Authenticate bulk uploads

4 years ago · 1daae5b5e1
2 changed files with 63 additions and 32 deletions
--- a/app/controllers/bulk_upload_controller.rb
+++ b/app/controllers/bulk_upload_controller.rb
@ -1,4 +1,6 @@
 class BulkUploadController < ApplicationController
+  before_action :authenticate_user!
+
  def show
    @bulk_upload = BulkUpload.new(nil, nil)
    render "case_logs/bulk_upload"
@ -16,6 +18,8 @@ class BulkUploadController < ApplicationController
    end
  end

+private
+
  def upload_params
    params.require("bulk_upload")["case_log_bulk_upload"]
  end
--- a/spec/requests/bulk_upload_controller_spec.rb
+++ b/spec/requests/bulk_upload_controller_spec.rb
@ -2,11 +2,37 @@ require "rails_helper"

 RSpec.describe BulkUploadController, type: :request do
  let(:url) { "/case-logs/bulk-upload" }
-  let(:organisation) { FactoryBot.create(:organisation) }
+  let(:user) { FactoryBot.create(:user) }
+  let(:organisation) { user.organisation }
  before do
    allow(Organisation).to receive(:find).with(107_242).and_return(organisation)
  end

+  context "a not signed in user" do
+    describe "GET #show" do
+      it "does not let you see the bulk upload page" do
+        get url, headers: headers, params: {}
+        expect(response).to redirect_to("/users/sign-in")
+      end
+    end
+
+    describe "POST #bulk upload" do
+      before do
+        @file = fixture_file_upload("2021_22_lettings_bulk_upload.xlsx", "application/vnd.ms-excel")
+      end
+
+      it "does not let you submit bulk uploads" do
+        post url, params: { bulk_upload: { case_log_bulk_upload: @file } }
+        expect(response).to redirect_to("/users/sign-in")
+      end
+    end
+  end
+
+  context "a signed in user" do
+    before do
+      sign_in user
+    end
+
    describe "GET #show" do
      before do
        get url, params: {}
@ -61,4 +87,5 @@ RSpec.describe BulkUploadController, type: :request do
        end
      end
    end
+  end
 end