baarkerlounger
/
submit-social-housing-lettings-and-sales-data
mirror of https://github.com/communitiesuk/submit-social-housing-lettings-and-sales-data.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Merge branch 'main' into 2308-migrated-locations-not-confirmed-automatically

2308-migrated-locations-not-confirmed-automatically
natdeanlewissoftwire 2 years ago
parent
b13648fc8c c7db5102f6
commit
db57012c28
12 changed files with 203 additions and 5 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 3
      Gemfile
  2. 3
      Gemfile.lock
  3. 8
      app/controllers/application_controller.rb
  4. 8
      app/controllers/bulk_upload_lettings_results_controller.rb
  5. 10
      app/controllers/bulk_upload_sales_results_controller.rb
  6. 26
      app/policies/bulk_upload_policy.rb
  7. 23
      spec/controllers/application_controller_spec.rb
  8. 13
      spec/controllers/bulk_upload_lettings_results_controller_spec.rb
  9. 33
      spec/controllers/bulk_upload_sales_results_controller_spec.rb
  10. 39
      spec/policies/bulk_upload_policy_spec.rb
  11. 1
      spec/rails_helper.rb
  12. 41
      spec/requests/bulk_upload_lettings_results_controller_spec.rb

3
Gemfile
Unescape View File

@ -48,6 +48,9 @@ gem "aws-sdk-s3"
gem "paper_trail" gem "paper_trail"
# Store active record objects in version whodunnits # Store active record objects in version whodunnits
gem "paper_trail-globalid" gem "paper_trail-globalid"
gem "pundit"
# Request rate limiting # Request rate limiting
gem "rack", ">= 2.2.6.3" gem "rack", ">= 2.2.6.3"
gem "rack-attack" gem "rack-attack"

3
Gemfile.lock
Unescape View File

@ -277,6 +277,8 @@ GEM
public_suffix (5.0.1) public_suffix (5.0.1)
puma (5.6.5) puma (5.6.5)
nio4r (~> 2.0) nio4r (~> 2.0)
pundit (2.3.0)
activesupport (>= 3.0.0)
raabro (1.4.0) raabro (1.4.0)
racc (1.6.2) racc (1.6.2)
rack (2.2.6.4) rack (2.2.6.4)
@ -478,6 +480,7 @@ DEPENDENCIES
propshaft propshaft
pry-byebug pry-byebug
puma (~> 5.0) puma (~> 5.0)
pundit
rack (>= 2.2.6.3) rack (>= 2.2.6.3)
rack-attack rack-attack
rack-mini-profiler (~> 2.0) rack-mini-profiler (~> 2.0)

8
app/controllers/application_controller.rb
Unescape View File

@ -1,10 +1,18 @@
class ApplicationController < ActionController::Base class ApplicationController < ActionController::Base
include Pundit::Authorization
rescue_from Pundit::NotAuthorizedError, with: :render_not_authorized
before_action :set_paper_trail_whodunnit before_action :set_paper_trail_whodunnit
def render_not_found def render_not_found
render "errors/not_found", status: :not_found render "errors/not_found", status: :not_found
end end
def render_not_authorized
render "errors/not_found", status: :unauthorized
end
def render_not_found_json(class_name, id) def render_not_found_json(class_name, id)
render json: { error: "#{class_name} #{id} not found" }, status: :not_found render json: { error: "#{class_name} #{id} not found" }, status: :not_found
end end

8
app/controllers/bulk_upload_lettings_results_controller.rb
Unescape View File

@ -4,7 +4,9 @@ class BulkUploadLettingsResultsController < ApplicationController
rescue_from ActiveRecord::RecordNotFound, with: :render_not_found rescue_from ActiveRecord::RecordNotFound, with: :render_not_found
def show def show
@bulk_upload = current_user.bulk_uploads.lettings.find(params[:id]) @bulk_upload = BulkUpload.lettings.find(params[:id])
authorize @bulk_upload
end end
def resume def resume
@ -20,7 +22,9 @@ class BulkUploadLettingsResultsController < ApplicationController
end end
def summary def summary
@bulk_upload = current_user.bulk_uploads.lettings.find(params[:id]) @bulk_upload = BulkUpload.lettings.find(params[:id])
authorize @bulk_upload
end end
private private

