From 06fb2821c17ced7c9508b4f9c8489667ead4e540 Mon Sep 17 00:00:00 2001
From: Nisanth Yaganti
Date: Tue, 29 Oct 2024 13:37:33 -0400
Subject: [PATCH] fixing pundit policies on product shoppings controller (#2807)
Co-authored-by: Sri Harsha
---
 .../insured/product_shoppings_controller.rb | 13 +++++++++++--
 app/policies/hbx_enrollment_policy.rb | 12 ++++++++++++
 .../shop/product_shoppings_controller_spec.rb | 12 ++++++------
 3 files changed, 29 insertions(+), 8 deletions(-)
diff --git a/app/controllers/insured/product_shoppings_controller.rb b/app/controllers/insured/product_shoppings_controller.rb
index 6e5d79727f9..86bf50d283d 100644
--- a/app/controllers/insured/product_shoppings_controller.rb
+++ b/app/controllers/insured/product_shoppings_controller.rb
@@ -8,6 +8,7 @@ class ProductShoppingsController < ApplicationController
 # rubocop:disable Metrics/CyclomaticComplexity
 def continuous_show
+ authorize @hbx_enrollment
 # TODO: Use permit params
 attr = strong_params.to_h.deep_symbolize_keys
 @context = Organizers::FetchProductsForShoppingEnrollment.call(health: attr[:health], dental: attr[:dental], cart: attr[:cart],
@@ -45,6 +46,8 @@ def continuous_show
 # rubocop:enable Metrics/CyclomaticComplexity
 def thankyou
+ authorize @hbx_enrollment
+
 @context = {}
 params[:cart].each do |k, v|
 context = Organizers::PrepareForCheckout.call(params: v, person: @person, event: params[:event])
@@ -69,6 +72,8 @@ def thankyou
 end
 def checkout
+ authorize @hbx_enrollment
+
 @context = {}
 params.except("_method", "authenticity_token", "controller", "action", "waiver_context").each do |key, value|
 context = Organizers::Checkout.call(params: value, previous_enrollment_id: session[:pre_hbx_enrollment_id])
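Review bot: `authorize @hbx_enrollment` at the top of continuous_show is evaluated against whatever `set_hbx_enrollment` left in `@hbx_enrollment`, and the visible part of that method (hunk at -201 further down) assigns it only when one of its `params` conditions matches, so a request carrying none of those keys can reach Pundit with `nil`. Pundit cannot resolve a policy for `nil` and raises `Pundit::NotDefinedError` (it looks for a `NilClassPolicy`) rather than `Pundit::NotAuthorizedError`, so unless ApplicationController also rescues that class the request ends in a 500 instead of the "Access not allowed" redirect the spec expects; the same applies to the `authorize` lines added in thankyou, checkout, receipt, waiver_thankyou and waiver_checkout. A guard ahead of the call keeps the flow fail-closed with a predictable response, e.g. `raise Pundit::NotAuthorizedError, "enrollment not found" if @hbx_enrollment.nil?`. This was also true of the removed callback-level `authorize`, so it is pre-existing, but it is now repeated in six places. continuous_show's body continues outside the hunk.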
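Review bot: `authorize @hbx_enrollment` in checkout checks exactly one record, while the loop below it calls `Organizers::Checkout.call` once per entry of `params.except(...)`, i.e. potentially for several enrollments; receipt and waiver_checkout in the later hunks have the same shape, and waiver_checkout visibly takes `value[:enrollment_id]` from each entry. `set_hbx_enrollment` (hunk at -201) assigns `@hbx_enrollment` in successive `if` statements so the last matching key wins, which means a request posting both a health and a dental entry gets only one of them authorized before both are processed. Every enrollment the action acts on should pass through the policy, e.g. `authorize HbxEnrollment.find(value[:enrollment_id])` inside the loop where the id is available, or the organizer should verify that each id belongs to the authorized family; a spec with a health and a dental entry where only one belongs to the user would pin this. The loop body continues outside the hunk.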
@@ -103,6 +108,8 @@ def checkout
 end
 def receipt
+ authorize @hbx_enrollment
+
 @context = {}
 params.except("_method", "authenticity_token", "controller", "action", "waiver_context").each do |key, value|
 context = Organizers::Receipt.call(params: value, previous_enrollment_id: session[:pre_hbx_enrollment_id])
@@ -124,6 +131,8 @@ def receipt
 end
 def waiver_thankyou
+ authorize @hbx_enrollment
+
 # TODO: Use permit params
 attrs = params.permit!.to_h.deep_symbolize_keys
 enr_details = attrs.slice(:health, :dental)
@@ -150,6 +159,8 @@ def waiver_thankyou
 end
 def waiver_checkout
+ authorize @hbx_enrollment
+
 @context = {}
 params.except("_method", "authenticity_token", "controller", "action").each do |key, value|
 context = Organizers::WaiveEnrollment.call(hbx_enrollment_id: value[:enrollment_id], waiver_reason: value[:waiver_reason])
@@ -201,8 +212,6 @@ def set_hbx_enrollment
 @hbx_enrollment = HbxEnrollment.find(params[:cart][:health][:id]) if params[:cart] && params[:cart][:health]
 @hbx_enrollment = HbxEnrollment.find(params[:dental][:enrollment_id]) if params[:dental]
 @hbx_enrollment = HbxEnrollment.find(params[:cart][:dental][:id]) if params[:cart] && params[:cart][:dental]
-
- authorize @hbx_enrollment, :complete_plan_shopping?
 end
 def sanatize_params(param)
diff --git a/app/policies/hbx_enrollment_policy.rb b/app/policies/hbx_enrollment_policy.rb
index e9b8eb9f495..a0928c57493 100644
--- a/app/policies/hbx_enrollment_policy.rb
+++ b/app/policies/hbx_enrollment_policy.rb
@@ -51,6 +51,18 @@ def complete_plan_shopping?
 create?
 end
+ def continuous_show?
+ create?
+ end
+
+ def waiver_thankyou?
+ create?
+ end
+
+ def waiver_checkout?
+ create?
+ end
+
 private
 #
 # Returns the family associated with the current enrollment.
diff --git a/spec/controllers/insured/shop/product_shoppings_controller_spec.rb b/spec/controllers/insured/shop/product_shoppings_controller_spec.rb
index 74e0ea1e5f1..2dc4ef8affc 100644
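Review bot: Removing `authorize @hbx_enrollment, :complete_plan_shopping?` from set_hbx_enrollment moves the check from the shared callback into individual actions, so any action that still runs this callback but did not receive one of the six new `authorize` lines — the `before_action` list is not visible from here, so I cannot confirm there is none — now runs with no policy check at all. A cheap safety net is `after_action :verify_authorized` on this controller: Pundit raises `Pundit::AuthorizationNotPerformedError` when an action finishes without having called `authorize`, which turns a forgotten call into a failing request and spec rather than a silent bypass. The first lines of set_hbx_enrollment are outside the hunk, so also confirm whether `@hbx_enrollment` can still be left `nil` for the actions that now call `authorize` on it.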
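Review bot: The three new predicates `continuous_show?`, `waiver_thankyou?` and `waiver_checkout?` each return `create?`, and nothing records why shopping-flow actions are governed by the create rule; a one-line comment above them, `# Shopping-flow actions share the create? rule (see complete_plan_shopping? above).`, would make that intent reviewable. Because the bodies are identical, `alias_method :continuous_show?, :create?` (one per action) states the same thing with less surface for the three bodies to drift apart if `create?` is later refined. The spec in this patch also expects `thankyou?`, `checkout?` and `receipt?` on this policy; they are not in this hunk, so presumably they already exist above line 51 — worth confirming, since a policy method that is missing surfaces as a `NoMethodError` rather than the "Access not allowed" redirect.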
--- a/spec/controllers/insured/shop/product_shoppings_controller_spec.rb
+++ b/spec/controllers/insured/shop/product_shoppings_controller_spec.rb
@@ -125,7 +125,7 @@
 get :continuous_show, params: params
 expect(response).to redirect_to(root_path)
- expect(flash[:error]).to eq("Access not allowed for hbx_enrollment_policy.complete_plan_shopping?, (Pundit policy)")
+ expect(flash[:error]).to eq("Access not allowed for hbx_enrollment_policy.continuous_show?, (Pundit policy)")
 end
 end
@@ -188,7 +188,7 @@
 get :thankyou, params: params
 expect(response).to redirect_to(root_path)
- expect(flash[:error]).to eq("Access not allowed for hbx_enrollment_policy.complete_plan_shopping?, (Pundit policy)")
+ expect(flash[:error]).to eq("Access not allowed for hbx_enrollment_policy.thankyou?, (Pundit policy)")
 end
 end
 end
@@ -232,7 +232,7 @@
 post :checkout, params: params
 expect(response).to redirect_to(root_path)
- expect(flash[:error]).to eq("Access not allowed for hbx_enrollment_policy.complete_plan_shopping?, (Pundit policy)")
+ expect(flash[:error]).to eq("Access not allowed for hbx_enrollment_policy.checkout?, (Pundit policy)")
 end
 end
 end
@@ -270,7 +270,7 @@
 get :receipt, params: params
 expect(response).to redirect_to(root_path)
- expect(flash[:error]).to eq("Access not allowed for hbx_enrollment_policy.complete_plan_shopping?, (Pundit policy)")
+ expect(flash[:error]).to eq("Access not allowed for hbx_enrollment_policy.receipt?, (Pundit policy)")
 end
 end
 end
@@ -310,7 +310,7 @@
 get :waiver_thankyou, params: params
 expect(response).to redirect_to(root_path)
- expect(flash[:error]).to eq("Access not allowed for hbx_enrollment_policy.complete_plan_shopping?, (Pundit policy)")
+ expect(flash[:error]).to eq("Access not allowed for hbx_enrollment_policy.waiver_thankyou?, (Pundit policy)")
 end
 end
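Review bot: The unauthorized examples in these hunks — the `post :checkout` one at -232 is the most consequential — assert only the redirect and the flash text, so they would still pass if `authorize` sat below the `Organizers::Checkout.call` loop and the enrollment had already been mutated before the redirect. Adding `expect(Organizers::Checkout).not_to receive(:call)` before the `post`, with the matching `Organizers::Receipt` and `Organizers::WaiveEnrollment` expectations in the receipt and waiver_checkout examples (the latter is in the hunk at -385), pins the authorize-before-side-effects ordering this commit establishes rather than just the message string. The enclosing `describe`/`context` blocks begin outside the hunks.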
@@ -385,7 +385,7 @@
 post :waiver_checkout, params: params
 expect(response).to redirect_to(root_path)
- expect(flash[:error]).to eq("Access not allowed for hbx_enrollment_policy.complete_plan_shopping?, (Pundit policy)")
+ expect(flash[:error]).to eq("Access not allowed for hbx_enrollment_policy.waiver_checkout?, (Pundit policy)")
 end
 end
 end