From 610be55f24c5bc41f4969d37ea7aa2795a8cc86f Mon Sep 17 00:00:00 2001
From: Rob Sterner
Date: Tue, 5 Mar 2024 20:28:22 -0500
Subject: [PATCH] enforce that the client must belong to the current company

---
 app/graphql/mutations/upsert_project.rb | 13 ++++++-
 spec/graphql/mutations/upsert_project_spec.rb | 39 +++++++++++++++++++
 2 files changed, 51 insertions(+), 1 deletion(-)

diff --git a/app/graphql/mutations/upsert_project.rb b/app/graphql/mutations/upsert_project.rb
index b424fc84..368e026f 100644
--- a/app/graphql/mutations/upsert_project.rb
+++ b/app/graphql/mutations/upsert_project.rb
@@ -24,7 +24,18 @@ def resolve(id: nil, client_id: nil, name: nil, status: nil, cost: nil, payment_
 end
 
 if project.blank?
- project = current_company.projects.new(client_id:, name:, status:)
+ client = current_company.clients.find_by(id: client_id)
+
+ # client must belong to the current company
+ if client.nil?
+ context.add_error(
+ GraphQL::ExecutionError.new("Client not found", extensions: { attribute: "client_id" })
+ )
+
+ return
+ end
+
+ project = client.projects.new
 end
 
 project.assign_attributes(name:) if name.present?
diff --git a/spec/graphql/mutations/upsert_project_spec.rb b/spec/graphql/mutations/upsert_project_spec.rb
index 276fcb17..eeb342e9 100644
--- a/spec/graphql/mutations/upsert_project_spec.rb
+++ b/spec/graphql/mutations/upsert_project_spec.rb
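Review bot: The rewritten create branch drops `status:` from the constructor — the removed line passed `client_id:, name:, status:` to `projects.new`, while `client.projects.new` is built with no attributes, and the only later assignment visible in the hunk is `project.assign_attributes(name:) if name.present?`. Unless `status` is assigned further down in `resolve` (the method continues past the hunk), newly created projects silently lose the `status` argument; `project = client.projects.new(status:)` keeps the previous behaviour. If `Project` also carries its own company reference that `current_company.projects.new` set implicitly, building through `client.projects` will leave it unset — worth confirming against the schema. Finally, the ownership check guards creation only: if the update branch (outside this hunk) ever assigns `client_id` from the argument, it needs the same `current_company.clients.find_by(id: client_id)` lookup, otherwise an existing project could be re-homed onto another company's client.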
@@ -46,6 +46,45 @@
 expect(post_result["endsOn"]).to be_nil
 end
 
+ it "does not allow a client_id from another company to be specified" do
+ query_string = <<-GRAPHQL
+ mutation($clientId: ID, $name: String) {
+ upsertProject(clientId: $clientId, name: $name) {
+ id
+ client {
+ id
+ }
+ name
+ }
+ }
+ GRAPHQL
+
+ user = create(:user)
+ client = create(:client, company: user.current_company)
+ other_client = create(:client)
+
+ expect(client.company).to_not eq(other_client.company)
+ expect(other_client.company.users).to_not include(user)
+ result = nil
+
+ expect do
+ result = StaffplanReduxSchema.execute(
+ query_string,
+ context: {
+ current_user: user,
+ current_company: user.current_company
+ },
+ variables: {
+ clientId: other_client.id,
+ name: project_name = Faker::Company.buzzword
+ }
+ )
+ end.to_not change(Project, :count)
+
+ post_result = result["errors"]
+ expect(post_result.first["message"]).to eq("Client not found")
+ end
+
 it "updates a project with valid params" do
 query_string = <<-GRAPHQL
 mutation($id: ID, $clientId: ID, $name: String, $status: String, $cost: Float, $paymentFrequency: String, $startsOn: ISO8601Date, $endsOn: ISO8601Date) {
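Review bot: The `variables:` hash assigns an unused local inline — `name: project_name = Faker::Company.buzzword` — which reads like a leftover; `project_name` is never referenced, so `name: Faker::Company.buzzword` says the same thing. The example asserts only the message, while the mutation also sets `extensions: { attribute: "client_id" }`; pinning that with `expect(post_result.first["extensions"]).to include("attribute" => "client_id")` and checking that `result.dig("data", "upsertProject")` is nil (presumably what the early `return` yields) would catch a regression that adds the error but still returns a project. The `client` fixture is only used to contrast companies, so `expect(client.company).to_not eq(other_client.company)` could instead assert directly that `other_client.company` differs from `user.current_company`, which is the property the test actually depends on.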