From 1daae5b5e1607f17ff87a4fe66e0886377faea69 Mon Sep 17 00:00:00 2001
From: baarkerlounger <db@slothlife.xyz>
Date: Fri, 3 Dec 2021 10:34:44 +0000
Subject: [PATCH] Authenticate bulk uploads

---
 app/controllers/bulk_upload_controller.rb    |  4 +
 spec/requests/bulk_upload_controller_spec.rb | 91 +++++++++++++-------
 2 files changed, 63 insertions(+), 32 deletions(-)

diff --git a/app/controllers/bulk_upload_controller.rb b/app/controllers/bulk_upload_controller.rb
index ba552cb49..986f3f3fd 100644
--- a/app/controllers/bulk_upload_controller.rb
+++ b/app/controllers/bulk_upload_controller.rb
@@ -1,4 +1,6 @@
 class BulkUploadController < ApplicationController
+  before_action :authenticate_user!
+
   def show
     @bulk_upload = BulkUpload.new(nil, nil)
     render "case_logs/bulk_upload"
@@ -16,6 +18,8 @@ class BulkUploadController < ApplicationController
     end
   end
 
+private
+
   def upload_params
     params.require("bulk_upload")["case_log_bulk_upload"]
   end
diff --git a/spec/requests/bulk_upload_controller_spec.rb b/spec/requests/bulk_upload_controller_spec.rb
index 52233906c..e19247162 100644
--- a/spec/requests/bulk_upload_controller_spec.rb
+++ b/spec/requests/bulk_upload_controller_spec.rb
@@ -2,62 +2,89 @@ require "rails_helper"
 
 RSpec.describe BulkUploadController, type: :request do
   let(:url) { "/case-logs/bulk-upload" }
-  let(:organisation) { FactoryBot.create(:organisation) }
+  let(:user) { FactoryBot.create(:user) }
+  let(:organisation) { user.organisation }
   before do
     allow(Organisation).to receive(:find).with(107_242).and_return(organisation)
   end
 
-  describe "GET #show" do
-    before do
-      get url, params: {}
+  context "a not signed in user" do
+    describe "GET #show" do
+      it "does not let you see the bulk upload page" do
+        get url, headers: headers, params: {}
+        expect(response).to redirect_to("/users/sign-in")
+      end
     end
 
-    it "returns a success response" do
-      expect(response).to be_successful
-    end
+    describe "POST #bulk upload" do
+      before do
+        @file = fixture_file_upload("2021_22_lettings_bulk_upload.xlsx", "application/vnd.ms-excel")
+      end
 
-    it "returns a page with a file upload form" do
-      expect(response.body).to match(/<input id="bulk-upload-case-log-bulk-upload-field" class="govuk-file-upload"/)
-      expect(response.body).to match(/<button type="submit" formnovalidate="formnovalidate" class="govuk-button"/)
+      it "does not let you submit bulk uploads" do
+        post url, params: { bulk_upload: { case_log_bulk_upload: @file } }
+        expect(response).to redirect_to("/users/sign-in")
+      end
     end
   end
 
-  describe "POST #bulk upload" do
-    subject { post url, params: { bulk_upload: { case_log_bulk_upload: @file } } }
+  context "a signed in user" do
+    before do
+      sign_in user
+    end
 
-    context "given a valid file based on the upload template" do
+    describe "GET #show" do
       before do
-        @file = fixture_file_upload("2021_22_lettings_bulk_upload.xlsx", "application/vnd.ms-excel")
+        get url, params: {}
       end
 
-      it "creates case logs for each row in the template" do
-        expect { subject }.to change(CaseLog, :count).by(9)
+      it "returns a success response" do
+        expect(response).to be_successful
       end
 
-      it "redirects to the case log index page" do
-        expect(subject).to redirect_to(case_logs_path)
+      it "returns a page with a file upload form" do
+        expect(response.body).to match(/<input id="bulk-upload-case-log-bulk-upload-field" class="govuk-file-upload"/)
+        expect(response.body).to match(/<button type="submit" formnovalidate="formnovalidate" class="govuk-button"/)
       end
     end
 
-    context "given an invalid file type" do
-      before do
-        @file = fixture_file_upload("random.txt", "text/plain")
-        subject
-      end
+    describe "POST #bulk upload" do
+      subject { post url, params: { bulk_upload: { case_log_bulk_upload: @file } } }
+
+      context "given a valid file based on the upload template" do
+        before do
+          @file = fixture_file_upload("2021_22_lettings_bulk_upload.xlsx", "application/vnd.ms-excel")
+        end
+
+        it "creates case logs for each row in the template" do
+          expect { subject }.to change(CaseLog, :count).by(9)
+        end
 
-      it "displays an error message" do
-        expect(response.body).to match(/Invalid file type/)
+        it "redirects to the case log index page" do
+          expect(subject).to redirect_to(case_logs_path)
+        end
       end
-    end
 
-    context "given an empty file" do
-      before do
-        @file = fixture_file_upload("2021_22_lettings_bulk_upload_empty.xlsx", "application/vnd.ms-excel")
-        subject
+      context "given an invalid file type" do
+        before do
+          @file = fixture_file_upload("random.txt", "text/plain")
+          subject
+        end
+
+        it "displays an error message" do
+          expect(response.body).to match(/Invalid file type/)
+        end
       end
 
-      it "displays an error message" do
-        expect(response.body).to match(/No data found/)
+      context "given an empty file" do
+        before do
+          @file = fixture_file_upload("2021_22_lettings_bulk_upload_empty.xlsx", "application/vnd.ms-excel")
+          subject
+        end
+
+        it "displays an error message" do
+          expect(response.body).to match(/No data found/)
+        end
       end
     end
   end