5086 verify military access in controller (#12252)

* added authorization check to controller * fixed typo in controller * added spec and cassette for 403 response * fixed specs * removed 403 yml file * specs fix
department-of-veterans-affairs · Mar 27, 2023 · 3e66962 · 3e66962
1 parent ad0b487
commit 3e66962
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 0 deletions.
diff --git a/modules/mobile/app/controllers/mobile/v0/military_information_controller.rb b/modules/mobile/app/controllers/mobile/v0/military_information_controller.rb
@@ -6,6 +6,7 @@
 module Mobile
   module V0
     class MilitaryInformationController < ApplicationController
+      before_action { authorize :vet360, :military_access? }
       def get_service_history
         response = service.get_service_history
 

diff --git a/modules/mobile/spec/request/military_information_request_spec.rb b/modules/mobile/spec/request/military_information_request_spec.rb
@@ -175,5 +175,14 @@
         expect(response).to have_http_status(:not_found)
       end
     end
+
+    context 'with a user not authorized' do
+      it 'returns a forbidden response' do
+        user = FactoryBot.build(:iam_user, :no_edipi_id)
+        iam_sign_in(user)
+        get '/mobile/v0/military-service-history', headers: iam_headers
+        expect(response).to have_http_status(:forbidden)
+      end
+    end
   end
 end