Only allow update password if there is a session

seadowg · seadowg · commit 3dc124936918 · 2019-03-01T14:44:57.000Z
diff --git a/api/app/controllers/retros_controller.rb b/api/app/controllers/retros_controller.rb
@@ -31,9 +31,13 @@
 class RetrosController < ApplicationController
   include RetrosAuth
 
-  before_action :load_and_authenticate_retro, only: [:show, :update_password]
-  before_action :authenticate_user, only: [:create, :index]
-  before_action :load_and_authenticate_retro_admin, only: [:archive, :update]
+  before_action :authenticate_user, only: [:index, :create]
+  before_action :load_and_authenticate_retro, only: [:show]
+  before_action :load_and_authenticate_retro_admin, only: [:archive, :update, :update_password]
+
+  def index
+    render json: { retros: @user.retros }
+  end
 
   def create
     @retro = @user.retros.create(retro_params)
@@ -48,10 +52,6 @@ def create
     end
   end
 
-  def index
-    render json: { retros: @user.retros }
-  end
-
   def update
     @retro.assign_attributes(retro_update_params.fetch(:retro))
 
@@ -120,8 +120,4 @@ def retro_update_params
   def retro_update_password_params
     params.permit(:id, :current_password, :new_password, :request_uuid)
   end
-
-  def load_retro_with_items
-    @retro = Retro.includes(:items, :action_items).find_by_slug!(params.fetch(:id))
-  end
 end
diff --git a/api/config/routes.rb b/api/config/routes.rb
@@ -40,7 +40,7 @@
   resources :oauth_sessions, path: 'sessions', only: [:create]
   resources :users, only: [:create]
 
-  resources :retros, only: [:create, :index, :show, :update] do
+  resources :retros, only: [:index, :create, :show, :update] do
     resources :archives, only: [:index, :show]
     resources :settings, only: [:index]
     resources :action_items, only: [:create, :destroy, :update]
diff --git a/api/spec/requests/retros_request_spec.rb b/api/spec/requests/retros_request_spec.rb
@@ -419,7 +419,13 @@
       retro.update!(password: 'before')
 
       patch retro_update_password_path(retro),
-            params: { current_password: 'before', new_password: 'after', request_uuid: 'blah' }, as: :json
+            headers: { HTTP_AUTHORIZATION: token },
+            params: {
+              current_password: 'before',
+              new_password: 'after',
+              request_uuid: 'blah'
+            },
+            as: :json
 
       expect(response.status).to eq(200)
 
@@ -430,7 +436,13 @@
     it 'returns unprocessable entity when current password does not match' do
       retro.update!(password: 'bleah')
 
-      patch retro_update_password_path(retro), params: { current_password: 'before', new_password: 'after' }, as: :json
+      patch retro_update_password_path(retro),
+            headers: { HTTP_AUTHORIZATION: token },
+            params: {
+              current_password: 'before',
+              new_password: 'after'
+            },
+            as: :json
 
       expect(response.status).to eq(422)
       expect(retro.validate_login?('bleah')).to eq(true)
