Do not allow to show non-shared searches

Signed-off-by: Miquel Sabaté Solà <mikisabate@gmail.com>
mssola · Jul 22, 2024 · 8d95460 · 8d95460
1 parent 972f45d
commit 8d95460
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 1 deletion.
diff --git a/app/controllers/shared_searches_controller.rb b/app/controllers/shared_searches_controller.rb
@@ -8,6 +8,6 @@ def index
   end
 
   def show
-    @search = Search.find(params[:search_id])
+    @search = Search.where(shared: true).find(params[:search_id])
   end
 end
diff --git a/test/controllers/shared_searches_controller_test.rb b/test/controllers/shared_searches_controller_test.rb
@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+class SharedSearchesControllerTest < ActionDispatch::IntegrationTest
+  # We need the session to be initialized as a signed in user.
+  setup { post sessions_url, params: { username: users(:user).username, password: '12341234' } }
+
+  test 'does not allow to show searches which have not been shared' do
+    get search_shared_url(searches(:search1).id)
+    assert_equal @response.code.to_i, 404
+
+    searches(:search1).update!(shared: true)
+
+    get search_shared_url(searches(:search1).id)
+    assert_equal @response.code.to_i, 200
+  end
+end