Add authorization check

wyeworks · Jan 15, 2025 · 0eb5119 · 0eb5119
1 parent 7b836f5
commit 0eb5119
Show file tree

Hide file tree

Showing 5 changed files with 67 additions and 5 deletions.
diff --git a/...engines/sanger_sequencing/app/controllers/sanger_sequencing/sanger_products_controller.rb b/...engines/sanger_sequencing/app/controllers/sanger_sequencing/sanger_products_controller.rb
@@ -4,6 +4,8 @@ module SangerSequencing
 
   class SangerProductsController < BaseController
     before_action :set_resources
+    before_action { @active_tab = "admin_products" }
+    before_action { authorize! :manage, current_facility }
 
     layout "two_column"
     admin_tab :all
@@ -16,12 +18,16 @@ def edit
 
     def update
       if @sanger_product.update(sanger_product_params)
-        redirect_to [current_facility, @product, :sanger_sequencing, :sanger_product]
+        redirect_to [current_facility, @product, :sanger_sequencing, :sanger_product], notice: text(".update.success")
       else
         render :edit
       end
     end
 
+    def sanger_ability
+      Ability.new(current_user, current_facility)
+    end
+
     private
 
     def sanger_product_groups
@@ -40,8 +46,9 @@ def sanger_product_params
     end
 
     def set_resources
-      @active_tab = "admin_products"
-      @product = Product.find_by!(url_name: params[:service_id])
+      @product = current_facility.products.find_by!(
+        url_name: params[:service_id]
+      )
       @sanger_product = @product.sanger_product || @product.create_sanger_product(group: "default")
     end
   end

diff --git a/vendor/engines/sanger_sequencing/app/models/sanger_sequencing/ability.rb b/vendor/engines/sanger_sequencing/app/models/sanger_sequencing/ability.rb
@@ -9,7 +9,7 @@ class Ability
     def initialize(user, facility = nil)
       return unless user
 
-      can [:show, :create, :update, :create_sample], Submission, user: user
+      can [:show, :create, :update, :create_sample], Submission, user:
 
       if facility && user.operator_of?(facility)
         can [:index, :show], Submission

diff --git a/...nger_sequencing/app/views/sanger_sequencing/admin/shared/tabnav_product/_sanger.html.haml b/...nger_sequencing/app/views/sanger_sequencing/admin/shared/tabnav_product/_sanger.html.haml
@@ -1,4 +1,4 @@
-- if @product.sanger_sequencing_enabled? && can?(:manage, @facility)
+- if @product.sanger_sequencing_enabled? && can?(:manage, current_facility)
   = tab t("sanger_sequencing.tabnav_product"),
     facility_service_sanger_sequencing_sanger_product_path(current_facility, @product),
     (secondary_tab == "sanger")
diff --git a/vendor/engines/sanger_sequencing/config/locales/en.yml b/vendor/engines/sanger_sequencing/config/locales/en.yml
@@ -13,6 +13,9 @@ en:
         success: "We have saved your batch"
       destroy:
         success: "Batch was successfully deleted"
+    sanger_sequencing/sanger_products:
+      update:
+        success: Sanger Configuration updated successfully
 
   views:
     sanger_sequencing:

diff --git a/vendor/engines/sanger_sequencing/spec/system/sanger_product_spec.rb b/vendor/engines/sanger_sequencing/spec/system/sanger_product_spec.rb
@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+require "rails_helper"
+
+RSpec.describe "Sanger Product" do
+  let(:facility) { create(:setup_facility, sanger_sequencing_enabled: true) }
+  let(:service) { create(:setup_service, sanger_sequencing_enabled: true) }
+  let(:admin) { create(:user, :facility_administrator, facility:) }
+  let(:user) { create(:user) }
+
+  describe "admin tab" do
+    context "when not logged in" do
+      it "redirects to login" do
+        visit facility_service_sanger_sequencing_sanger_product_path(facility, service)
+
+        expect(page).to have_content("Login")
+        expect(page).to_not have_content("Sanger")
+        expect(page).to_not have_content(service.name)
+      end
+    end
+
+    context "when logged in as normal user" do
+      before { login_as user }
+
+      it "renders permission denied" do
+        visit facility_service_sanger_sequencing_sanger_product_path(facility, service)
+
+        expect(page).to have_content("Permission Denied")
+      end
+    end
+
+    context "when logged in as admin" do
+      before { login_as admin }
+
+      it "requires the facility to be sanger enabled" do
+        facility.update(sanger_sequencing_enabled: false)
+
+        visit facility_service_sanger_sequencing_sanger_product_path(facility, service)
+
+        expect(page).to have_content("Not Found")
+      end
+
+      it "shows the tab if service is sanger enabled" do
+        service.update(sanger_sequencing_enabled: true)
+
+        visit facility_service_sanger_sequencing_sanger_product_path(facility, service)
+
+        expect(page).to have_content("Sanger")
+      end
+    end
+  end
+end