curation_concerns 0.1.0

data/spec/controllers/curation_concerns/collections_controller_spec.rb

@@ -0,0 +1,171 @@
+require 'spec_helper'
+
+describe CollectionsController do
+  routes { Hydra::Collections::Engine.routes }
+  before do
+    allow_any_instance_of(User).to receive(:groups).and_return([])
+  end
+
+  let(:user) { FactoryGirl.create(:user) }
+  let(:asset1) { FactoryGirl.build(:generic_work, title: ["First of the Assets"], user: user) }
+  let(:asset2) { FactoryGirl.build(:generic_work, title: ["Second of the Assets"], user: user, depositor: user.user_key) }
+  let(:asset3) { FactoryGirl.build(:generic_work, title: ["Third of the Assets"]) }
+  let!(:asset4) { FactoryGirl.create(:generic_work, title: ["Fourth of the Assets"], user: user) }
+  let(:bogus_depositor_asset) { FactoryGirl.create(:generic_work, title: ["Bogus Asset"], depositor: 'abc') }
+  let(:collection_attrs) { FactoryGirl.attributes_for(:collection, title: "My First Collection ", description: "The Description\r\n\r\nand more") }
+  let(:collection) { FactoryGirl.create(:collection, title: "Collection Title", user: user) }
+
+  describe '#new' do
+    before do
+      sign_in user
+    end
+
+    it 'should assign @collection' do
+      get :new
+      expect(assigns(:collection)).to be_kind_of(Collection)
+    end
+  end
+
+  describe '#create' do
+    before do
+      sign_in user
+    end
+
+    it "should create a Collection" do
+      expect {
+        post :create, collection: collection_attrs
+      }.to change{ Collection.count }.by(1)
+    end
+
+    it "should remove blank strings from params before creating Collection" do
+      expect {
+        post :create, collection: collection_attrs.merge(creator: [""])
+      }.to change{ Collection.count }.by(1)
+      expect(assigns[:collection].title).to eq("My First Collection ")
+      expect(assigns[:collection].creator).to eq([])
+    end
+
+    it "should create a Collection with files I can access" do
+      [ asset1, asset2 ].map(&:save) # bogus_depositor_asset is already saved
+      expect {
+        post :create, collection: collection_attrs,
+          batch_document_ids: [asset1.id, asset2.id, bogus_depositor_asset.id]
+      }.to change{ Collection.count }.by(1)
+      collection = assigns(:collection)
+      expect(collection.members).to match_array [asset1, asset2]
+    end
+
+    it "should add docs to the collection if a batch id is provided and add the collection id to the documents in the collection" do
+      asset1.save
+      post :create, batch_document_ids: [asset1.id], collection: collection_attrs
+      expect(assigns[:collection].members).to eq [asset1]
+
+      asset_results = ActiveFedora::SolrService.instance.conn.get "select", params:{fq:["id:\"#{asset1.id}\""],fl:['id',Solrizer.solr_name(:collection)]}
+      expect(asset_results["response"]["numFound"]).to eq 1
+
+      doc = asset_results["response"]["docs"].first
+      expect(doc["id"]).to eq asset1.id
+
+      afterupdate = GenericWork.find(asset1.id)
+      expect(doc[Solrizer.solr_name(:collection)]).to eq afterupdate.to_solr[Solrizer.solr_name(:collection)]
+    end
+
+  end
+
+  describe "#update" do
+    before { sign_in user }
+
+    context "a collections members" do
+      before do
+        [ asset1, asset2 ].map(&:save) # bogus_depositor_asset is already saved
+        bogus_depositor_asset.apply_depositor_metadata(user.user_key)
+        bogus_depositor_asset.save
+      end
+
+      it "should set collection on members" do
+        put :update, id: collection,
+          collection: { members:"add" },
+          batch_document_ids: [ bogus_depositor_asset.id, asset1.id, asset2.id ]
+        expect(response).to redirect_to routes.url_helpers.collection_path(collection)
+        expect(assigns[:collection].members).to match_array [ asset2, bogus_depositor_asset, asset1 ]
+
+        asset_results = ActiveFedora::SolrService.instance.conn.get "select", params:{fq:["id:\"#{asset2.id}\""],fl:['id',Solrizer.solr_name(:collection)]}
+        expect(asset_results["response"]["numFound"]).to eq 1
+
+        doc = asset_results["response"]["docs"].first
+        expect(doc["id"]).to eq asset2.id
+
+        afterupdate = GenericWork.find(asset2.id)
+        expect(doc[Solrizer.solr_name(:collection)]).to eq afterupdate.to_solr[Solrizer.solr_name(:collection)]
+
+        put :update, id: collection,
