Section 7.1.3: Restrict access to project actions to admins only

Author: Ryan Bigg

ticketee/app/controllers/projects_controller.rb

@@ -1,4 +1,5 @@
 class ProjectsController < ApplicationController
+  before_action :authorize_admin!, except: [:index, :show]
   before_action :set_project, only: [:show,
                                      :edit,
                                      :update,
@@ -55,4 +56,15 @@ def set_project
   def project_params
     params.require(:project).permit(:name, :description)
   end
+
+  private
+
+  def authorize_admin!
+    authenticate_user!
+
+    unless current_user.admin?
+      flash[:alert] = "You must be an admin to do that."
+      redirect_to root_path
+    end
+  end
 end

ticketee/spec/controllers/projects_controller_spec.rb

@@ -1,6 +1,28 @@
 require 'rails_helper'
 
 RSpec.describe ProjectsController, :type => :controller do
+  let(:user) { FactoryGirl.create(:user) }
+  before do
+    allow(controller).to receive(:authenticate_user!)
+    allow(controller).to receive(:current_user).and_return(user)
+  end
+
+  context "standard users" do
+    { new: :get,
+      create: :post,
+      edit: :get,
+      update: :put,
+      destroy: :delete }.each do |action, method|
+
+      it "cannot access the #{action} action" do
+        send(method, action, :id => FactoryGirl.create(:project))
+
+        expect(response).to redirect_to(root_path)
+        expect(flash[:alert]).to eql("You must be an admin to do that.")
+      end
+    end
+  end
+
   it "displays an error for a missing project" do
     get :show, id: "not-here"
 

ticketee/spec/features/deleting_projects_spec.rb

@@ -1,6 +1,9 @@
 require "rails_helper"
 
 feature "Deleting projects" do
+  before do
+    login_as(FactoryGirl.create(:user, :admin))
+  end
   scenario "Deleting a project" do
     FactoryGirl.create(:project, name: "Sublime Text 3")
 

ticketee/spec/features/editing_projects_spec.rb

@@ -1,6 +1,9 @@
 require "rails_helper"
 
 feature "Editing Projects" do
+  before do
+    login_as(FactoryGirl.create(:user, :admin))
+  end
   before do
     FactoryGirl.create(:project, name: "Sublime Text 3")