feat: context switching validation and tests for user organization access

lib/algora/accounts/accounts.ex

@@ -7,6 +7,7 @@ defmodule Algora.Accounts do
   alias Algora.Accounts.User
   alias Algora.Bounties.Bounty
   alias Algora.Organizations
+  alias Algora.Organizations.Member
   alias Algora.Payments.Transaction
   alias Algora.Repo
 
@@ -386,7 +387,7 @@ defmodule Algora.Accounts do
       from(b in Bounty,
         join: c in assoc(b, :creator),
         where: c.id in ^Enum.map(orgs, & &1.id),
-        order_by: [desc: b.created_at],
+        order_by: [desc: b.inserted_at],
         limit: 1,
         select_merge: %{creator: c}
       )
@@ -413,6 +414,26 @@ defmodule Algora.Accounts do
 
   def default_context, do: "personal"
 
+  def set_context(%User{} = user, "personal") do
+    update_settings(user, %{last_context: "personal"})
+  end
+
+  def set_context(%User{} = user, context) do
+    membership =
+      Repo.one(
+        from(m in Member,
+          join: o in assoc(m, :org),
+          where: m.user_id == ^user.id and o.handle == ^context
+        )
+      )
+
+    if membership do
+      update_settings(user, %{last_context: context})
+    else
+      {:error, :unauthorized}
+    end
+  end
+
   defp get_flag(user), do: Algora.Misc.CountryEmojis.get(user.country, "🌎")
 
   # TODO: implement this

lib/algora_web/controllers/context_controller.ex

@@ -5,16 +5,15 @@ defmodule AlgoraWeb.ContextController do
   alias AlgoraWeb.UserAuth
 
   def set(conn, %{"context" => context}) do
-    # TODO: validate context is accessible by user
+    case Accounts.set_context(conn.assigns.current_user, context) do
+      {:ok, user} ->
+        conn
+        |> assign(:current_user, user)
+        |> put_session(:last_context, context)
+        |> redirect(to: UserAuth.signed_in_path_from_context(context))
 
-    conn =
-      case Accounts.update_settings(conn.assigns.current_user, %{last_context: context}) do
-        {:ok, user} -> assign(conn, :current_user, user)
-        {:error, _} -> conn
-      end
-
-    conn
-    |> put_session(:last_context, context)
-    |> redirect(to: UserAuth.signed_in_path_from_context(context))
+      {:error, _} ->
+        redirect(conn, to: "/")
+    end
   end
 end

test/algora/accounts_test.exs

@@ -36,4 +36,30 @@ defmodule Algora.AccountsTest do
       assert_activity_names_for_user(org_1.id, [])
     end
   end
+
+  describe "set_context/2" do
+    test "can set context to personal" do
+      user = insert(:user, last_context: nil)
+
+      assert {:ok, user} = Accounts.set_context(user, "personal")
+      assert Accounts.last_context(user) == "personal"
+    end
+
+    test "can set context to member org" do
+      user = insert(:user, last_context: nil)
+      org = insert(:organization)
+      insert(:member, user: user, org: org)
+
+      assert {:ok, user} = Accounts.set_context(user, org.handle)
+      assert Accounts.last_context(user) == org.handle
+    end
+
+    test "cannot set context to non-member org" do
+      user = insert(:user, last_context: nil)
+      org = insert(:organization)
+
+      assert {:error, :unauthorized} = Accounts.set_context(user, org.handle)
+      assert Accounts.last_context(user) == "personal"
+    end
+  end
 end