+          collection: { members: "remove" },
+          batch_document_ids: [ asset2 ]
+        asset_results = ActiveFedora::SolrService.instance.conn.get "select", params:{fq:["id:\"#{asset2.id}\""],fl:['id',Solrizer.solr_name(:collection)]}
+        expect(asset_results["response"]["numFound"]).to eq 1
+
+        doc = asset_results["response"]["docs"].first
+        expect(doc["id"]).to eq asset2.id
+
+        afterupdate = GenericWork.find(asset2.id)
+        expect(doc[Solrizer.solr_name(:collection)]).to be_nil
+      end
+    end
+
+    context "updating a collections metadata" do
+      it "should save the metadata" do
+        put :update, id: collection, collection: { creator: ['Emily'] }
+        collection.reload
+        expect(collection.creator).to eq ['Emily']
+      end
+
+      it "should remove blank strings from params before updating Collection metadata" do
+        put :update, id: collection, collection: collection_attrs.merge(creator: [""])
+        expect(assigns[:collection].title).to eq("My First Collection ")
+        expect(assigns[:collection].creator).to eq([])
+      end
+
+    end
+  end
+
+  describe "#show" do
+
+    context "when signed in" do
+      before do
+        sign_in user
+        [ asset1, asset2, asset3 ].map { |a| a.apply_depositor_metadata(user); a.save }
+        collection.members = [ asset1, asset2, asset3 ]
+        collection.save
+      end
+
+      it "should return the collection and its members" do
+        get :show, id: collection
+        expect(response).to be_successful
+        expect(assigns[:presenter]).to be_kind_of CurationConcerns::CollectionPresenter
+        expect(assigns[:collection].title).to eq collection.title
+        expect(assigns[:member_docs].map(&:id)).to match_array [asset1, asset2, asset3].map(&:id)
+      end
+    end
+
+    context "not signed in" do
+      before do
+        collection.members = [ asset1, asset2, asset3 ]
+        collection.save
+      end
+      it "should force me to log in" do
+        get :show, id: collection
+        expect(response).to redirect_to(main_app.new_user_session_path)
+      end
+    end
+  end
+
+  describe "#edit" do
+
+    before { sign_in user }
+
+    it "should not show flash" do
+      get :edit, id: collection
+      expect(flash[:notice]).to be_nil
+    end
+  end
+end

data/spec/controllers/curation_concerns/generic_files_controller_spec.rb

@@ -0,0 +1,251 @@
+require 'spec_helper'
+
+describe CurationConcerns::GenericFilesController do
+  let(:user) { FactoryGirl.create(:user) }
+  let(:file) { fixture_file_upload('files/image.png','image/png') }
+  let(:parent) { FactoryGirl.create(:generic_work, edit_users: [user.user_key], visibility:Hydra::AccessControls::AccessRight::VISIBILITY_TEXT_VALUE_PUBLIC) }
+
+  context "when signed in" do
+    before { sign_in user }
+
+    describe "#create" do
+      before do
+        GenericFile.destroy_all
+      end
+
+      context "on the happy path" do
+        let(:date_today) { DateTime.now }
+
+        before do
+          allow(DateTime).to receive(:now).and_return(date_today)
+        end
+
+        it "spawns a CharacterizeJob" do
+          s2 = double('one')
+          expect(CharacterizeJob).to receive(:new).and_return(s2)
+          expect(CurationConcerns.queue).to receive(:push).with(s2).once
+          expect {
+            xhr :post, :create, files: [file], parent_id: parent,
+              generic_file: { "title"=>["test title"],
+                              visibility: "restricted"}
+            expect(response).to be_success
+          }.to change { GenericFile.count }.by(1)
+          expect(flash[:error]).to be_nil
+          saved_file = assigns[:generic_file].reload
+
+          expect(saved_file.title).to eq ['test title']
+          expect(saved_file.label).to eq 'image.png'
+          expect(parent.reload.generic_files).to include saved_file
+          # Confirming that date_uploaded and date_modified were set
+          expect(saved_file.date_uploaded).to eq date_today.utc
+          expect(saved_file.date_modified).to eq date_today.utc
+          expect(saved_file.depositor).to eq user.email
+
+          expect(saved_file.original_file.versions.count).to eq(3)
+          expect(saved_file.original_file.versions.last).to be_instance_of(ActiveFedora::VersionsGraph::ResourceVersion)
+
+          # Confirm that embargo/lease are not set.
