Section 8.4: Restrict reading tickets to correct project scope

Author: Ryan Bigg

ticketee/app/controllers/tickets_controller.rb

@@ -1,4 +1,5 @@
 class TicketsController < ApplicationController
+  before_action :authenticate_user!
   before_action :set_project
   before_action :set_ticket, only: [:show, :edit, :update, :destroy]
 
@@ -42,7 +43,11 @@ def ticket_params
     end
 
     def set_project
-      @project = Project.find(params[:project_id])
+      @project = Project.for(current_user).find(params[:project_id])
+    rescue ActiveRecord::RecordNotFound
+      flash[:alert] = "The project you were looking " +
+                      "for could not be found."
+      redirect_to root_path
     end
 
     def set_ticket

ticketee/spec/controllers/tickets_controller_spec.rb

@@ -1,5 +1,24 @@
-require 'rails_helper'
+require "rails_helper"
 
-RSpec.describe TicketsController, :type => :controller do
+RSpec.describe TicketsController, type: :controller do
+  let(:user) { FactoryGirl.create(:user) }
+  let(:project) { FactoryGirl.create(:project) }
+  let(:ticket) { FactoryGirl.create(:ticket,
+                                    project: project,
+                                    author: user) }
 
+  context "standard users" do
+    before do
+      allow(controller).to receive(:authenticate_user!)
+      allow(controller).to receive(:current_user).and_return(user)
+    end
+
+    it "cannot access a ticket for a project" do
+      get :show, id: ticket.id, project_id: project.id
+
+      expect(response).to redirect_to(root_path)
+      expect(flash[:alert]).to eql("The project you were looking " +
+                                   "for could not be found.")
+    end
+  end
 end