Fix misplaced helper functions, add tests for those scenarios

uclibs · Feb 9, 2024 · 5d14e45 · 5d14e45
1 parent 299ef5c
commit 5d14e45
Show file tree

Hide file tree

Showing 9 changed files with 165 additions and 18 deletions.
diff --git a/app/controllers/concerns/submitter_ownership_guard.rb b/app/controllers/concerns/submitter_ownership_guard.rb
@@ -36,13 +36,13 @@ def current_submitter_is_owner?
  end
 
  def submitter_owns_profile?
- submitter = Submitter.find(params[:id])
+ submitter = Submitter.find_by(id: params[:id])
 
  submitter && (logged_in_submitter_id == submitter.id.to_s)
  end
 
  def submitter_owns_publication?
- publication = publication_class.find(params[:id])
+ publication = publication_class.find_by(id: params[:id])
  publication && (logged_in_submitter_id == publication.submitter_id.to_s)
  end
 
@@ -53,4 +53,12 @@ def publication_class
  def deny_access
  raise ActiveRecord::RecordNotFound
  end
+
+ def user_is_admin?
+ session[:admin]
+ end
+
+ def logged_in_submitter_id
+ session[:submitter_id].to_s
+ end
 end
diff --git a/app/controllers/publications_controller.rb b/app/controllers/publications_controller.rb
@@ -163,7 +163,7 @@ def destroy
  protected
 
  def set_object
- instance_variable_set("@#{controller_name.singularize}", Object.const_get(controller_name.classify).find(params[:id]))
+ instance_variable_set("@#{controller_name.singularize}", Object.const_get(controller_name.classify).find_by(id: params[:id]))
  end
 
  def signed_in

diff --git a/app/controllers/submitters_controller.rb b/app/controllers/submitters_controller.rb
@@ -68,7 +68,7 @@ def finished
 
  # Use callbacks to share common setup or constraints between actions.
  def set_submitter
- @submitter = Submitter.find(params[:id])
+ @submitter = Submitter.find_by(id: params[:id])
  end
 
  # Never trust parameters from the scary internet, only allow the white list through.

diff --git a/app/helpers/submitters_helper.rb b/app/helpers/submitters_helper.rb
@@ -6,7 +6,7 @@ def find_submitter(id)
  end
 
  def find_submitters(id)
- Array.wrap(Submitter.find(id))
+ Array.wrap(Submitter.find_by(id:))
  end
 
  def submitter_name(submitter)

diff --git a/spec/controllers/concerns/submitter_ownership_guard/submitter_profile_ownership_spec.rb b/spec/controllers/concerns/submitter_ownership_guard/submitter_profile_ownership_spec.rb
@@ -16,7 +16,7 @@
 
  describe '#submitter_owned_content_guard' do
  context 'when admin is logged in' do
- before { login_as_admin }
+ before { session[:admin] = true }
 
