311 - limit colleges page and admin pages to admin access #313
Fixes #311
Limits admin pages and "colleges" page to admin-only access.
Previously a non-admin could gain access to the admin pages /colleges, /citations, and to the csv commands. This PR makes those pages admin-only.
This PR addresses the concern for submitter access to admin pages raised in PR #314.
What the PR does
Makes the Colleges page/method and Admin pages/methods (csv, citations) restricted to only admin users.
Creates a new "concern", AdminOnlyAccess, which is added to the colleges and admin controller files. This concern checks to see if a user has an active admin session, and if they don't, they are shown a 404 page. The check is skipped for the admin login and validate methods because the user would not be logged in as an admin when using them.
How it is tested
The biggest testing changes center around the colleges controller, which was not previously restricted. The PR introduces some new "shared examples", "restricts to only admin access", "restricted access", and "allowed access", to determine whether or not a user should be able to complete an action (update, create, edit, destroy, etc.) based on the user's role (admin, submitter, or none). The shared examples are called like this:
The above goes through all the actions for the colleges controller and calls each one of them for each of the roles mentioned.
Many of the tests inside the colleges_controller_spec.rb file were only looking for a success response upon calling the method. This functionality is checked inside the shared examples so I removed these duplicate tests from inside the colleges_controller_spec.
The actual logic for the admin-only concern is tested in spec/controllers/concerns/admin_only_access_spec.rb.
Additional changes
Adds status: :unprocessable_entity to failed college creation or update.
What is not covered in this PR
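The admin-only concern the PR describes, modelled in plain Ruby as an added example (not the project's own code). Rails is not assumed: a stub BaseController supplies before_action and its except: list, and the admin_session hash is an assumed stand-in for the app's admin session.

```ruby
# Constructed plain-Ruby model of the AdminOnlyAccess concern the PR describes.
# Not the project's code: a tiny BaseController stands in for Rails'
# before_action / except: machinery so the example runs without Rails.
class BaseController
  def self.before_actions; @before_actions ||= []; end
  # Register a filter; `except:` lists actions the filter is skipped for.
  def self.before_action(name, except: [])
    before_actions << [name, Array(except)]
  end
  # admin_session is an assumed session hash: { admin: true } once an admin
  # login has been validated, nil for a submitter or an anonymous visitor.
  def initialize(admin_session: nil)
    @admin_session = admin_session
    @status = 200
  end
  # Run the filter chain, then the action unless a filter halted the request;
  # returns the HTTP status the controller would respond with.
  def dispatch(action)
    self.class.before_actions.each do |name, except|
      next if except.include?(action)
      send(name)
      return @status if @halted
    end
    send(action)
    @status
  end
end
module AdminOnlyAccess
  # login and validate stay reachable: the user is not yet an admin when
  # calling them, so the check is skipped there, as the PR says.
  def self.included(base)
    base.before_action :require_admin, except: [:login, :validate]
  end
  private
  # No active admin session: respond 404 and halt so the action never runs.
  def require_admin
    return if @admin_session && @admin_session[:admin]
    @status = 404
    @halted = true
  end
end
class CollegesController < BaseController
  include AdminOnlyAccess
  def index; @status = 200; end
end
class AdminController < BaseController
  include AdminOnlyAccess
  def login;    @status = 200; end
  def validate; @status = 200; end
  def csv;      @status = 200; end
end
```

With no admin session, dispatch(:index) on CollegesController and dispatch(:csv) on AdminController return 404, while dispatch(:login) and dispatch(:validate) still return 200.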