Vat rates - controller level security

andrzejkrzywda · andrzejkrzywda · commit acbfed370f18 · 2025-12-25T10:46:10.000-05:00
diff --git a/rails_application/app/controllers/available_vat_rates_controller.rb b/rails_application/app/controllers/available_vat_rates_controller.rb
@@ -34,10 +34,16 @@ def create
   end
 
   def index
-    @available_vat_rates = VatRates::AvailableVatRate.all
+    @available_vat_rates = VatRates.available_vat_rates_for_store(current_store_id)
   end
 
   def destroy
+    vat_rate = VatRates::AvailableVatRate.find_by(code: params[:vat_rate_code], store_id: current_store_id)
+
+    unless vat_rate
+      return redirect_to available_vat_rates_path, alert: "VAT rate does not exist"
+    end
+
     remove_available_vat_rate(params[:vat_rate_code])
     redirect_to available_vat_rates_path, notice: "VAT rate was successfully removed"
   rescue Taxes::VatRateNotExists
diff --git a/rails_application/app/read_models/vat_rates/configuration.rb b/rails_application/app/read_models/vat_rates/configuration.rb
@@ -3,6 +3,10 @@ class AvailableVatRate < ApplicationRecord
     self.table_name = "available_vat_rates"
   end
 
+  def self.available_vat_rates_for_store(store_id)
+    AvailableVatRate.where(store_id: store_id)
+  end
+
   class Configuration
     def call(event_store)
       event_store.subscribe(AddAvailableVatRate, to: [Taxes::AvailableVatRateAdded])
diff --git a/rails_application/test/integration/vat_rates_security_test.rb b/rails_application/test/integration/vat_rates_security_test.rb
@@ -0,0 +1,53 @@
+require "test_helper"
+
+class VatRatesSecurityTest < InMemoryRESIntegrationTestCase
+  def test_user_can_only_see_vat_rates_from_their_current_store
+    store_1_id = register_store("Store 1")
+    store_2_id = register_store("Store 2")
+
+    switch_to_store(store_1_id)
+    add_available_vat_rate(20, "vat20")
+
+    switch_to_store(store_2_id)
+    add_available_vat_rate(10, "vat10")
+
+    assert_equal(0, VatRates.available_vat_rates_for_store(store_1_id).where(code: "vat10").count)
+    assert_equal(1, VatRates.available_vat_rates_for_store(store_1_id).where(code: "vat20").count)
+    assert_equal(1, VatRates.available_vat_rates_for_store(store_2_id).where(code: "vat10").count)
+    assert_equal(0, VatRates.available_vat_rates_for_store(store_2_id).where(code: "vat20").count)
+  end
+
+  def test_user_cannot_delete_vat_rate_from_another_store
+    store_1_id = register_store("Store 1")
+    store_2_id = register_store("Store 2")
+
+    add_available_vat_rate(20, "vat20")
+    vat_rate_code = "vat20"
+
+    switch_to_store(store_2_id)
+
+    delete available_vat_rates_path, params: { vat_rate_code: vat_rate_code }
+
+    assert_redirected_to available_vat_rates_path
+    follow_redirect!
+    assert_select "#alert", text: /does not exist/
+  end
+
+  def test_user_can_delete_vat_rate_from_their_own_store
+    store_1_id = register_store("Store 1")
+
+    add_available_vat_rate(20, "vat20")
+
+    delete available_vat_rates_path, params: { vat_rate_code: "vat20" }
+
+    assert_redirected_to available_vat_rates_path
+    follow_redirect!
+    assert_select "td", text: "vat20", count: 0
+  end
+
+  private
+
+  def switch_to_store(store_id)
+    cookies[:current_store_id] = store_id
+  end
+end