+          expect(saved_file).to_not be_under_embargo
+          expect(saved_file).to_not be_active_lease
+          expect(saved_file.visibility).to eq 'restricted'
+        end
+
+        it "copies visibility from the parent" do
+          s2 = double('one')
+          expect(CharacterizeJob).to receive(:new).and_return(s2)
+          allow(CurationConcerns.queue).to receive(:push).with(s2).once
+          xhr :post, :create, files: [file], parent_id: parent
+          expect(assigns[:generic_file]).to be_persisted
+          saved_file = assigns[:generic_file].reload
+          expect(saved_file.visibility).to eq Hydra::AccessControls::AccessRight::VISIBILITY_TEXT_VALUE_PUBLIC
+        end
+      end
+
+      context "on something that isn't a file" do
+        it "should render error" do
+          xhr :post, :create, files: ['hello'], parent_id: parent,
+               permission: { group: { 'public' => 'read' } }, terms_of_service: '1'
+          expect(response.status).to eq 422
+          err = JSON.parse(response.body).first['error']
+          expect(err).to match(/no file for upload/i)
+        end
+      end
+
+      context "when the file has a virus" do
+        it "displays a flash error" do
+          skip "pending hydra-works#89"
+          expect(CurationConcerns::GenericFileActor).to receive(:virus_check).with(file.path).and_raise(CurationConcerns::VirusFoundError.new('A virus was found'))
+          xhr :post, :create, files: [file], parent_id: parent,
+               permission: { group: { 'public' => 'read' } }, terms_of_service: '1'
+          expect(flash[:error]).to include('A virus was found')
+        end
+      end
+
+      context "when solr is down" do
+        it "should error out of create and save after on continuos rsolr error" do
+          allow_any_instance_of(GenericFile).to receive(:save).and_raise(RSolr::Error::Http.new({},{}))
+
+          xhr :post, :create, files: [file], parent_id: parent,
+               permission: { group: { 'public' => 'read' } }, terms_of_service: '1'
+          expect(response.body).to include("Error occurred while creating generic file.")
+        end
+      end
+
+    end
+
+    describe "destroy" do
+      let(:generic_file) do
+        generic_file = GenericFile.new.tap do |gf|
+          gf.apply_depositor_metadata(user)
+          gf.save!
+        end
+        parent.generic_files << generic_file
+        generic_file
+      end
+
+      it "should delete the file" do
+        expect(GenericFile.find(generic_file.id)).to be_kind_of GenericFile
+        delete :destroy, id: generic_file
+        expect { GenericFile.find(generic_file.id) }.to raise_error Ldp::Gone
+        expect(response).to redirect_to main_app.curation_concerns_generic_work_path(parent)
+      end
+    end
+
+    describe "update" do
+      let!(:generic_file) do
+        generic_file = GenericFile.new.tap do |gf|
+          gf.apply_depositor_metadata(user)
+          gf.visibility = Hydra::AccessControls::AccessRight::VISIBILITY_TEXT_VALUE_PRIVATE
+          gf.save!
+        end
+        parent.generic_files << generic_file
+        generic_file
+      end
+
+      after do
+        generic_file.destroy
+      end
+
+      context "updating metadata" do
+        it "should be successful and update attributes" do
+          post :update, id: generic_file, generic_file:
+            {title: ['new_title'], tag: [''], permissions_attributes: [{ type: 'person', name: 'archivist1', access: 'edit'}]}
+          expect(response).to redirect_to main_app.curation_concerns_generic_file_path(generic_file)
+          expect(assigns[:generic_file].title).to eq(['new_title'])
+        end
+
+        it "should go back to edit on an error" do
+          allow_any_instance_of(GenericFile).to receive(:valid?).and_return(false)
+          post :update, id: generic_file, generic_file:
+            {title: ['new_title'], tag: [''], permissions_attributes: [{ type: 'person', name: 'archivist1', access: 'edit'}]}
+          expect(response).to be_successful
+          expect(response).to render_template('edit')
+          expect(assigns[:generic_file]).to eq generic_file
+        end
+
+        it "should add a new groups and users" do
+          post :update, id: generic_file, generic_file:
+            { title: ['new_title'], tag: [''], permissions_attributes: [{ type: 'group', name: 'group1', access: 'read'}, { type: 'person', name: 'user1', access: 'edit'}]}
+
+          expect(assigns[:generic_file].read_groups).to eq ["group1"]
+          expect(assigns[:generic_file].edit_users).to include("user1")
+        end
+
+        it "should update existing groups and users" do
+          generic_file.read_groups = ['group3']
+          generic_file.save! # TODO slow , more than one save.
