# Context

- https://digital.dclg.gov.uk/jira/browse/CLDC-2294
- When a bulk upload returns a results page, it would be useful if colleagues of the uploader could see that page to help fix the errors.
- It would also be useful if support users could see these reports to help diagnose bulk upload errors.

# Changes

- Added the `pundit` gem to handle authorization.
- Bulk upload results were previously accessible only to the user who uploaded them. They can now also be seen by users in the same organisation as the uploader, and by support users.

pull/1601/head
Phil Lee
2 years ago
committed by
GitHub
12 changed files with 203 additions and 5 deletions
@ -0,0 +1,26 @@ |
|||||||
|
class BulkUploadPolicy |
||||||
|
attr_reader :user, :bulk_upload |
||||||
|
|
||||||
|
def initialize(user, bulk_upload) |
||||||
|
@user = user |
||||||
|
@bulk_upload = bulk_upload |
||||||
|
end |
||||||
|
|
||||||
|
def summary? |
||||||
|
owner? || same_org? || user.support? |
||||||
|
end |
||||||
|
|
||||||
|
def show? |
||||||
|
owner? || same_org? || user.support? |
||||||
|
end |
||||||
|
|
||||||
|
private |
||||||
|
|
||||||
|
def owner? |
||||||
|
bulk_upload.user == user |
||||||
|
end |
||||||
|
|
||||||
|
def same_org? |
||||||
|
bulk_upload.user.organisation.users.include?(user) |
||||||
|
end |
||||||
|
end |
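Review bot: `same_org?` loads every user of the uploader's organisation (`organisation.users.include?(user)`) just to test membership, and it raises `NoMethodError` (a 500 rather than a denial) if `bulk_upload.user` is ever nil, e.g. for an upload whose owner was removed. If the models expose `organisation_id`, a foreign-key comparison is equivalent, avoids the query and fails closed: `uploader = bulk_upload.user` / `uploader&.organisation_id.present? && uploader.organisation_id == user.organisation_id` — the `present?` guard matters, because a bare `nil == nil` comparison would grant access to users without an organisation. Note the check is against the uploader's *current* organisation, so a user who changes organisation carries old upload visibility with them; if that is not intended, the upload should record the organisation at upload time. `summary?` and `show?` are the same expression; a single private predicate (say `def visible_to_user?`) that both delegate to would keep the two from drifting apart.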
@ -0,0 +1,23 @@ |
|||||||
|
require "rails_helper" |
||||||
|
|
||||||
|
RSpec.describe ApplicationController do |
||||||
|
describe "when Pundit::NotAuthorizedError raised" do |
||||||
|
render_views |
||||||
|
|
||||||
|
controller do |
||||||
|
def index |
||||||
|
raise Pundit::NotAuthorizedError, "error goes here" |
||||||
|
end |
||||||
|
end |
||||||
|
|
||||||
|
it "returns status 401 unauthorized" do |
||||||
|
get :index |
||||||
|
expect(response).to be_unauthorized |
||||||
|
end |
||||||
|
|
||||||
|
it "renders page not found" do |
||||||
|
get :index |
||||||
|
expect(response.body).to have_content("Page not found") |
||||||
|
end |
||||||
|
end |
||||||
|
end |
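Review bot: The spec pins a 401 Unauthorized status together with a "Page not found" body, which sends a mixed signal: 401 means "not authenticated" (and is what Devise uses to prompt sign-in), while this handler is reached by an already signed-in user who simply may not view a record. Either 403 Forbidden, or 404 Not Found if the intent is to not reveal whether a bulk upload id exists to users outside its organisation, would match the body; e.g. `expect(response).to have_http_status(:not_found)` with the `rescue_from` handler adjusted to match. The `rescue_from Pundit::NotAuthorizedError` handler these examples exercise is not part of the visible diff, so the status choice there should be confirmed before changing the spec.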
@ -0,0 +1,33 @@ |
|||||||
|
require "rails_helper" |
||||||
|
|
||||||
|
RSpec.describe BulkUploadSalesResultsController do |
||||||
|
before do |
||||||
|
sign_in user |
||||||
|
end |
||||||
|
|
||||||
|
describe "#show" do |
||||||
|
let(:user) { create(:user) } |
||||||
|
let(:bulk_upload) { create(:bulk_upload, :sales, user:) } |
||||||
|
|
||||||
|
it "passes thru pundit" do |
||||||
|
allow(controller).to receive(:authorize) |
||||||
|
|
||||||
|
get :show, params: { id: bulk_upload.id } |
||||||
|
|
||||||
|
expect(controller).to have_received(:authorize) |
||||||
|
end |
||||||
|
end |
||||||
|
|
||||||
|
describe "#summary" do |
||||||
|
let(:user) { create(:user) } |
||||||
|
let(:bulk_upload) { create(:bulk_upload, :sales, user:) } |
||||||
|
|
||||||
|
it "passes thru pundit" do |
||||||
|
allow(controller).to receive(:authorize) |
||||||
|
|
||||||
|
get :summary, params: { id: bulk_upload.id } |
||||||
|
|
||||||
|
expect(controller).to have_received(:authorize) |
||||||
|
end |
||||||
|
end |
||||||
|
end |
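Review bot: Both examples stub `authorize` and only assert that it was called, so they pass even if the controller authorizes the wrong record or the policy denies everyone; they do not show that a colleague is admitted or that an outsider is refused. At minimum assert the argument, `expect(controller).to have_received(:authorize).with(bulk_upload)`, and add one example that signs in a user from a different organisation without stubbing `authorize` and expects the unauthorized/not-found response, since that denial is the security property this change introduces. `BulkUploadSalesResultsController` itself is not in the visible diff, so whether it calls `authorize` on the loaded record rather than on the class is assumed here.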
@ -0,0 +1,39 @@ |
|||||||
|
require "rails_helper" |
||||||
|
|
||||||
|
RSpec.describe BulkUploadPolicy do |
||||||
|
subject(:policy) { described_class } |
||||||
|
|
||||||
|
permissions :summary?, :show? do |
||||||
|
it "grants access to owner" do |
||||||
|
user = build(:user) |
||||||
|
bulk_upload = build(:bulk_upload, user:) |
||||||
|
|
||||||
|
expect(policy).to permit(user, bulk_upload) |
||||||
|
end |
||||||
|
|
||||||
|
it "grants access to user from same org as uploader" do |
||||||
|
user = create(:user) |
||||||
|
organisation = user.organisation |
||||||
|
other_user = create(:user, organisation:) |
||||||
|
bulk_upload = create(:bulk_upload, user:) |
||||||
|
|
||||||
|
expect(policy).to permit(other_user, bulk_upload) |
||||||
|
end |
||||||
|
|
||||||
|
it "grants access to support" do |
||||||
|
user = create(:user) |
||||||
|
support_user = create(:user, :support) |
||||||
|
bulk_upload = create(:bulk_upload, user:) |
||||||
|
|
||||||
|
expect(policy).to permit(support_user, bulk_upload) |
||||||
|
end |
||||||
|
|
||||||
|
it "denies access to random users" do |
||||||
|
user = create(:user) |
||||||
|
other_user = create(:user) |
||||||
|
bulk_upload = create(:bulk_upload, user:) |
||||||
|
|
||||||
|
expect(policy).not_to permit(other_user, bulk_upload) |
||||||
|
end |
||||||
|
end |
||||||
|
end |
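Review bot: The "denies access to random users" example relies on `create(:user)` producing a user in a different organisation from the uploader; if the user factory ever reuses or sequences organisations, the example would start exercising `same_org?` instead of the denial path. Make the separation explicit, e.g. `other_user = create(:user, organisation: create(:organisation))` (assuming an `organisation` factory exists). Two negative cases are also missing: a non-support user in another organisation must be denied for both `summary?` and `show?` even when the uploader's organisation has several users, and a bulk upload with no `user` should be denied rather than raise — the policy as written would raise in `same_org?` for that record.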