diff --git a/app/controllers/admin/base_controller.rb b/app/controllers/admin/base_controller.rb
new file mode 100644
index 000000000..d2f06ee84
--- /dev/null
+++ b/app/controllers/admin/base_controller.rb
@@ -0,0 +1,11 @@
+class Admin::BaseController < ApplicationController
+
+ before_filter :verify_administrator
+
+ private
+
+ def verify_administrator
+ raise CanCan::AccessDenied unless current_user.try(:administrator?)
+ end
+
+end
diff --git a/app/controllers/admin/dashboard_controller.rb b/app/controllers/admin/dashboard_controller.rb
index 697546889..f7aa5c440 100644
--- a/app/controllers/admin/dashboard_controller.rb
+++ b/app/controllers/admin/dashboard_controller.rb
@@ -1,4 +1,4 @@
-class Admin::DashboardController < ApplicationController
+class Admin::DashboardController < Admin::BaseController

 def index
 end
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 7551f3f1a..eaf1c94dd 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -11,6 +11,13 @@ class ApplicationController < ActionController::Base
 # For APIs, you may want to use :null_session instead.
 protect_from_forgery with: :exception
 
+ rescue_from CanCan::AccessDenied do |exception|
+ respond_to do |format|
+ format.json { render nothing: true, status: :forbidden }
+ format.html { redirect_to main_app.root_url, :alert => exception.message }
+ end
+ end
+
 private

 def set_locale
diff --git a/app/controllers/moderation/base_controller.rb b/app/controllers/moderation/base_controller.rb
new file mode 100644
index 000000000..2cebe7320
--- /dev/null
+++ b/app/controllers/moderation/base_controller.rb
@@ -0,0 +1,11 @@
+class Moderation::BaseController < ApplicationController
+
+ before_filter :verify_moderator
+
+ private
+
+ def verify_moderator
+ raise CanCan::AccessDenied unless current_user.try(:moderator?)
+ end
+
+end
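Review bot: `verify_administrator` guards only controllers that inherit from `Admin::BaseController`; an `Admin::` controller that still subclasses `ApplicationController` directly gets no check, and nothing in the commit enforces the inheritance, so I would state that contract at the top of the class: `# Every controller in the Admin namespace must inherit from this class; the administrator check is not applied to controllers that subclass ApplicationController directly.` The `current_user.try(:administrator?)` form also treats a visitor who is not signed in exactly like a signed-in non-admin (nil user → AccessDenied → redirect to root with the "not authorized" alert instead of a sign-in prompt); if that is intended, a one-line comment saying so would stop the next reader from "fixing" it. `before_filter` is the legacy name; if the app is on Rails 4 or later, `before_action :verify_administrator` is the current spelling. The same three points apply verbatim to `Moderation::BaseController` in the fourth hunk.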
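Review bot: The `rescue_from CanCan::AccessDenied` handler in the application_controller.rb hunk only answers `json` and `html`; a denied request in any other format (for example `.xml` or `.js`) falls out of `respond_to` with no matching block and surfaces as an UnknownFormat/406 rather than the 403 the handler intends, so the denial status depends on the requested format. Adding `format.any { head :forbidden }` as the last branch closes that gap, and `format.json { head :forbidden }` says the same thing as `render nothing: true, status: :forbidden` without relying on the `nothing:` option. Minor style point in the same block: `:alert => exception.message` uses the hash-rocket form while the line above uses `status: :forbidden`; pick one.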
diff --git a/app/controllers/moderation/dashboard_controller.rb b/app/controllers/moderation/dashboard_controller.rb
index 50491e4e6..ceaddd6f4 100644
--- a/app/controllers/moderation/dashboard_controller.rb
+++ b/app/controllers/moderation/dashboard_controller.rb
@@ -1,4 +1,4 @@
-class Moderation::DashboardController < ApplicationController
+class Moderation::DashboardController < Moderation::BaseController

 def index
 end
diff --git a/spec/features/admin_spec.rb b/spec/features/admin_spec.rb
new file mode 100644
index 000000000..a4728623b
--- /dev/null
+++ b/spec/features/admin_spec.rb
@@ -0,0 +1,34 @@
+require 'rails_helper'
+
+feature 'Admin' do
+ let(:user) { create(:user) }
+
+ scenario 'Access as regular user is not authorized' do
+ login_as(user)
+ visit admin_root_path
+
+ expect(current_path).to eq(root_path)
+ expect(page).to have_content "not authorized"
+ end
+
+ scenario 'Access as a moderator is not authorized' do
+ create(:moderator, user: user)
+
+ login_as(user)
+ visit admin_root_path
+
+ expect(current_path).to eq(root_path)
+ expect(page).to have_content "not authorized"
+ end
+
+ scenario 'Access as an administrator is authorized' do
+ create(:administrator, user: user)
+
+ login_as(user)
+ visit admin_root_path
+
+ expect(current_path).to eq(admin_root_path)
+ expect(page).to_not have_content "not authorized"
+ end
+
+end
diff --git a/spec/features/moderation_spec.rb b/spec/features/moderation_spec.rb
new file mode 100644
index 000000000..cd3052f70
--- /dev/null
+++ b/spec/features/moderation_spec.rb
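Review bot: The admin_spec.rb hunk never exercises the anonymous case, which is the one most likely to regress: every scenario calls `login_as(user)` first, so the behaviour of `current_user.try(:administrator?)` when `current_user` is nil is untested. A fourth scenario that skips `login_as`, does `visit admin_root_path` and asserts `expect(current_path).to eq(root_path)` would pin it. The "not authorized" assertions also depend on CanCan's default `AccessDenied` message surfacing unchanged through the `:alert`; if that message is ever localized or customized these expectations break silently, so a short comment above the first `have_content` naming that dependency would help. The JSON branch of the rescue handler has no coverage in either spec file.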
@@ -0,0 +1,34 @@
+require 'rails_helper'
+
+feature 'Admin' do
+ let(:user) { create(:user) }
+
+ scenario 'Access as regular user is not authorized' do
+ login_as(user)
+ visit moderation_root_path
+
+ expect(current_path).to eq(root_path)
+ expect(page).to have_content "not authorized"
+ end
+
+ scenario 'Access as a moderator is authorized' do
+ create(:moderator, user: user)
+
+ login_as(user)
+ visit moderation_root_path
+
+ expect(current_path).to eq(moderation_root_path)
+ expect(page).to_not have_content "not authorized"
+ end
+
+ scenario 'Access as an administrator is authorized' do
+ create(:administrator, user: user)
+
+ login_as(user)
+ visit moderation_root_path
+
+ expect(current_path).to eq(moderation_root_path)
+ expect(page).to_not have_content "not authorized"
+ end
+
+end
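Review bot: `feature 'Admin' do` at the top of moderation_spec.rb is a copy-paste leftover; this file exercises `moderation_root_path`, so it should read `feature 'Moderation' do`, otherwise both files report under the same name and a failure is ambiguous. The third scenario expects an administrator to reach the moderation dashboard, but `Moderation::BaseController` (earlier in this commit) checks only `current_user.try(:moderator?)`; that scenario passes only if `User#moderator?` returns true for administrators, which is not part of this diff and looks like a model-level assumption worth a comment such as `# relies on administrators also satisfying User#moderator?` above the `create(:administrator, user: user)` line. As in admin_spec.rb, there is no scenario for a visitor who is not signed in.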