238 - Implement User authentication for submitters #314
Fixes #238
Implements User authentication for submitters
We were having problems where if a user was trying to access submitter pages such as submitting a new publication, the app would crash. While the crash was due to us trying to find the submitter id in a brittle way, the underlying issue was that an unauthorized user was able to access the page in the first place.
What the PR does
This PR creates a new "concern" called UserAuthentication that is included in all application pages through being part of ApplicationController. Aside from places where it's obviously not needed (the login pages), it restricts access to all pages unless the user is logged in as either an admin or a submitter. If the user is not allowed to view a page, they are redirected back to the root path (where they can log in as a submitter).
How it is tested
There is a file specifically for testing the authentication methods: spec/controllers/concerns/user_authentication_spec.rb
Additionally, how it works in relation to all of our publication types is checked by a new shared example, called like this
The code for the shared example is at spec/support/shared_examples/restricts_non_logged_in_users.rb. Additional helper methods and shared examples to support this shared example are in the /support folder.
The shared example takes each of the actions shown and tests them against users who aren't logged in, users who are logged in as submitters, and users who are logged in as admins. It checks by calling the action (index, show, update, etc.) on the controller that's being tested, and sees what the results are. (Does it successfully show an index, show an item, allow for an update, etc. appropriately if the user is authorized to do that action? If the user isn't authorized, are they appropriately redirected?)
The checking of different user statuses for pages created some redundancies in the publications tests, so any tests in the publications files that were only checking for a "success" response upon calling the method as user or admin were deleted.
Additional changes
update or create methods
What this PR does not do
Both those concerns will need to be addressed in separate PRs.
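An added illustration of the pattern this PR describes, not the project's own code: a framework-free stand-in for the UserAuthentication concern (deny by default, login pages opted out, redirect to root) and for the restricts_non_logged_in_users shared example. The session hash with a role string, the controller classes and the :success/:redirect return values are assumptions made so it runs without Rails.

```ruby
module UserAuthentication
  ALLOWED_ROLES = %w[admin submitter].freeze   # assumed role names
  def self.included(base)
    base.extend(ClassMethods)
  end
  module ClassMethods
    # Actions a controller opts out of the check (only the login pages should).
    def login_exempt_actions
      @login_exempt_actions ||= []
    end
    def skip_login_for(*actions)
      login_exempt_actions.concat(actions)
    end
  end
  # The before_action: only admins and submitters pass; everyone else goes to root.
  def require_login
    return true if ALLOWED_ROLES.include?(session[:role])
    false
  end
end

class ApplicationController
  include UserAuthentication
  attr_reader :session
  def initialize(session = {})
    @session = session   # stand-in for the Rails session (assumption)
  end
  # Stand-in for the filter chain: deny by default unless the action is exempt.
  def dispatch(action)
    exempt = self.class.login_exempt_actions.include?(action)
    return :redirect if !exempt && !require_login   # would be redirect_to root_path
    public_send(action)
  end
end

class SessionsController < ApplicationController
  skip_login_for :new              # the login page must stay reachable
  def new; :success; end
end

class PublicationsController < ApplicationController
  def index; :success; end         # no exemption, so login is required
end

# Mirrors the shared example: run one action as a visitor, a submitter and an admin.
def restricts_non_logged_in_users(controller, action)
  { visitor: {}, submitter: { role: 'submitter' }, admin: { role: 'admin' } }
    .transform_values { |session| controller.new(session).dispatch(action) }
end
```

A session carrying any role outside the allowed list (for example a constructed 'guest') is also sent to root, which is the deny-by-default behaviour the concern is meant to give every non-login page.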