From d2ba1079374143f55e86f90cd4c63d053ecf19d6 Mon Sep 17 00:00:00 2001
From: baarkerlounger
Date: Mon, 29 Nov 2021 14:13:28 +0000
Subject: [PATCH] Case log index page only shows your organisations case logs

---
 app/controllers/case_logs_controller.rb | 4 +-
 spec/requests/case_log_controller_spec.rb | 65 +++++++++++++++++------
 spec/support/controller_macros.rb | 7 ---
 3 files changed, 52 insertions(+), 24 deletions(-)

diff --git a/app/controllers/case_logs_controller.rb b/app/controllers/case_logs_controller.rb
index 0f4ca0cab..f9b25bf8d 100644
--- a/app/controllers/case_logs_controller.rb
+++ b/app/controllers/case_logs_controller.rb
@@ -4,8 +4,8 @@ class CaseLogsController < ApplicationController
   before_action :authenticate_user!, unless: :json_api_request?
 
   def index
-    @completed_case_logs = CaseLog.completed
-    @in_progress_case_logs = CaseLog.not_completed
+    @completed_case_logs = current_user.completed_case_logs
+    @in_progress_case_logs = current_user.not_completed_case_logs
   end
 
   def create
diff --git a/spec/requests/case_log_controller_spec.rb b/spec/requests/case_log_controller_spec.rb
index f8956f5b0..69fadc562 100644
--- a/spec/requests/case_log_controller_spec.rb
+++ b/spec/requests/case_log_controller_spec.rb
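Review bot: The two added lines in `index` dereference `current_user` unconditionally, yet the `authenticate_user!` before_action two lines above is skipped whenever `json_api_request?` is true, so if that predicate can hold for a request to this action (its definition is outside the hunk) an unauthenticated JSON client now gets a NoMethodError and a 500 instead of an authentication failure — and before this change the same path returned every organisation's logs, which is the exposure this commit closes. Make the intent explicit rather than relying on the exception: either exclude `index` from the `unless:` exemption or open the action with a guard such as `return head :unauthorized unless current_user`, and cover the JSON path with a request spec. The `completed_case_logs` / `not_completed_case_logs` scopes the new lines call are not in this diff; confirm they filter on the user's organisation rather than merely wrapping the old `CaseLog.completed` / `CaseLog.not_completed` class scopes.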
@@ -113,27 +113,62 @@ RSpec.describe CaseLogsController, type: :request do
   end
 
   describe "GET" do
-    let(:case_log) { FactoryBot.create(:case_log, :completed) }
-    let(:id) { case_log.id }
+    context "collection" do
+      let(:user) { FactoryBot.create(:user) }
+      let(:organisation) { user.organisation }
+      let(:other_organisation) { FactoryBot.create(:organisation) }
+      let!(:case_log) do
+        FactoryBot.create(
+          :case_log,
+          owning_organisation: organisation,
+          managing_organisation: organisation,
+        )
+      end
+      let!(:unauthorized_case_log) do
+        FactoryBot.create(
+          :case_log,
+          owning_organisation: other_organisation,
+          managing_organisation: other_organisation,
+        )
+      end
+      let(:headers) { { "Accept" => "text/html" } }
 
-    before do
-      get "/case_logs/#{id}", headers: headers
-    end
+      before do
+        sign_in user
+        get "/case_logs", headers: headers, params: {}
+      end
 
-    it "returns http success" do
-      expect(response).to have_http_status(:success)
+      it "only shows case logs for your organisation" do
+        expected_case_row_log = "#{case_log.id}"
+        unauthorized_case_row_log = "#{unauthorized_case_log.id}"
+        expect(CGI.unescape_html(response.body)).to include(expected_case_row_log)
+        expect(CGI.unescape_html(response.body)).not_to include(unauthorized_case_row_log)
+      end
     end
 
-    it "returns a serialized Case Log" do
-      json_response = JSON.parse(response.body)
-      expect(json_response["status"]).to eq(case_log.status)
-    end
+    context "member" do
+      let(:case_log) { FactoryBot.create(:case_log, :completed) }
+      let(:id) { case_log.id }
 
-    context "invalid case log id" do
-      let(:id) { (CaseLog.order(:id).last&.id || 0) + 1 }
+      before do
+        get "/case_logs/#{id}", headers: headers
+      end
 
-      it "returns 404" do
-        expect(response).to have_http_status(:not_found)
+      it "returns http success" do
+        expect(response).to have_http_status(:success)
+      end
+
+      it "returns a serialized Case Log" do
+        json_response = JSON.parse(response.body)
+        expect(json_response["status"]).to eq(case_log.status)
+      end
+
+      context "invalid case log id" do
+        let(:id) { (CaseLog.order(:id).last&.id || 0) + 1 }
+
+        it "returns 404" do
+          expect(response).to have_http_status(:not_found)
+        end
       end
     end
   end
diff --git a/spec/support/controller_macros.rb b/spec/support/controller_macros.rb
index 5111be2b5..813af85f1 100644
--- a/spec/support/controller_macros.rb
+++ b/spec/support/controller_macros.rb
@@ -1,11 +1,4 @@
 module ControllerMacros
-  # def login_admin
-  #   before(:each) do
-  #     @request.env["devise.mapping"] = Devise.mappings[:admin]
-  #     sign_in FactoryBot.create(:admin) # Using factory bot as an example
-  #   end
-  # end
-
   def login_user
     before(:each) do
       @request.env["devise.mapping"] = Devise.mappings[:user]