From 46f9d3ef81c2ef2a11933389672b7f271b818e05 Mon Sep 17 00:00:00 2001
From: Matt-Yorkley <9029026+Matt-Yorkley@users.noreply.github.com>
Date: Mon, 11 Oct 2021 14:31:50 +0100
Subject: [PATCH] Test permissions combined with Ransack searches
---
 spec/requests/api/v1/customers_spec.rb | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/spec/requests/api/v1/customers_spec.rb b/spec/requests/api/v1/customers_spec.rb
index a97667489d..93c233e699 100644
--- a/spec/requests/api/v1/customers_spec.rb
+++ b/spec/requests/api/v1/customers_spec.rb
@@ -43,6 +43,16 @@ describe "Customers", type: :request do
 expect(json_response_ids).to eq [customer3.id.to_s]
 end
 end
+
+ context "with ransack params searching for specific customers" do
+ before { login_as enterprise2.owner }
+
+ it "does not show results the user doesn't have permissions to view" do
+ get "/api/v1/customers", params: { q: { id_eq: customer2.id } }
+
+ expect(json_response_ids).to eq []
+ end
+ end
 end
 
 post "Create customer" do
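Review bot: The new example's only assertion is `expect(json_response_ids).to eq []`, which could also pass if the request failed or returned no data for a reason unrelated to permission scoping. Adding `expect(response).to have_http_status(:ok)` before it, plus a positive control in the same context such as `get "/api/v1/customers", params: { q: { id_eq: customer3.id } }` expecting `[customer3.id.to_s]`, would show that the Ransack filter is applied and that the empty list comes from the authorization scope. This assumes customer2 belongs to an enterprise that enterprise2.owner cannot manage and customer3 to one it can; that setup, like the start of the enclosing block, is outside the hunk. Only `id_eq` is exercised, so a predicate that reaches through an association would be worth a second example if the endpoint permits such searches.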