Authenticate scope

3 years ago · 15e4c3eed3
2 changed files with 47 additions and 15 deletions
--- a/app/controllers/merge_requests_controller.rb
+++ b/app/controllers/merge_requests_controller.rb
@ -1,6 +1,7 @@
 class MergeRequestsController < ApplicationController
-  before_action :authenticate_user!
  before_action :find_resource, only: %i[update organisations update_organisations remove_merging_organisation]
+  before_action :authenticate_user!
+  before_action :authenticate_scope!, except: [:create]

  def create
    @merge_request = MergeRequest.create!(merge_request_params)
@ -72,4 +73,10 @@ private
  def previous_template
    :organisations
  end
+
+  def authenticate_scope!
+    if current_user.organisation != @merge_request.requesting_organisation && !current_user.support?
+      render_not_found
+    end
+  end
 end
--- a/spec/requests/merge_requests_controller_spec.rb
+++ b/spec/requests/merge_requests_controller_spec.rb
@ -8,6 +8,7 @@ RSpec.describe MergeRequestsController, type: :request do
  let(:user) { FactoryBot.create(:user, :data_coordinator) }
  let(:support_user) { FactoryBot.create(:user, :support, organisation:) }
  let(:merge_request) { MergeRequest.create!(requesting_organisation: organisation) }
+  let(:other_merge_request) { MergeRequest.create!(requesting_organisation: other_organisation) }

  context "when user is signed in with a data coordinator user" do
    before do
@ -17,6 +18,7 @@ RSpec.describe MergeRequestsController, type: :request do
    describe "#organisations" do
      let(:params) { { merge_request: { requesting_organisation_id: "9" } } }

+      context "when creating a new merge request" do
        before do
          organisation.update!(name: "Test Org")
          post "/merge-request", headers:, params:
@ -40,6 +42,29 @@ RSpec.describe MergeRequestsController, type: :request do
        end
      end

+      context "when viewing existing merge request" do
+        before do
+          organisation.update!(name: "Test Org")
+          get "/merge-request/#{merge_request.id}/organisations", headers:, params:
+        end
+
+        it "shows merge request with requesting organisation" do
+          expect(page).to have_content("Which organisations are merging?")
+          expect(page).to have_content("Test Org")
+        end
+      end
+
+      context "when viewing existing merge request of a different (unauthorised) organisation" do
+        before do
+          get "/merge-request/#{other_merge_request.id}/organisations", headers:, params:
+        end
+
+        it "shows merge request with requesting organisation" do
+          expect(response).to have_http_status(:not_found)
+        end
+      end
+    end
+
    describe "#update_organisations" do
      let(:params) { { merge_request: { merging_organisation: other_organisation.id } } }