authorization with cancan

Gemfile.lock

@@ -60,7 +60,7 @@ GEM
       rack (>= 1.0.0)
       rack-test (>= 0.5.4)
       selenium-webdriver (>= 0.0.3)
-    code_buddy (0.0.4)
+    code_buddy (0.0.6)
       coderay (~> 0.9.6)
       json_pure (~> 1.4.6)
       rack

app/controllers/admin/organizations_controller.rb

@@ -1,5 +1,6 @@
 class Admin::OrganizationsController < ApplicationController
   layout 'admin'
+  load_and_authorize_resource
 
   def index
     @organizations = Organization.all

app/controllers/admin/projects_controller.rb

@@ -1,7 +1,7 @@
 class Admin::ProjectsController < ApplicationController
   layout 'admin'
-
   before_filter :organization, :except => [:index]
+  load_and_authorize_resource
 
   def index
     @projects = Project.all

app/controllers/admin/users_controller.rb

@@ -3,6 +3,6 @@ class Admin::UsersController < ApplicationController
   load_and_authorize_resource
 
   def index
-    @users = User.all
+    @users = User.ascending.paginate :page => params[:page], :per_page => 10
   end
 end

app/controllers/application_controller.rb

@@ -26,4 +26,9 @@ def sign_out_path
     destroy_user_session_path
   end
   helper_method :sign_out_path
+
+  rescue_from CanCan::AccessDenied do |exception|
+    redirect_to page_path(current_user.nil? ? 'access_denied_anonymous' : 'access_denied')
+  end
+
 end

app/models/ability.rb

@@ -2,7 +2,7 @@ class Ability
   include CanCan::Ability
 
   def initialize(user)
-    if user && user.is?('site_admin')
+    if user && user.is?('admin')
       can :manage, :all
     end
   end

app/models/user.rb

@@ -13,10 +13,14 @@ class User < ActiveRecord::Base
   validates_presence_of :first_name
   validates_presence_of :last_name
 
-  ROLES =%w[site_admin field_operator organization_manager visitor]
+  scope :ascending, order('last_name, first_name')
 
   # http://github.com/ryanb/cancan/wiki/role-based-authorization
+
+  ROLES =%w[admin field_operator organization_manager]
+
   def roles=(roles)
+    roles = roles.split if roles.is_a? String
     self.roles_mask = (roles & ROLES).map { |r| 2**ROLES.index(r) }.sum
   end
 

app/views/admin/users/_user.html.haml

@@ -1,6 +1,6 @@
 %tr
-  %td= user.created_at.strftime('%b %d %Y')
+  %td= user.created_at.strftime("%m/%d/%Y")
   %td= user.display_name
   %td= display_if_is?(user, 'field_operator')
   %td= display_if_is?(user, 'organization_manager')
-  %td= display_if_is?(user, 'site_admin')
+  %td= display_if_is?(user, 'admin')

app/views/admin/users/index.html.haml

@@ -1,8 +1,5 @@
 %h1.left
   Users
-
--#.right
-  -#%h2.create-button= link_to "Create", new_admin_organization_path
 %table
   %tr.header
     %th Created
@@ -11,3 +8,6 @@
     %th Orphanage Manager
     %th Site Administrator
   = render @users
+.pagination
+  %ul=will_paginate @users
+.clear

app/views/pages/access_denied.html.haml

@@ -0,0 +1,6 @@
+#body_wrap
+  #access_denied
+    %h1=t '.access_denied'
+    =t('.access_denied_text1')
+    = link_to t('.access_denied_sign_out'), sign_out_path
+    =t('.access_denied_text2')

app/views/pages/access_denied_anonymous.html.haml

@@ -0,0 +1,5 @@
+#body_wrap
+  #access_denied
+    %h1=t '.access_denied'
+    =t('.access_denied_text')
+    = link_to t('.access_denied_sign_in'), sign_in_path

app/views/shared/_header.html.haml

@@ -10,7 +10,8 @@
   %ul
     - if user_signed_in?
       %li= link_to t('.logout'), destroy_user_session_url
-      %li= link_to 'Admin', admin_organizations_path
+      - if current_user.is?('admin')
+        %li= link_to 'Admin', admin_organizations_path
     - else
       %li= link_to t('.login'), user_session_url
     %li= link_to 'Blog', 'http://blog.reliefhub.org/'
@@ -22,4 +23,4 @@
 #lang
   =link_to_language image_tag('/images/francais.png'), :fr
   =link_to_language image_tag('/images/english.jpg'), :en
-.clear
+.clear

