From aec7cb77bab5c4628edc2dd9bb0292ef93e00268 Mon Sep 17 00:00:00 2001
From: Anna Headley
Date: Tue, 13 Mar 2018 14:17:47 -0400
Subject: [PATCH] Make fixity dashboard viewable only by admins, fixes #899
---
 .../fixity_dashboard_controller.rb | 1 +
 .../catalog/_fixity_dashboard_home.html.erb | 20 ++++++++-------
 .../fixity_dashboard_controller_spec.rb | 14 +++++++++++
 .../views/catalog/_home_text.html.erb_spec.rb | 25 +++++++++++++++++++
 4 files changed, 51 insertions(+), 9 deletions(-)
 create mode 100644 spec/views/catalog/_home_text.html.erb_spec.rb
diff --git a/app/controllers/fixity_dashboard_controller.rb b/app/controllers/fixity_dashboard_controller.rb
index ed9d04bd07..aa7368302d 100644
--- a/app/controllers/fixity_dashboard_controller.rb
+++ b/app/controllers/fixity_dashboard_controller.rb
@@ -6,6 +6,7 @@ def show
 @failures = query_service.custom_queries.find_fixity_failures.map(&:decorate)
 @recents = query_service.custom_queries.file_sets_sorted_by_updated(sort: 'desc', limit: 10).map(&:decorate)
 @upcoming = query_service.custom_queries.file_sets_sorted_by_updated(limit: 20).map(&:decorate)
+ authorize! :read, :fixity
 end

 def metadata_adapter
diff --git a/app/views/catalog/_fixity_dashboard_home.html.erb b/app/views/catalog/_fixity_dashboard_home.html.erb
index 393e3cbd41..e12eae7f50 100644
--- a/app/views/catalog/_fixity_dashboard_home.html.erb
+++ b/app/views/catalog/_fixity_dashboard_home.html.erb
@@ -1,12 +1,14 @@
-
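Review bot: `authorize! :read, :fixity` is added as the last statement of `show`, after the three `custom_queries` calls above it have already run, so a request that will be denied still executes the fixity queries first. Make it the first statement of the action, or declare `before_action { authorize! :read, :fixity }`, so nothing is loaded until the check passes and a later edit cannot slip an early return in above it. The `:fixity` ability rule is not part of this patch; presumably it lives in the application's Ability class, and it is worth confirming there that it is granted to admins only. The `def show` line itself sits just above the hunk.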
-
-
-
Fixity
-
-
    -
  • <%= link_to 'Fixity Dashboard', fixity_dashboard_path %>
  • -
+<% if can?(:read, :fixity) %> +
+
+
+
Fixity
+
+
    +
  • <%= link_to 'Fixity Dashboard', fixity_dashboard_path %>
  • +
+
-
+<% end %>
diff --git a/spec/controllers/fixity_dashboard_controller_spec.rb b/spec/controllers/fixity_dashboard_controller_spec.rb
index c68074749c..57590ec656 100644
--- a/spec/controllers/fixity_dashboard_controller_spec.rb
+++ b/spec/controllers/fixity_dashboard_controller_spec.rb
@@ -29,6 +29,11 @@
 end

 describe "GET #show" do
+ let(:user) { FactoryBot.create(:admin) }
+ before do
+ sign_in user if user
+ end
+
 it "returns http success" do
 get :show
 expect(response).to have_http_status(:success)
@@ -58,5 +63,14 @@
 expect(assigns[:upcoming].size).to eq 3
 end
 end
+
+ context "for non-admin users" do
+ let(:user) { nil }
+
+ it "prevents viewing" do
+ get :show
+ expect(response).to be_redirect
+ end
+ end
 end
 end
diff --git a/spec/views/catalog/_home_text.html.erb_spec.rb b/spec/views/catalog/_home_text.html.erb_spec.rb
new file mode 100644
index 0000000000..63a96b5e8a
--- /dev/null
+++ b/spec/views/catalog/_home_text.html.erb_spec.rb
@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+require 'rails_helper'
+
+RSpec.describe "catalog/_home_text.html.erb" do
+ before do
+ sign_in user if user
+ render
+ end
+
+ context "when the user is an admin" do
+ let(:user) { FactoryBot.create(:admin) }
+
+ it 'has a link to the fixity dashboard' do
+ expect(rendered).to have_link 'Fixity Dashboard'
+ end
+ end
+
+ context "when the user is not an admin" do
+ let(:user) { FactoryBot.create(:curator) }
+
+ it 'does not have a link to the fixity dashboard' do
+ expect(rendered).not_to have_link 'Fixity Dashboard'
+ end
+ end
+end
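Review bot: In the `for non-admin users` context of fixity_dashboard_controller_spec.rb, `let(:user) { nil }` means nobody is signed in, so the spec only covers the anonymous case; a signed-in account without the admin role is never exercised against `show`. Add a sibling context with `let(:user) { FactoryBot.create(:curator) }`, the factory the new view spec already uses, and assert the denial there as well. `expect(response).to be_redirect` also passes for any redirect at all; asserting the redirect target would make the test fail if the denial path changes, though the expected location is not visible in this patch. The enclosing `describe` blocks start outside the hunk.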
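Review bot: The new view spec has contexts for an admin and a curator but none for a signed-out visitor, even though the `sign_in user if user` guard in its `before` block anticipates a nil user. A third context with `let(:user) { nil }` and `expect(rendered).not_to have_link 'Fixity Dashboard'` would pin the anonymous case too. The spec renders `catalog/_home_text.html.erb` while the conditional was added to `_fixity_dashboard_home.html.erb`; presumably the former includes the latter, which a short comment at the top of the spec could state.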