311 - limit colleges page and admin pages to admin access

[Janell-Huyck]

Fixes #311

Limits admin pages and "colleges" page to admin-only access.

Previously a non-admin could gain access to the admin pages /colleges, /citations, and to the csv commands. This PR makes those pages admin-only.

This PR addresses the concern for submitter access to admin pages raised in PR #314.

What the PR does

Makes the Colleges page/method and Admin pages/methods(csv, citations) restricted to only admin users.

Creates a new "concern", AdminOnlyAccess, which is added to the colleges and admin controller files. This concern checks to see if a user has an active admin session, and if they don't, they are shown a 404 page. The check is skipped for the admin login and validate methods because the user would not be logged in as an admin when using them.

How it is tested

The biggest testing changes center around the colleges controller, which was not previously restricted. The PR introduces some new "shared examples", restricts to only admin access, restricted access, and allowed access to determine whether or not a user should be able to complete an action (update, create, edit, destroy, etc) based on the user's role (admin, submitter, or none).

The shared examples are called like this:

  it_behaves_like 'restricts to only admin access', {
    'index' => :get,
    'show' => :get,
    'new' => :get,
    'edit' => :get,
    'create' => :post,
    'update' => :put,
    'destroy' => :delete
  }

The above goes through all the actions for the colleges controller and calls each one of them for each of the roles mentioned.

Many of the tests inside the colleges_controller_spec.rb file were only looking for a success response upon calling the method. This functionality is checked inside the shared examples so I removed these duplicate tests from inside the colleges_controller_spec.

The actual logic for the admin-only concern is tested in spec/controllers/concerns/admin_only_access_spec.rb

Additional changes

• Clarifies (refactors) the "citations" method in the admin controller to make it easier to read and update, and updated the test to work with the find_each syntax used.
• Adds html status: :unprocessable_entity to failed college creation or update
• Adds test for csv for 'when an id is sent in the params'
• Adds admin session = true for tests where appropriate
• Minor DRY refactoring for college tests by moving college creation to the top of the file

What is not covered in this PR

• General submitter-user authorization management (see PR 238 - Implement User authentication for submitters #314 )
• Preventing submitter # 2 from seeing works from submitter # 1 (see PR 319 - Restrict Submitters From Accessing Things They Don't Own #323 )

[scherztc]

@haitzlm

I ran the test locally. Do NOT use bundle exec rake spec. Use bundle exec rspec spec instead.
I tested routes as submitter (/citations, /colleges)
I tested routes as admin (/citations, /colleges, /manage

I did a code read to make sure the concern was use correctly in each of the controllers.
I did a code read on the shared_examples test and other new controller test.

I merged the PR.