config/locales/en.yml

@@ -32,6 +32,16 @@ en:
     donation_error:
       were_sorry: "We're sorry"
       there_was_a_problem: "There was a problem with your donation. Please try again."
+    access_denied:
+      access_denied: "Access Denied"
+      access_denied_text1: "You don't have access to this page. Please"
+      access_denied_sign_out: "sign out"
+      access_denied_sign_in: "sign in"
+      access_denied_text2: "and sign in as a different user."
+    access_denied_anonymous:
+      access_denied: "Access Denied"
+      access_denied_text: "You don't have access to this page. Please"
+      access_denied_sign_in: "sign in."
   shared:
     header:
       home: Home

config/locales/fr.yml

@@ -33,6 +33,16 @@ fr:
     donation_error:
       were_sorry: "[TRANSLATE ME!] We're sorry"
       there_was_a_problem: "[TRANSLATE ME!] There was a problem with your donation. Please try again."
+    access_denied:
+      access_denied: "[TRANSLATE ME!]Access Denied"
+      access_denied_text1: "[TRANSLATE ME!]You don't have access to this page. Please"
+      access_denied_sign_out: "[TRANSLATE ME!]sign out"
+      access_denied_sign_in: "[TRANSLATE ME!]sign in"
+      access_denied_text2: "[TRANSLATE ME!]and sign in as a different user."
+    access_denied_anonymous:
+      access_denied: "[TRANSLATE ME!]Access Denied"
+      access_denied_text: "[TRANSLATE ME!]You don't have access to this page. Please"
+      access_denied_sign_in: "[TRANSLATE ME!]sign in."
   shared:
     header:
       home: Accueille

features/admin_creates_organization.feature

@@ -3,6 +3,11 @@ Feature: Add/Edit a new organization
   As an admin
   I want to be able to Add/Edit/List an organization
 
+  Background:
+    Given the following user exists:
+      | first_name | last_name | email              | password | password_confirmation | roles |
+      | Admin      | User      | admin@test.com     | secret   | secret                | admin |
+
   Scenario: View organizations
     Given the following organizations exist:
       | name        | street1          | street2 | city      | state | zip   | contact person |
@@ -14,6 +19,7 @@ Feature: Add/Edit a new organization
       | relief 1  | name: fred's ngo  |
       | relief 2  | name: fred's ngo  |
       | relief 3  | name: oscar's ngo |
+    And I sign in as "admin@test.com/secret"
     Given I go to the admin organizations page
      Then I should see "Organizations" within "h1"
       And I should see "Organizations" within "#right-menu"
@@ -28,7 +34,8 @@ Feature: Add/Edit a new organization
       And I should see "Created" column following the format "[0-9]{1,2}/[0-9]{1,2}/[0-9]{4}"
 
   Scenario: Create a new organization
-    Given I go to the admin organizations page
+    Given I sign in as "admin@test.com/secret"
+      And I go to the admin organizations page
      When I follow "Create"
      When I fill in "Name" with "my orphanage"
       And I fill in "Street1" with "123 main st"
@@ -51,6 +58,7 @@ Feature: Add/Edit a new organization
       | oliver's orphanage | 123 main st      | alex           |
       | oscar's orphanage  | 455 fifth avenue | alex           |
       | olivia's orphanage | 131 first st     | yan            |
+      And I sign in as "admin@test.com/secret"
     Given I go to the admin organizations page
       And I follow "oliver's orphanage"
       And I follow "Edit"
@@ -69,7 +77,8 @@ Feature: Add/Edit a new organization
       And I should see "Yan"
 
