Section 7.2.2: Lock down specific projects controller actions for admins only

Author: Ryan Bigg

ticketee/app/helpers/application_helper.rb

@@ -6,4 +6,8 @@ def title(*parts)
       end
     end
   end
+
+  def admins_only(&block)
+    block.call if current_user.try(:admin?)
+  end
 end

ticketee/app/views/projects/index.html.erb

@@ -1,4 +1,6 @@
-<%= link_to "New Project", new_project_path, class: "new" %>
+<% admins_only do %>
+  <%= link_to "New Project", new_project_path, class: "new" %>
+<% end %>
 
 <h2>Projects</h2>
 <ul>

ticketee/app/views/projects/show.html.erb

@@ -1,16 +1,18 @@
 <% title(@project.name, "Projects") %>
 <h2><%= @project.name %></h2>
-<%= link_to "Edit Project",
-    edit_project_path(@project),
-    class: "edit" %>
+<% admins_only do %>
+  <%= link_to "Edit Project",
+      edit_project_path(@project),
+      class: "edit" %>
 
-<%= link_to "Delete Project",
-     project_path(@project),
-     method: :delete,
-     data: { confirm:
-               "Are you sure you want to delete this project?"
-           },
-     class: "delete" %>
+  <%= link_to "Delete Project",
+       project_path(@project),
+       method: :delete,
+       data: { confirm:
+                 "Are you sure you want to delete this project?"
+             },
+       class: "delete" %>
+<% end %>
 
 <%= link_to "New Ticket",
    new_project_ticket_path(@project),

ticketee/spec/features/hidden_links_spec.rb

@@ -0,0 +1,60 @@
+require "rails_helper"
+
+feature "hidden links" do
+  let(:user) { FactoryGirl.create(:user) }
+  let(:admin) { FactoryGirl.create(:admin_user) }
+  let(:project) { FactoryGirl.create(:project) }
+
+  context "anonymous users" do
+    scenario "cannot see the New Project link" do
+      visit "/"
+      assert_no_link_for "New Project"
+    end
+
+    scenario "cannot see the Edit Project link" do
+      visit project_path(project)
+      assert_no_link_for "Edit Project"
+    end
+
+    scenario "cannot see the Delete Project link" do
+      visit project_path(project)
+      assert_no_link_for "Delete Project"
+    end
+  end
+
+  context "regular users" do
+    before { login_as(user) }
+    scenario "cannot see the New Project link" do
+      visit "/"
+      assert_no_link_for "New Project"
+    end
+
+    scenario "cannot see the Edit Project link" do
+      visit project_path(project)
+      assert_no_link_for "Edit Project"
+    end
+
+    scenario "cannot see the Delete Project link" do
+      visit project_path(project)
+      assert_no_link_for "Delete Project"
+    end
+  end
+
+  context "admin users" do
+    before { login_as(admin) }
+    scenario "can see the New Project link" do
+      visit "/"
+      assert_link_for "New Project"
+    end
+
+    scenario "can see the Edit Project link" do
+      visit project_path(project)
+      assert_link_for "Edit Project"
+    end
+
+    scenario "can see the Delete Project link" do
+      visit project_path(project)
+      assert_link_for "Delete Project"
+    end
+  end
+end

ticketee/spec/rails_helper.rb

@@ -18,7 +18,7 @@
 # directory. Alternatively, in the individual `*_spec.rb` files, manually
 # require only the support files necessary.
 #
-# Dir[Rails.root.join("spec/support/**/*.rb")].each { |f| require f }
+Dir[Rails.root.join("spec/support/**/*.rb")].each { |f| require f }
 
 # Checks for pending migrations before tests are run.
 # If you are not using ActiveRecord, you can remove this line.

ticketee/spec/support/capybara_helpers.rb

@@ -0,0 +1,15 @@
+module CapybaraHelpers
+  def assert_no_link_for(text)
+    expect(page).to_not(have_css("a", :text => text),
+      "Expected not to see the #{text.inspect} link, but did.")
+  end
+
+  def assert_link_for(text)
+    expect(page).to(have_css("a", :text => text),
+      "Expected to see the #{text.inspect} link, but did not.")
+  end
+end
+
+RSpec.configure do |config|
+  config.include CapybaraHelpers, :type => :feature
+end