Merge branch 'main' into jparcill/5547-stream-csv-instead-of-generating-before-send

jparcill · web-flow · commit 11c5d23460d6 · 2026-03-29T23:25:30.000-04:00
diff --git a/app/controllers/donations_controller.rb b/app/controllers/donations_controller.rb
@@ -3,7 +3,7 @@ class DonationsController < ApplicationController
   before_action :authorize_admin, only: [:destroy]
 
   def print
-    @donation = Donation.find(params[:id])
+    @donation = current_organization.donations.find(params[:id])
     respond_to do |format|
       format.any do
         pdf = DonationPdf.new(current_organization, @donation)
@@ -53,7 +53,7 @@ def new
   end
 
   def edit
-    @donation = Donation.find(params[:id])
+    @donation = current_organization.donations.find(params[:id])
     @donation.line_items.build
     @changes_disallowed = SnapshotEvent.intervening(@donation).present?
     @audit_performed_and_finalized = Audit.finalized_since?(@donation, @donation.storage_location_id) &&
@@ -63,12 +63,12 @@ def edit
   end
 
   def show
-    @donation = Donation.includes(line_items: :item).find(params[:id])
+    @donation = current_organization.donations.includes(line_items: :item).find(params[:id])
     @line_items = @donation.line_items
   end
 
   def update
-    @donation = Donation.find(params[:id])
+    @donation = current_organization.donations.find(params[:id])
     @original_source = @donation.source
     ItemizableUpdateService.call(itemizable: @donation,
       params: donation_params,
diff --git a/app/controllers/requests_controller.rb b/app/controllers/requests_controller.rb
@@ -28,7 +28,7 @@ def index
   end
 
   def show
-    @request = Request.find(params[:id])
+    @request = current_organization.requests.find(params[:id])
     @item_requests = @request.item_requests.includes(:item)
 
     @inventory = View::Inventory.new(@request.organization_id)
@@ -42,7 +42,7 @@ def show
   # and will move the user to the new distribution page with a
   # pre-filled distribution containing all the requested items.
   def start
-    request = Request.find(params[:id])
+    request = current_organization.requests.find(params[:id])
     begin
       request.status_started!
       flash[:notice] = "Request started"
diff --git a/app/models/concerns/issued_at.rb b/app/models/concerns/issued_at.rb
@@ -21,7 +21,7 @@ def issued_at_cannot_be_before_2000
   end
 
   def issued_at_cannot_be_further_than_1_year
-    if issued_at.present? && issued_at > DateTime.now.next_year
+    if issued_at.present? && issued_at > DateTime.current.next_year
       errors.add(:issued_at, "cannot be more than 1 year in the future")
     end
   end
diff --git a/spec/factories/donations.rb b/spec/factories/donations.rb
@@ -22,7 +22,7 @@
     source { Donation::SOURCES[:misc] }
     storage_location
     organization { Organization.try(:first) || create(:organization) }
-    issued_at { Time.current }
+    issued_at { DateTime.current }
 
     factory :manufacturer_donation do
       manufacturer
diff --git a/spec/models/organization_spec.rb b/spec/models/organization_spec.rb
@@ -107,7 +107,6 @@
 
     describe 'users' do
       subject { organization.users }
-      let(:organization) { create(:organization) }
 
       context 'when a organizaton has a user that has two roles' do
         let(:user) { create(:user) }
@@ -361,7 +360,6 @@
     end
 
     context 'with invisible items' do
-      let!(:organization) { create(:organization) }
       let!(:item1) { create(:item, organization: organization, active: true, visible_to_partners: true) }
       let!(:item2) { create(:item, organization: organization, active: true, visible_to_partners: false) }
       let!(:item3) { create(:item, organization: organization, active: false, visible_to_partners: true) }
@@ -401,21 +399,24 @@
   describe 'earliest reporting year' do
     # re 2813 update annual report -- allowing an earliest reporting year will let us do system testing and staging for annual reports
     it 'is the organization created year if no associated data' do
-      org = create(:organization)
-      expect(org.earliest_reporting_year).to eq(org.created_at.year)
+      expect(organization.earliest_reporting_year).to eq(organization.created_at.year)
     end
+
     it 'is the year of the earliest of donation, purchase, or distribution if they are earlier ' do
-      org = create(:organization)
-      create(:donation, organization: org, issued_at: 364.days.from_now)
-      create(:purchase, organization: org, issued_at: 364.days.from_now)
-      create(:distribution, organization: org, issued_at: 364.days.from_now)
-      expect(org.earliest_reporting_year).to eq(org.created_at.year)
-      create(:donation, organization: org, issued_at: 5.years.ago)
-      expect(org.earliest_reporting_year).to eq(5.years.ago.year)
-      create(:purchase, organization: org, issued_at: 6.years.ago)
-      expect(org.earliest_reporting_year).to eq(6.years.ago.year)
-      create(:purchase, organization: org, issued_at: 7.years.ago)
-      expect(org.earliest_reporting_year).to eq(7.years.ago.year)
+      freeze_time do
+        create(:donation, organization: organization, issued_at: DateTime.current.next_year - 1.day)
+        create(:purchase, organization: organization, issued_at: DateTime.current.next_year - 1.day)
+        create(:distribution, organization: organization, issued_at: DateTime.current.next_year - 1.day)
+        expect(organization.earliest_reporting_year).to eq(organization.created_at.year)
+        create(:donation, organization: organization, issued_at: 5.years.ago)
+        expect(organization.earliest_reporting_year).to eq(5.years.ago.year)
+        create(:purchase, organization: organization, issued_at: 6.years.ago)
+        expect(organization.earliest_reporting_year).to eq(6.years.ago.year)
+        create(:purchase, organization: organization, issued_at: 7.years.ago)
+        expect(organization.earliest_reporting_year).to eq(7.years.ago.year)
+      ensure
+        travel_back
+      end
     end
   end
 
