rubyforgood · therufs · Sep 12, 2024
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
@@ -65,6 +65,11 @@ def authorize_user
       current_user.has_role?(Role::PARTNER, current_partner)
   end
 
+  def authorize_org_user
+    verboten! unless current_user.has_role?(Role::SUPER_ADMIN) ||
+      current_user.has_role?(Role::ORG_USER, current_organization)
+  end
+
   def authorize_admin
     verboten! unless current_user.has_role?(Role::SUPER_ADMIN) ||
       current_user.has_role?(Role::ORG_ADMIN, current_organization)
@@ -97,9 +102,9 @@ def not_found!
     end
   end
 
-  def verboten!
+  def verboten!(message: 'Access Denied.')
     respond_to do |format|
-      format.html { redirect_to dashboard_path_from_current_role, flash: { error: "Access Denied." } }
+      format.html { redirect_to dashboard_path_from_current_role, flash: { error: message } }
       format.json { render body: nil, status: :forbidden }
     end
   end

diff --git a/app/controllers/organizations_controller.rb b/app/controllers/organizations_controller.rb
@@ -1,7 +1,7 @@
 # Provides limited R/W to a scope-limited organization resource (member-routes-only)
 class OrganizationsController < ApplicationController
   before_action :authorize_admin, except: [:show]
-  before_action :authorize_user, only: [:show]
+  before_action :authorize_org_user, only: [:show]
 
   def show
     @organization = current_organization
@@ -80,11 +80,6 @@ def remove_user
 
   private
 
-  def authorize_user
-    verboten! unless current_user.has_role?(Role::SUPER_ADMIN) ||
-      current_user.has_role?(Role::ORG_USER, current_organization)
-  end
-
   def organization_params
     request_type_formatter(params)
 

diff --git a/app/controllers/reports/annual_reports_controller.rb b/app/controllers/reports/annual_reports_controller.rb
@@ -1,5 +1,6 @@
 class Reports::AnnualReportsController < ApplicationController
   before_action :validate_show_params, only: [:show, :recalculate]
+  before_action :authorize_org_user
 
   def index
     # 2813_update_annual_report -- changed to earliest_reporting_year

diff --git a/app/controllers/reports_controller.rb b/app/controllers/reports_controller.rb
@@ -1,5 +1,6 @@
 class ReportsController < ApplicationController
   before_action :setup_date_range_picker
+  before_action :authorize_org_user
 
   def donations_summary
     @donations = current_organization.donations.during(helpers.selected_range)

diff --git a/spec/controllers/reports_controller_spec.rb b/spec/controllers/reports_controller_spec.rb
@@ -0,0 +1,3 @@
+RSpec.describe ReportsController do
+  let(:organization) { create(:organization) }
+end