238 - Implement User authentication for submitters

app/controllers/admin_controller.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 class AdminController < ApplicationController
+ skip_before_action :require_authenticated_user, only: %i[login validate]
  skip_before_action :check_date
 
  ALLOWED_CONTROLLERS_TO_MODELS = {

app/controllers/application_controller.rb

@@ -2,7 +2,12 @@
 
 class ApplicationController < ActionController::Base
  include Pagy::Backend
- before_action :check_date
+ include UserAuthentication
+
+ prepend_before_action :check_date
+
+ skip_before_action :require_authenticated_user, only: :check_date
+ skip_before_action :check_date, only: :closed
 
  private
 

app/controllers/concerns/user_authentication.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+# The UserAuthentication module provides mechanisms to enforce user authentication
+# for actions in controllers where it is included. It utilizes ActiveSupport::Concern
+# to add a before_action hook that checks for authenticated users (either admin or submitter)
+# before allowing access to controller actions. Unauthenticated users are redirected
+# to the root path with an appropriate warning message.
+module UserAuthentication
+ extend ActiveSupport::Concern
+
+ included do
+ before_action :require_authenticated_user
+ end
+
+ private
+
+ def require_authenticated_user
+ return if admin_logged_in? || current_submitter
+
+ flash.keep[:danger] = 'You must submit your information first.'
+ redirect_to root_path
+ end
+
+ def admin_logged_in?
+ session[:admin]
+ end
+
+ def current_submitter
+ @current_submitter ||= Submitter.find_by(id: session[:submitter_id])
+ end
+end

app/controllers/publications_controller.rb

@@ -128,7 +128,7 @@ def create
  format.html { redirect_to publications_path }
  format.json { render :show, status: :created, location: instance_variable }
  else
- format.html { render :new }
+ format.html { render :new, status: :unprocessable_entity }
  format.json { render json: instance_variable.errors, status: :unprocessable_entity }
  end
  end
@@ -142,7 +142,7 @@ def update
  format.html { redirect_to instance_variable }
  format.json { render :show, status: :created, location: instance_variable }
  else
- format.html { render :new }
+ format.html { render :edit, status: :unprocessable_entity }
  format.json { render json: instance_variable.errors, status: :unprocessable_entity }
  end
  end

app/controllers/submitters_controller.rb

@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 class SubmittersController < ApplicationController
+ skip_before_action :require_authenticated_user, only: %i[new create finished]
+
  before_action :set_submitter, only: %i[show edit update destroy]
 
  # GET /submitters/1

app/helpers/submitters_helper.rb

@@ -2,7 +2,7 @@
 
 module SubmittersHelper
  def find_submitter(id)
- Submitter.find(id)
+ Submitter.find_by(id:)
  end
 
  def find_submitters(id)

app/mailers/publication_mailer.rb

@@ -29,6 +29,8 @@ class PublicationMailer < ApplicationMailer
  SUBJECT = 'Publication received for Artists, Authors, Editors & Composers'
 
  def publication_submit(submitter, publication)
+ return unless submitter
+
  @submitter = submitter
  @publication = publication
  sender_name, sender_email = parse_default_sender

spec/controllers/admin_controller/admin_controller_citations_spec.rb

@@ -21,7 +21,8 @@
 
  context 'when admin is not logged in' do
  before do
- allow(controller).to receive(:session).and_return(admin: false)
+ session[:admin] = false
+ session[:submitter_id] = FactoryBot.create(:submitter).id
  end
 
  it 'redirects to publications_path' do

spec/controllers/admin_controller/admin_controller_csv_spec.rb

@@ -5,6 +5,7 @@
 RSpec.describe AdminController, type: :controller do
  let(:common_params) { { 'controller_name' => 'other_publications' } }
  let(:admin_session) { { 'admin' => true } }
+ let(:submitter_session) { { 'submitter_id' => FactoryBot.create(:submitter).id } }
 
  describe 'GET #csv' do
  context 'when the user is an admin' do
@@ -33,7 +34,8 @@
 
  context 'when the user is not an admin' do
  it 'redirects even if a valid format is provided' do
- get(:csv, params: common_params.merge({ format: 'csv' }))
+ get(:csv, params: common_params.merge({ format: 'csv' }), session: submitter_session)
+ expect(response).to have_http_status(302)
  expect(response).to redirect_to('/publications')
  end
  end

spec/controllers/admin_controller/admin_controller_toggle_links_spec.rb

@@ -4,6 +4,10 @@
 
 RSpec.describe AdminController, type: :controller do
  describe 'POST #toggle_links' do
+ before do
+ session[:admin] = true
+ end
+
  context 'when session[:links] is true' do
  before do
  session[:links] = true

spec/controllers/application_controller/application_controller_check_date_spec.rb

@@ -5,6 +5,9 @@
 RSpec.describe ApplicationController, type: :controller do
  include ApplicationHelper
 