10
app/controllers/bulk_upload_sales_results_controller.rb
Unescape View File

@ -4,7 +4,9 @@ class BulkUploadSalesResultsController < ApplicationController
rescue_from ActiveRecord::RecordNotFound, with: :render_not_found rescue_from ActiveRecord::RecordNotFound, with: :render_not_found
def show def show
@bulk_upload = current_user.bulk_uploads.sales.find(params[:id]) @bulk_upload = BulkUpload.sales.find(params[:id])
authorize @bulk_upload
end end
def resume def resume
@ -20,9 +22,13 @@ class BulkUploadSalesResultsController < ApplicationController
end end
def summary def summary
@bulk_upload = current_user.bulk_uploads.sales.find(params[:id]) @bulk_upload = BulkUpload.sales.find(params[:id])
authorize @bulk_upload
end end
private
def reset_logs_filters def reset_logs_filters
session["logs_filters"] = {}.to_json session["logs_filters"] = {}.to_json
end end

26
app/policies/bulk_upload_policy.rb
Unescape View File

@ -0,0 +1,26 @@
class BulkUploadPolicy
attr_reader :user, :bulk_upload
def initialize(user, bulk_upload)
@user = user
@bulk_upload = bulk_upload
end
def summary?
owner? || same_org? || user.support?
end
def show?
owner? || same_org? || user.support?
end
private
def owner?
bulk_upload.user == user
end
def same_org?
bulk_upload.user.organisation.users.include?(user)
end
end

23
spec/controllers/application_controller_spec.rb
Unescape View File

@ -0,0 +1,23 @@
require "rails_helper"
RSpec.describe ApplicationController do
describe "when Pundit::NotAuthorizedError raised" do
render_views
controller do
def index
raise Pundit::NotAuthorizedError, "error goes here"
end
end
it "returns status 401 unauthorized" do
get :index
expect(response).to be_unauthorized
end
it "renders page not found" do
get :index
expect(response.body).to have_content("Page not found")
end
end
end

13
spec/controllers/bulk_upload_lettings_results_controller_spec.rb
Unescape View File

@ -5,6 +5,19 @@ RSpec.describe BulkUploadLettingsResultsController do
sign_in user sign_in user
end end
describe "#show" do
let(:user) { create(:user) }
let(:bulk_upload) { create(:bulk_upload, :lettings, user:) }
it "passes thru pundit" do
allow(controller).to receive(:authorize)
get :show, params: { id: bulk_upload.id }
expect(controller).to have_received(:authorize)
end
end
describe "GET #resume /lettings-logs/bulk-upload-results/:ID/resume" do describe "GET #resume /lettings-logs/bulk-upload-results/:ID/resume" do
let(:user) { create(:user) } let(:user) { create(:user) }
let(:bulk_upload) { create(:bulk_upload, :lettings, user:) } let(:bulk_upload) { create(:bulk_upload, :lettings, user:) }

33
spec/controllers/bulk_upload_sales_results_controller_spec.rb
Unescape View File

@ -0,0 +1,33 @@
require "rails_helper"
RSpec.describe BulkUploadSalesResultsController do
before do
sign_in user
end
describe "#show" do
let(:user) { create(:user) }
let(:bulk_upload) { create(:bulk_upload, :sales, user:) }
it "passes thru pundit" do
allow(controller).to receive(:authorize)
get :show, params: { id: bulk_upload.id }
expect(controller).to have_received(:authorize)
end
end
describe "#summary" do
let(:user) { create(:user) }
let(:bulk_upload) { create(:bulk_upload, :sales, user:) }
it "passes thru pundit" do
allow(controller).to receive(:authorize)
get :summary, params: { id: bulk_upload.id }
expect(controller).to have_received(:authorize)
end
end
end

