added auth for destroy org_user

Author: Jess-White

app/controllers/api/organization_users_controller.rb

@@ -29,6 +29,7 @@ def show
 
     def destroy
       @organization_user = organization_user
+      authorize @organization_user
       @organization_user.destroy!
       render 'show.json.jb'
     end

spec/controllers/api/organization_users_controller_spec.rb

@@ -207,6 +207,23 @@
   end
 
   describe 'DELETE /organizations/:organization_id/users/:id' do
+    before do
+      allow_any_instance_of(OrganizationUserPolicy).to receive(:destroy?).and_return(true)
+    end
+
+    context 'when organization user policy fails' do
+      before do
+        allow_any_instance_of(OrganizationUserPolicy).to receive(:destroy?).and_return(false)
+      end
+
+      it 'renders 401' do
+        set_auth_header(chidi)
+        delete :destroy, params: { organization_id: good_place.id, id: chidi.id }
+
+        expect(response).to have_http_status(401)
+      end
+    end
+
     it 'renders 401 if organization does not exist' do
       set_auth_header(chidi)
       delete :destroy, params: { organization_id: 123, id: chidi.id }

spec/policies/organization_user_policy_spec.rb

@@ -27,8 +27,3 @@
     end
   end
 end
-
-# run these tests, they should pass
-# use this policy in the organization users controller
-# update organization user controller spec like we did for invitation controller spec (create mock)
-# done? (last check)