+          post :update, id: generic_file, generic_file:
+            { title: ['new_title'], tag: [''], permissions_attributes:[{ type: 'group', name: 'group3', access: 'edit'}] }
+          expect(assigns[:generic_file].edit_groups).to eq ["group3"]
+        end
+
+        context "updating visibility" do
+          it "should apply public" do
+            new_visibility = Hydra::AccessControls::AccessRight::VISIBILITY_TEXT_VALUE_PUBLIC
+            post :update, id: generic_file, generic_file: {visibility: new_visibility, embargo_release_date:""}
+            expect(generic_file.reload.visibility).to eq new_visibility
+          end
+
+          it "should apply embargo" do
+            post :update, id: generic_file, generic_file: {
+              visibility: 'embargo',
+              visibility_during_embargo: "restricted",
+              embargo_release_date: "2099-09-05",
+              visibility_after_embargo: "open",
+              visibility_during_lease: "open",
+              lease_expiration_date: "2099-09-05",
+              visibility_after_lease: "restricted"
+            }
+            generic_file.reload
+            expect(generic_file).to be_under_embargo
+            expect(generic_file).to_not be_active_lease
+          end
+        end
+      end
+
+      context "updating file content" do
+        it "should be successful" do
+          s2 = double('one')
+          expect(CharacterizeJob).to receive(:new).with(generic_file.id).and_return(s2)
+          expect(CurationConcerns.queue).to receive(:push).with(s2).once
+          post :update, id: generic_file, files: [file]
+          expect(response).to redirect_to main_app.curation_concerns_generic_file_path(generic_file)
+          skip "pending hydra-works#89"
+          expect(generic_file.reload.label).to eq 'image.png'
+        end
+      end
+
+      context "restoring an old version" do
+        before do
+          allow(CurationConcerns.queue).to receive(:push) # don't run characterization jobs
+          # Create version 1
+          Hydra::Works::AddFileToGenericFile.call(generic_file, File.open(fixture_file_path('small_file.txt')), :original_file)
+          # Create version 2
+          Hydra::Works::AddFileToGenericFile.call(generic_file, File.open(fixture_file_path('curation_concerns_generic_stub.txt')), :original_file)
+        end
+
+        it "should be successful" do
+          expect(generic_file.latest_content_version.label).to eq('version2')
+          expect(generic_file.original_file.content).to eq("This is a test fixture for curation_concerns: <%= @id %>.\n")
+          post :update, id: generic_file, revision: 'version1'
+          expect(response).to redirect_to main_app.curation_concerns_generic_file_path(generic_file)
+          reloaded = generic_file.reload.original_file
+          expect(reloaded.versions.last.label).to eq 'version3'
+          expect(reloaded.content).to eq "small\n"
+          expect(reloaded.mime_type).to eq 'text/plain'
+        end
+      end
+    end
+  end
+
+  context "someone elses files" do
+    let(:generic_file) do
+      generic_file = GenericFile.new.tap do |gf|
+        gf.apply_depositor_metadata('archivist1@example.com')
+        gf.read_groups = ['public']
+        gf.save!
+      end
+      parent.generic_files << generic_file
+      generic_file
+    end
+    after do
+      # GenericFile.find('curation_concerns:5').destroy
+    end
+    describe "edit" do
+      it "should give me a flash error" do
+        get :edit, id: generic_file
+        expect(response).to fail_redirect_and_flash(main_app.curation_concerns_generic_file_path(generic_file), 'You are not authorized to access this page.')
+      end
+    end
+    describe "view" do
+      it "should show me the file" do
+        get :show, id: generic_file
+        expect(response).to be_success
+      end
+    end
+    it "should not let the user submit if they logout" do
+      get :new, parent_id: parent
+      expect(response).to fail_redirect_and_flash(main_app.new_user_session_path, 'You are not authorized to access this page.')
