Restrict game viewing to players

lib/chess_web/controllers/api/game_controller.ex

@@ -4,7 +4,13 @@ defmodule ChessWeb.Api.GameController do
   alias Chess.Store.Game
 
   def show(conn, %{"id" => id}) do
-    game = Repo.get!(Game, id)
+    query =
+      from(game in Game, preload: [:user, :opponent])
+      |> Game.for_user(current_user(conn))
+    game =
+      query
+      |> Repo.get!(id)
+
     render conn, "show.json", game: game
   end
 

lib/chess_web/controllers/game_controller.ex

@@ -42,7 +42,9 @@ defmodule ChessWeb.GameController do
   end
 
   def show(conn, %{"id" => id}) do
-    query = from(game in Game, preload: [:user, :opponent])
+    query =
+      from(game in Game, preload: [:user, :opponent])
+      |> Game.for_user(current_user(conn))
     game =
       query
       |> Repo.get!(id)

test/chess_web/controllers/game_controller_test.exs

@@ -34,7 +34,7 @@ defmodule Chess.GameControllerTest do
     assert redirected_to(conn) == game_path(conn, :show, game)
   end
 
-  test "shows chosen resource", %{conn: conn} do
+  test "shows chosen game", %{conn: conn} do
     user = create_user()
     opponent = create_user("revali", "vahmedoh")
     game = create_game_for(user, opponent)
@@ -47,6 +47,22 @@ defmodule Chess.GameControllerTest do
     assert html_response(conn, 200) =~ "<div id=\"app\" data-game-id=\"#{game.id}\">"
   end
 
+  test "does not show a game if the user is not a player", %{conn: conn} do
+    user = create_user()
+    opponent = create_user("revali", "vahmedoh")
+    game = create_game_for(user, opponent)
+
+    other_user = create_user("mipha", "ilovelink")
+
+    conn =
+      conn
+      |> login(other_user)
+
+    assert_error_sent 404, fn ->
+      get conn, game_path(conn, :show, game.id)
+    end
+  end
+
   test "renders page not found when id is nonexistent", %{conn: conn} do
     user = create_user()
     conn = login(conn, user)