Make /admin and /moderation only accesible to Admins & Moderators

2015-08-07 19:15:08 +02:00
parent 9eae91c764
commit dac5b8d22a
7 changed files with 99 additions and 2 deletions
--- a/app/controllers/admin/base_controller.rb
+++ b/app/controllers/admin/base_controller.rb
@@ -0,0 +1,11 @@
+class Admin::BaseController < ApplicationController
+
+  before_filter :verify_administrator
+
+  private
+
+  def verify_administrator
+    raise CanCan::AccessDenied unless current_user.try(:administrator?)
+  end
+
+end
--- a/app/controllers/admin/dashboard_controller.rb
+++ b/app/controllers/admin/dashboard_controller.rb
@@ -1,4 +1,4 @@
-class Admin::DashboardController < ApplicationController
+class Admin::DashboardController < Admin::BaseController

  def index
  end
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -11,6 +11,13 @@ class ApplicationController < ActionController::Base
  # For APIs, you may want to use :null_session instead.
  protect_from_forgery with: :exception

+  rescue_from CanCan::AccessDenied do |exception|
+    respond_to do |format|
+      format.json { render nothing: true, status: :forbidden }
+      format.html { redirect_to main_app.root_url, :alert => exception.message }
+    end
+  end
+
  private

  def set_locale
--- a/app/controllers/moderation/base_controller.rb
+++ b/app/controllers/moderation/base_controller.rb
@@ -0,0 +1,11 @@
+class Moderation::BaseController < ApplicationController
+
+  before_filter :verify_moderator
+
+  private
+
+  def verify_moderator
+    raise CanCan::AccessDenied unless current_user.try(:moderator?)
+  end
+
+end
--- a/app/controllers/moderation/dashboard_controller.rb
+++ b/app/controllers/moderation/dashboard_controller.rb
@@ -1,4 +1,4 @@
-class Moderation::DashboardController < ApplicationController
+class Moderation::DashboardController < Moderation::BaseController

  def index
  end
--- a/spec/features/admin_spec.rb
+++ b/spec/features/admin_spec.rb
@@ -0,0 +1,34 @@
+require 'rails_helper'
+
+feature 'Admin' do
+  let(:user) { create(:user) }
+
+  scenario 'Access as regular user is not authorized' do
+    login_as(user)
+    visit admin_root_path
+
+    expect(current_path).to eq(root_path)
+    expect(page).to have_content "not authorized"
+  end
+
+  scenario 'Access as a moderator is not authorized' do
+    create(:moderator, user: user)
+
+    login_as(user)
+    visit admin_root_path
+
+    expect(current_path).to eq(root_path)
+    expect(page).to have_content "not authorized"
+  end
+
+  scenario 'Access as an administrator is authorized' do
+    create(:administrator, user: user)
+
+    login_as(user)
+    visit admin_root_path
+
+    expect(current_path).to eq(admin_root_path)
+    expect(page).to_not have_content "not authorized"
+  end
+
+end
--- a/spec/features/moderation_spec.rb
+++ b/spec/features/moderation_spec.rb
@@ -0,0 +1,34 @@
+require 'rails_helper'
+
+feature 'Admin' do
+  let(:user) { create(:user) }
+
+  scenario 'Access as regular user is not authorized' do
+    login_as(user)
+    visit moderation_root_path
+
+    expect(current_path).to eq(root_path)
+    expect(page).to have_content "not authorized"
+  end
+
+  scenario 'Access as a moderator is authorized' do
+    create(:moderator, user: user)
+
+    login_as(user)
+    visit moderation_root_path
+
+    expect(current_path).to eq(moderation_root_path)
+    expect(page).to_not have_content "not authorized"
+  end
+
+  scenario 'Access as an administrator is authorized' do
+    create(:administrator, user: user)
+
+    login_as(user)
+    visit moderation_root_path
+
+    expect(current_path).to eq(moderation_root_path)
+    expect(page).to_not have_content "not authorized"
+  end
+
+end