have_http_status(:unauthorized)
end
end
end
context "As a data coordinator user" do context "As a data coordinator user" do
let(:user) { FactoryBot.create(:user, :data_coordinator) } let(:user) { FactoryBot.create(:user, :data_coordinator) }
context "details tab" do context "details tab" do
context "organisation that the user belongs to" do
before do before do
sign_in user sign_in user
get "/organisations/#{organisation.id}/details", headers: headers, params: {} get "/organisations/#{organisation.id}/details", headers: headers, params: {}
@ -44,7 +59,20 @@ RSpec.describe OrganisationsController, type: :request do
end end
end end
context "organisation that are not in scope for the user, i.e. that they do not belong to" do
before do
sign_in user
get "/organisations/#{unauthorised_organisation.id}/details", headers: headers, params: {}
end
it "returns unauthorised from org details route" do
expect(response).to have_http_status(:unauthorized)
end
end
end
context "users tab" do context "users tab" do
context "organisation that the user belongs to" do
before do before do
sign_in user sign_in user
get "/organisations/#{organisation.id}/users", headers: headers, params: {} get "/organisations/#{organisation.id}/users", headers: headers, params: {}
@ -70,12 +98,25 @@ RSpec.describe OrganisationsController, type: :request do
expect(response.body).to include(expected_html) expect(response.body).to include(expected_html)
end end
end end
context "organisation that are not in scope for the user, i.e. that they do not belong to" do
before do
sign_in user
get "/organisations/#{unauthorised_organisation.id}/users", headers: headers, params: {}
end
it "returns unauthorised from users page" do
expect(response).to have_http_status(:unauthorized)
end
end
end
end end
context "As a data provider user" do context "As a data provider user" do
let(:user) { FactoryBot.create(:user) } let(:user) { FactoryBot.create(:user) }
context "details tab" do context "details tab" do
context "organisation that the user belongs to" do
before do before do
sign_in user sign_in user
get "/organisations/#{organisation.id}/details", headers: headers, params: {} get "/organisations/#{organisation.id}/details", headers: headers, params: {}
@ -98,6 +139,18 @@ RSpec.describe OrganisationsController, type: :request do
end end
end end
context "organisation that are not in scope for the user, i.e. that they do not belong to" do
before do
sign_in user
get "/organisations/#{unauthorised_organisation.id}/details", headers: headers, params: {}
end
it "returns unauthorised" do
expect(response).to have_http_status(:unauthorized)
end
end
end
context "users tab" do context "users tab" do
before do before do
sign_in user sign_in user
