g5_authenticatable 0.4.2 → 0.5.0

data/spec/features/default_role_authorization_spec.rb

@@ -0,0 +1,254 @@
+require 'spec_helper'
+
+describe 'Default role-based authorization UI' do
+  describe 'Posts index' do
+    let(:visit_posts_index) { visit_path_and_login_with(posts_path, user) }
+
+    let!(:post) { FactoryGirl.create(:post, author: user) }
+    let!(:other_post) { FactoryGirl.create(:post) }
+
+    before { visit_posts_index }
+
+    context 'when authenticated user is a super admin' do
+      let(:user) { FactoryGirl.create(:g5_authenticatable_super_admin) }
+
+      it 'renders the posts index page' do
+        expect(current_path).to eq(posts_path)
+      end
+
+      it 'shows the first post' do
+        expect(page).to have_content(post.content)
+      end
+
+      it 'shows the second post' do
+        expect(page).to have_content(other_post.content)
+      end
+    end
+
+    context 'when authenticated user is not a super admin' do
+      let(:user) { FactoryGirl.create(:g5_authenticatable_user) }
+
+      it 'displays an error message' do
+        expect(page).to have_content(/forbidden/i)
+      end
+
+      it 'does not show the first post' do
+        expect(page).to_not have_content(post.content)
+      end
+
+      it 'does not show the second post' do
+        expect(page).to_not have_content(other_post.content)
+      end
+    end
+  end
+
+  describe 'Show post' do
+    let(:show_post) { visit_path_and_login_with(post_path(post.id), user) }
+
+    let!(:post) { FactoryGirl.create(:post, author: user) }
+
+    before { show_post }
+
+    context 'when authenticated user is a super_admin' do
+      let(:user) { FactoryGirl.create(:g5_authenticatable_super_admin) }
+
+      it 'renders the show post page' do
+        expect(current_path).to eq(post_path(post.id))
+      end
+
+      it 'shows the post content' do
+        expect(page).to have_content(post.content)
+      end
+    end
+
+    context 'when authenticated user is not a super_admin' do
+      let(:user) { FactoryGirl.create(:g5_authenticatable_user) }
+
+      it 'displays an error message' do
+        expect(page).to have_content(/forbidden/i)
+      end
+
+      it 'does not show the post content' do
+        expect(page).to_not have_content(post.content)
+      end
+    end
+  end
+
+  describe 'New post' do
+    let(:visit_new_post) { visit_path_and_login_with(new_post_path, user) }
+
+    before { visit_new_post }
+
+    context 'when authenticated user is a super admin' do
+      let(:user) { FactoryGirl.create(:g5_authenticatable_super_admin) }
+
+      it 'renders the new post page' do
+        expect(current_path).to eq(new_post_path)
+      end
+
+      it 'renders a form that accepts post content' do
+        expect(page).to have_field('Content')
+      end
+    end
+
+    context 'when authenticated user is not a super admin' do
+      let(:user) { FactoryGirl.create(:g5_authenticatable_user) }
+
+      it 'displays an error message' do
+        expect(page).to have_content(/forbidden/i)
+      end
+
+      it 'does not render a form that accepts post content' do
+        expect(page).to_not have_field('Content')
+      end
+    end
+  end
+
+  describe 'Create post' do
+    subject(:create_post) { click_button 'Create Post' }
+
+    before do
+      visit_path_and_login_with(new_post_path, user)
+      fill_in 'Content', with: post.content
+    end
+
+    let(:post) { FactoryGirl.build(:post, author: user) }
+    let(:user) { FactoryGirl.create(:g5_authenticatable_super_admin) }
+
+    context 'when authenticated user is a super admin' do
+      it 'renders the flash message' do
+        create_post
+        expect(page).to have_content('Post was successfully created.')
+      end
+
+      it 'renders the post content' do
+        create_post
+        expect(page).to have_content(post.content)
+      end
+
+      it 'creates a post in the db' do
+        expect { create_post }.to change { Post.count }.by(1)
