Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

WIP: check org membership before displaying report #4650

Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 7 additions & 2 deletions app/controllers/application_controller.rb
Original file line number Diff line number Diff line change
Expand Up @@ -65,6 +65,11 @@ def authorize_user
current_user.has_role?(Role::PARTNER, current_partner)
end

def authorize_org_user
verboten!('That screen is not available. Please switch to the correct role and try again.') unless current_user.has_role?(Role::SUPER_ADMIN) ||
current_user.has_role?(Role::ORG_USER, current_organization)
end

def authorize_admin
verboten! unless current_user.has_role?(Role::SUPER_ADMIN) ||
current_user.has_role?(Role::ORG_ADMIN, current_organization)
Expand Down Expand Up @@ -97,9 +102,9 @@ def not_found!
end
end

def verboten!
def verboten!(message = 'Access Denied.')
respond_to do |format|
format.html { redirect_to dashboard_path_from_current_role, flash: { error: "Access Denied." } }
format.html { redirect_to dashboard_path_from_current_role, flash: { error: message } }
format.json { render body: nil, status: :forbidden }
end
end
Expand Down
7 changes: 1 addition & 6 deletions app/controllers/organizations_controller.rb
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
# Provides limited R/W to a scope-limited organization resource (member-routes-only)
class OrganizationsController < ApplicationController
before_action :authorize_admin, except: [:show]
before_action :authorize_user, only: [:show]
before_action :authorize_org_user, only: [:show]

def show
@organization = current_organization
Expand Down Expand Up @@ -80,11 +80,6 @@ def remove_user

private

def authorize_user
verboten! unless current_user.has_role?(Role::SUPER_ADMIN) ||
current_user.has_role?(Role::ORG_USER, current_organization)
end

def organization_params
request_type_formatter(params)

Expand Down
1 change: 1 addition & 0 deletions app/controllers/reports/annual_reports_controller.rb
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
class Reports::AnnualReportsController < ApplicationController
before_action :validate_show_params, only: [:show, :recalculate]
before_action :authorize_org_user

def index
# 2813_update_annual_report -- changed to earliest_reporting_year
Expand Down
1 change: 1 addition & 0 deletions app/controllers/reports_controller.rb
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
class ReportsController < ApplicationController
before_action :setup_date_range_picker
before_action :authorize_org_user

def donations_summary
@donations = current_organization.donations.during(helpers.selected_range)
Expand Down
3 changes: 3 additions & 0 deletions spec/controllers/reports_controller_spec.rb
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
RSpec.describe ReportsController do
let(:organization) { create(:organization) }
end