From dcd094fca28b3a9524a33f1900eb4e8b4c3c79cc Mon Sep 17 00:00:00 2001
From: Cassandra Wallace
Date: Sun, 15 Mar 2026 12:30:04 +0200
Subject: [PATCH] Scope requests and donations to current org (#5509)

---
 app/controllers/donations_controller.rb | 8 +++---
 app/controllers/requests_controller.rb | 4 +--
 spec/requests/donations_requests_spec.rb | 30 +++++++++++++++++++++++
 spec/requests/requests_requests_spec.rb | 31 +++++++++++++++++++++++-
 4 files changed, 66 insertions(+), 7 deletions(-)

diff --git a/app/controllers/donations_controller.rb b/app/controllers/donations_controller.rb
index 74580065f6..01cd3a9000 100644
--- a/app/controllers/donations_controller.rb
+++ b/app/controllers/donations_controller.rb
@@ -3,7 +3,7 @@ class DonationsController < ApplicationController
 before_action :authorize_admin, only: [:destroy]
 
 def print
- @donation = Donation.find(params[:id])
+ @donation = current_organization.donations.find(params[:id])
 respond_to do |format|
 format.any do
 pdf = DonationPdf.new(current_organization, @donation)
@@ -53,7 +53,7 @@ def new
 end
 
 def edit
- @donation = Donation.find(params[:id])
+ @donation = current_organization.donations.find(params[:id])
 @donation.line_items.build
 @changes_disallowed = SnapshotEvent.intervening(@donation).present?
 @audit_performed_and_finalized = Audit.finalized_since?(@donation, @donation.storage_location_id) &&
@@ -63,12 +63,12 @@ def edit
 end
 
 def show
- @donation = Donation.includes(line_items: :item).find(params[:id])
+ @donation = current_organization.donations.includes(line_items: :item).find(params[:id])
 @line_items = @donation.line_items
 end
 
 def update
- @donation = Donation.find(params[:id])
+ @donation = current_organization.donations.find(params[:id])
 @original_source = @donation.source
 ItemizableUpdateService.call(itemizable: @donation,
 params: donation_params,
diff --git a/app/controllers/requests_controller.rb b/app/controllers/requests_controller.rb
index 63ed5884c9..ce5677da0c 100644
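Review bot: The four lookups in the donations hunks now go through `current_organization.donations`, but `destroy`, the action guarded by the `authorize_admin` before_action visible in the first hunk, is not touched by this patch; if it still loads with `Donation.find(params[:id])`, an admin of one organization could still delete another organization's donation, so please check it and add a `delete donation_path(id: other_donation.id)` case to the new describe block in spec/requests/donations_requests_spec.rb. The scoped lookup is now repeated verbatim in `print`, `edit` and `update` (and with `includes` in `show`); a `before_action :set_donation, only: %i[print edit update]` backed by a private `set_donation` that does `@donation = current_organization.donations.find(params[:id])` would keep the tenancy check in one place so a future action cannot forget it. The bodies of `print`, `edit`, `show` and `update` all continue outside their hunks.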
--- a/app/controllers/requests_controller.rb
+++ b/app/controllers/requests_controller.rb
@@ -28,7 +28,7 @@ def index
 end
 
 def show
- @request = Request.find(params[:id])
+ @request = current_organization.requests.find(params[:id])
 @item_requests = @request.item_requests.includes(:item)
 @inventory = View::Inventory.new(@request.organization_id)
 
@@ -42,7 +42,7 @@ def show
 # and will move the user to the new distribution page with a
 # pre-filled distribution containing all the requested items.
 def start
- request = Request.find(params[:id])
+ request = current_organization.requests.find(params[:id])
 begin
 request.status_started!
 flash[:notice] = "Request started"
diff --git a/spec/requests/donations_requests_spec.rb b/spec/requests/donations_requests_spec.rb
index e6b5fc983e..2fbe4100e5 100644
--- a/spec/requests/donations_requests_spec.rb
+++ b/spec/requests/donations_requests_spec.rb
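Review bot: In the `start` hunk the rewritten line `request = current_organization.requests.find(params[:id])` keeps a local named `request`, which shadows the controller's own `request` method for the rest of the action; since the line is being rewritten anyway, `partner_request = current_organization.requests.find(params[:id])` would avoid the clash, with the later `request.status_started!` line (and whatever follows outside the hunk) renamed to match. In the `show` hunk, `View::Inventory.new(@request.organization_id)` can now only ever receive `current_organization.id`, so passing that directly would make the tenancy boundary visible at a glance. Both `show` and `start` continue past their hunks.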
@@ -277,6 +277,36 @@
 end
 end
 
+ describe "when accessing a donation from another organization" do
+ let(:other_organization) { create(:organization) }
+ let(:other_donation) { create(:donation, organization: other_organization, comment: "Original comment") }
+
+ it "returns not found for show" do
+ get donation_path(id: other_donation.id)
+
+ expect(response).to have_http_status(:not_found)
+ end
+
+ it "returns not found for edit" do
+ get edit_donation_path(id: other_donation.id)
+
+ expect(response).to have_http_status(:not_found)
+ end
+
+ it "returns not found for print" do
+ get print_donation_path(id: other_donation.id)
+
+ expect(response).to have_http_status(:not_found)
+ end
+
+ it "returns not found for update and does not change donation" do
+ put donation_path(id: other_donation.id, donation: {comment: "Changed comment"})
+
+ expect(response).to have_http_status(:not_found)
+ expect(other_donation.reload.comment).to eq("Original comment")
+ end
+ end
+
 describe "GET #edit" do
 it 'should not allow edits if there is an intervening snapshot' do
 donation = FactoryBot.create(:donation,
diff --git a/spec/requests/requests_requests_spec.rb b/spec/requests/requests_requests_spec.rb
index 1bf52876bf..d66472924b 100644
--- a/spec/requests/requests_requests_spec.rb
+++ b/spec/requests/requests_requests_spec.rb
@@ -77,8 +77,24 @@
 end
 end
 
+ context 'When the request belongs to another organization' do
+ let(:other_organization) { create(:organization) }
+ let(:other_request) { create(:request, organization: other_organization) }
+
+ it 'responds with not found' do
+ get request_path(other_request)
+
+ expect(response).to have_http_status(:not_found)
+ end
+ end
+
 context 'When organization has a default storage location' do
- let(:request) { create(:request, organization: create(:organization, default_storage_location: 1)) }
+ let(:storage_location) { create(:storage_location, organization: organization) }
+ let(:request) do
+ organization.update!(default_storage_location: storage_location.id)
+ create(:request, organization: organization)
+ end
+
 it 'shows the column Default storage location inventory' do
 get request_path(request)
 
@@ -168,6 +184,19 @@
 expect(response).to have_http_status(:not_found)
 end
 end
+
+ context 'When the request belongs to another organization' do
+ let(:other_organization) { create(:organization) }
+ let(:other_request) { create(:request, organization: other_organization) }
+
+ it 'responds with not found and does not change status' do
+ expect do
+ post start_request_path(other_request)
+ end.not_to change { other_request.reload.status }
+
+ expect(response).to have_http_status(:not_found)
+ end
+ end
 end
 end
 end
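Review bot: The rewritten `let(:request) do … end` in the first hunk keeps the name `request`, which in a request spec shadows the `request` helper that refers to the last dispatched request, so any later `expect(request…)` in this context would hit the factory object instead; a name such as `let(:org_request) do` with `get request_path(org_request)` would remove the ambiguity. The `organization.update!(default_storage_location: storage_location.id)` call now lives inside that lazy `let`, so the organization is only updated once `request` is first referenced, which the `get request_path(request)` line does, but an assertion placed before that reference would see the old value, so a `before` block may be the safer home for the side effect. The enclosing describe blocks of both hunks start outside the hunk.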