Case log index page only shows your organisations case logs

app/controllers/case_logs_controller.rb

@@ -4,8 +4,8 @@ class CaseLogsController < ApplicationController
   before_action :authenticate_user!, unless: :json_api_request?
 
   def index
-    @completed_case_logs = CaseLog.completed
-    @in_progress_case_logs = CaseLog.not_completed
+    @completed_case_logs = current_user.completed_case_logs
+    @in_progress_case_logs = current_user.not_completed_case_logs
   end
 
   def create

spec/requests/case_log_controller_spec.rb

@@ -113,27 +113,62 @@ RSpec.describe CaseLogsController, type: :request do
   end
 
   describe "GET" do
-    let(:case_log) { FactoryBot.create(:case_log, :completed) }
-    let(:id) { case_log.id }
+    context "collection" do
+      let(:user) { FactoryBot.create(:user) }
+      let(:organisation) { user.organisation }
+      let(:other_organisation) { FactoryBot.create(:organisation) }
+      let!(:case_log) do
+        FactoryBot.create(
+          :case_log,
+          owning_organisation: organisation,
+          managing_organisation: organisation,
+        )
+      end
+      let!(:unauthorized_case_log) do
+        FactoryBot.create(
+          :case_log,
+          owning_organisation: other_organisation,
+          managing_organisation: other_organisation,
+        )
+      end
+      let(:headers) { { "Accept" => "text/html" } }
 
-    before do
-      get "/case_logs/#{id}", headers: headers
-    end
+      before do
+        sign_in user
+        get "/case_logs", headers: headers, params: {}
+      end
 
-    it "returns http success" do
-      expect(response).to have_http_status(:success)
+      it "only shows case logs for your organisation" do
+        expected_case_row_log = "<a class=\"govuk-link\" href=\"/case_logs/#{case_log.id}\">#{case_log.id}</a>"
+        unauthorized_case_row_log = "<a class=\"govuk-link\" href=\"/case_logs/#{unauthorized_case_log.id}\">#{unauthorized_case_log.id}</a>"
+        expect(CGI.unescape_html(response.body)).to include(expected_case_row_log)
+        expect(CGI.unescape_html(response.body)).not_to include(unauthorized_case_row_log)
+      end
     end
 
-    it "returns a serialized Case Log" do
-      json_response = JSON.parse(response.body)
-      expect(json_response["status"]).to eq(case_log.status)
-    end
+    context "member" do
+      let(:case_log) { FactoryBot.create(:case_log, :completed) }
+      let(:id) { case_log.id }
 
-    context "invalid case log id" do
-      let(:id) { (CaseLog.order(:id).last&.id || 0) + 1 }
+      before do
+        get "/case_logs/#{id}", headers: headers
+      end
 
-      it "returns 404" do
-        expect(response).to have_http_status(:not_found)
+      it "returns http success" do
+        expect(response).to have_http_status(:success)
+      end
+
+      it "returns a serialized Case Log" do
+        json_response = JSON.parse(response.body)
+        expect(json_response["status"]).to eq(case_log.status)
+      end
+
+      context "invalid case log id" do
+        let(:id) { (CaseLog.order(:id).last&.id || 0) + 1 }
+
+        it "returns 404" do
+          expect(response).to have_http_status(:not_found)
+        end
       end
     end
   end

spec/support/controller_macros.rb

@@ -1,11 +1,4 @@
 module ControllerMacros
-  # def login_admin
-  #   before(:each) do
-  #     @request.env["devise.mapping"] = Devise.mappings[:admin]
-  #     sign_in FactoryBot.create(:admin) # Using factory bot as an example
-  #   end
-  # end
-
   def login_user
     before(:each) do
       @request.env["devise.mapping"] = Devise.mappings[:user]