+    end
+  end
+end

data/spec/controllers/curation_concerns/generic_works_controller_spec.rb

@@ -0,0 +1,167 @@
+require 'spec_helper'
+
+describe CurationConcerns::GenericWorksController do
+  let(:public_work_factory_name) { :public_generic_work }
+  let(:private_work_factory_name) { :work }
+
+  let(:user) { FactoryGirl.create(:user) }
+  before { sign_in user }
+
+  describe "#show" do
+    context "my own private work" do
+      let(:a_work) { FactoryGirl.create(private_work_factory_name, user: user) }
+      it "should show me the page" do
+        get :show, id: a_work
+        expect(response).to be_success
+      end
+    end
+
+    context "someone elses private work" do
+      let(:a_work) { FactoryGirl.create(private_work_factory_name) }
+      it "should redirect and show unauthorized message" do
+        get :show, id: a_work
+        expect(response).to fail_redirect_and_flash(main_app.root_path, 'You are not authorized to access this page.')
+      end
+    end
+
+    context "someone elses public work" do
+      let(:a_work) { FactoryGirl.create(public_work_factory_name) }
+      it "should show me the page" do
+        get :show, id: a_work
+        expect(response).to be_success
+      end
+    end
+
+    context "when I am a repository manager" do
+      before { allow_any_instance_of(User).to receive(:groups).and_return(['admin']) }
+      let(:a_work) { FactoryGirl.create(private_work_factory_name) }
+      it "someone elses private work should show me the page" do
+        get :show, id: a_work
+        expect(response).to be_success
+      end
+    end
+  end
+
+  describe "#new" do
+    context "my work" do
+      it "should show me the page" do
+        get :new
+        expect(response).to be_success
+      end
+    end
+  end
+
+  describe "#create" do
+    it "should create a work" do
+      expect {
+        post :create, generic_work: { title: ["a title"] }
+      }.to change { GenericWork.count }.by(1)
+      expect(response).to redirect_to main_app.curation_concerns_generic_work_path(assigns[:curation_concern])
+    end
+  end
+
+  describe "#edit" do
+    context "my own private work" do
+      let(:a_work) { FactoryGirl.create(private_work_factory_name, user: user) }
+      it "should show me the page" do
+        get :edit, id: a_work
+        expect(response).to be_success
+      end
+    end
+
+    context "someone elses private work" do
+      routes { Rails.application.class.routes }
+      let(:a_work) { FactoryGirl.create(private_work_factory_name) }
+      it "should redirect and show unauthorized message" do
+        get :edit, id: a_work
+        expect(response).to fail_redirect_and_flash(main_app.curation_concerns_generic_work_path(assigns[:curation_concern]), 'You are not authorized to access this page.')
+      end
+    end
+
+    context "someone elses public work" do
+      let(:a_work) { FactoryGirl.create(public_work_factory_name) }
+      it "should show me the page" do
+        get :edit, id: a_work
+        expect(response).to fail_redirect_and_flash(main_app.curation_concerns_generic_work_path(assigns[:curation_concern]), 'You are not authorized to access this page.')
+      end
+    end
+
+    context "when I am a repository manager" do
+      before { allow_any_instance_of(User).to receive(:groups).and_return(['admin']) }
+      let(:a_work) { FactoryGirl.create(private_work_factory_name) }
+      it "someone elses private work should show me the page" do
+        get :edit, id: a_work
+        expect(response).to be_success
+      end
+    end
+  end
+
+  describe "#update" do
+    let(:a_work) { FactoryGirl.create(private_work_factory_name, user: user) }
+
+    it "should update the work " do
+      patch :update, id: a_work, generic_work: {  }
+      expect(response).to redirect_to main_app.curation_concerns_generic_work_path(a_work)
+    end
+
+    describe "changing rights" do
+      it "should prompt to change the files access" do
+        allow(controller).to receive(:actor).and_return(double(update: true, visibility_changed?: true))
+        patch :update, id: a_work
+        expect(response).to redirect_to main_app.confirm_curation_concerns_permission_path(controller.curation_concern)
+      end
+    end
+
+    describe "failure" do
+      it "renders the form" do
+        allow(controller).to receive(:actor).and_return(double(update: false, visibility_changed?: false))
+        patch :update, id: a_work
+        expect(response).to render_template('edit')
+      end
+    end
+
+    context "someone elses public work" do
+      let(:a_work) { FactoryGirl.create(public_work_factory_name) }
+      it "should redirect and show unauthorized message" do
+        get :update, id: a_work
+        expect(response).to fail_redirect_and_flash(main_app.root_path, 'You are not authorized to access this page.')
