Re-enable authentication on editor controllers

Activate authenticate_admin_user! on EditorController,
PagePartsController, and ThemeSettingsController. Update specs to
use real Devise sign_in and add authentication tests for
unauthenticated and non-admin users.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: etewiah

app/controllers/pwb/editor/page_parts_controller.rb

@@ -7,8 +7,7 @@ class Editor::PagePartsController < ApplicationController
     skip_before_action :footer_content
     # Skip CSRF for API calls (forms include their own token)
     skip_before_action :verify_authenticity_token, only: [:update]
-    # TODO: Re-enable authentication before production
-    # before_action :authenticate_admin_user!
+    before_action :authenticate_admin_user!
     before_action :set_page_part, only: [:show, :update]
 
     # Handle record not found gracefully

app/controllers/pwb/editor/theme_settings_controller.rb

@@ -7,8 +7,7 @@ class Editor::ThemeSettingsController < ApplicationController
     skip_before_action :footer_content
     # Skip CSRF for API calls
     skip_before_action :verify_authenticity_token, only: [:update]
-    # TODO: Re-enable authentication before production
-    # before_action :authenticate_admin_user!
+    before_action :authenticate_admin_user!
 
     def show
       render json: {

app/controllers/pwb/editor_controller.rb

@@ -6,9 +6,8 @@ class EditorController < ApplicationController
     # Skip theme path setup since editor has its own layout
     skip_before_action :set_theme_path
 
-    # TODO: Re-enable authentication before production
     # Ensure only admins can access the editor
-    # before_action :authenticate_admin_user!
+    before_action :authenticate_admin_user!
 
     def show
       # The path to load in the iframe (defaults to root)

spec/controllers/pwb/editor/theme_settings_controller_spec.rb

@@ -5,10 +5,12 @@
 module Pwb
   RSpec.describe Editor::ThemeSettingsController, type: :controller do
     let!(:website) { FactoryBot.create(:pwb_website) }
-    let(:admin_user) { FactoryBot.create(:pwb_user, :admin) }
+    let(:admin_user) { FactoryBot.create(:pwb_user, :admin, website: website) }
+    let(:regular_user) { FactoryBot.create(:pwb_user, website: website) }
 
     before do
       @request.env["devise.mapping"] = ::Devise.mappings[:user]
+      sign_in admin_user, scope: :user
     end
 
     describe "GET #show" do
@@ -47,29 +49,22 @@ module Pwb
 
         json = response.parsed_body
         expect(json["status"]).to eq("success")
-        # style_variables includes custom and palette colors; check custom was stored
         expect(json["style_variables"]).to include("primary_color")
-        # Verify the raw stored value
         website.reload
         expect(website.style_variables_for_theme['default']['primary_color']).to eq("#ff0000")
       end
 
       it "merges with existing style variables" do
-        # Set initial values via the controller
-        # Using body_style and theme which are NOT in the palette colors
         patch :update, params: { style_variables: { primary_color: "#111111", body_style: "siteLayout.boxed", theme: "dark" } }, format: :json
         expect(response).to have_http_status(:success)
 
-        # Update only primary_color
         patch :update, params: { style_variables: { primary_color: "#333333" } }, format: :json
 
         response.parsed_body
         expect(response).to have_http_status(:success)
 
-        # Verify raw stored values
         website.reload
         expect(website.style_variables_for_theme['default']['primary_color']).to eq("#333333")
-        # body_style and theme should be preserved (not in palette colors)
         expect(website.style_variables_for_theme['default']['body_style']).to eq("siteLayout.boxed")
         expect(website.style_variables_for_theme['default']['theme']).to eq("dark")
       end
@@ -81,5 +76,33 @@ module Pwb
         expect(json["message"]).to eq("Theme settings saved successfully")
       end
     end
+
+    describe "authentication" do
+      context "when not signed in" do
+        before { sign_out :user }
+
+        it "returns unauthorized for show" do
+          get :show, format: :json
+          expect(response).to have_http_status(:unauthorized)
+        end
+
+        it "returns unauthorized for update" do
+          patch :update, params: { style_variables: { primary_color: "#ff0000" } }, format: :json
+          expect(response).to have_http_status(:unauthorized)
+        end
+      end
+
+      context "when signed in as non-admin" do
+        before do
+          sign_out :user
+          sign_in regular_user, scope: :user
+        end
+
+        it "returns unauthorized for show" do
+          get :show, format: :json
+          expect(response).to have_http_status(:unauthorized)
+        end
+      end
+    end
   end
 end

spec/controllers/pwb/editor_controller_spec.rb

@@ -4,40 +4,36 @@
 
 module Pwb
   RSpec.describe EditorController, type: :controller do
-    # routes { Pwb::Engine.routes }
-
-    let(:admin_user) { FactoryBot.create(:pwb_user, :admin) }
-    let(:regular_user) { FactoryBot.create(:pwb_user) }
     let!(:website) { FactoryBot.create(:pwb_website) }
+    let(:admin_user) { FactoryBot.create(:pwb_user, :admin, website: website) }
+    let(:regular_user) { FactoryBot.create(:pwb_user, website: website) }
 
     before do
       @request.env["devise.mapping"] = ::Devise.mappings[:user]
     end
 
     describe "GET #show" do
-      # NOTE: Authentication is currently disabled for easier testing
-      # These tests are skipped until authentication is re-enabled
       context "when user is not logged in" do
-        it "allows access (auth temporarily disabled)" do
+        it "redirects to root" do
           get :show
-          expect(response).to have_http_status(:success)
+          expect(response).to redirect_to(root_path)
         end
       end
 
       context "when user is logged in but not admin" do
         before do
-          allow(controller).to receive(:current_user).and_return(regular_user)
+          sign_in regular_user, scope: :user
         end
 
-        it "allows access (auth temporarily disabled)" do
+        it "redirects to root" do
           get :show
-          expect(response).to have_http_status(:success)
+          expect(response).to redirect_to(root_path)
         end
       end
 
       context "when user is admin" do
         before do
-          allow(controller).to receive(:current_user).and_return(admin_user)
+          sign_in admin_user, scope: :user
         end
 
         it "renders the show template" do