+ let(:submitter) { FactoryBot.create(:submitter) }
+ let(:submitter_session) { { submitter_id: submitter.id } }
+
  controller(ApplicationController) do
  def index
  render plain: 'Hello, world!'
@@ -20,16 +23,17 @@ def index
  context 'when EXPIRATION_DATE is in the past and user is not admin' do
  it 'redirects to the closed page' do
  allow(ENV).to receive(:fetch).with('EXPIRATION_DATE').and_return('2000-01-01')
- get :index
+ get :index, session: submitter_session
  expect(response).to redirect_to(page_route('closed'))
  end
  end
 
  context 'when EXPIRATION_DATE is in the future' do
  it 'does not redirect' do
  allow(ENV).to receive(:fetch).with('EXPIRATION_DATE').and_return('3000-01-01')
- get :index
- expect(response.body).to eq('Hello, world!')
+ get :index, session: submitter_session
+ expect(response).to have_http_status(:ok)
+ expect(response.body).to include('Hello, world!')
  end
  end
 

spec/controllers/artworks_controller_spec.rb

@@ -11,60 +11,23 @@
  { 'author_first_name' => ['Bad'], 'author_last_name' => [''], 'college_ids' => [''], 'uc_department' => '', 'work_title' => '', 'other_title' => '', 'location' => '', 'date' => '' }
  end
 
- let(:valid_session) { { submitter_id: 1 } }
-
- describe 'GET #index' do
- before do
- FactoryBot.create(:submitter)
- end
-
- it 'returns a success response' do
- Artwork.create! valid_attributes
- get :index, session: valid_session
- expect(response).to redirect_to('/publications')
- end
- end
-
- describe 'GET #show' do
- it 'returns a success response' do
- artwork = Artwork.create! valid_attributes
- get :show, params: { id: artwork.to_param }, session: valid_session
- expect(response).to be_successful
- end
- end
-
- describe 'GET #show as admin' do
- it 'returns a success response' do
- FactoryBot.create(:submitter)
- session[:admin] = true
- artwork = Artwork.create! valid_attributes
- get :show, params: { id: artwork.to_param }, session: valid_session
- expect(response).to be_successful
- end
- end
-
- describe 'GET #new' do
- it 'returns a success response' do
- get :new, params: {}, session: valid_session
- expect(response).to be_successful
- end
- end
-
- describe 'GET #edit' do
- it 'returns a success response' do
- artwork = Artwork.create! valid_attributes
- get :edit, params: { id: artwork.to_param }, session: valid_session
- expect(response).to be_successful
- end
- end
+ let(:submitter) { FactoryBot.create(:submitter) }
+ let(:valid_session) { { submitter_id: submitter.id } }
+ let(:artwork) { Artwork.create! valid_attributes }
+
+ it_behaves_like 'restricts non-logged-in users', {
+ 'index' => :get,
+ 'show' => :get,
+ 'new' => :get,
+ 'edit' => :get,
+ 'create' => :post,
+ 'update' => :put,
+ 'destroy' => :delete
+ }
 
  describe 'POST #create' do
  context 'with valid params' do
- before do
- FactoryBot.create(:submitter)
- end
-
- it 'creates a new Other Publication' do
+ it 'creates a new Artwork' do
  expect do
  post :create, params: { artwork: valid_attributes }, session: valid_session
  end.to change(Artwork, :count).by(1)
@@ -77,9 +40,16 @@
  end
 
  context 'with invalid params' do
- it "returns a success response (i.e. to display the 'new' template)" do
+ it 'does not create a new Artwork' do
+ expect do
+ post :create, params: { artwork: invalid_attributes }, session: valid_session
+ end.not_to change(Artwork, :count)
+ end
+
+ it "redirects to the 'new' template with status 'unprocessable_entity'" do
  post :create, params: { artwork: invalid_attributes }, session: valid_session
- expect(response).to be_successful
+ expect(response).to render_template(:new)
+ expect(response.status).to eql 422
  end
  end
  end
@@ -91,39 +61,39 @@
  end
 
  it 'updates the requested other publication' do
- artwork = Artwork.create! valid_attributes
  put :update, params: { id: artwork.to_param, artwork: new_attributes }, session: valid_session
  artwork.reload
  expect(artwork.date).to eql 'new date'
  expect(artwork.college_ids).to eql [6, 7]
  end
 
  it 'redirects to the artwork' do
- artwork = Artwork.create! valid_attributes
  put :update, params: { id: artwork.to_param, artwork: valid_attributes }, session: valid_session
  expect(response).to redirect_to(artwork)
  end
  end
 
  context 'with invalid params' do
- it "returns a success response (i.e. to display the 'edit' template)" do
- artwork = Artwork.create! valid_attributes
+ it "redirects to the 'edit' template with status 'unprocessable_entity'" do
  put :update, params: { id: artwork.to_param, artwork: invalid_attributes }, session: valid_session
- expect(response).to be_successful
+ expect(response).to render_template(:edit)
+ expect(response.status).to eql 422
  end
  end
  end
 
  describe 'DELETE #destroy' do
+ before do
+ artwork
+ end
+
  it 'destroys the requested artwork' do
- artwork = Artwork.create! valid_attributes
  expect do
  delete :destroy, params: { id: artwork.to_param }, session: valid_session
  end.to change(Artwork, :count).by(-1)
  end
 
  it 'redirects to the artworks list' do
- artwork = Artwork.create! valid_attributes
  delete :destroy, params: { id: artwork.to_param }, session: valid_session
  expect(response).to redirect_to(artworks_url)
  end