Redirect contributors from all admin actions (#321)

Author: dcollie2

app/controllers/import_reports_controller.rb

@@ -1,6 +1,7 @@
 class ImportReportsController < ApplicationController
   include Pagy::Backend
 
+  before_action :redirect_contributors
   before_action :set_import_report, only: [ :show ]
 
   def index

app/controllers/tags_controller.rb

@@ -2,6 +2,7 @@
 class TagsController < ApplicationController
   include Pagy::Backend
 
+  before_action :redirect_contributors
   before_action :set_tag, only: [ :show, :edit, :update, :destroy ]
 
   def index
@@ -24,8 +25,6 @@ def update
   end
 
   def destroy
-    redirect_to tags_path and return unless Current.user.is_admin?
-
     if params[:confirmed]
       @tag.destroy
       redirect_to tags_path, notice: "Tag was successfully destroyed."

app/views/tags/show.html.erb

@@ -9,9 +9,6 @@
   <%= link_to "Edit this tag", edit_tag_path(@tag), class: "btn btn-primary mt-4" %>
 </div>
 
-  <% if Current.user.is_admin? %>
-    <div>
-      <%= button_to "Delete this tag", @tag, method: :delete, class: "btn btn-danger mt-4" %>
-    </div>
-  <% end %>
+<div>
+  <%= button_to "Delete this tag", @tag, method: :delete, class: "btn btn-danger mt-4" %>
 </div>

config/routes.rb

@@ -3,14 +3,14 @@
 Rails.application.routes.draw do
   mount SolidQueueMonitor::Engine => "/solid_queue"
   mount MissionControl::Jobs::Engine, at: "/jobs"
-  resources :languages, only: %i[index show new create edit update]
+  resources :languages, only: %i[index new create edit update]
   resources :passwords, param: :token
   resources :providers
   resources :regions
   resource :registration, only: %i[new create]
   resource :session
   resources :uploads, only: %i[create destroy]
-  resources :users
+  resources :users, except: :show
   resources :tags, only: %i[index show edit update destroy]
   resources :topics do
     member do

spec/requests/authorizations_spec.rb

@@ -6,29 +6,170 @@
   before { sign_in(user) }
 
   context "contributor" do
-    it "can access the Topics tab" do
-      get "/topics"
-      expect(response).to be_successful
+    context "Region-related actions" do
+      let!(:region) { create(:region) }
+
+      it "cannot access the Regions index" do
+        expect(get "/regions").to redirect_to(topics_path)
+      end
+
+      it "cannot access Region show page" do
+        expect(get "/regions/#{region.id}").to redirect_to(topics_path)
+      end
+
+      it "cannot access Region new page" do
+        expect(get "/regions/new").to redirect_to(topics_path)
+      end
+
+      it "cannot make a Region create request" do
+        expect { post "/regions", params: { region: { name: "A new Region" } } }.not_to change { Region.count }
+        expect(response).to redirect_to(topics_path)
+      end
+
+      it "cannot access Region edit page" do
+        expect(get "/regions/#{region.id}/edit").to redirect_to(topics_path)
+      end
+
+      it "cannot make a Region update request" do
+        expect { put "/regions/#{region.id}", params: { region: { name: "Updated Region" } } }.not_to change { region.reload.updated_at }
+        expect(response).to redirect_to(topics_path)
+      end
+
+      it "cannot make a Region delete request" do
+         expect { delete "/regions/#{region.id}" }.not_to change { Region.count }
+        expect(response).to redirect_to(topics_path)
+      end
     end
 
-    it "cannot access the Regions tab" do
-      get "/regions"
-      expect(response).to redirect_to(topics_path)
+    context "Provider-related actions" do
+      let!(:provider) { create(:provider) }
+
+      it "cannot access the Providers index" do
+        expect(get "/providers").to redirect_to(topics_path)
+      end
+
+      it "cannot access Provider show page" do
+        expect(get "/providers/#{provider.id}").to redirect_to(topics_path)
+      end
+
+      it "cannot access Provider new page" do
+        expect(get "/providers/new").to redirect_to(topics_path)
+      end
+
+      it "cannot make a Provider create request" do
+        expect { post "/providers", params: { provider: { name: "A new Provider", provider_type: "provider" } } }.not_to change { Provider.count }
+        expect(response).to redirect_to(topics_path)
+      end
+
+      it "cannot access Provider edit page" do
+        expect(get "/providers/#{provider.id}/edit").to redirect_to(topics_path)
+      end
+
+      it "cannot make a Provider update request" do
+        expect { put "/providers/#{provider.id}", params: { provider: { name: "Updated Provider" } } }.not_to change { provider.reload.updated_at }
+        expect(response).to redirect_to(topics_path)
+      end
+
+      it "cannot make a Provider delete request" do
+         expect { delete "/providers/#{provider.id}" }.not_to change { Provider.count }
+        expect(response).to redirect_to(topics_path)
+      end
     end
 
