Merge pull request #486 from hpi-swt2/389_access_rights

finished #389 access rights closes #389

app/controllers/events_controller.rb

@@ -8,8 +8,9 @@
 
 class EventsController < ApplicationController
   include EventImageUploadHelper
-
-  before_action :set_event, only: [:show, :edit, :update, :destroy, :participants, 
+  load_and_authorize_resource
+  skip_authorize_resource :only => [:badges, :download_agreement_letters, :send_participants_email]
+  before_action :set_event, only: [:show, :edit, :update, :destroy, :participants,
     :participants_pdf, :print_applications, :print_applications_eating_habits, :badges, :print_badges]
 
 
@@ -41,6 +42,7 @@ def new
 
   # GET /events/1/edit
   def edit
+    @event = Event.find(params[:id])
   end
 
   # POST /events
@@ -77,7 +79,6 @@ def badges
 
   # POST /events/1/badges
   def print_badges
-    authorize! :print_badges, @event
     @participants = @event.participants
     name_format = params[:name_format]
     show_color = params[:show_color]
@@ -110,13 +111,11 @@ def participants
 
   # GET /events/1/print_applications
   def print_applications
-    authorize! :print_applications, @event
     pdf = ApplicationsPDF.generate(@event)
     send_data pdf, filename: "applications_#{@event.name}_#{Date.today}.pdf", type: "application/pdf", disposition: "inline"
   end
 
   def print_applications_eating_habits
-    #authorize! :print_applications_eating_habits, @event
     pdf = ParticipantsPDF.generate(@event)
     send_data pdf, filename: "applications_eating_habits_#{@event.name}_#{Date.today}.pdf", type: "application/pdf", disposition: "inline"
   end
@@ -251,7 +250,6 @@ def download_material
     unless params.has_key?(:file)
       redirect_to event_path(event), alert: I18n.t('events.material_area.no_file_given') and return
     end
-    authorize! :download_material, event
 
     file_full_path = File.join(event.material_path, params[:file])
     unless File.exists?(file_full_path)

app/models/ability.rb

@@ -34,6 +34,8 @@ def initialize(user)
     # Even guests can see the apply button
     # This is revoked for coaches and organizers below.
     can :view_apply_button, Event
+    can [:show, :index, :archive], Event
+
 
     if user.role? :pupil
       # Pupils can only edit their own profiles
@@ -53,7 +55,6 @@ def initialize(user)
       # Coaches can view Applications and participants for and view, upload and download materials for Event
       can [:view_applicants, :view_participants, :view_material, :upload_material, :print_applications, :download_material], Event
       can [:view_and_add_notes, :show], ApplicationLetter
-      can [:print_applications], Event
       can [:show, :index], Request
       cannot :view_apply_button, Event
       cannot :check, ApplicationLetter
@@ -67,7 +68,9 @@ def initialize(user)
            :view_unpublished, :show_eating_habits, :print_applications_eating_habits, :view_hidden], Event
       can :send_email, Email
       can [:manage, :set_contact_person, :set_notes], Request
+      cannot :apply, Event
       cannot :view_apply_button, Event
+      can [:edit, :update, :destroy], Event
       can [:update], ParticipantGroup
 
       # Organizers can update user roles of pupil, coach and organizer, but cannot manage admins and cannot update a role to admin
@@ -77,6 +80,7 @@ def initialize(user)
     end
     if user.role? :admin
       can :manage, :all
+
       can :view_delete_button, ApplicationLetter
       cannot [:edit, :update], ApplicationLetter
     end

spec/controllers/events_controller_spec.rb

@@ -47,6 +47,7 @@
   context "With an existing event" do
     before :each do
       @event = Event.create! valid_attributes
+
     end
 
     describe "GET #index" do
@@ -101,6 +102,7 @@
         }
 
         it "updates the requested event" do
+          sign_in FactoryGirl.create(:user, role: :organizer)
           put :update, id: @event.to_param, event: new_attributes, session: valid_session
           @event.reload
           expect(@event.name).to eq(new_attributes[:name])
@@ -112,6 +114,7 @@
         end
 
