Ensure images can only be attached to a project owned by the logged in user

.gitignore

@@ -4,6 +4,8 @@
 # or operating system, you probably want to add a global ignore instead:
 #   git config --global core.excludesfile '~/.gitignore_global'
 
+.DS_Store
+
 .env
 
 # Ignore bundler config.

app/controllers/api/projects/images_controller.rb

@@ -7,6 +7,7 @@ class ImagesController < ApiController
 
       def create
         @project = Project.find_by!(identifier: params[:project_id])
+        authorize! :update, @project
         @project.images.attach(params[:images])
         render '/api/projects/images', formats: [:json]
       end

app/controllers/api_controller.rb

@@ -4,8 +4,8 @@ class ApiController < ActionController::API
   include OauthUser
 
   unless Rails.application.config.consider_all_requests_local
-    rescue_from ActiveRecord::RecordNotFound, with: -> { return404 }
-    rescue_from CanCan::AccessDenied, with: -> { return401 }
+    rescue_from ActiveRecord::RecordNotFound, with: -> { notfound }
+    rescue_from CanCan::AccessDenied, with: -> { denied }
   end
 
   private
@@ -19,11 +19,11 @@ def current_user
     oauth_user_id
   end
 
-  def return404
+  def notfound
     head :not_found
   end
 
-  def return401
-    head :unauthorized
+  def denied
+    head :forbidden
   end
 end

spec/request/projects/images_spec.rb

@@ -3,8 +3,8 @@
 require 'rails_helper'
 
 RSpec.describe 'Images requests', type: :request do
-  let!(:project) { create(:project) }
   let(:user_id) { 'e0675b6c-dc48-4cd6-8c04-0f7ac05af51a' }
+  let(:project) { create(:project, user_id: user_id) }
   let(:image_filename) { 'test_image_1.png' }
   let(:params) { { images: [fixture_file_upload(image_filename, 'image/png')] } }
   let(:expected_json) do
@@ -21,7 +21,7 @@
   describe 'create' do
     context 'when auth is correct' do
       before do
-        mock_oauth_user
+        mock_oauth_user(user_id)
       end
 
       it 'attaches file to project' do
@@ -47,6 +47,17 @@
       end
     end
 
+    context 'when authed user is not creator' do
+      before do
+        mock_oauth_user
+      end
+
+      it 'returns forbidden response' do
+        post "/api/projects/#{project.identifier}/images", params: params
+        expect(response.status).to eq(403)
+      end
+    end
+
     context 'when auth is invalid' do
       it 'returns unauthorized' do
         post "/api/projects/#{project.identifier}/images"

spec/request/projects/update_spec.rb

@@ -68,9 +68,9 @@
       mock_oauth_user(user_id)
     end
 
-    it 'returns unauthorized response' do
+    it 'returns forbidden response' do
       put "/api/projects/#{project.identifier}", params: params
-      expect(response.status).to eq(401)
+      expect(response.status).to eq(403)
     end
   end