From 7d31ebdc982546be76f7170cb577aea8e96e9908 Mon Sep 17 00:00:00 2001
From: Dan Barber
Date: Wed, 21 Feb 2018 22:03:30 -0500
Subject: [PATCH] Restrict access to API update endpoint
---
 .../controllers/api/game_controller.ex | 12 ++++++++--
 .../controllers/api/game_controller_test.exs | 24 +++++++++++++++++--
 2 files changed, 32 insertions(+), 4 deletions(-)
diff --git a/lib/chess_web/controllers/api/game_controller.ex b/lib/chess_web/controllers/api/game_controller.ex
index be57e03..77d899e 100644
--- a/lib/chess_web/controllers/api/game_controller.ex
+++ b/lib/chess_web/controllers/api/game_controller.ex
@@ -17,8 +17,16 @@ defmodule ChessWeb.Api.GameController do
 end
 def update(conn, %{"id" => id, "move" => move_params}) do
- game = Repo.get!(Game, id)
- changeset = Game.changeset(game, %{board: new_board(game.board, move_params)})
+ query =
+ from(game in Game, preload: [:user, :opponent])
+ |> Game.for_user(current_user(conn))
+ game =
+ query
+ |> Repo.get!(id)
+
+ changeset = Game.changeset(
+ game, %{board: new_board(game.board, move_params)}
+ )
 case Repo.update(changeset) do
 {:ok, game} ->
diff --git a/test/chess_web/controllers/api/game_controller_test.exs b/test/chess_web/controllers/api/game_controller_test.exs
index 64ee7e7..539390c 100644
--- a/test/chess_web/controllers/api/game_controller_test.exs
+++ b/test/chess_web/controllers/api/game_controller_test.exs
@@ -31,7 +31,7 @@ defmodule Chess.ApiGameControllerTest do
 |> login(other_user)
 assert_error_sent 404, fn ->
- get conn, api_game_path(conn, :show, game.id)
+ get(conn, api_game_path(conn, :show, game.id))
 end
 end
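Review bot: The authorization added to `update` rests entirely on `Game.for_user(current_user(conn))`, and nothing in the hunk shows what `for_user/2` does when `current_user(conn)` is nil, so an unauthenticated request either relies on an upstream plug or silently scopes to nothing; a one-line comment above the query, `# relies on the auth plug: current_user/1 must be non-nil here, otherwise for_user/2 narrows the query to no rows`, would make that contract explicit, or a guard clause on the nil case would remove the dependency. The scope also only proves the caller is one of the two players, not that it is their turn — if `new_board/2` or the changeset does not check the side to move, either player can submit moves for the other, which I cannot confirm from here. As a style point, `game = query |> Repo.get!(id)` is a single-step pipe and reads better as `game = Repo.get!(query, id)`. The body of `update` continues past the end of the hunk.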
@@ -47,12 +47,32 @@ defmodule Chess.ApiGameControllerTest do
 assert json_response(conn, 403)
 end
+ test "does not update a game if the user is not a player", %{conn: conn} do
+ user = create_user()
+ opponent = create_user("revali", "vahmedoh")
+ game = create_game_for(user, opponent)
+
+ other_user = create_user("mipha", "ilovelink")
+
+ conn =
+ conn
+ |> login(other_user)
+
+ assert_error_sent 404, fn ->
+ patch(
+ conn,
+ api_game_path(conn, :update, game.id),
+ %{move: %{from: [1, 1], to: [2, 1]}}
+ )
+ end
+ end
+
 test "renders page not found when id is nonexistent", %{conn: conn} do
 user = create_user()
 conn = login(conn, user)
 assert_error_sent 404, fn ->
- get conn, api_game_path(conn, :show, -1)
+ get(conn, api_game_path(conn, :show, -1))
 end
 end
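Review bot: The new test only asserts that the request errors with 404; it does not verify that the board was left unchanged, which is the property the access restriction is meant to protect. After the `assert_error_sent` block, reload the record and compare it with the original, e.g. `assert Repo.get!(Game, game.id).board == game.board` (assuming `Repo` and `Game` are aliased in this test module as they are in the controller). A sibling test that a logged-in player can still update their own game would also guard against the scope being too narrow, unless one already exists outside the hunk. The `assert json_response(conn, 403)` context at the top suggests the unauthenticated case is covered elsewhere, so I would not duplicate it here.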