GRN2-xx: Admin actions are now dictated by the correct role permission (#1140)

* Admin actions are now dictated by the correct role permission * Rspec fix Co-authored-by: Jesus Federico <jesus@123it.ca>
2020-04-01 10:58:13 -04:00
parent c72d77dbcb
commit 348713d4df
9 changed files with 144 additions and 27 deletions
--- a/spec/controllers/admins_controller_spec.rb
+++ b/spec/controllers/admins_controller_spec.rb
@ -239,6 +239,46 @@ describe AdminsController, type: :controller do
        expect(response).to redirect_to(admins_path)
      end
    end
+
+    context "POST permissions" do
+      it "allows a user with the correct permission to manage users" do
+        Role.create_new_role("test", "greenlight").update_all_role_permissions(can_manage_users: true)
+
+        @user2 = create(:user)
+        @user2.add_role(:test)
+
+        # Random manage user action test
+
+        @request.session[:user_id] = @user2.id
+
+        expect(@user.has_role?(:denied)).to eq(false)
+
+        post :ban_user, params: { user_uid: @user.uid }
+
+        @user.reload
+
+        expect(@user.has_role?(:denied)).to eq(true)
+        expect(flash[:success]).to be_present
+        expect(response).to redirect_to(admins_path)
+      end
+
+      it "doesn't allow a user with the incorrect permission to manage users" do
+        Role.create_new_role("test", "greenlight").update_all_role_permissions(can_manage_users: false)
+
+        @user2 = create(:user)
+        @user2.add_role(:test)
+
+        # Random manage user action test
+
+        @request.session[:user_id] = @user2.id
+
+        expect(@user.has_role?(:denied)).to eq(false)
+
+        post :ban_user, params: { user_uid: @user.uid }
+
+        expect(response).to render_template "errors/greenlight_error"
+      end
+    end
  end

  describe "User Design" do
@ -446,6 +486,41 @@ describe AdminsController, type: :controller do
        expect(Rails.logger.level).to eq(2)
      end
    end
+
+    context "POST permissions" do
+      it "allows a user with the correct permission to edit site settings" do
+        Role.create_new_role("test", "greenlight").update_all_role_permissions(can_edit_site_settings: true)
+
+        @user2 = create(:user)
+        @user2.add_role(:test)
+
+        # Random edit site settings action test
+
+        @request.session[:user_id] = @user2.id
+
+        post :update_settings, params: { setting: "Shared Access", value: "false" }
+
+        feature = Setting.find_by(provider: "provider1").features.find_by(name: "Shared Access")
+
+        expect(feature[:value]).to eq("false")
+        expect(response).to redirect_to(admin_site_settings_path)
+      end
+
+      it "doesn't allow a user with the incorrect permission to edit site settings" do
+        Role.create_new_role("test", "greenlight").update_all_role_permissions(can_manage_users: true)
+
+        @user2 = create(:user)
+        @user2.add_role(:test)
+
+        # Random edit site settings action test
+
+        @request.session[:user_id] = @user2.id
+
+        post :update_settings, params: { setting: "Shared Access", value: "false" }
+
+        expect(response).to render_template "errors/greenlight_error"
+      end
+    end
  end

  describe "Roles" do
@ -662,5 +737,47 @@ describe AdminsController, type: :controller do
        expect(response).to redirect_to admin_roles_path
      end
    end
+
+    context "POST permissions" do
+      it "allows a user with the correct permission to edit roles" do
+        Role.create_new_role("test", "greenlight").update_all_role_permissions(can_edit_roles: true)
+
+        @user2 = create(:user)
+        @user2.add_role(:test)
+
+        # Random edit roles action test
+
+        new_role = Role.create(name: "test2", priority: 2, provider: "provider1")
+        new_role.update_permission("can_edit_roles", "true")
+
+        @request.session[:user_id] = @user2.id
+
+        patch :update_role, params: { role_id: new_role.id, role: { name: "test3", can_edit_roles: false,
+          colour: "#45434", can_manage_users: true } }
+
+        new_role.reload
+        expect(new_role.name).to eq("test3")
+        expect(response).to redirect_to admin_roles_path(selected_role: new_role.id)
+      end
+
+      it "doesn't allow a user with the incorrect permission to edit roles" do
+        Role.create_new_role("test", "greenlight").update_all_role_permissions(can_manage_users: false)
+
+        @user2 = create(:user)
+        @user2.add_role(:test)
+
+        # Random edit roles action test
+
+        new_role = Role.create(name: "test2", priority: 2, provider: "provider1")
+        new_role.update_permission("can_edit_roles", "true")
+
+        @request.session[:user_id] = @user2.id
+
+        patch :update_role, params: { role_id: new_role.id, role: { name: "test3", can_edit_roles: false,
+          colour: "#45434", can_manage_users: true } }
+
+        expect(response).to render_template "errors/greenlight_error"
+      end
+    end
  end
 end
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@ -167,18 +167,18 @@ describe User, type: :model do
      @admin = create(:user, provider: @user.provider)
      @admin.add_role :admin

-      expect(@admin.admin_of?(@user)).to be true
+      expect(@admin.admin_of?(@user, "can_manage_users")).to be true

      @super_admin = create(:user, provider: "test")
      @super_admin.add_role :super_admin

-      expect(@super_admin.admin_of?(@user)).to be true
+      expect(@super_admin.admin_of?(@user, "can_manage_users")).to be true
    end

    it "returns false if the user is NOT an admin of another" do
      @admin = create(:user)

-      expect(@admin.admin_of?(@user)).to be false
+      expect(@admin.admin_of?(@user, "can_manage_users")).to be false
    end

    it "should get the highest priority role" do