From b90208cf206cacbfe57108e9e2a8d52e81601d14 Mon Sep 17 00:00:00 2001
From: abcampo-iry <261805581+abcampo-iry@users.noreply.github.com>
Date: Mon, 27 Apr 2026 14:13:04 +0200
Subject: [PATCH] update identifier

---
 .../api/projects/remixes_controller.rb          | 16 +++++++++++++++-
 spec/requests/projects/remix_spec.rb            | 17 +++++++++++++++++
 2 files changed, 32 insertions(+), 1 deletion(-)

diff --git a/app/controllers/api/projects/remixes_controller.rb b/app/controllers/api/projects/remixes_controller.rb
index e61a19667..430e50c56 100644
--- a/app/controllers/api/projects/remixes_controller.rb
+++ b/app/controllers/api/projects/remixes_controller.rb
@@ -7,7 +7,8 @@ class RemixesController < ApiController
 
       before_action :authorize_user
       load_and_authorize_resource :school, only: :index
-      before_action :load_and_authorize_remix, only: %i[show show_identifier]
+      before_action :load_and_authorize_remix, only: :show
+      before_action :load_and_authorize_remix_identifier, only: :show_identifier
 
       def index
         projects = Project.where(remixed_from_id: project.id).accessible_by(current_ability)
@@ -52,6 +53,19 @@ def load_and_authorize_remix
         authorize! :show, @project
       end
 
+      def load_and_authorize_remix_identifier
+        @project =
+          if project.remixed_from_id.present?
+            project if project.user_id == current_user.id
+          else
+            remix_for_user(project, current_user)
+          end
+
+        raise ActiveRecord::RecordNotFound unless @project
+
+        authorize! :show, @project
+      end
+
       def remix_params
         params.require(:project)
               .permit(:name,
diff --git a/spec/requests/projects/remix_spec.rb b/spec/requests/projects/remix_spec.rb
index 7be77aaa0..461c085ba 100644
--- a/spec/requests/projects/remix_spec.rb
+++ b/spec/requests/projects/remix_spec.rb
@@ -106,6 +106,12 @@
         expect(response.parsed_body['identifier']).to eq(remixed_project.identifier)
       end
 
+      it 'returns the supplied identifier when it already belongs to the user remix' do
+        get("/api/projects/#{remixed_project.identifier}/remix/identifier", headers:)
+        expect(response).to have_http_status(:ok)
+        expect(response.parsed_body['identifier']).to eq(remixed_project.identifier)
+      end
+
       it 'returns 404 response if invalid project' do
         get('/api/projects/no-such-project/remix/identifier', headers:)
         expect(response).to have_http_status(:not_found)
@@ -119,6 +125,17 @@
         expect(response).to have_http_status(:not_found)
       end
 
+      it 'returns 404 if the supplied remix identifier belongs to another user' do
+        another_user_remix = create(
+          :project,
+          remixed_from_id: original_project.id,
+          user_id: create(:owner, school:).id
+        )
+
+        get("/api/projects/#{another_user_remix.identifier}/remix/identifier", headers:)
+        expect(response).to have_http_status(:not_found)
+      end
+
       context 'when multiple remixes exist for the same user and project' do
         let!(:oldest_remix) do
           create(:project, remixed_from_id: original_project.id, user_id: authenticated_user.id,