-    it "cannot access the Providers tab" do
-      get "/providers"
-      expect(response).to redirect_to(topics_path)
+    context "Language-related actions" do
+      let!(:language) { create(:language) }
+
+      it "cannot access the Languages index" do
+        expect(get "/languages").to redirect_to(topics_path)
+      end
+
+      it "cannot access Language new page" do
+        expect(get "/languages/new").to redirect_to(topics_path)
+      end
+
+      it "cannot make a Language create request" do
+        expect { post "/languages", params: { language: { name: "A new Language", language_type: "language" } } }.not_to change { Language.count }
+        expect(response).to redirect_to(topics_path)
+      end
+
+      it "cannot access Language edit page" do
+        expect(get "/languages/#{language.id}/edit").to redirect_to(topics_path)
+      end
+
+      it "cannot make a Language update request" do
+        expect { put "/languages/#{language.id}", params: { language: { name: "Updated Language" } } }.not_to change { language.reload.updated_at }
+        expect(response).to redirect_to(topics_path)
+      end
     end
 
-    it "cannot access the Languages tab" do
-      get "/languages"
-      expect(response).to redirect_to(topics_path)
+    context "Tag-related actions" do
+      let!(:tag) { create(:tag) }
+
+      it "cannot access the Tags index" do
+        expect(get "/tags").to redirect_to(topics_path)
+      end
+
+      it "cannot access Tag show page" do
+        expect(get "/tags/#{tag.id}").to redirect_to(topics_path)
+      end
+
+      it "cannot access Tag edit page" do
+        expect(get "/tags/#{tag.id}/edit").to redirect_to(topics_path)
+      end
+
+      it "cannot make a Tag update request" do
+        expect { put "/tags/#{tag.id}", params: { tag: { name: "Updated Tag" } } }.not_to change { tag.reload.updated_at }
+        expect(response).to redirect_to(topics_path)
+      end
+
+      it "cannot make a Tag delete request" do
+        expect(delete "/tags/#{tag.id}").to redirect_to(topics_path)
+      end
     end
 
-    it "cannot access the Users tab" do
-      get "/users"
-      expect(response).to redirect_to(topics_path)
+    context "User-related actions" do
+      let!(:user) { create(:user) }
+
+      it "cannot access the Users index" do
+        expect(get "/users").to redirect_to(topics_path)
+      end
+
+      it "cannot access User new page" do
+        expect(get "/users/new").to redirect_to(topics_path)
+      end
+
+      it "cannot make a User create request" do
+        provider = create(:provider)
+        expect { post "/users", params: { user: { email: Faker::Internet.email, password: "password123", provider_ids: [ provider.id ] } } }
+          .not_to change { User.count }
+        expect(response).to redirect_to(topics_path)
+      end
+
+      it "cannot access User edit page" do
+        expect(get "/users/#{user.id}/edit").to redirect_to(topics_path)
+      end
+
+      it "cannot make a User update request" do
+        expect { put "/users/#{user.id}", params: { user: { is_admin: "true" } } }.not_to change { user.reload.updated_at }
+        expect(response).to redirect_to(topics_path)
+      end
+
+      it "cannot make a User delete request" do
+         expect { delete "/users/#{user.id}" }.not_to change { User.count }
+        expect(response).to redirect_to(topics_path)
+      end
+    end
+
+    context "Import Reports-related actions" do
+      let!(:import_report) { ImportReport.create }
+
+      it "cannot access the ImportReport index" do
+        expect(get "/import_reports").to redirect_to(topics_path)
+      end
+
+      it "cannot access ImportReport show page" do
+        expect(get "/import_reports/#{import_report.id}").to redirect_to(topics_path)
+      end
     end
   end
 
@@ -40,22 +181,22 @@
       expect(response).to be_successful
     end
 
-    it "cannot access the Regions tab" do
+    it "can access the Regions tab" do
       get "/regions"
       expect(response).to be_successful
     end
 
-    it "cannot access the Providers tab" do
+    it "can access the Providers tab" do
       get "/providers"
       expect(response).to be_successful
     end
 
-    it "cannot access the Languages tab" do
+    it "can access the Languages tab" do
       get "/languages"
       expect(response).to be_successful
     end
 
-    it "cannot access the Users tab" do
+    it "can access the Users tab" do
       get "/users"
       expect(response).to be_successful
     end

spec/requests/tags/destroy_spec.rb

@@ -42,16 +42,5 @@
         end
       end
     end
-
-    context "when user is not an admin" do
-      let(:user) { create(:user) }
-
-      it "preserves the tag and redirects" do
-        delete tag_url(tag)
-
-        expect(response).to redirect_to(tags_url)
-        expect(Tag.count).to eq(1)
-      end
-    end
   end
 end

spec/requests/tags/index_spec.rb

@@ -2,7 +2,7 @@
 
 describe "Tags", type: :request do
   describe "GET /tags" do
-    let(:user) { create(:user) }
+    let(:user) { create(:user, :admin) }
 
     before do
       sign_in(user)

spec/requests/tags/update_spec.rb

@@ -2,7 +2,7 @@
 
 describe "Tag", type: :request do
   describe "PUT /tags/:id" do
-    let(:user) { create(:user) }
+    let(:user) { create(:user, :admin) }
     let!(:tag) { create(:tag, name: "Hart") }
     let(:tag_params) { attributes_for(:tag, name: "Heart", cognates_list: [ "", "Cardiovascular", "Cardio" ]) }