diff --git a/app/controllers/case_logs_controller.rb b/app/controllers/case_logs_controller.rb
index 0f4ca0cab..f9b25bf8d 100644
--- a/app/controllers/case_logs_controller.rb
+++ b/app/controllers/case_logs_controller.rb
@@ -4,8 +4,8 @@ class CaseLogsController < ApplicationController
before_action :authenticate_user!, unless: :json_api_request?
def index
- @completed_case_logs = CaseLog.completed
- @in_progress_case_logs = CaseLog.not_completed
+ @completed_case_logs = current_user.completed_case_logs
+ @in_progress_case_logs = current_user.not_completed_case_logs
end
def create
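Review bot: `current_user` can be nil on this path when `json_api_request?` is true, because line 6 skips `authenticate_user!` for those requests; `current_user.completed_case_logs` on the new line 10 would then raise NoMethodError (a 500) instead of an explicit 401, unless JSON API requests populate `current_user` through a mechanism outside this hunk. A guard such as `return head :unauthorized unless current_user` at the top of `index`, or applying authentication to the JSON path too, would make the failure mode deliberate. The organisation scoping is applied only to `index`; the member action (`show`) is outside this hunk, and the request spec in this commit still fetches a case log with no organisation tie and no signed-in user, so confirm that route is scoped the same way. The enclosing class starts outside the hunk.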
diff --git a/spec/requests/case_log_controller_spec.rb b/spec/requests/case_log_controller_spec.rb
index f8956f5b0..69fadc562 100644
--- a/spec/requests/case_log_controller_spec.rb
+++ b/spec/requests/case_log_controller_spec.rb
@@ -113,27 +113,62 @@ RSpec.describe CaseLogsController, type: :request do
end
describe "GET" do
- let(:case_log) { FactoryBot.create(:case_log, :completed) }
- let(:id) { case_log.id }
+ context "collection" do
+ let(:user) { FactoryBot.create(:user) }
+ let(:organisation) { user.organisation }
+ let(:other_organisation) { FactoryBot.create(:organisation) }
+ let!(:case_log) do
+ FactoryBot.create(
+ :case_log,
+ owning_organisation: organisation,
+ managing_organisation: organisation,
+ )
+ end
+ let!(:unauthorized_case_log) do
+ FactoryBot.create(
+ :case_log,
+ owning_organisation: other_organisation,
+ managing_organisation: other_organisation,
+ )
+ end
+ let(:headers) { { "Accept" => "text/html" } }
- before do
- get "/case_logs/#{id}", headers: headers
- end
+ before do
+ sign_in user
+ get "/case_logs", headers: headers, params: {}
+ end
- it "returns http success" do
- expect(response).to have_http_status(:success)
+ it "only shows case logs for your organisation" do
+ expected_case_row_log = "#{case_log.id}"
+ unauthorized_case_row_log = "#{unauthorized_case_log.id}"
+ expect(CGI.unescape_html(response.body)).to include(expected_case_row_log)
+ expect(CGI.unescape_html(response.body)).not_to include(unauthorized_case_row_log)
+ end
end
- it "returns a serialized Case Log" do
- json_response = JSON.parse(response.body)
- expect(json_response["status"]).to eq(case_log.status)
- end
+ context "member" do
+ let(:case_log) { FactoryBot.create(:case_log, :completed) }
+ let(:id) { case_log.id }
- context "invalid case log id" do
- let(:id) { (CaseLog.order(:id).last&.id || 0) + 1 }
+ before do
+ get "/case_logs/#{id}", headers: headers
+ end
- it "returns 404" do
- expect(response).to have_http_status(:not_found)
+ it "returns http success" do
+ expect(response).to have_http_status(:success)
+ end
+
+ it "returns a serialized Case Log" do
+ json_response = JSON.parse(response.body)
+ expect(json_response["status"]).to eq(case_log.status)
+ end
+
+ context "invalid case log id" do
+ let(:id) { (CaseLog.order(:id).last&.id || 0) + 1 }
+
+ it "returns 404" do
+ expect(response).to have_http_status(:not_found)
+ end
end
end
end
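Review bot: The assertions on lines 52–55 match a bare integer id against the whole HTML body, so `include("#{case_log.id}")` can pass on any unrelated number in the page and `not_to include("#{unauthorized_case_log.id}")` can fail on one (a low id such as `1` or `2` also appears in dates, counts and markup). Asserting on a token unique to a row, e.g. `expect(CGI.unescape_html(response.body)).to include("/case_logs/#{case_log.id}")` with the matching `not_to` for the unauthorized log (assuming the listing links to each log), would make the organisation-scoping check meaningful. The `params: {}` on line 47 is redundant for a GET with no query string and can be dropped. The `headers` let on line 41 presumably shadows one defined above the hunk; if the member context on lines 62–88 relies on that outer definition, a short comment saying so would help the next reader.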
diff --git a/spec/support/controller_macros.rb b/spec/support/controller_macros.rb
index 5111be2b5..813af85f1 100644
--- a/spec/support/controller_macros.rb
+++ b/spec/support/controller_macros.rb
@@ -1,11 +1,4 @@
module ControllerMacros
- # def login_admin
- # before(:each) do
- # @request.env["devise.mapping"] = Devise.mappings[:admin]
- # sign_in FactoryBot.create(:admin) # Using factory bot as an example
- # end
- # end
-
def login_user
before(:each) do
@request.env["devise.mapping"] = Devise.mappings[:user]