better-together-org · rsmithlal · Aug 11, 2025 · Sep 2, 2025
diff --git a/app/controllers/better_together/host_dashboard_controller.rb b/app/controllers/better_together/host_dashboard_controller.rb
@@ -3,6 +3,7 @@
 module BetterTogether
   class HostDashboardController < ApplicationController # rubocop:todo Style/Documentation
     def index # rubocop:todo Metrics/MethodLength
+      authorize :host_dashboard, :index?
       root_classes = [
         Community, NavigationArea, Page, Platform, Person, Role, ResourcePermission, User,
         Conversation, Message, Category

diff --git a/app/policies/better_together/host_dashboard_policy.rb b/app/policies/better_together/host_dashboard_policy.rb
@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+# app/policies/better_together/host_dashboard_policy.rb
+
+module BetterTogether
+  class HostDashboardPolicy < ApplicationPolicy # rubocop:todo Style/Documentation
+    def index?
+      user.present? && user.permitted_to?('manage_platform')
+    end
+  end
+end
diff --git a/spec/controllers/better_together/host_dashboard_controller_spec.rb b/spec/controllers/better_together/host_dashboard_controller_spec.rb
@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe BetterTogether::HostDashboardController, type: :controller do
+  include Devise::Test::ControllerHelpers
+  include BetterTogether::DeviseSessionHelpers
+
+  routes { BetterTogether::Engine.routes }
+
+  before do
+    configure_host_platform
+    @request.env['devise.mapping'] = Devise.mappings[:user]
+  end
+
+  describe 'GET #index' do
+    context 'when user can manage platform' do
+      let(:user) { BetterTogether::User.find_by(email: '[email protected]') }
+
+      before { sign_in user }
+
+      it 'returns http success' do
+        get :index, params: { locale: I18n.default_locale }
+        expect(response).to be_successful
+      end
+    end
+
+    context 'when user cannot manage platform' do
+      let(:user) { create(:user, :confirmed) }
+
+      before { sign_in user }
+
+      it 'raises Pundit::NotAuthorizedError' do
+        expect do
+          get :index, params: { locale: I18n.default_locale }
+        end.to raise_error(Pundit::NotAuthorizedError)
+      end
+    end
+  end
+end
diff --git a/spec/policies/better_together/host_dashboard_policy_spec.rb b/spec/policies/better_together/host_dashboard_policy_spec.rb
@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe BetterTogether::HostDashboardPolicy, type: :policy do
+  subject(:policy) { described_class.new(user, nil) }
+
+  context 'when user can manage platform' do
+    let(:user) { create(:user, :confirmed, :platform_manager) }
+
+    it 'permits access' do
+      expect(policy.index?).to be(true)
+    end
+  end
+
+  context 'when user cannot manage platform' do
+    let(:user) { create(:user, :confirmed) }
+
+    it 'denies access' do
+      expect(policy.index?).to be(false)
+    end
+  end
+
+  context 'when no user is present' do
+    let(:user) { nil }
+
+    it 'denies access' do
+      expect(policy.index?).to be(false)
+    end
+  end
+end