  it 'allows access to show' do
  get :show, params: { id: submitter.id }

diff --git a/spec/features/specific_page_access/book_page_access_spec.rb b/spec/features/specific_page_access/book_page_access_spec.rb
@@ -0,0 +1,77 @@
+# frozen_string_literal: true
+
+# We are verifying the access to a book's view and edit pages.,
+
+# The application is within open dates.
+# The user has a valid authentication token.
+# The user is logged in as either a submitter or admin
+require 'rails_helper'
+
+RSpec.describe 'Book Submission Ownership', type: :feature do
+ let(:submitter) { FactoryBot.create(:submitter) }
+ let(:another_submitter) { FactoryBot.create(:submitter) }
+
+ before do
+ submitter
+ another_submitter
+ end
+
+ context 'when admin is logged in' do
+ before do
+ login_as_admin
+ create_book_as_new_submitter
+ click_on("I'm Finished")
+ end
+
+ it 'allows access to the book view page' do
+ visit book_path(Book.first.id)
+ expect(page).to have_http_status(:ok)
+ end
+
+ it 'allows access to the book edit page' do
+ visit edit_book_path(Book.first.id)
+ expect(page).to have_http_status(:ok)
+ end
+ end
+
+ context 'when submitter owns the resource' do
+ before do
+ create_book_as_new_submitter
+ end
+
+ it 'allows access to the book show page' do
+ visit book_path(Book.first.id)
+ expect(page).to have_http_status(:ok)
+ end
+
+ it 'allows access to the edit book page' do
+ visit edit_book_path(Book.first.id)
+ expect(page).to have_http_status(:ok)
+ end
+ end
+
+ context 'when another submitter is logged in' do
+ before do
+ create_book_as_new_submitter
+ click_on("I'm Finished")
+ create_submitter(another_submitter)
+ end
+
+ it 'restricts access to the book view page' do
+ expect { visit book_path(Book.first.id) }.to raise_error(ActiveRecord::RecordNotFound)
+ end
+
+ it 'restricts access to the book edit page' do
+ expect { visit edit_book_path(Book.first.id) }.to raise_error(ActiveRecord::RecordNotFound)
+ end
+ end
+
+ def create_book_as_new_submitter
+ create_submitter(submitter)
+ visit new_book_path
+ fill_in('book[work_title]', with: 'The History of Unicorns')
+ fill_in('book[author_first_name][]', with: 'Juan')
+ fill_in('book[author_last_name][]', with: 'Dela Cruz')
+ click_on('Submit')
+ end
+end
diff --git a/spec/features/specific_page_access/submitter_page_access_spec.rb b/spec/features/specific_page_access/submitter_page_access_spec.rb
@@ -0,0 +1,67 @@
+# frozen_string_literal: true
+
+# We are verifying access to user profile view and edit pages.
+
+# The application is within open dates.
+# The user has a valid authentication token.
+# The user is logged in as either a submitter or admin
+require 'rails_helper'
+
+RSpec.describe 'Submitter Profile Ownership', type: :feature do
+ let(:submitter) { FactoryBot.create(:submitter) }
+ let(:another_submitter) { FactoryBot.create(:submitter) }
+
+ before do
+ submitter
+ another_submitter
+ end
+
+ context 'when admin is logged in' do
+ before do
+ login_as_admin
+ end
+
+ it 'allows access to the submitter profile page' do
+ visit submitter_path(submitter.id)
+ expect(page).to have_http_status(:ok)
+ end
+
+ it 'allows access to the edit-submitter profile page' do
+ visit edit_submitter_path(submitter.id)
+ expect(page).to have_http_status(:ok)
+ end
+ end
+
+ context 'when submitter owns the resource' do
+ before do
+ create_submitter(submitter)
+ end
+
+ it 'allows access to the submitter profile page' do
+ find('a[href*="submitters/"][href*="/edit"]').click
+ click_button 'Next' # This is the only way to get to the submitter profile page
+ expect(page).to have_http_status(:ok)
+ end
+
+ it 'allows access to the edit submitter profile page' do
+ find('a[href*="submitters/"][href*="/edit"]').click
+ expect(page).to have_http_status(:ok)
+ end
+ end
+
+ context 'when another submitter is logged in' do
+ before do
+ create_submitter(submitter)
+ end
+
+ it 'restricts access to the submitter profile page' do
+ create_submitter(submitter)
+ expect { visit submitter_path(another_submitter.id) }.to raise_error(ActiveRecord::RecordNotFound)
+ end
+
+ it 'restricts access to the edit-submitter profile page' do
+ create_submitter(submitter)
+ expect { visit edit_submitter_path(another_submitter.id) }.to raise_error(ActiveRecord::RecordNotFound)
+ end
+ end
+end
diff --git a/spec/support/helpers/access_authorization_for_feature_tests.rb b/spec/support/helpers/access_authorization_for_feature_tests.rb
@@ -1,5 +1,12 @@
 # frozen_string_literal: true
 
+def login_as_admin
+ visit manage_path
+ fill_in('username', with: ENV.fetch('ADMIN_USERNAME', nil))
+ fill_in('password', with: ENV.fetch('ADMIN_PASSWORD', nil))
+ click_on('Submit')
+end
+
 def visit_publications_page_as_submitter(submitter)
  create_submitter(submitter)
 end

diff --git a/spec/support/helpers/login_helpers_for_unit_tests.rb b/spec/support/helpers/login_helpers_for_unit_tests.rb
@@ -7,18 +7,6 @@ def login_as_submitter_of(resource)
  log_in_submitter(submitter_id)
 end
 
-def login_as_admin
- session[:admin] = true
-end
-
-def user_is_admin?
- session[:admin]
-end
-
-def logged_in_submitter_id
- session[:submitter_id].to_s
-end
-
 private
 
 def extract_submitter_id_from(resource)