   Scenario: Create a new organization
-    Given I go to the admin organizations page
+    Given I sign in as "admin@test.com/secret"
+      And I go to the admin organizations page
      When I follow "Create"
      When I fill in "Name" with "my orphanage"
       And I fill in "Street1" with "123 main st"
@@ -93,8 +102,35 @@ Feature: Add/Edit a new organization
       | Project A | name: Some Org |
       | Project B | name: Some Org |
       | Project C | name: Some Org |
+     And I sign in as "admin@test.com/secret"
      And I go to the admin organizations page
      And I follow "Some Org"
     Then I should see "Project A"
      And I should see "Project B"
      And I should see "Project C"
+
+  Scenario: Anonymous user attempts to view admin organizations page
+    Given I go to the admin organizations page
+    Then I should see "Access Denied" within "h1"
+    And I follow "sign in"
+    Then I should see "Sign in" within "h2"
+
+  Scenario: Field operator attempts to view admin organizations page
+    Given the following user exists:
+      | first_name | last_name | email              | password | password_confirmation | roles                               |
+      | Garret     | Schuster  | garret@test.com    | secret   | secret                | field_operator                      |
+    And I sign in as "garret@test.com/secret"
+    And I go to the admin organizations page
+    Then I should see "Access Denied" within "h1"
+    And I follow "sign out"
+    Then I should see "Signed out."
+
+  Scenario: Organization manager attempts to view admin organizations page
+    Given the following user exists:
+      | first_name | last_name | email              | password | password_confirmation | roles                               |
+      | Lue        | Ankunding | lue@test.com       | secret   | secret                | organization_manager                |
+    And I sign in as "lue@test.com/secret"
+    And I go to the admin organizations page
+    Then I should see "Access Denied" within "h1"
+    And I follow "sign out"
+    Then I should see "Signed out."

features/admin_creates_project.feature

@@ -3,12 +3,18 @@ Feature: Create a project
   In order to collect donations
   An admin should be able to create a project
 
+  Background:
+    Given the following user exists:
+      | first_name | last_name | email              | password | password_confirmation | roles |
+      | Admin      | User      | admin@test.com     | secret   | secret                | admin |
+
   Scenario: View all projects for an organization
     Given the following projects exist:
       | name      | organization   |
       | Project A | name: Some Org |
       | Project B | name: Some Org |
       | Project C | name: Some Org |
+    And I sign in as "admin@test.com/secret"
     And I go to the admin page for organization "Some Org"
     Then I should see "Project A"
     And I should see "Project B"
@@ -31,6 +37,7 @@ Feature: Create a project
       | name: relief 1  | 100    |
       | name: relief 2  | 700    |
       | name: relief 2  | 300    |
+    And I sign in as "admin@test.com/secret"
     Given I go to the admin projects page
     Then I should see "Projects" within "h1"
      And I should see "Organizations" within "#right-menu"
@@ -48,6 +55,7 @@ Feature: Create a project
     Given the following organization exists:
       | name     |
       | Some Org |
+    And I sign in as "admin@test.com/secret"
     And I go to the admin organizations page
     And I follow "Some Org"
     When I follow "Create Project"
@@ -59,9 +67,36 @@ Feature: Create a project
     Given the following project exists:
       | name      | organization   |
       | Project A | name: Some Org |
+    And I sign in as "admin@test.com/secret"
     And I go to the admin organizations page
     And I follow "Some Org"
     When I follow "Project A"
     When I fill in "Name" with "Test Project 2"
     And I press "Save Project"
     Then I should see "Successfully saved changes"
+
+  Scenario: Anonymous user attempts to view admin projects page
+    Given I go to the admin projects page
+    Then I should see "Access Denied" within "h1"
+    And I follow "sign in"
+    Then I should see "Sign in" within "h2"
+
+  Scenario: Field operator attempts to view admin projects page
+    Given the following user exists:
+      | first_name | last_name | email              | password | password_confirmation | roles                               |
+      | Garret     | Schuster  | garret@test.com    | secret   | secret                | field_operator                      |
+    And I sign in as "garret@test.com/secret"
+    And I go to the admin projects page
+    Then I should see "Access Denied" within "h1"
+    And I follow "sign out"
+    Then I should see "Signed out."
+
+  Scenario: Organization manager attempts to view admin projects page
+    Given the following user exists:
+      | first_name | last_name | email              | password | password_confirmation | roles                               |
+      | Lue        | Ankunding | lue@test.com       | secret   | secret                | organization_manager                |
+    And I sign in as "lue@test.com/secret"
+    And I go to the admin projects page
+    Then I should see "Access Denied" within "h1"
+    And I follow "sign out"
+    Then I should see "Signed out."

