From cf64bfb27c1f0a4d57ccb11831cb14aa8fa19dd3 Mon Sep 17 00:00:00 2001 From: JuliusCosmoRomeo Date: Wed, 1 Feb 2017 12:38:15 +0100 Subject: [PATCH 01/17] refs #389 added access rights for event edit page --- app/controllers/events_controller.rb | 4 ++++ app/models/ability.rb | 3 ++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/app/controllers/events_controller.rb b/app/controllers/events_controller.rb index e6d9d7ef..9622f2cd 100644 --- a/app/controllers/events_controller.rb +++ b/app/controllers/events_controller.rb @@ -37,6 +37,9 @@ def new # GET /events/1/edit def edit + @event = Event.find(params[:id]) + authorize! :edit, @event + end # POST /events @@ -52,6 +55,7 @@ def create # PATCH/PUT /events/1 def update attrs = event_params + authorize! :update, @event if @event.update(attrs) redirect_to @event, notice: I18n.t('events.notices.updated') else diff --git a/app/models/ability.rb b/app/models/ability.rb index 50043ab8..a1f7b540 100644 --- a/app/models/ability.rb +++ b/app/models/ability.rb @@ -45,6 +45,7 @@ def initialize(user) can [:new, :create], Request can :apply, Event cannot :view_personal_details, ApplicationLetter, user: { id: !user.id } + cannot [:edit, :update], Event end if user.role? :coach # Coaches can view Applications and participants for and view, upload and download materials for Event @@ -52,7 +53,7 @@ def initialize(user) can [:view_and_add_notes, :show], ApplicationLetter can [:print_applications], Event can [:show, :index], Request - cannot :apply, Event + cannot [:apply, :edit, :update], Event cannot :check, ApplicationLetter end if user.role? :organizer From e6723f4d249aea9820534dbb8f90de3f3cc7f7b6 Mon Sep 17 00:00:00 2001 
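Review bot: `authorize! :edit, @event` is the right call, but the preceding `@event = Event.find(params[:id])` in `edit` duplicates the `before_action :set_event` that already runs for `:edit` (visible in the next patch of this series) and can be dropped. More importantly, this commit protects only `edit` and `update`: `destroy`, `new` and `create` — present on this controller, going by the action list a later patch exempts — get no `authorize!` here, so a pupil can still create or delete events until they are covered. Adding `authorize! :destroy, @event` and `authorize! :create, Event` in the same commit would make the fix for #389 complete rather than partial.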
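Review bot: The added `cannot [:edit, :update], Event` in the pupil branch is inert: CanCan denies anything not granted, and nothing above grants pupils those actions, so the line documents intent but enforces nothing — the effective control is the organizer `can` added in PATCH 02. While in this block, note the context line `cannot :view_personal_details, ApplicationLetter, user: { id: !user.id }`: `!user.id` evaluates to `false` for any persisted user, so the condition `user: { id: false }` never matches and the restriction does nothing; if the intent is "not other users' letters", a block condition such as `cannot(:view_personal_details, ApplicationLetter) { |letter| letter.user_id != user.id }` is needed. That is pre-existing, but it sits in the permission set this series is hardening.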
From: Alec Schneider Date: Thu, 2 Feb 2017 17:08:41 +0100 Subject: [PATCH 02/17] fixed failing tests and added new test for #389 --- app/controllers/events_controller.rb | 4 ++-- app/models/ability.rb | 1 + spec/controllers/events_controller_spec.rb | 12 +++++++++++- spec/features/event_spec.rb | 10 ++++++++++ 4 files changed, 24 insertions(+), 3 deletions(-) diff --git a/app/controllers/events_controller.rb b/app/controllers/events_controller.rb index 9622f2cd..bfa71a6e 100644 --- a/app/controllers/events_controller.rb +++ b/app/controllers/events_controller.rb @@ -6,7 +6,7 @@ class EventsController < ApplicationController - before_action :set_event, only: [:show, :edit, :update, :destroy, :participants, + before_action :set_event, only: [:show, :edit, :update, :destroy, :participants, :participants_pdf, :print_applications, :print_applications_eating_habits, :badges, :print_badges] @@ -39,7 +39,7 @@ def new def edit @event = Event.find(params[:id]) authorize! :edit, @event - + end # POST /events diff --git a/app/models/ability.rb b/app/models/ability.rb index a1f7b540..e4b80589 100644 --- a/app/models/ability.rb +++ b/app/models/ability.rb @@ -66,6 +66,7 @@ def initialize(user) can :send_email, Email can [:manage, :set_contact_person, :set_notes], Request cannot :apply, Event + can [:edit, :update], Event can [:update], ParticipantGroup # Organizers can update user roles of pupil, coach and organizer, but cannot manage admins and cannot update a role to admin diff --git a/spec/controllers/events_controller_spec.rb b/spec/controllers/events_controller_spec.rb index 6a79aaf7..132ef6ae 100644 --- a/spec/controllers/events_controller_spec.rb +++ b/spec/controllers/events_controller_spec.rb @@ -96,6 +96,7 @@ } it "updates the requested event" do + sign_in FactoryGirl.create(:user, role: :organizer) put :update, id: @event.to_param, event: new_attributes, session: valid_session @event.reload expect(@event.name).to eq(new_attributes[:name]) 
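Review bot: Granting organizers only `can [:edit, :update], Event` leaves `new`, `create` and `destroy` ungranted for the role — going by the grants visible in this series — which is why later patches resort to `skip_authorize_resource` for those actions once framework authorization is enabled. Grant the full write set here, `can [:new, :create, :edit, :update, :destroy], Event`, so the controller never has to exempt actions from checking; `cannot :apply, Event` stays as is.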
@@ -107,6 +108,7 @@ end it "redirects to the event" do + sign_in FactoryGirl.create(:user, role: :organizer) put :update, id: @event.to_param, event: valid_attributes, session: valid_session expect(response).to redirect_to(@event) end @@ -116,6 +118,13 @@ put :update, id: @event.to_param, event: valid_attributes_post[:event], session: valid_session }.to change((Event.find_by! id: @event.to_param).date_ranges, :count).by(0) end + + it "won't update the requested event as user" do + sign_in FactoryGirl.create(:user, role: :pupil) + put :update, id: @event.to_param, event: new_attributes, session: valid_session + @event.reload + expect(@event.name).to_not eq(new_attributes[:name]) + end end context "with invalid params" do @@ -125,6 +134,7 @@ end it "re-renders the 'edit' template" do + sign_in FactoryGirl.create(:user, role: :organizer) put :update, id: @event.to_param, event: invalid_attributes, session: valid_session expect(response).to render_template("edit") end @@ -516,6 +526,6 @@ def login(role) @profile = FactoryGirl.create(:profile) @profile.user.role = role - sign_in(@profile.user, :scope => :user) + login_as(@profile.user, :scope => :user) end end diff --git a/spec/features/event_spec.rb b/spec/features/event_spec.rb index eb74a7b2..caedf9fe 100644 --- a/spec/features/event_spec.rb +++ b/spec/features/event_spec.rb 
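Review bot: The new `"won't update the requested event as user"` example only checks that `@event.name` is unchanged, so a 500 from an unrelated error would also pass it. Assert the denial itself as well — `expect(response).to redirect_to(root_path)` or `expect(flash[:alert]).to be_present`, whichever the `CanCan::AccessDenied` handler in ApplicationController produces (not visible here). A coach variant and a logged-out variant would cover the other two cases the ability file distinguishes.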
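Review bot: Replacing `sign_in(@profile.user, :scope => :user)` with `login_as(...)` in a controller spec mixes helpers: `login_as` is Warden's helper for feature/integration specs, while controller specs authenticate through Devise's `sign_in`. The examples added in this same patch use `sign_in`, and PATCH 12 of this series comments out the `login(...)` calls and uses `sign_in` directly, which suggests this helper stopped working. Keep `sign_in(@profile.user)` here.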
@@ -283,13 +283,22 @@ end describe "edit page" do + it "should not be possible to visit as pupil" do + login_as(FactoryGirl.create(:user, role: :pupil), :scope => :user) + event = FactoryGirl.create(:event, kind: :camp) + visit edit_event_path(event) + expect(page).to have_text("Du bist nicht authorisiert diese Aktion auszuführen.") + end + it "should preselect the event kind" do + login_as(FactoryGirl.create(:user, role: :organizer), :scope => :user) event = FactoryGirl.create(:event, kind: :camp) visit edit_event_path(event) expect(find_field('Camp')[:checked]).to_not be_nil end it "should display all existing date ranges" do + login_as(FactoryGirl.create(:user, role: :organizer), :scope => :user) event = FactoryGirl.create(:event, :with_two_date_ranges) visit edit_event_path(event.id) @@ -297,6 +306,7 @@ end it "should save edits to the date ranges" do + login_as(FactoryGirl.create(:user, role: :organizer), :scope => :user) event = FactoryGirl.create(:event, :with_two_date_ranges) date_start = Date.current.next_year date_end = Date.tomorrow.next_year From c1399f5a046d39e7e1a641e3f29029e530f7ddaa Mon Sep 17 00:00:00 2001 From: Alec Schneider Date: Thu, 2 Feb 2017 17:22:51 +0100 Subject: [PATCH 03/17] Update event_spec.rb should fix a test --- spec/features/event_spec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/spec/features/event_spec.rb b/spec/features/event_spec.rb index 34ba138c..3dd1cc6e 100644 --- a/spec/features/event_spec.rb +++ b/spec/features/event_spec.rb @@ -275,7 +275,7 @@ describe "edit page" do it "should not be possible to visit as pupil" do login_as(FactoryGirl.create(:user, role: :pupil), :scope => :user) - event = FactoryGirl.create(:event, kind: :camp) + event = FactoryGirl.create(:event, hidden: false) visit edit_event_path(event) expect(page).to have_text("Du bist nicht authorisiert diese Aktion auszuführen.") end From 29e4b58aff1719d76a0340afa070a6fbe5135b23 Mon Sep 17 00:00:00 2001 
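Review bot: The denial assertion matches the raw German string `"Du bist nicht authorisiert diese Aktion auszuführen."`; if that flash comes from the locale file, assert on the I18n key ApplicationController's access-denied handler uses (not visible here) so a wording fix does not break the test. As written the example also passes if the edit form is rendered beneath the flash; `expect(current_path).not_to eq(edit_event_path(event))` would pin the denial.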
From: Alec Schneider Date: Thu, 2 Feb 2017 17:30:41 +0100 Subject: [PATCH 04/17] fix this fuckin test from merge for #389 --- app/models/ability.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/app/models/ability.rb b/app/models/ability.rb index 63d5b464..a5bf8c73 100644 --- a/app/models/ability.rb +++ b/app/models/ability.rb @@ -69,7 +69,8 @@ def initialize(user) can :send_email, Email can [:manage, :set_contact_person, :set_notes], Request cannot :apply, Event - can [:view_apply_button, :edit, :update], Event + cannot :view_apply_button, Event + can [:edit, :update], Event can [:update], ParticipantGroup # Organizers can update user roles of pupil, coach and organizer, but cannot manage admins and cannot update a role to admin From d66b778211d050a328aa35fa0c32c1cf2622805e Mon Sep 17 00:00:00 2001 From: JuliusCosmoRomeo Date: Mon, 6 Feb 2017 12:47:57 +0100 Subject: [PATCH 05/17] refs #389 refactored the authorisation to do it the way suggested by cmf cmf --- app/controllers/events_controller.rb | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/app/controllers/events_controller.rb b/app/controllers/events_controller.rb index 674d04bf..3483c43a 100644 --- a/app/controllers/events_controller.rb +++ b/app/controllers/events_controller.rb @@ -5,6 +5,8 @@ require 'zip' class EventsController < ApplicationController + load_and_authorize_resource + skip_authorize_resource :only => [:show,:index,:archive,:upload_material,:badges,:new,:create,:destroy,:accept_all_applicants,:print_applications_eating_habits] before_action :set_event, only: [:show, :edit, :update, :destroy, :participants, :participants_pdf, :print_applications, :print_applications_eating_habits, :badges, :print_badges] @@ -38,7 +40,7 @@ def new # GET /events/1/edit def edit @event = Event.find(params[:id]) - authorize! :edit, @event + #authorize! :edit, @event end 
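Review bot: The `skip_authorize_resource` list turns authorization off for `destroy`, `upload_material`, `accept_all_applicants`, `badges`, `new`, `create` and `print_applications_eating_habits`, while the same patch comments out the in-body `authorize!` calls — so at this commit `badges` (participant names) and `print_applications_eating_habits` (a participants PDF) have neither a framework check nor a manual one, and `destroy` has had none anywhere in this series. Skipping is the wrong fix for actions whose names do not match an ability: grant the action to the roles that need it in `Ability`, or map it with `alias_action :badges, to: :print_badges` and the like, and keep `load_and_authorize_resource` unconditional. Also avoid leaving `#authorize! ...` commented out; dead authorization lines read as if the check were still in force.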
@@ -55,7 +57,7 @@ def create # PATCH/PUT /events/1 def update attrs = event_params - authorize! :update, @event + #authorize! :update, @event if @event.update(attrs) redirect_to @event, notice: I18n.t('events.notices.updated') else @@ -71,13 +73,13 @@ def destroy # GET /events/1/badges def badges - authorize! :print_badges, @event + #authorize! :print_badges, @event @participants = @event.participants end # POST /events/1/badges def print_badges - authorize! :print_badges, @event + #authorize! :print_badges, @event @participants = @event.participants name_format = params[:name_format] show_color = params[:show_color] @@ -110,7 +112,7 @@ def participants # GET /events/1/print_applications def print_applications - authorize! :print_applications, @event + #authorize! :print_applications, @event pdf = ApplicationsPDF.generate(@event) send_data pdf, filename: "applications_#{@event.name}_#{Date.today}.pdf", type: "application/pdf", disposition: "inline" end @@ -135,7 +137,7 @@ def download_agreement_letters if not params.has_key?(:selected_participants) redirect_to event_participants_url(@event), notice: I18n.t('events.agreement_letters_download.notices.no_participants_selected') and return end - authorize! :print_agreement_letters, @event + #authorize! :print_agreement_letters, @event if params[:download_type] == "zip" filename = "agreement_letters_#{@event.name}_#{Date.today}.zip" temp_file = Tempfile.new(filename) @@ -241,7 +243,7 @@ def download_material unless params.has_key?(:file) redirect_to event_path(event), alert: I18n.t('events.material_area.no_file_given') and return end - authorize! :download_material, event + #authorize! :download_material, event file_full_path = File.join(event.material_path, params[:file]) unless File.exists?(file_full_path) From 8f60295cae8c0191682f6d706c6c1841fa1fbd3e Mon Sep 17 00:00:00 2001 
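Review bot: With `authorize! :print_agreement_letters, @event` commented out, `download_agreement_letters` is now checked by `load_and_authorize_resource` against the action name `:download_agreement_letters`, but the ability the code relied on is `:print_agreement_letters`; no grant for the new name appears in this series apart from admin's `manage :all`, so organizers are likely to be denied. Add `alias_action :download_agreement_letters, to: :print_agreement_letters` in `Ability#initialize` (or rename the ability) instead of exempting the action, which is what PATCH 17 eventually does.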
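Review bot: After dropping the explicit `authorize! :download_material, event`, the only guard visible before the file is served is `File.exists?(file_full_path)` on `File.join(event.material_path, params[:file])`; nothing in this hunk rejects a `params[:file]` containing `..` or an absolute path, so a user with `download_material` could read outside `material_path`. Constrain the name, e.g. `file_name = File.basename(params[:file])`, or resolve with `File.expand_path` and require `file_full_path.start_with?(File.expand_path(event.material_path) + File::SEPARATOR)`. This is pre-existing and the rest of the action lies outside the hunk, so a check further down would need confirming, but this series is the authorization pass for this controller.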
From: JuliusCosmoRomeo Date: Mon, 6 Feb 2017 12:59:12 +0100 Subject: [PATCH 06/17] fixed failing tests refs #389 --- app/controllers/events_controller.rb | 2 +- spec/features/event_spec.rb | 13 +++++++++++++ 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/app/controllers/events_controller.rb b/app/controllers/events_controller.rb index 3483c43a..ab3cfd40 100644 --- a/app/controllers/events_controller.rb +++ b/app/controllers/events_controller.rb @@ -6,7 +6,7 @@ class EventsController < ApplicationController load_and_authorize_resource - skip_authorize_resource :only => [:show,:index,:archive,:upload_material,:badges,:new,:create,:destroy,:accept_all_applicants,:print_applications_eating_habits] + skip_authorize_resource :only => [:show,:index,:archive,:upload_material,:badges,:new,:create,:destroy,:accept_all_applicants,:print_applications_eating_habits,:participants_pdf,:participants] before_action :set_event, only: [:show, :edit, :update, :destroy, :participants, :participants_pdf, :print_applications, :print_applications_eating_habits, :badges, :print_badges] diff --git a/spec/features/event_spec.rb b/spec/features/event_spec.rb index 3dd1cc6e..12645cc6 100644 --- a/spec/features/event_spec.rb +++ b/spec/features/event_spec.rb 
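Review bot: Adding `:participants_pdf` and `:participants` to `skip_authorize_resource` to make failing tests pass disables authorization on the endpoints that expose participant personal data — for every role and for anonymous visitors. The tests should instead sign in as a role that is granted those actions, which PATCH 11 of this series eventually does; the skip list should shrink, not grow. A spec asserting that a pupil and a logged-out visitor are denied on `participants` would have caught this.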
@@ -280,6 +280,19 @@ expect(page).to have_text("Du bist nicht authorisiert diese Aktion auszuführen.") end + it "should not be possible to visit when logged out" do + event = FactoryGirl.create(:event, hidden: false) + visit edit_event_path(event) + expect(page).to have_text("Du bist nicht authorisiert diese Aktion auszuführen.") + end + + it "should not be possible to visit as coach" do + login_as(FactoryGirl.create(:user, role: :coach), :scope => :user) + event = FactoryGirl.create(:event, hidden: false) + visit edit_event_path(event) + expect(page).to have_text("Du bist nicht authorisiert diese Aktion auszuführen.") + end + it "should preselect the event kind" do login_as(FactoryGirl.create(:user, role: :organizer), :scope => :user) event = FactoryGirl.create(:event, hidden: false) From 6f2246ebddd3466ab1676104e55e189c346e473f Mon Sep 17 00:00:00 2001 From: JuliusCosmoRomeo Date: Mon, 6 Feb 2017 13:01:37 +0100 Subject: [PATCH 07/17] removed comments refs #389 --- app/controllers/events_controller.rb | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/app/controllers/events_controller.rb b/app/controllers/events_controller.rb index ab3cfd40..a9679643 100644 --- a/app/controllers/events_controller.rb +++ b/app/controllers/events_controller.rb @@ -40,8 +40,6 @@ def new # GET /events/1/edit def edit @event = Event.find(params[:id]) - #authorize! :edit, @event - end # POST /events @@ -57,7 +55,6 @@ def create # PATCH/PUT /events/1 def update attrs = event_params - #authorize! :update, @event if @event.update(attrs) redirect_to @event, notice: I18n.t('events.notices.updated') else @@ -73,13 +70,11 @@ def destroy # GET /events/1/badges def badges - #authorize! :print_badges, @event @participants = @event.participants end # POST /events/1/badges def print_badges - #authorize! :print_badges, @event @participants = @event.participants name_format = params[:name_format] show_color = params[:show_color] 
@@ -112,7 +107,6 @@ def participants # GET /events/1/print_applications def print_applications - #authorize! :print_applications, @event pdf = ApplicationsPDF.generate(@event) send_data pdf, filename: "applications_#{@event.name}_#{Date.today}.pdf", type: "application/pdf", disposition: "inline" end @@ -137,7 +131,6 @@ def download_agreement_letters if not params.has_key?(:selected_participants) redirect_to event_participants_url(@event), notice: I18n.t('events.agreement_letters_download.notices.no_participants_selected') and return end - #authorize! :print_agreement_letters, @event if params[:download_type] == "zip" filename = "agreement_letters_#{@event.name}_#{Date.today}.zip" temp_file = Tempfile.new(filename) @@ -243,8 +236,7 @@ def download_material unless params.has_key?(:file) redirect_to event_path(event), alert: I18n.t('events.material_area.no_file_given') and return end - #authorize! :download_material, event - + file_full_path = File.join(event.material_path, params[:file]) unless File.exists?(file_full_path) redirect_to event_path(event), alert: t("events.material_area.download_file_not_found") and return From cda7bed72f4a1a58d5f79699efb88eaba5952102 Mon Sep 17 00:00:00 2001 From: JuliusCosmoRomeo Date: Mon, 6 Feb 2017 19:22:24 +0100 Subject: [PATCH 08/17] removed further comments --- app/controllers/events_controller.rb | 1 - 1 file changed, 1 deletion(-) diff --git a/app/controllers/events_controller.rb b/app/controllers/events_controller.rb index a9679643..19d7e543 100644 --- a/app/controllers/events_controller.rb +++ b/app/controllers/events_controller.rb @@ -112,7 +112,6 @@ def print_applications end def print_applications_eating_habits - #authorize! :print_applications_eating_habits, @event pdf = ParticipantsPDF.generate(@event) send_data pdf, filename: "applications_eating_habits_#{@event.name}_#{Date.today}.pdf", type: "application/pdf", disposition: "inline" end From 701bb1d2b4ecb324e5f152e5826838b733ea84fc Mon Sep 17 00:00:00 2001 
From: JuliusCosmoRomeo Date: Mon, 6 Feb 2017 19:26:31 +0100 Subject: [PATCH 09/17] merged dev in --- app/controllers/events_controller.rb | 1 - 1 file changed, 1 deletion(-) diff --git a/app/controllers/events_controller.rb b/app/controllers/events_controller.rb index 777286ba..d786b6da 100644 --- a/app/controllers/events_controller.rb +++ b/app/controllers/events_controller.rb @@ -127,7 +127,6 @@ def accept_all_applicants # GET /events/1/send-participants-email def send_participants_email - authorize! :send_email, Email event = Event.find(params[:id]) @email = event.generate_participants_email(params[:all],params[:groups], params[:users]) @templates = [] From d81c718e23101de439491e5174faab20fc3a81ad Mon Sep 17 00:00:00 2001 From: Alec Schneider Date: Wed, 8 Feb 2017 19:06:27 +0100 Subject: [PATCH 10/17] Fix tests for #389 --- spec/features/event_spec.rb | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/spec/features/event_spec.rb b/spec/features/event_spec.rb index 0d7db5ca..0e6d2ed0 100644 --- a/spec/features/event_spec.rb +++ b/spec/features/event_spec.rb @@ -122,6 +122,9 @@ end describe "create page" do + before :each do + login_as(FactoryGirl.create(:user, role: :organizer), :scope => :user) + end I18n.t(".events.type").each do |type| it "should allow picking the #{type[1]} type" do visit new_event_path @@ -223,8 +226,6 @@ end it "should allow to add custom fields", js: true do - login_as(FactoryGirl.create(:user, role: :organizer), :scope => :user) - visit new_event_path click_link I18n.t "events.form.add_field" @@ -322,7 +323,7 @@ visit edit_event_path(event) expect(page).to have_text("Du bist nicht authorisiert diese Aktion auszuführen.") end - + it "should not be possible to visit as coach" do login_as(FactoryGirl.create(:user, role: :coach), :scope => :user) event = FactoryGirl.create(:event, hidden: false) From b0d9db359d722d9289bc7eb269b3f69e653cf607 Mon Sep 17 00:00:00 2001 
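Review bot: This merge commit removes `authorize! :send_email, Email` from `send_participants_email`, leaving the action to `load_and_authorize_resource`, which checks `:send_participants_email` on `Event` — an ability no role in this series is granted apart from admin's `manage :all`. Depending on grants not visible here, that either locks organizers out of mailing participants or, if a broad `Event` permission exists, drops the Email-specific check altogether; the line is restored in PATCH 15. An authorization line dropped during a merge deserves a mention in the commit message.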
From: Alec Schneider Date: Wed, 8 Feb 2017 19:38:06 +0100 Subject: [PATCH 11/17] Fix tests for #389 --- app/controllers/events_controller.rb | 4 ++-- spec/controllers/events_controller_spec.rb | 14 ++++++++++++++ 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/app/controllers/events_controller.rb b/app/controllers/events_controller.rb index d786b6da..434743b3 100644 --- a/app/controllers/events_controller.rb +++ b/app/controllers/events_controller.rb @@ -7,7 +7,7 @@ class EventsController < ApplicationController load_and_authorize_resource - skip_authorize_resource :only => [:show,:index,:archive,:upload_material,:badges,:new,:create,:destroy,:accept_all_applicants,:print_applications_eating_habits,:participants_pdf,:participants] + skip_authorize_resource :only => [:show,:index,:archive,:new,:create,:destroy,:print_applications_eating_habits] before_action :set_event, only: [:show, :edit, :update, :destroy, :participants, :participants_pdf, :print_applications, :print_applications_eating_habits, :badges, :print_badges] @@ -246,7 +246,7 @@ def download_material unless params.has_key?(:file) redirect_to event_path(event), alert: I18n.t('events.material_area.no_file_given') and return end - + file_full_path = File.join(event.material_path, params[:file]) unless File.exists?(file_full_path) redirect_to event_path(event), alert: t("events.material_area.download_file_not_found") and return diff --git a/spec/controllers/events_controller_spec.rb b/spec/controllers/events_controller_spec.rb index f4050195..dbe1bdf6 100644 --- a/spec/controllers/events_controller_spec.rb +++ b/spec/controllers/events_controller_spec.rb @@ -160,6 +160,11 @@ describe "GET #participants" do let(:valid_attributes) { FactoryGirl.attributes_for(:event_with_accepted_applications) } + + before :each do + @user = FactoryGirl.create(:user_with_profile, role: :admin) + sign_in @user + end it "assigns the event as @event" do get :participants, id: @event.to_param, session: valid_session 
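Review bot: The trimmed skip list still exempts `:destroy`, `:new` and `:create`, and no `authorize!` is visible in those actions anywhere in this series, so at this commit any signed-in pupil — or a guest, if no `authenticate_user!` runs first — can create and delete events. Grant these to organizers in `Ability` and remove them from the list; `:show, :index, :archive` are the only entries a public events site legitimately needs, and PATCH 13 handles those with a `can` instead.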
@@ -184,6 +189,10 @@ end describe "GET #accept_all_applicants" do + before :each do + @user = FactoryGirl.create(:user_with_profile, role: :organizer) + sign_in @user + end it "should redirect to the event" do get :accept_all_applicants, id: @event.to_param, session: valid_session expect(response).to redirect_to(@event) @@ -203,6 +212,10 @@ describe "GET #participants_pdf" do let(:valid_attributes) { FactoryGirl.attributes_for(:event_with_accepted_applications) } + before :each do + @user = FactoryGirl.create(:user_with_profile, role: :organizer) + sign_in @user + end it "should return an pdf" do event = Event.create! valid_attributes @@ -347,6 +360,7 @@ describe "POST #upload_material" do before :each do + sign_in FactoryGirl.create(:user, role: :organizer) filepath = Rails.root.join('spec/testfiles/actual.pdf') @file = fixture_file_upload(filepath, 'application/pdf') @event = Event.create! valid_attributes From 32dbe58b811ced2aed39bdd823db0803f9e1091c Mon Sep 17 00:00:00 2001 From: JuliusCosmoRomeo Date: Wed, 8 Feb 2017 19:38:40 +0100 Subject: [PATCH 12/17] fixed tests for authorization refs #389 --- app/controllers/events_controller.rb | 2 +- app/models/ability.rb | 10 +++--- spec/controllers/events_controller_spec.rb | 38 ++++++++++++++++++++-- 3 files changed, 43 insertions(+), 7 deletions(-) diff --git a/app/controllers/events_controller.rb b/app/controllers/events_controller.rb index d786b6da..c23b3285 100644 --- a/app/controllers/events_controller.rb +++ b/app/controllers/events_controller.rb 
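Review bot: The `GET #participants` examples now sign in as `role: :admin`, which has `can :manage, :all`, so they pass regardless of what `Ability` says about `participants` and cannot catch a regression in the organizer or coach grants. Use the least-privileged role that is meant to see the page (`:organizer`, or `:coach` if `view_participants` is meant to cover it) and add a negative example for `:pupil`.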
@@ -7,7 +7,7 @@ class EventsController < ApplicationController load_and_authorize_resource - skip_authorize_resource :only => [:show,:index,:archive,:upload_material,:badges,:new,:create,:destroy,:accept_all_applicants,:print_applications_eating_habits,:participants_pdf,:participants] + skip_authorize_resource :only => [:show,:index,:archive,:upload_material,:badges,:accept_all_applicants,:participants_pdf,:participants] before_action :set_event, only: [:show, :edit, :update, :destroy, :participants, :participants_pdf, :print_applications, :print_applications_eating_habits, :badges, :print_badges] diff --git a/app/models/ability.rb b/app/models/ability.rb index a5bf8c73..a444941a 100644 --- a/app/models/ability.rb +++ b/app/models/ability.rb @@ -48,15 +48,15 @@ def initialize(user) can [:create], AgreementLetter can [:new, :create], Request cannot :view_personal_details, ApplicationLetter, user: { id: !user.id } - cannot [:edit, :update], Event + can [:show, :index, :archive], Event + cannot [:edit, :update, :new, :create, :destroy, :accept_all_applicants, :print_applications_eating_habits, :participants_pdf, :participants], Event end if user.role? :coach # Coaches can view Applications and participants for and view, upload and download materials for Event can [:view_applicants, :view_participants, :view_material, :upload_material, :print_applications, :download_material], Event can [:view_and_add_notes, :show], ApplicationLetter - can [:print_applications], Event can [:show, :index], Request - cannot [:view_apply_button, :edit, :update], Event + cannot [:view_apply_button, :edit, :update, :new, :create, :destroy], Event cannot :check, ApplicationLetter end if user.role? :organizer 
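Review bot: The pupil branch now enumerates controller action names — `cannot [:edit, :update, :new, :create, :destroy, :accept_all_applicants, :print_applications_eating_habits, :participants_pdf, :participants], Event` — but CanCan denies anything not granted, so every entry is inert and the list will silently drift from the controller. Keep the model to positive grants (`can [:show, :index, :archive], Event` is the one line that matters) and delete the `cannot` list; the same applies to the extended coach `cannot`. Note also that `can [:show, :index, :archive], Event` carries no condition: if hidden events are meant to be invisible to pupils, `can :show, Event, hidden: false` is needed — the `hidden` attribute appears in the feature specs, but the controller's handling is not visible here.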
@@ -70,7 +70,7 @@ def initialize(user) can [:manage, :set_contact_person, :set_notes], Request cannot :apply, Event cannot :view_apply_button, Event - can [:edit, :update], Event + can [:edit, :update, :destroy], Event can [:update], ParticipantGroup # Organizers can update user roles of pupil, coach and organizer, but cannot manage admins and cannot update a role to admin @@ -80,6 +80,8 @@ def initialize(user) end if user.role? :admin can :manage, :all + can [:edit, :update, :destroy], Event + can :view_delete_button, ApplicationLetter cannot [:edit, :update], ApplicationLetter end diff --git a/spec/controllers/events_controller_spec.rb b/spec/controllers/events_controller_spec.rb index f4050195..79ea556f 100644 --- a/spec/controllers/events_controller_spec.rb +++ b/spec/controllers/events_controller_spec.rb @@ -47,6 +47,7 @@ context "With an existing event" do before :each do @event = Event.create! valid_attributes + end describe "GET #index" do 
@@ -148,11 +149,35 @@ describe "DELETE #destroy" do it "destroys the requested event" do expect { + sign_in FactoryGirl.create(:user, role: :pupil) + delete :destroy, id: @event.to_param, session: valid_session + }.to change(Event, :count).by(0) + end + + it "destroys the requested event" do + expect { + sign_in FactoryGirl.create(:user, role: :coach) + delete :destroy, id: @event.to_param, session: valid_session + }.to change(Event, :count).by(0) + end + + it "destroys the requested event" do + expect { + sign_in FactoryGirl.create(:user, role: :organizer) delete :destroy, id: @event.to_param, session: valid_session }.to change(Event, :count).by(-1) end + it "destroys the requested event" do + expect { + sign_in FactoryGirl.create(:user, role: :admin) + delete :destroy, id: @event.to_param, session: valid_session + }.to change(Event, :count).by(-1) + end + + it "redirects to the events list" do + sign_in FactoryGirl.create(:user, role: :organizer) delete :destroy, id: @event.to_param, session: valid_session expect(response).to redirect_to(events_url) end @@ -230,7 +255,8 @@ let(:valid_attributes) { FactoryGirl.attributes_for(:event_with_accepted_applications) } it "should return an pdf" do - login(:organizer) + sign_in FactoryGirl.create(:user, role: :organizer) + #login(:organizer) event = Event.create! valid_attributes profile = FactoryGirl.create(:profile) user = FactoryGirl.create(:user, profile: profile) @@ -241,7 +267,8 @@ end it "should return an pdf with the eating habits of the user" do - login(:organizer) + sign_in FactoryGirl.create(:user, role: :organizer) + #login(:organizer) event = Event.create! valid_attributes user = FactoryGirl.create(:user) @@ -414,6 +441,10 @@ describe "POST #create" do context "with valid params" do + before :each do + sign_in FactoryGirl.create(:user, role: :organizer) + end + it "creates a new Event" do expect { post :create, valid_attributes_post, session: valid_session 
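Review bot: Four examples in `DELETE #destroy` share the description `"destroys the requested event"` while two of them assert the opposite; RSpec accepts duplicate names, but the failure output becomes meaningless. Name them by role and outcome (`"does not destroy the event as pupil"`, `"destroys the event as organizer"`) and, for the denied cases, also assert the response (`expect(response).to redirect_to(root_path)` or the flash) so a 500 is not mistaken for a denial. Move `sign_in` out of the `expect { }` block — it is setup, not the action under test — and the `#login(:organizer)` lines further down should be deleted rather than commented out.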
@@ -426,6 +457,7 @@ expect(assigns(:event)).to be_persisted end + it "saves optional attributes" do post :create, valid_attributes_post, session: valid_session event = Event.create! valid_attributes @@ -447,12 +479,14 @@ end it "re-renders the 'new' template" do + sign_in FactoryGirl.create(:user, role: :organizer) post :create, event: invalid_attributes, session: valid_session expect(response).to render_template("new") end end it "should attach correct date ranges to the event entity" do + sign_in FactoryGirl.create(:user, role: :organizer) post :create, valid_attributes_post, session: valid_session expect(assigns(:event)).to be_a(Event) expect(assigns(:event)).to be_persisted From 233590a7fc0dc537a8c4bf620f6294875275b89b Mon Sep 17 00:00:00 2001 From: Alec Schneider Date: Thu, 9 Feb 2017 18:46:44 +0100 Subject: [PATCH 13/17] Fix some redundant authorize issues --- app/controllers/events_controller.rb | 1 - app/models/ability.rb | 9 ++++----- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/app/controllers/events_controller.rb b/app/controllers/events_controller.rb index 13c960f5..c4fa48a6 100644 --- a/app/controllers/events_controller.rb +++ b/app/controllers/events_controller.rb @@ -7,7 +7,6 @@ class EventsController < ApplicationController load_and_authorize_resource - skip_authorize_resource :only => [:show,:index,:archive] before_action :set_event, only: [:show, :edit, :update, :destroy, :participants, :participants_pdf, :print_applications, :print_applications_eating_habits, :badges, :print_badges] diff --git a/app/models/ability.rb b/app/models/ability.rb index a444941a..093aa305 100644 --- a/app/models/ability.rb +++ b/app/models/ability.rb @@ -34,6 +34,8 @@ def initialize(user) # Even guests can see the apply button # This is revoked for coaches and organizers below. can :view_apply_button, Event + can [:show, :index, :archive], Event + if user.role? :pupil # Pupils can only edit their own profiles 
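Review bot: Removing `skip_authorize_resource` entirely is the right direction, but `badges`, `download_agreement_letters` and `send_participants_email` are now authorized against their own action names, which no ability grants (the existing abilities are `print_badges`, `print_agreement_letters`, and `send_email` on `Email`); PATCH 14/15 re-add manual checks and PATCH 17 brings back a skip list to avoid double-checking. The cleaner fix is in `Ability`: `alias_action :badges, to: :print_badges` and `alias_action :download_agreement_letters, to: :print_agreement_letters`, leaving only the Email-class check as an explicit `authorize!`.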
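Review bot: Hoisting `can [:show, :index, :archive], Event` above the role branches grants it unconditionally to guests and every role. The feature specs create events with `hidden: false`, so a hidden/draft state exists; at the ability level `show` on hidden events is now permitted and only a controller-side filter (not visible here) would hide them. If that is not intended, scope the grant — `can :show, Event, hidden: false` here, with the unrestricted grant in the organizer branch; if hidden only affects listings, a one-line comment saying so would save the next reader the same question.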
@@ -48,15 +50,13 @@ def initialize(user) can [:create], AgreementLetter can [:new, :create], Request cannot :view_personal_details, ApplicationLetter, user: { id: !user.id } - can [:show, :index, :archive], Event - cannot [:edit, :update, :new, :create, :destroy, :accept_all_applicants, :print_applications_eating_habits, :participants_pdf, :participants], Event end if user.role? :coach # Coaches can view Applications and participants for and view, upload and download materials for Event can [:view_applicants, :view_participants, :view_material, :upload_material, :print_applications, :download_material], Event can [:view_and_add_notes, :show], ApplicationLetter can [:show, :index], Request - cannot [:view_apply_button, :edit, :update, :new, :create, :destroy], Event + cannot [:view_apply_button], Event cannot :check, ApplicationLetter end if user.role? :organizer @@ -80,8 +80,7 @@ def initialize(user) end if user.role? :admin can :manage, :all - can [:edit, :update, :destroy], Event - + can :view_delete_button, ApplicationLetter cannot [:edit, :update], ApplicationLetter end From c09cc680202882e9b767a8cd9d9e5dee5ba374dd Mon Sep 17 00:00:00 2001 From: JuliusCosmoRomeo Date: Thu, 9 Feb 2017 22:21:09 +0100 Subject: [PATCH 14/17] refs #389 added the deleted authorization lines --- app/controllers/events_controller.rb | 2 ++ app/models/ability.rb | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/app/controllers/events_controller.rb b/app/controllers/events_controller.rb index c4fa48a6..6258351d 100644 --- a/app/controllers/events_controller.rb +++ b/app/controllers/events_controller.rb @@ -71,6 +71,7 @@ def destroy # GET /events/1/badges def badges + authorize! :print_badges, @event @participants = @event.participants end 
@@ -140,6 +141,7 @@ def download_agreement_letters if not params.has_key?(:selected_participants) redirect_to event_participants_url(@event), notice: I18n.t('events.agreement_letters_download.notices.no_participants_selected') and return end + authorize! :print_agreement_letters, @event if params[:download_type] == "zip" filename = "agreement_letters_#{@event.name}_#{Date.today}.zip" temp_file = Tempfile.new(filename) diff --git a/app/models/ability.rb b/app/models/ability.rb index 093aa305..5ddfaae2 100644 --- a/app/models/ability.rb +++ b/app/models/ability.rb @@ -56,7 +56,7 @@ def initialize(user) can [:view_applicants, :view_participants, :view_material, :upload_material, :print_applications, :download_material], Event can [:view_and_add_notes, :show], ApplicationLetter can [:show, :index], Request - cannot [:view_apply_button], Event + cannot :view_apply_button, Event cannot :check, ApplicationLetter end if user.role? :organizer From c5a7b7c8ef8984abda03eccbcead5f27c9c204ec Mon Sep 17 00:00:00 2001 From: JuliusCosmoRomeo Date: Thu, 9 Feb 2017 22:26:09 +0100 Subject: [PATCH 15/17] refs #389 restored one further authorize! for send_email in events controller --- app/controllers/events_controller.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/app/controllers/events_controller.rb b/app/controllers/events_controller.rb index 6258351d..e46ec32a 100644 --- a/app/controllers/events_controller.rb +++ b/app/controllers/events_controller.rb @@ -127,6 +127,7 @@ def accept_all_applicants # GET /events/1/send-participants-email def send_participants_email + authorize! :send_email, Email event = Event.find(params[:id]) @email = event.generate_participants_email(params[:all],params[:groups], params[:users]) @templates = [] From f0e667fc707c7e0f70f6836ff043cce7cbc9caf3 Mon Sep 17 00:00:00 2001 
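Review bot: The restored `authorize! :print_agreement_letters, @event` sits after the `params.has_key?(:selected_participants)` check, so an unauthorized caller who omits that parameter is redirected to the participants page with a notice before any permission check runs. Authorization should be the first statement of the action, ahead of all parameter handling; the action continues outside the hunk, so nothing else should run ahead of it either.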
From: JuliusCosmoRomeo Date: Thu, 9 Feb 2017 23:02:05 +0100 Subject: [PATCH 16/17] merged master, but still some tests are failing --- app/controllers/events_controller.rb | 2 +- spec/features/event_image_spec.rb | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/app/controllers/events_controller.rb b/app/controllers/events_controller.rb index 83743a67..cd2e1ee2 100644 --- a/app/controllers/events_controller.rb +++ b/app/controllers/events_controller.rb @@ -8,7 +8,7 @@ class EventsController < ApplicationController include EventImageUploadHelper -load_and_authorize_resource + load_and_authorize_resource before_action :set_event, only: [:show, :edit, :update, :destroy, :participants, :participants_pdf, :print_applications, :print_applications_eating_habits, :badges, :print_badges] diff --git a/spec/features/event_image_spec.rb b/spec/features/event_image_spec.rb index 367a6595..2233676e 100644 --- a/spec/features/event_image_spec.rb +++ b/spec/features/event_image_spec.rb @@ -7,6 +7,7 @@ describe "new event" do before :each do + login_as(FactoryGirl.create(:user, role: :organizer), :scope => :user) visit new_event_path choose I18n.t "events.form.draft.publish" fill_in "Maximale Teilnehmerzahl", :with => 25 From 734b9ccc743768e1433ef849a4dc95f706192e86 Mon Sep 17 00:00:00 2001 From: JuliusCosmoRomeo Date: Mon, 13 Feb 2017 10:26:33 +0100 Subject: [PATCH 17/17] removed double authorization --- app/controllers/events_controller.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/controllers/events_controller.rb b/app/controllers/events_controller.rb index cd2e1ee2..1c8eea62 100644 --- a/app/controllers/events_controller.rb +++ b/app/controllers/events_controller.rb 
@@ -9,7 +9,7 @@ class EventsController < ApplicationController include EventImageUploadHelper load_and_authorize_resource - + skip_authorize_resource :only => [:badges, :download_agreement_letters, :send_participants_email] before_action :set_event, only: [:show, :edit, :update, :destroy, :participants, :participants_pdf, :print_applications, :print_applications_eating_habits, :badges, :print_badges]
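Review bot: `skip_authorize_resource :only => [:badges, :download_agreement_letters, :send_participants_email]` makes these three actions depend on an in-body `authorize!` that a later edit can drop unnoticed — exactly what happened to `send_participants_email` in PATCH 09 of this series. Map the names in `Ability` instead (`alias_action :badges, to: :print_badges`, `alias_action :download_agreement_letters, to: :print_agreement_letters`) so `load_and_authorize_resource` covers them without a skip, and keep the exemption only for `send_participants_email`, whose check is on the `Email` class rather than the event. A comment on that remaining skip naming the manual check it relies on would help the next maintainer.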