# Context

- https://digital.dclg.gov.uk/jira/browse/CLDC-2294
- When bulk upload returns a results page it would be useful if colleagues of the uploader can see this page to help fix errors
- It would also be useful if support users can see these reports to help diagnose bulk upload errors

# Changes

- Added `pundit` gem to handle authorization
- Bulk upload results previously only accessible to the bulk uploader. Now they can be seen by users in the same org as the uploader and also support users

pull/1601/head
Phil Lee
2 years ago
committed by
GitHub
12 changed files with 203 additions and 5 deletions
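--- /dev/null
+++ b/[path not shown on page: BulkUploadPolicy]
@@ -0,0 +1,26 @@
+class BulkUploadPolicy
+attr_reader :user, :bulk_upload
+
+def initialize(user, bulk_upload)
+@user = user
+@bulk_upload = bulk_upload
+end
+
+def summary?
+owner? || same_org? || user.support?
+end
+
+def show?
+owner? || same_org? || user.support?
+end
+
+private
+
+def owner?
+bulk_upload.user == user
+end
+
+def same_org?
+bulk_upload.user.organisation.users.include?(user)
+end
+end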
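Review bot: `summary?` and `show?` carry the identical expression `owner? || same_org? || user.support?`, so the two actions can silently diverge the next time one of them is edited; define it once and alias the other, e.g. keep `def show?` … `end` and add `alias summary? show?` below it. `same_org?` dereferences `bulk_upload.user.organisation` with no nil check, so an upload whose uploader record is missing would raise `NoMethodError` out of the policy instead of answering false — whether `user` can be nil on a bulk upload is not visible on this page, but if it can, an explicit `return false unless bulk_upload.user` at the top of `same_org?` turns that into a denial. The `user.support?` branch grants every support user read access to every upload's results, which matches the description; a one-line comment on `show?` saying so would spare the next reader from checking whether that was intended.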
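--- /dev/null
+++ b/[path not shown on page: ApplicationController spec]
@@ -0,0 +1,23 @@
+require "rails_helper"
+
+RSpec.describe ApplicationController do
+describe "when Pundit::NotAuthorizedError raised" do
+render_views
+
+controller do
+def index
+raise Pundit::NotAuthorizedError, "error goes here"
+end
+end
+
+it "returns status 401 unauthorized" do
+get :index
+expect(response).to be_unauthorized
+end
+
+it "renders page not found" do
+get :index
+expect(response.body).to have_content("Page not found")
+end
+end
+end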
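Review bot: The two expectations pin a 401 status together with a "Page not found" body, which is a mismatched contract: 401 Unauthorized tells the client to authenticate, while the body tells it the resource does not exist. A signed-in user who fails a Pundit policy check is conventionally answered with 403 Forbidden, or with 404 if hiding the record's existence is the goal, and the body should agree with whichever code is chosen. The rescue handler producing this response lives in `ApplicationController` outside this page, so the fix belongs there, with the expectation here changed to match, e.g. `expect(response).to be_forbidden` or `expect(response).to be_not_found`.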
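--- /dev/null
+++ b/[path not shown on page: BulkUploadSalesResultsController spec]
@@ -0,0 +1,33 @@
+require "rails_helper"
+
+RSpec.describe BulkUploadSalesResultsController do
+before do
+sign_in user
+end
+
+describe "#show" do
+let(:user) { create(:user) }
+let(:bulk_upload) { create(:bulk_upload, :sales, user:) }
+
+it "passes thru pundit" do
+allow(controller).to receive(:authorize)
+
+get :show, params: { id: bulk_upload.id }
+
+expect(controller).to have_received(:authorize)
+end
+end
+
+describe "#summary" do
+let(:user) { create(:user) }
+let(:bulk_upload) { create(:bulk_upload, :sales, user:) }
+
+it "passes thru pundit" do
+allow(controller).to receive(:authorize)
+
+get :summary, params: { id: bulk_upload.id }
+
+expect(controller).to have_received(:authorize)
+end
+end
+end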
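Review bot: Both examples stub `authorize` with `allow(controller).to receive(:authorize)` and only assert that it was called, so they would still pass if the controller authorized the wrong record or used a policy that permits everyone; `expect(controller).to have_received(:authorize).with(bulk_upload)` at least pins the record, assuming the controller passes the `BulkUpload` itself to `authorize`, which is not visible on this page. A further example without the stub, signing in a user from another organisation and expecting the unauthorized response, would exercise the policy end-to-end through `BulkUploadSalesResultsController` rather than trusting the stub. The `let(:user)` and `let(:bulk_upload)` pairs are duplicated verbatim in `#show` and `#summary`; hoisting them to the outer `describe` also makes the `before { sign_in user }` reference resolvable without reading both blocks.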
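--- /dev/null
+++ b/[path not shown on page: BulkUploadPolicy spec]
@@ -0,0 +1,39 @@
+require "rails_helper"
+
+RSpec.describe BulkUploadPolicy do
+subject(:policy) { described_class }
+
+permissions :summary?, :show? do
+it "grants access to owner" do
+user = build(:user)
+bulk_upload = build(:bulk_upload, user:)
+
+expect(policy).to permit(user, bulk_upload)
+end
+
+it "grants access to user from same org as uploader" do
+user = create(:user)
+organisation = user.organisation
+other_user = create(:user, organisation:)
+bulk_upload = create(:bulk_upload, user:)
+
+expect(policy).to permit(other_user, bulk_upload)
+end
+
+it "grants access to support" do
+user = create(:user)
+support_user = create(:user, :support)
+bulk_upload = create(:bulk_upload, user:)
+
+expect(policy).to permit(support_user, bulk_upload)
+end
+
+it "denies access to random users" do
+user = create(:user)
+other_user = create(:user)
+bulk_upload = create(:bulk_upload, user:)
+
+expect(policy).not_to permit(other_user, bulk_upload)
+end
+end
+end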
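Review bot: The negative example `denies access to random users` relies on the `:user` factory giving each `create(:user)` a distinct organisation, which the example never states; make that precondition explicit so a future factory change fails for the right reason, e.g. `expect(other_user.organisation).not_to eq(user.organisation)` immediately before the `not_to permit` check. The owner example uses `build` while the other three use `create`; if the intent is to show that `owner?` works on unpersisted records, a one-line comment saying so would explain the difference, otherwise switching it to `create` keeps the file consistent.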