39
spec/policies/bulk_upload_policy_spec.rb
Unescape View File

@ -0,0 +1,39 @@
require "rails_helper"
RSpec.describe BulkUploadPolicy do
subject(:policy) { described_class }
permissions :summary?, :show? do
it "grants access to owner" do
user = build(:user)
bulk_upload = build(:bulk_upload, user:)
expect(policy).to permit(user, bulk_upload)
end
it "grants access to user from same org as uploader" do
user = create(:user)
organisation = user.organisation
other_user = create(:user, organisation:)
bulk_upload = create(:bulk_upload, user:)
expect(policy).to permit(other_user, bulk_upload)
end
it "grants access to support" do
user = create(:user)
support_user = create(:user, :support)
bulk_upload = create(:bulk_upload, user:)
expect(policy).to permit(support_user, bulk_upload)
end
it "denies access to random users" do
user = create(:user)
other_user = create(:user)
bulk_upload = create(:bulk_upload, user:)
expect(policy).not_to permit(other_user, bulk_upload)
end
end
end

1
spec/rails_helper.rb
Unescape View File

@ -9,6 +9,7 @@ require "capybara/rspec"
require "capybara-screenshot/rspec" require "capybara-screenshot/rspec"
require "selenium-webdriver" require "selenium-webdriver"
require "view_component/test_helpers" require "view_component/test_helpers"
require "pundit/rspec"
Capybara.register_driver :headless do |app| Capybara.register_driver :headless do |app|
options = Selenium::WebDriver::Firefox::Options.new options = Selenium::WebDriver::Firefox::Options.new

41
spec/requests/bulk_upload_lettings_results_controller_spec.rb
Unescape View File

@ -2,11 +2,13 @@ require "rails_helper"
RSpec.describe BulkUploadLettingsResultsController, type: :request do RSpec.describe BulkUploadLettingsResultsController, type: :request do
let(:user) { create(:user) } let(:user) { create(:user) }
let(:support_user) { create(:user, :support) }
let(:bulk_upload) { create(:bulk_upload, :lettings, user:, bulk_upload_errors:) } let(:bulk_upload) { create(:bulk_upload, :lettings, user:, bulk_upload_errors:) }
let(:bulk_upload_errors) { create_list(:bulk_upload_error, 2) } let(:bulk_upload_errors) { create_list(:bulk_upload_error, 2) }
let(:viewing_user) { user }
before do before do
sign_in user sign_in viewing_user
end end
describe "GET /lettings-logs/bulk-upload-results/:ID/summary" do describe "GET /lettings-logs/bulk-upload-results/:ID/summary" do
@ -22,6 +24,43 @@ RSpec.describe BulkUploadLettingsResultsController, type: :request do
expect(response.body).to include(bulk_upload.filename) expect(response.body).to include(bulk_upload.filename)
end end
context "when viewed by support user" do
before do
allow(support_user).to receive(:need_two_factor_authentication?).and_return(false)
end
let(:viewing_user) { support_user }
it "is accessible" do
get "/lettings-logs/bulk-upload-results/#{bulk_upload.id}/summary"
expect(response).to be_successful
expect(response.body).to include(bulk_upload.filename)
end
end
context "when viewed by some other random user" do
let(:other_user) { create(:user) }
let(:viewing_user) { other_user }
it "is not accessible" do
get "/lettings-logs/bulk-upload-results/#{bulk_upload.id}/summary"
expect(response).to be_unauthorized
end
end
context "when viewed by another user in the same org" do
let(:other_user) { create(:user, organisation: user.organisation) }
let(:viewing_user) { other_user }
it "is accessible" do
get "/lettings-logs/bulk-upload-results/#{bulk_upload.id}/summary"
expect(response).to be_successful
expect(response.body).to include(bulk_upload.filename)
end
end
end end
describe "GET /lettings-logs/bulk-upload-results/:ID" do describe "GET /lettings-logs/bulk-upload-results/:ID" do

Write Preview
Loading…
Cancel
Save