From dac5b8d22a17be35888e85edfa8d14af4dd92330 Mon Sep 17 00:00:00 2001
From: kikito
Date: Fri, 7 Aug 2015 19:15:08 +0200
Subject: [PATCH] Make /admin and /moderation only accesible to Admins & Moderators

---
 app/controllers/admin/base_controller.rb | 11 ++++++
 app/controllers/admin/dashboard_controller.rb | 2 +-
 app/controllers/application_controller.rb | 7 ++++
 app/controllers/moderation/base_controller.rb | 11 ++++++
 .../moderation/dashboard_controller.rb | 2 +-
 spec/features/admin_spec.rb | 34 +++++++++++++++++++
 spec/features/moderation_spec.rb | 34 +++++++++++++++++++
 7 files changed, 99 insertions(+), 2 deletions(-)
 create mode 100644 app/controllers/admin/base_controller.rb
 create mode 100644 app/controllers/moderation/base_controller.rb
 create mode 100644 spec/features/admin_spec.rb
 create mode 100644 spec/features/moderation_spec.rb

diff --git a/app/controllers/admin/base_controller.rb b/app/controllers/admin/base_controller.rb
new file mode 100644
index 000000000..d2f06ee84
--- /dev/null
+++ b/app/controllers/admin/base_controller.rb
@@ -0,0 +1,11 @@
+class Admin::BaseController < ApplicationController
+
+  before_filter :verify_administrator
+
+  private
+
+  def verify_administrator
+    raise CanCan::AccessDenied unless current_user.try(:administrator?)
+  end
+
+end
diff --git a/app/controllers/admin/dashboard_controller.rb b/app/controllers/admin/dashboard_controller.rb
index 697546889..f7aa5c440 100644
--- a/app/controllers/admin/dashboard_controller.rb
+++ b/app/controllers/admin/dashboard_controller.rb
@@ -1,4 +1,4 @@
-class Admin::DashboardController < ApplicationController
+class Admin::DashboardController < Admin::BaseController
   def index
   end
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 7551f3f1a..eaf1c94dd 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
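Review bot: The `verify_administrator` guard only covers controllers that inherit from `Admin::BaseController`; the `Admin::` routing namespace does not enforce that inheritance, and this commit rewires only `Admin::DashboardController`, so any other controller in that namespace that still subclasses `ApplicationController` would presumably stay reachable without the check. The same applies to `Moderation::BaseController` in the hunk below. A cheap safeguard is a spec asserting that every `Admin::*` and `Moderation::*` controller descends from its base controller. The fail-closed behaviour for anonymous visitors also deserves a comment on the `raise` line, e.g. `# anonymous visitors fail too: current_user.try(:administrator?) is nil when current_user is nil`, since no feature scenario exercises it.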
@@ -11,6 +11,13 @@ class ApplicationController < ActionController::Base
   # For APIs, you may want to use :null_session instead.
   protect_from_forgery with: :exception
 
+  rescue_from CanCan::AccessDenied do |exception|
+    respond_to do |format|
+      format.json { render nothing: true, status: :forbidden }
+      format.html { redirect_to main_app.root_url, :alert => exception.message }
+    end
+  end
+
   private
 
   def set_locale
diff --git a/app/controllers/moderation/base_controller.rb b/app/controllers/moderation/base_controller.rb
new file mode 100644
index 000000000..2cebe7320
--- /dev/null
+++ b/app/controllers/moderation/base_controller.rb
@@ -0,0 +1,11 @@
+class Moderation::BaseController < ApplicationController
+
+  before_filter :verify_moderator
+
+  private
+
+  def verify_moderator
+    raise CanCan::AccessDenied unless current_user.try(:moderator?)
+  end
+
+end
diff --git a/app/controllers/moderation/dashboard_controller.rb b/app/controllers/moderation/dashboard_controller.rb
index 50491e4e6..ceaddd6f4 100644
--- a/app/controllers/moderation/dashboard_controller.rb
+++ b/app/controllers/moderation/dashboard_controller.rb
@@ -1,4 +1,4 @@
-class Moderation::DashboardController < ApplicationController
+class Moderation::DashboardController < Moderation::BaseController
   def index
   end
diff --git a/spec/features/admin_spec.rb b/spec/features/admin_spec.rb
new file mode 100644
index 000000000..a4728623b
--- /dev/null
+++ b/spec/features/admin_spec.rb
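Review bot: The JSON branch `format.json { render nothing: true, status: :forbidden }` answers 403 for every `CanCan::AccessDenied`, including requests from anonymous users where a 401 would tell the client to authenticate; `head current_user ? :forbidden : :unauthorized` is the cleaner form and also drops the `render nothing:` idiom that later Rails versions deprecate. The HTML branch puts `exception.message` straight into the flash; with the bare `raise CanCan::AccessDenied` used by the new base controllers that is CanCan's fixed default message, so a comment such as `# message is rendered to the user: raise sites must keep it static/i18n text, never request-derived` would stop a later change from echoing attacker-controlled text into the page. With only `json` and `html` handled, any other requested format presumably raises `ActionController::UnknownFormat`, which still denies the request but surfaces as 406 rather than 403.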
@@ -0,0 +1,34 @@
+require 'rails_helper'
+
+feature 'Admin' do
+  let(:user) { create(:user) }
+
+  scenario 'Access as regular user is not authorized' do
+    login_as(user)
+    visit admin_root_path
+
+    expect(current_path).to eq(root_path)
+    expect(page).to have_content "not authorized"
+  end
+
+  scenario 'Access as a moderator is not authorized' do
+    create(:moderator, user: user)
+
+    login_as(user)
+    visit admin_root_path
+
+    expect(current_path).to eq(root_path)
+    expect(page).to have_content "not authorized"
+  end
+
+  scenario 'Access as an administrator is authorized' do
+    create(:administrator, user: user)
+
+    login_as(user)
+    visit admin_root_path
+
+    expect(current_path).to eq(admin_root_path)
+    expect(page).to_not have_content "not authorized"
+  end
+
+end
diff --git a/spec/features/moderation_spec.rb b/spec/features/moderation_spec.rb
new file mode 100644
index 000000000..cd3052f70
--- /dev/null
+++ b/spec/features/moderation_spec.rb
@@ -0,0 +1,34 @@
+require 'rails_helper'
+
+feature 'Admin' do
+  let(:user) { create(:user) }
+
+  scenario 'Access as regular user is not authorized' do
+    login_as(user)
+    visit moderation_root_path
+
+    expect(current_path).to eq(root_path)
+    expect(page).to have_content "not authorized"
+  end
+
+  scenario 'Access as a moderator is authorized' do
+    create(:moderator, user: user)
+
+    login_as(user)
+    visit moderation_root_path
+
+    expect(current_path).to eq(moderation_root_path)
+    expect(page).to_not have_content "not authorized"
+  end
+
+  scenario 'Access as an administrator is authorized' do
+    create(:administrator, user: user)
+
+    login_as(user)
+    visit moderation_root_path
+
+    expect(current_path).to eq(moderation_root_path)
+    expect(page).to_not have_content "not authorized"
+  end
+
+end
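Review bot: No scenario covers an anonymous visitor (one without `login_as`), which is the branch where `current_user.try(:administrator?)` returns nil rather than false; a fourth scenario such as `scenario 'Access without login is not authorized' do visit admin_root_path; expect(current_path).to eq(root_path) end` would pin that fail-closed behaviour. The negative scenarios also match on the substring `"not authorized"`, i.e. CanCan's default English message, so they break as soon as the message is localised or customised; asserting on the redirect alone, or on the translated string, is more robust. Both points apply equally to spec/features/moderation_spec.rb in the next hunk.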
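Review bot: The feature block in spec/features/moderation_spec.rb is labelled `feature 'Admin' do` although every scenario visits `moderation_root_path`; it reads as a copy-paste from admin_spec.rb and yields misleading example names in the test output. Rename it to `feature 'Moderation' do`.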