         it "redirects to the event" do
+          sign_in FactoryGirl.create(:user, role: :organizer)
           put :update, id: @event.to_param, event: valid_attributes, session: valid_session
           expect(response).to redirect_to(@event)
         end
@@ -121,6 +124,13 @@
             put :update, id: @event.to_param, event: valid_attributes_post[:event], session: valid_session
           }.to change((Event.find_by! id: @event.to_param).date_ranges, :count).by(0)
         end
+
+        it "won't update the requested event as user" do
+          sign_in FactoryGirl.create(:user, role: :pupil)
+          put :update, id: @event.to_param, event: new_attributes, session: valid_session
+          @event.reload
+          expect(@event.name).to_not eq(new_attributes[:name])
+        end
       end
 
       context "with invalid params" do
@@ -130,6 +140,7 @@
         end
 
         it "re-renders the 'edit' template" do
+          sign_in FactoryGirl.create(:user, role: :organizer)
           put :update, id: @event.to_param, event: invalid_attributes, session: valid_session
           expect(response).to render_template("edit")
         end
@@ -138,18 +149,47 @@
       describe "DELETE #destroy" do
         it "destroys the requested event" do
           expect {
+            sign_in FactoryGirl.create(:user, role: :pupil)
+            delete :destroy, id: @event.to_param, session: valid_session
+          }.to change(Event, :count).by(0)
+        end
+
+        it "destroys the requested event" do
+          expect {
+            sign_in FactoryGirl.create(:user, role: :coach)
+            delete :destroy, id: @event.to_param, session: valid_session
+          }.to change(Event, :count).by(0)
+        end
+
+        it "destroys the requested event" do
+          expect {
+            sign_in FactoryGirl.create(:user, role: :organizer)
             delete :destroy, id: @event.to_param, session: valid_session
           }.to change(Event, :count).by(-1)
         end
 
+        it "destroys the requested event" do
+          expect {
+            sign_in FactoryGirl.create(:user, role: :admin)
+            delete :destroy, id: @event.to_param, session: valid_session
+          }.to change(Event, :count).by(-1)
+        end
+
+
         it "redirects to the events list" do
+          sign_in FactoryGirl.create(:user, role: :organizer)
           delete :destroy, id: @event.to_param, session: valid_session
           expect(response).to redirect_to(events_url)
         end
       end
 
       describe "GET #participants" do
         let(:valid_attributes) { FactoryGirl.attributes_for(:event_with_accepted_applications) }
+
+        before :each do
+          @user = FactoryGirl.create(:user_with_profile, role: :admin)
+          sign_in @user
+        end
 
         it "assigns the event as @event" do
           get :participants, id: @event.to_param, session: valid_session
@@ -174,6 +214,10 @@
     end
 
     describe "GET #accept_all_applicants" do
+        before :each do
+          @user = FactoryGirl.create(:user_with_profile, role: :organizer)
+          sign_in @user
+        end
       it "should redirect to the event" do
         get :accept_all_applicants, id: @event.to_param, session: valid_session
         expect(response).to redirect_to(@event)
@@ -193,6 +237,10 @@
 
   describe "GET #participants_pdf" do
     let(:valid_attributes) { FactoryGirl.attributes_for(:event_with_accepted_applications) }
+    before :each do
+      @user = FactoryGirl.create(:user_with_profile, role: :organizer)
+      sign_in @user
+    end
 
     it "should return an pdf" do
       event = Event.create! valid_attributes
@@ -220,7 +268,8 @@
     let(:valid_attributes) { FactoryGirl.attributes_for(:event_with_accepted_applications) }
 
     it "should return an pdf" do
-      login(:organizer)
+      sign_in FactoryGirl.create(:user, role: :organizer)
+      #login(:organizer)
       event = Event.create! valid_attributes
       profile = FactoryGirl.create(:profile)
       user = FactoryGirl.create(:user, profile: profile)
@@ -231,7 +280,8 @@
     end
 
     it "should return an pdf with the eating habits of the user" do
-      login(:organizer)
+      sign_in FactoryGirl.create(:user, role: :organizer)
+      #login(:organizer)
       event = Event.create! valid_attributes
 
       user = FactoryGirl.create(:user)
@@ -337,6 +387,7 @@
 
   describe "POST #upload_material" do
     before :each do
+      sign_in FactoryGirl.create(:user, role: :organizer)
       filepath = Rails.root.join('spec/testfiles/actual.pdf')
       @file = fixture_file_upload(filepath, 'application/pdf')
       @event = Event.create! valid_attributes
@@ -404,6 +455,10 @@
 
   describe "POST #create" do
     context "with valid params" do
+      before :each do
+        sign_in FactoryGirl.create(:user, role: :organizer)
+      end 
+
       it "creates a new Event" do
         expect {
           post :create, valid_attributes_post, session: valid_session
@@ -416,6 +471,7 @@
         expect(assigns(:event)).to be_persisted
       end
 
