add auth to PageTextController

rubyforgood · Mar 29, 2024 · c823557 · c823557
1 parent c741cf2
commit c823557
Show file tree

Hide file tree

Showing 5 changed files with 127 additions and 3 deletions.
diff --git a/app/controllers/organizations/page_texts_controller.rb b/app/controllers/organizations/page_texts_controller.rb
@@ -1,11 +1,10 @@
 class Organizations::PageTextsController < Organizations::BaseController
   layout "dashboard"
+  before_action :set_page_text, only: %i[edit update]
   def edit
-    @page_text = current_user.organization.page_text
   end
 
   def update
-    @page_text = current_user.organization.page_text
     if @page_text.update(page_text_params)
       redirect_to edit_page_text_path, notice: "Page text updated successfully!"
     else
@@ -18,4 +17,10 @@ def update
   def page_text_params
     params.require(:page_text).permit(:hero, :about)
   end
+
+  def set_page_text
+    @page_text = current_user.organization.page_text
+
+    authorize! @page_text
+  end
 end
diff --git a/app/models/concerns/authorizable.rb b/app/models/concerns/authorizable.rb
@@ -49,6 +49,7 @@ def permissions
       activate_staff
       invite_staff
       manage_organization_profile
+      manage_page_text
       manage_staff
     ]
   ).freeze

diff --git a/app/policies/organizations/page_text_policy.rb b/app/policies/organizations/page_text_policy.rb
@@ -0,0 +1,8 @@
+class Organizations::PageTextPolicy < ApplicationPolicy
+  pre_check :verify_organization!
+  pre_check :verify_active_staff!
+
+  def manage?
+    permission?(:manage_page_text)
+  end
+end
diff --git a/test/controllers/organizations/page_texts_controller_test.rb b/test/controllers/organizations/page_texts_controller_test.rb
@@ -1,13 +1,41 @@
 require "test_helper"
+require "action_policy/test_helper"
 
 class Organizations::PageTextsControllerTest < ActionDispatch::IntegrationTest
   setup do
     @org = ActsAsTenant.current_tenant
-    admin = create(:user, :staff_admin, organization: @org)
+    admin = create(:staff_admin, organization: @org)
     sign_in admin
     @page_text = create(:page_text, organization: @org)
   end
 
+  context "authorization" do
+    include ActionPolicy::TestHelper
+
+    context "#edit" do
+      should "be authorized" do
+        assert_authorized_to(
+          :manage?, @page_text, with: Organizations::PageTextPolicy
+        ) do
+          get edit_page_text_url(@page_text)
+        end
+      end
+    end
+
+    context "#update" do
+      setup do
+        @params = {page_text: {hero: "Super Dog", about: "canine caped crusader"}}
+      end
+
+      should "be authorized" do
+        assert_authorized_to(
+          :manage?, @page_text, with: Organizations::PageTextPolicy
+        ) do
+          patch page_text_url(@page_text), params: @params
+        end
+      end
+    end
+  end
   context "GET #edit" do
     should "get edit page" do
       get edit_page_text_path

diff --git a/test/policies/organizations/page_text_policy_test.rb b/test/policies/organizations/page_text_policy_test.rb
@@ -0,0 +1,82 @@
+require "test_helper"
+
+# See https://actionpolicy.evilmartians.io/#/testing?id=testing-policies
+class Organizations::PageTextPolicyTest < ActiveSupport::TestCase
+  include PetRescue::PolicyAssertions
+
+  setup do
+    @organization = ActsAsTenant.current_tenant
+    @policy = -> {
+      Organizations::PageTextPolicy.new(Pet, user: @user,
+        organization: @organization)
+    }
+  end
+
+  context "#manage?" do
+    setup do
+      @action = -> { @policy.call.apply(:manage?) }
+    end
+
+    context "when user is nil" do
+      setup do
+        @user = nil
+      end
+
+      should "return false" do
+        assert_equal @action.call, false
+      end
+    end
+
+    context "when user is adopter" do
+      setup do
+        @user = create(:adopter)
+      end
+
+      should "return false" do
+        assert_equal @action.call, false
+      end
+    end
+
+    context "when user is deactivated staff" do
+      setup do
+        @user = create(:staff, :deactivated)
+      end
+
+      should "return false" do
+        assert_equal @action.call, false
+      end
+    end
+
+    context "when user is active staff" do
+      setup do
+        @user = create(:staff)
+      end
+
+      should "return false" do
+        assert_equal @action.call, false
+      end
+    end
+
+    context "when user is staff admin" do
+      setup do
+        @user = create(:staff_admin)
+      end
+
+      should "return true" do
+        assert_equal @action.call, true
+      end
+    end
+  end
+
+  context "#edit?" do
+    should "be an alias to :manage?" do
+      assert_alias_rule @policy.call, :edit?, :manage?
+    end
+  end
+
+  context "#update?" do
+    should "be an alias to :manage?" do
+      assert_alias_rule @policy.call, :update?, :manage?
+    end
+  end
+end