features/admin_views_homepage.feature

@@ -0,0 +1,13 @@
+Feature: Admin visits home page
+
+  In order to manage the ReliefHub site
+  As an admin
+  I want to see the "Admin" link on the home page.
+
+  Scenario: Admin visits home page
+    Given the following user exists:
+      | first_name | last_name | email              | password | password_confirmation | roles |
+      | Admin      | User      | admin@test.com     | secret   | secret                | admin |
+    And I sign in as "admin@test.com/secret"
+    And I am on the homepage
+    And I should see "Admin"

features/admin_views_users.feature

@@ -0,0 +1,53 @@
+Feature: View ReliefHub user list
+  As a ReliefHub admin user
+  I want to be able to view all existing user accounts
+
+  Scenario: View users
+    Given the following users exist:
+      | first_name | last_name | email              | password | password_confirmation | roles                               |
+      | Julio      | Kulas     | julio@test.com     | secret   | secret                |                                     |
+      | Garret     | Schuster  | garret@test.com    | secret   | secret                | field_operator                      |
+      | Lue        | Ankunding | lue@test.com       | secret   | secret                | organization_manager                |
+      | Cassandra  | Goodwin   | cassandra@test.com | secret   | secret                | organization_manager field_operator |
+      | Admin      | User      | admin@test.com     | secret   | secret                | admin                               |
+    And I sign in as "admin@test.com/secret"
+    And I go to the admin users page
+    Then I should see "Users" within "h1"
+    And I should see "Organizations" within "#right-menu"
+    And I should see "Projects" within "#right-menu"
+    And I should see "Users" within "#right-menu"
+    And I should see "Users" tab ".selected" within "#right-menu"
+    And I should see the following users table:
+      | User Name         | Field Operator | Orphanage Manager | Site Administrator |
+      | Lue Ankunding     | Disabled       | Enabled           | Disabled           |
+      | Cassandra Goodwin | Enabled        | Enabled           | Disabled           |
+      | Julio Kulas       | Disabled       | Disabled          | Disabled           |
+      | Garret Schuster   | Enabled        | Disabled          | Disabled           |
+      | Admin User        | Disabled       | Disabled          | Enabled            |
+    And I should see "Created" column following the format "[0-9]{1,2}/[0-9]{1,2}/[0-9]{4}"
+
+  Scenario: Anonymous user attempts to view users
+    Given I go to the admin users page
+    Then I should see "Access Denied" within "h1"
+    And I follow "sign in"
+    Then I should see "Sign in" within "h2"
+
+  Scenario: Field operator user attempts to view admin users page
+    Given the following user exists:
+      | first_name | last_name | email              | password | password_confirmation | roles                               |
+      | Garret     | Schuster  | garret@test.com    | secret   | secret                | field_operator                      |
+    And I sign in as "garret@test.com/secret"
+    And I go to the admin users page
+    Then I should see "Access Denied" within "h1"
+    And I follow "sign out"
+    Then I should see "Signed out."
+
+  Scenario: Organziation manager user attempts to view admin users page
+    Given the following user exists:
+      | first_name | last_name | email              | password | password_confirmation | roles                               |
+      | Lue        | Ankunding | lue@test.com       | secret   | secret                | organization_manager                |
+    And I sign in as "lue@test.com/secret"
+    And I go to the admin users page
+    Then I should see "Access Denied" within "h1"
+    And I follow "sign out"
+    Then I should see "Signed out."

features/support/paths.rb

@@ -33,6 +33,10 @@ def path_to(page_name)
     # ADMIN
     when /the admin organizations page/i
       admin_organizations_path
+    when /the admin projects page/i
+      admin_projects_path
+    when /the admin projects page/i
+      admin_users_path
     when /the admin page for organization \"(.*)\"/i
       admin_organization_path(:id => Organization.where(:name => $1).first)
 

features/visitor_views_homepage.feature

@@ -13,3 +13,4 @@ Feature: Visitor visits home page
     And I should see blog posts on the page
     And I should see recent press on the page
     And I should see "Christmas Toy Drive"
+    And I should not see "Admin"