Test coverage for Orders#show

andrzejkrzywda · andrzejkrzywda · commit 54c8b37c1519 · 2026-01-01T21:49:10.000-05:00
diff --git a/apps/rails_application/.mutant.yml b/apps/rails_application/.mutant.yml
@@ -23,6 +23,8 @@ matcher:
     - Invoices*
     - Shipments*
     - VatRates*
+    - OrdersController#show
+    - OrdersController#order_belongs_to_different_store?
   ignore:
     - Coupons::Configuration#call
     - Orders::Configuration#call
diff --git a/apps/rails_application/app/controllers/orders_controller.rb b/apps/rails_application/app/controllers/orders_controller.rb
@@ -4,12 +4,14 @@ def index
   end
 
   def show
-    @order = Orders.find_order(params[:id])
-
+    @order = Orders.find_order(params.fetch(:id))
     return not_found unless @order
-    return not_found if @order.store_id && @order.store_id != current_store_id
 
-    @order_header = OrderHeader.find_by_uid(params[:id])
+    if order_belongs_to_different_store?
+      not_found
+    else
+      @order_header = OrderHeader.find_by_uid(params.fetch(:id))
+    end
   end
 
   def new
@@ -122,6 +124,11 @@ def cancel
 
   private
 
+  def order_belongs_to_different_store?
+    return false unless @order.store_id
+    !(@order.store_id == current_store_id)
+  end
+
   def authorize_payment(order_id)
     command_bus.call(authorize_payment_cmd(order_id))
   end
diff --git a/apps/rails_application/test/controllers/orders_controller_test.rb b/apps/rails_application/test/controllers/orders_controller_test.rb
@@ -0,0 +1,58 @@
+require "test_helper"
+
+class OrdersControllerTest < ActionDispatch::IntegrationTest
+  cover "OrdersController#show"
+
+  def setup
+    @store_id_a = SecureRandom.uuid
+    @store_id_b = SecureRandom.uuid
+    post "/admin/stores", params: { store_id: @store_id_a, name: "Store A" }
+    post "/admin/stores", params: { store_id: @store_id_b, name: "Store B" }
+  end
+
+  def test_show_returns_not_found_when_order_does_not_exist
+    post "/switch_store", params: { store_id: @store_id_a }
+    get "/orders/#{SecureRandom.uuid}"
+
+    assert_response(:not_found)
+  end
+
+  def test_show_returns_not_found_when_order_belongs_to_different_store
+    post "/switch_store", params: { store_id: @store_id_b }
+    get "/orders/new"
+    follow_redirect!
+    order_id = request.path.split('/')[2]
+
+    post "/switch_store", params: { store_id: @store_id_a }
+    get "/orders/#{order_id}"
+
+    assert_response(:not_found)
+  end
+
+  def test_show_allows_access_to_order_without_store_id
+    order_id = SecureRandom.uuid
+    event_store.publish(Pricing::OfferDrafted.new(data: { order_id: order_id }))
+
+    post "/switch_store", params: { store_id: @store_id_a }
+    get "/orders/#{order_id}"
+
+    assert_response(:success)
+  end
+
+  def test_show_allows_access_to_order_in_current_store
+    post "/switch_store", params: { store_id: @store_id_a }
+    get "/orders/new"
+    follow_redirect!
+    order_id = request.path.split('/')[2]
+
+    get "/orders/#{order_id}"
+
+    assert_response(:success)
+  end
+
+  private
+
+  def event_store
+    Rails.configuration.event_store
+  end
+end
