fix authorization mishap

we did some authorization debugging earlier, and it seems we left a line commented out by accident.
dodo-as · Jul 28, 2010 · dfe1647 · dfe1647
1 parent 92f3c9e
commit dfe1647
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 3 deletions.
diff --git a/app/controllers/vat_accounts_controller.rb b/app/controllers/vat_accounts_controller.rb
@@ -4,7 +4,7 @@ class VatAccountsController < ApplicationController
   # GET /vat_accounts
   # GET /vat_accounts.xml
   def index
-    @vat_accounts = VatAccount.with_permissions_to(:index).all(:order => "accounts.number", :include => :target_account)
+    @vat_accounts = VatAccount.with_permissions_to(:index).where(:company_id => current_user.current_company.id).order("accounts.number").includes("target_account")
 
     respond_to do |format|
       format.html # index.html.erb

diff --git a/config/authorization_rules.rb b/config/authorization_rules.rb
@@ -18,7 +18,7 @@
     has_permission_on :accounts, :to => :create
 
     has_permission_on :vat_accounts, :to => :manage do
-#      if_attribute :company_id => is {user.current_company.id}
+      if_attribute :company_id => is {user.current_company.id}
     end
     has_permission_on :vat_accounts, :to => :create
 

diff --git a/test/functional/vat_accounts_controller_test.rb b/test/functional/vat_accounts_controller_test.rb
@@ -1,4 +1,19 @@
 require 'test_helper'
 
-class VATAccountsControllerTest < ActionController::TestCase
+class VatAccountsControllerTest < ActionController::TestCase
+
+  setup do
+    log_in_as_bob
+  end
+
+  test "should not display other companies vat accounts" do
+    get :index
+
+    assert_response :success
+    assert_template :index
+
+    not_ours = assigns(:vat_accounts).select {|va| va.company != @company}
+    assert not_ours.empty?, "It seems we're listing #{not_ours.size} vat accounts which belong to another company."
+  end
+
 end