Commit 81301c44f59f466cfc2c663ec44c1472e3ad274a

Authored by Jared Pace
1 parent a98eadac

Regular users can only see apps which they watch

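--- a/app/controllers/apps_controller.rb
+++ b/app/controllers/apps_controller.rb
@@ -7,7 +7,7 @@ class AppsController < ApplicationController
   end
 
   def show
-    @app = App.find(params[:id])
+    @app = current_user.admin? ? App.find(params[:id]) : current_user.apps.find_by_id!(params[:id])
     @errs = @app.errs.paginate
   end
 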
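Review bot: The non-admin branch of `show` is only an authorization check if `find_by_id!`, when reached through the `current_user.apps` proxy, runs its `where` inside the relation's criteria; should the proxy hand the class method to `App` unscoped, the lookup returns any app by id and the watch restriction is bypassed without an error. Mongoid relation proxies do scope delegated class methods as far as I know, but nothing in this diff shows it, so the new negative spec ("does not find the app if the user is not watching it") is the line of defence and should not be weakened. The intent is also worth stating on the line itself, since a future reader will see a plain ternary: `# Non-admins may only load apps they watch: the lookup is scoped through current_user.apps, not App`. The `admin?` and `apps` helpers live outside this hunk.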
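--- a/app/models/app.rb
+++ b/app/models/app.rb
@@ -20,6 +20,11 @@ class App
   accepts_nested_attributes_for :watchers, :allow_destroy => true,
     :reject_if => proc { |attrs| attrs.all? { |k, v| v.blank? } }
 
+  # Mongoid Bug: find(id) on association proxies returns an Enumerator
+  def self.find_by_id!(app_id)
+    where(:id => app_id).first || raise(Mongoid::Errors::DocumentNotFound.new(self,key))
+  end
+
   def self.find_by_api_key!(key)
     where(:api_key => key).first || raise(Mongoid::Errors::DocumentNotFound.new(self,key))
   end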
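Review bot: The raise in `find_by_id!` references `key`, which is not defined in that method — its parameter is `app_id`; the name was carried over from `find_by_api_key!` below, where `key` is the parameter. On the not-found path this either surfaces as a NameError instead of the DocumentNotFound the controller spec expects, or, if Mongoid resolves `App.key` as a class-level macro, builds the error with an unrelated value and possibly a side effect; either way the error never carries the requested id. The line should read `where(:id => app_id).first || raise(Mongoid::Errors::DocumentNotFound.new(self, app_id))`. The comment above the method also deserves the Mongoid version the bug was seen in, so the workaround can be retired later.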
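--- a/spec/controllers/apps_controller_spec.rb
+++ b/spec/controllers/apps_controller_spec.rb
@@ -5,7 +5,7 @@ describe AppsController do
   it_requires_authentication
   it_requires_admin_privileges :for => {:new => :get, :edit => :get, :create => :post, :update => :put, :destroy => :delete}
 
-  describe "GET /apps", :focused => true do
+  describe "GET /apps" do
     context 'when logged in as an admin' do
       it 'finds all apps' do
         sign_in Factory(:admin)
@@ -32,11 +32,27 @@ describe AppsController do
   end
 
   describe "GET /apps/:id" do
-    it 'finds the app' do
-      sign_in Factory(:user)
-      app = Factory(:app)
-      get :show, :id => app.id
-      assigns(:app).should == app
+    context 'logged in as an admin' do
+      it 'finds the app' do
+        sign_in Factory(:admin)
+        app = Factory(:app)
+        get :show, :id => app.id
+        assigns(:app).should == app
+      end
+    end
+
+    context 'logged in as a user' do
+      it 'finds the app if the user is watching it' do
+
+      end
+
+      it 'does not find the app if the user is not watching it' do
+        sign_in Factory(:user)
+        app = Factory(:app)
+        lambda {
+          get :show, :id => app.id
+        }.should raise_error(Mongoid::Errors::DocumentNotFound)
+      end
     end
   end
 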
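Review bot: The example 'finds the app if the user is watching it' has an empty body, so it passes green while asserting nothing, and the allow path of the new restriction — a watcher loading their own app through `current_user.apps.find_by_id!` — is left unverified; combined with the deny example it would also catch the scoping relying on proxy delegation. Until the watcher fixture is wired up, drop the block so RSpec reports it as pending rather than passing: `it 'finds the app if the user is watching it'`. When filled in it should sign in a user who watches the app and assert `assigns(:app).should == app`, mirroring the admin example above.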