+      end
+    end
+
+    context "when I am a repository manager" do
+      before { allow_any_instance_of(User).to receive(:groups).and_return(['admin']) }
+      let(:a_work) { FactoryGirl.create(private_work_factory_name) }
+      it "someone elses private work should update the work" do
+        patch :update, id: a_work, generic_work: {  }
+        expect(response).to redirect_to main_app.curation_concerns_generic_work_path(a_work)
+      end
+    end
+  end
+
+  describe "#destroy" do
+    let(:work_to_be_deleted) { FactoryGirl.create(private_work_factory_name, user: user) }
+
+    it "should delete the work" do
+      delete :destroy, id: work_to_be_deleted
+      expect(response).to redirect_to main_app.catalog_index_path()
+      expect { GenericWork.find(work_to_be_deleted.id) }.to raise_error
+    end
+
+    context "someone elses public work" do
+      let(:work_to_be_deleted) { FactoryGirl.create(private_work_factory_name) }
+      it "should redirect and show unauthorized message" do
+        delete :destroy, id: work_to_be_deleted
+        expect(response).to fail_redirect_and_flash(main_app.root_path, 'You are not authorized to access this page.')
+      end
+    end
+
+    context "when I am a repository manager" do
+      let(:work_to_be_deleted) { FactoryGirl.create(private_work_factory_name) }
+      before { allow_any_instance_of(User).to receive(:groups).and_return(['admin']) }
+      it "someone elses private work should delete the work" do
+        delete :destroy, id: work_to_be_deleted
+        expect { GenericWork.find(work_to_be_deleted.id) }.to raise_error
+      end
+    end
+  end
+end

data/spec/controllers/curation_concerns/permissions_controller_spec.rb

@@ -0,0 +1,29 @@
+require 'spec_helper'
+
+describe CurationConcerns::PermissionsController do
+  let(:user) { FactoryGirl.create(:user) }
+  before { sign_in user }
+
+  describe "#confirm" do
+    let(:generic_work) { FactoryGirl.create(:generic_work, user: user) }
+
+    it "should draw the page" do
+      get :confirm, id: generic_work
+      expect(response).to be_success
+    end
+  end
+
+  describe "#copy" do
+    let(:generic_work) { FactoryGirl.create(:generic_work, user: user) }
+    let(:worker) { double }
+
+    it "should add a worker to the queue" do
+      expect(VisibilityCopyWorker).to receive(:new).with(generic_work.id).and_return(worker)
+      expect(CurationConcerns.queue).to receive(:push).with(worker)
+      post :copy, id: generic_work
+      expect(response).to redirect_to main_app.curation_concerns_generic_work_path(generic_work)
+      expect(flash[:notice]).to eq 'Updating file permissions. This may take a few minutes. You may want to refresh your browser or return to this record later to see the updated file permissions.'
+    end
+  end
+
+end

data/spec/controllers/downloads_controller_spec.rb

@@ -0,0 +1,51 @@
+require 'spec_helper'
+
+describe DownloadsController do
+  describe '#show' do
+    let(:user) { FactoryGirl.create(:user) }
+    let(:another_user) { FactoryGirl.create(:user) }
+    let(:generic_file) {
+      FactoryGirl.create(:file_with_work, user: user, content: File.open(fixture_file_path('files/image.png')))
+    }
+
+    it "raise not_found if the object does not exist" do
+      get :show, id: '8675309'
+      expect(response).to be_not_found
+    end
+
+    context "when user doesn't have access" do
+      before do
+        # generic_file
+        sign_in another_user
+      end
+      it "redirects to root" do
+        get :show, id: generic_file.to_param
+        expect(response).to redirect_to root_path
+        expect(flash["alert"]).to eq "You are not authorized to access this page."
+      end
+    end
+
+    context "when user isn't logged in" do
+      # before { generic_file }
+      it "redirects to sign in" do
+        get :show, id: generic_file.to_param
+        expect(response).to redirect_to new_user_session_path
+        expect(flash["alert"]).to eq "You are not authorized to access this page."
+      end
+    end
+
+    it 'sends the file if the user has access' do
+      # generic_file
+      sign_in user
+      get :show, id: generic_file.to_param
+      expect(response.body).to eq generic_file.original_file.content
+    end
+
+    it 'sends requested file content' do
+      Hydra::Works::AddFileToGenericFile.call(generic_file, File.open(fixture_file_path('world.png')), :thumbnail)
+      sign_in user
+      get :show, id: generic_file.to_param, file: 'thumbnail'
+      expect(response.body).to eq generic_file.thumbnail.content
+    end
+  end
+end