+
       it "saves optional attributes" do
         post :create, valid_attributes_post, session: valid_session
         event = Event.create! valid_attributes
@@ -437,12 +493,14 @@
       end
 
       it "re-renders the 'new' template" do
+        sign_in FactoryGirl.create(:user, role: :organizer)
         post :create, event: invalid_attributes, session: valid_session
         expect(response).to render_template("new")
       end
     end
 
     it "should attach correct date ranges to the event entity" do
+      sign_in FactoryGirl.create(:user, role: :organizer)
       post :create, valid_attributes_post, session: valid_session
       expect(assigns(:event)).to be_a(Event)
       expect(assigns(:event)).to be_persisted
@@ -532,6 +590,6 @@
   def login(role)
     @profile = FactoryGirl.create(:profile)
     @profile.user.role = role
-    sign_in(@profile.user, :scope => :user)
+    login_as(@profile.user, :scope => :user)
   end
 end

spec/features/event_image_spec.rb

@@ -7,6 +7,7 @@
 
   describe "new event" do
     before :each do
+      login_as(FactoryGirl.create(:user, role: :organizer), :scope => :user)
       visit new_event_path
       choose I18n.t "events.form.draft.publish"
       fill_in "Maximale Teilnehmerzahl", :with => 25

spec/features/event_spec.rb

@@ -122,6 +122,9 @@
   end
 
   describe "create page" do
+    before :each do
+        login_as(FactoryGirl.create(:user, role: :organizer), :scope => :user)
+    end
     I18n.t(".events.type").each do |type|
       it "should allow picking the #{type[1]} type" do
         visit new_event_path
@@ -223,8 +226,6 @@
     end
 
     it "should allow to add custom fields", js: true do
-      login_as(FactoryGirl.create(:user, role: :organizer), :scope => :user)
-
       visit new_event_path
 
       click_link I18n.t "events.form.add_field"
@@ -285,20 +286,43 @@
   end
 
   describe "edit page" do
-    it "should preselect the event type" do
+    it "should not be possible to visit as pupil" do
+        login_as(FactoryGirl.create(:user, role: :pupil), :scope => :user)
+        event = FactoryGirl.create(:event, hidden: false)
+        visit edit_event_path(event)
+        expect(page).to have_text("Du bist nicht authorisiert diese Aktion auszuführen.")
+    end
+
+    it "should not be possible to visit when logged out" do
+        event = FactoryGirl.create(:event, hidden: false)
+        visit edit_event_path(event)
+        expect(page).to have_text("Du bist nicht authorisiert diese Aktion auszuführen.")
+    end
+
+    it "should not be possible to visit as coach" do
+        login_as(FactoryGirl.create(:user, role: :coach), :scope => :user)
+        event = FactoryGirl.create(:event, hidden: false)
+        visit edit_event_path(event)
+        expect(page).to have_text("Du bist nicht authorisiert diese Aktion auszuführen.")
+    end
+
+    it "should preselect the event kind" do
+      login_as(FactoryGirl.create(:user, role: :organizer), :scope => :user)
       event = FactoryGirl.create(:event, hidden: false)
       visit edit_event_path(event)
       expect(find_field(I18n.t("events.type.public"))[:checked]).to_not be_nil
     end
 
     it "should display all existing date ranges" do
+      login_as(FactoryGirl.create(:user, role: :organizer), :scope => :user)
       event = FactoryGirl.create(:event, :with_two_date_ranges)
       visit edit_event_path(event.id)
 
       page.assert_selector('[name="event[date_ranges_attributes][][start_date]"]', count: 2)
     end
 
     it "should save edits to the date ranges" do
+      login_as(FactoryGirl.create(:user, role: :organizer), :scope => :user)
       event = FactoryGirl.create(:event, :with_two_date_ranges)
       date_start = Date.current.next_year
       date_end = Date.tomorrow.next_year