diff --git a/spec/requests/donations_requests_spec.rb b/spec/requests/donations_requests_spec.rb
@@ -277,6 +277,36 @@
       end
     end
 
+    describe "when accessing a donation from another organization" do
+      let(:other_organization) { create(:organization) }
+      let(:other_donation) { create(:donation, organization: other_organization, comment: "Original comment") }
+
+      it "returns not found for show" do
+        get donation_path(id: other_donation.id)
+
+        expect(response).to have_http_status(:not_found)
+      end
+
+      it "returns not found for edit" do
+        get edit_donation_path(id: other_donation.id)
+
+        expect(response).to have_http_status(:not_found)
+      end
+
+      it "returns not found for print" do
+        get print_donation_path(id: other_donation.id)
+
+        expect(response).to have_http_status(:not_found)
+      end
+
+      it "returns not found for update and does not change donation" do
+        put donation_path(id: other_donation.id, donation: {comment: "Changed comment"})
+
+        expect(response).to have_http_status(:not_found)
+        expect(other_donation.reload.comment).to eq("Original comment")
+      end
+    end
+
     describe "GET #edit" do
       it 'should not allow edits if there is an intervening snapshot' do
         donation = FactoryBot.create(:donation,
diff --git a/spec/requests/reports/donations_summary_spec.rb b/spec/requests/reports/donations_summary_spec.rb
@@ -8,15 +8,16 @@
     end
 
     describe "time display" do
-      let!(:donation) { create(:donation, :with_items, issued_at: 1.day.ago) }
+      it "uses issued_at for the relative time display, not created_at" do
+        freeze_time do
+          create(:donation, :with_items, issued_at: DateTime.current - 1.day)
 
-      before do
-        freeze_time
-        get reports_donations_summary_path
-      end
+          get reports_donations_summary_path
 
-      it "uses issued_at for the relative time display, not created_at" do
-        expect(response.body).to include("1 day ago")
+          expect(response.body).to include("1 day ago")
+        ensure
+          travel_back
+        end
       end
     end
 
diff --git a/spec/requests/requests_requests_spec.rb b/spec/requests/requests_requests_spec.rb
@@ -77,8 +77,24 @@
         end
       end
 
+      context 'When the request belongs to another organization' do
+        let(:other_organization) { create(:organization) }
+        let(:other_request) { create(:request, organization: other_organization) }
+
+        it 'responds with not found' do
+          get request_path(other_request)
+
+          expect(response).to have_http_status(:not_found)
+        end
+      end
+
       context 'When organization has a default storage location' do
-        let(:request) { create(:request, organization: create(:organization, default_storage_location: 1)) }
+        let(:storage_location) { create(:storage_location, organization: organization) }
+        let(:request) do
+          organization.update!(default_storage_location: storage_location.id)
+          create(:request, organization: organization)
+        end
+
         it 'shows the column Default storage location inventory' do
           get request_path(request)
 
@@ -168,6 +184,19 @@
           expect(response).to have_http_status(:not_found)
         end
       end
+
+      context 'When the request belongs to another organization' do
+        let(:other_organization) { create(:organization) }
+        let(:other_request) { create(:request, organization: other_organization) }
+
+        it 'responds with not found and does not change status' do
+          expect do
+            post start_request_path(other_request)
+          end.not_to change { other_request.reload.status }
+
+          expect(response).to have_http_status(:not_found)
+        end
+      end
     end
   end
 end
