Fix IDOR in Requests and Donations controllers (5509)

app/controllers/donations_controller.rb

@@ -3,7 +3,7 @@ class DonationsController < ApplicationController
   before_action :authorize_admin, only: [:destroy]
 
   def print
-    @donation = Donation.find(params[:id])
+    @donation = current_organization.donations.find(params[:id])
     respond_to do |format|
       format.any do
         pdf = DonationPdf.new(current_organization, @donation)
@@ -53,7 +53,7 @@ def new
   end
 
   def edit
-    @donation = Donation.find(params[:id])
+    @donation = current_organization.donations.find(params[:id])
     @donation.line_items.build
     @changes_disallowed = SnapshotEvent.intervening(@donation).present?
     @audit_performed_and_finalized = Audit.finalized_since?(@donation, @donation.storage_location_id) &&
@@ -63,12 +63,12 @@ def edit
   end
 
   def show
-    @donation = Donation.includes(line_items: :item).find(params[:id])
+    @donation = current_organization.donations.includes(line_items: :item).find(params[:id])
     @line_items = @donation.line_items
   end
 
   def update
-    @donation = Donation.find(params[:id])
+    @donation = current_organization.donations.find(params[:id])
     @original_source = @donation.source
     ItemizableUpdateService.call(itemizable: @donation,
       params: donation_params,

app/controllers/requests_controller.rb

@@ -28,7 +28,7 @@ def index
   end
 
   def show
-    @request = Request.find(params[:id])
+    @request = current_organization.requests.find(params[:id])
     @item_requests = @request.item_requests.includes(:item)
 
     @inventory = View::Inventory.new(@request.organization_id)
@@ -42,7 +42,7 @@ def show
   # and will move the user to the new distribution page with a
   # pre-filled distribution containing all the requested items.
   def start
-    request = Request.find(params[:id])
+    request = current_organization.requests.find(params[:id])
     begin
       request.status_started!
       flash[:notice] = "Request started"

spec/requests/donations_requests_spec.rb

@@ -277,6 +277,36 @@
       end
     end
 
+    describe "when accessing a donation from another organization" do
+      let(:other_organization) { create(:organization) }
+      let(:other_donation) { create(:donation, organization: other_organization, comment: "Original comment") }
+
+      it "returns not found for show" do
+        get donation_path(id: other_donation.id)
+
+        expect(response).to have_http_status(:not_found)
+      end
+
+      it "returns not found for edit" do
+        get edit_donation_path(id: other_donation.id)
+
+        expect(response).to have_http_status(:not_found)
+      end
+
+      it "returns not found for print" do
+        get print_donation_path(id: other_donation.id)
+
+        expect(response).to have_http_status(:not_found)
+      end
+
+      it "returns not found for update and does not change donation" do
+        put donation_path(id: other_donation.id, donation: {comment: "Changed comment"})
+
+        expect(response).to have_http_status(:not_found)
+        expect(other_donation.reload.comment).to eq("Original comment")
+      end
+    end
+
     describe "GET #edit" do
       it 'should not allow edits if there is an intervening snapshot' do
         donation = FactoryBot.create(:donation,

spec/requests/requests_requests_spec.rb

@@ -77,8 +77,24 @@
         end
       end
 
+      context 'When the request belongs to another organization' do
+        let(:other_organization) { create(:organization) }
+        let(:other_request) { create(:request, organization: other_organization) }
+
+        it 'responds with not found' do
+          get request_path(other_request)
+
+          expect(response).to have_http_status(:not_found)
+        end
+      end
+
       context 'When organization has a default storage location' do
-        let(:request) { create(:request, organization: create(:organization, default_storage_location: 1)) }
+        let(:storage_location) { create(:storage_location, organization: organization) }
+        let(:request) do
+          organization.update!(default_storage_location: storage_location.id)
+          create(:request, organization: organization)
+        end
+
         it 'shows the column Default storage location inventory' do
           get request_path(request)
 
@@ -168,6 +184,19 @@
           expect(response).to have_http_status(:not_found)
         end
       end
+
+      context 'When the request belongs to another organization' do
+        let(:other_organization) { create(:organization) }
+        let(:other_request) { create(:request, organization: other_organization) }
+
+        it 'responds with not found and does not change status' do
+          expect do
+            post start_request_path(other_request)
+          end.not_to change { other_request.reload.status }
+
+          expect(response).to have_http_status(:not_found)
+        end
+      end
     end
   end
 end