only allow admins to edit their own organization's measurements

app/controllers/measurements_controller.rb

@@ -8,7 +8,9 @@ def index
 
  def show; end
 
- def edit; end
+ def edit
+ redirect_to measurements_path, alert: 'Not authorized to edit this measurement' unless current_org_measurement?
+ end
 
  def update
  if @measurement.update(measurement_params)
@@ -55,4 +57,8 @@ def measurement_params
  :measurement_type_id
  ).merge(organization_id: current_organization.id)
  end
+
+ def current_org_measurement?
+ @measurement.organization == current_organization
+ end
 end

spec/requests/measurements_controller_spec.rb

@@ -43,13 +43,29 @@
  end
 
  describe '#edit', :aggregate_failures do
- it 'should have response code 200 for admin user' do
- measurement_id = FactoryBot.create(:measurement).id
- user = create(:user, role: "admin")
+ it 'should have response code 200 for admin user editing for own organization' do
+ my_org = FactoryBot.create(:organization, id: 1, name: "My org")
+ user = create(:user, role: "admin", organization: my_org)
+ measurement = FactoryBot.create(:measurement, organization: my_org)
+
  sign_in user
- get edit_measurement_path(measurement_id)
 
- expect(response).to have_http_status(:success)
+ get edit_measurement_path(measurement)
+
+ expect(response).to have_http_status(200)
+ end
+
+ it 'should have response code 302 for admin user editing for other organization' do
+ my_org = FactoryBot.create(:organization, id: 1, name: "My org")
+ other_org = FactoryBot.create(:organization, id: 2, name: "Other org")
+ user = create(:user, role: "admin", organization: my_org)
+ measurement = FactoryBot.create(:measurement, organization: other_org)
+
+ sign_in user
+
+ get edit_measurement_path(measurement)
+
+ expect(response).to have_http_status(302)
  end
 
  it 'should have response code 302 for non-admin user' do