
Commit caef25d

committed
Add check that form ID is for group
1 parent 0cd7b57 commit caef25d


2 files changed

+18
-5
lines changed


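--- a/app/controllers/group_forms_controller.rb
+++ b/app/controllers/group_forms_controller.rb
@@ -27,18 +27,16 @@ def create
 end
 
 def edit
-@group_form = GroupForm.find_by(form_id: params[:id])
-authorize @group_form
+render template: "errors/not_found", status: :not_found unless set_group_form
 
 @form = FormRepository.find(form_id: params[:id])
-
 @group_select = Forms::GroupSelect.new(group: @group, form: @form)
 @group_select_presenter = Forms::GroupSelectPresenter.call(group: @group, groups: @group_select.groups, form: @form)
 end
 
 def update
-@group_form = GroupForm.find_by(form_id: params[:id])
-authorize @group_form
+render template: "errors/not_found", status: :not_found unless set_group_form
+
 @form = Form.find(params[:id])
 @group_select = Forms::GroupSelect.new(group_select_params.merge(form: @form))
 
@@ -80,4 +78,10 @@ def group_select_params
 def name_input_params
 params.require(:forms_name_input).permit(:name)
 end
+
+def set_group_form
+@group_form = GroupForm.find_by(form_id: params[:id])
+authorize @group_form
+@group_form.group_id == @group.id
+end
 end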
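Review bot: The new guard `render template: "errors/not_found", status: :not_found unless set_group_form` in `edit` and `update` does not stop the action: `render` only sets the response, execution carries on, so on the mismatch path `edit` still calls `FormRepository.find` and builds the presenter for a form outside the group, and `update` still runs `Form.find` and `Forms::GroupSelect.new` and, if the rest of its body (which continues past this hunk) ends in its own `render`/`redirect_to`, will raise `AbstractController::DoubleRenderError` instead of returning the 404. Make the guard a real early exit in both actions, `return render template: "errors/not_found", status: :not_found unless set_group_form`, or move `set_group_form` into a `before_action` for `edit`/`update` so the render halts the chain. In `set_group_form` the order is right — `authorize` runs on the form's actual `GroupForm` before the URL group is compared, so the policy judges the real owner, not whatever group id the caller put in the path — and it deserves a one-line comment such as `# Authorise against the form's real group first; a URL group that differs is reported as not found`. Note that `find_by` returning nil is handed straight to `authorize`, as before this commit; whether that yields a 404 or a 500 depends on the authorisation library, which is not visible here.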

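--- a/spec/requests/group_forms_controller_spec.rb
+++ b/spec/requests/group_forms_controller_spec.rb
@@ -67,6 +67,15 @@
 
 expect(response).to have_http_status :ok
 end
+
+context "when the url is for a form that doesn't belong to the group" do
+it "returns 404 response" do
+other_group = create(:group, organisation: organisation_admin_user.organisation)
+get edit_group_form_url(other_group, id: form.id)
+
+expect(response).to have_http_status :not_found
+end
+end
 end
 
 describe "PATCH /update" do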
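Review bot: The new example only covers `GET /edit` for a form that belongs to another group; `update`, where a wrong-group request can actually change data, receives the same guard in this commit but no test, and the `describe "PATCH /update"` block that starts on the last line of this hunk continues outside it. A green `edit` example does not show that `update` returns 404, because `edit` happens to do nothing after the guard that renders again, whereas `update`'s later code path may. Add a parallel `context "when the url is for a form that doesn't belong to the group"` under `PATCH /update` that sends the request to `other_group` with the same params the existing update examples use, asserts `have_http_status :not_found`, and ideally also asserts that the form's `GroupForm` still points at its original group afterwards.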