+      end
+    end
+
+    context 'when authenticated user is not a super admin on form submission' do
+      before do
+        user.roles.clear
+      end
+
+      it 'displays an error message' do
+        create_post
+        expect(page).to have_content(/forbidden/i)
+      end
+
+      it 'does not create a post' do
+        expect { create_post }.to_not change { Post.count }
+      end
+    end
+  end
+
+  describe 'Edit post' do
+    subject(:edit_post) { visit_path_and_login_with(edit_post_path(post.id), user) }
+    before { edit_post }
+
+    let(:post) { FactoryGirl.create(:post, author: user) }
+
+    context 'when authenticated user is a super admin' do
+      let(:user) { FactoryGirl.create(:g5_authenticatable_super_admin) }
+
+      it 'renders the edit post page' do
+        expect(current_path).to eq(edit_post_path(post.id))
+      end
+
+      it 'renders a form that accepts post content' do
+        expect(page).to have_field('Content', with: post.content)
+      end
+    end
+
+    context 'when authenticated user is not a super admin' do
+      let(:user) { FactoryGirl.create(:g5_authenticatable_user) }
+
+      it 'displays an error message' do
+        expect(page).to have_content(/forbidden/i)
+      end
+
+      it 'does not render a form that accepts post content' do
+        expect(page).to_not have_field('Content')
+      end
+    end
+  end
+
+  describe 'Update post' do
+    subject(:update_post) { click_button 'Update Post' }
+
+    before do
+      visit_path_and_login_with(edit_post_path(post.id), user)
+      fill_in 'Content', with: new_content
+    end
+
+    let(:post) { FactoryGirl.create(:post, author: user) }
+    let(:user) { FactoryGirl.create(:g5_authenticatable_super_admin) }
+    let(:new_content) { 'My updated post content' }
+
+    context 'when authenticated user is a super admin' do
+      it 'renders the flash message' do
+        update_post
+        expect(page).to have_content('Post was successfully updated.')
+      end
+
+      it 'renders the post content' do
+        update_post
+        expect(page).to have_content(new_content)
+      end
+    end
+
+    context 'when authenticated user is not a super admin on form submission' do
+      before do
+        user.roles.clear
+      end
+
+      it 'displays an error message' do
+        update_post
+        expect(page).to have_content(/forbidden/i)
+      end
+
+      it 'does not update post content' do
+        update_post
+        expect(page).to_not have_content(new_content)
+      end
+    end
+  end
+
+  describe 'Delete post' do
+    subject(:delete_post) { click_link 'Destroy' }
+
+    let!(:post) { FactoryGirl.create(:post, author: user) } 
+    let(:user) { FactoryGirl.create(:g5_authenticatable_super_admin) }
+
+    before { visit_path_and_login_with(posts_path, user) }
+
+    context 'when authenticated user is a super admin' do
+      it 'renders the flash message' do
+        delete_post
+        expect(page).to have_content('Post was successfully destroyed.')
+      end
+
+      it 'deletes the post' do
+        expect { delete_post }.to change { Post.count }.by(-1)
+      end
+    end
+
+    context 'when authenticated user is not a super admin' do
+      before { user.roles.clear }
+
+      it 'displays an error message' do
+        delete_post
+        expect(page).to have_content(/forbidden/i)
+      end
+
+      it 'does not delete the post' do
+        expect { delete_post }.to_not change { Post.count }
+      end
+    end
+  end
+end

data/spec/features/sign_in_spec.rb

@@ -10,31 +10,127 @@ describe 'Signing in' do
 
     context 'when user exists locally' do
       before do
-        stub_g5_omniauth(user)
-        login
+        OmniAuth.config.mock_auth[:g5] = OmniAuth::AuthHash.new({
+          uid: user.uid,
+          provider: user.provider,
+          info: {
+            email: user.email,
+            name: "#{updated_first_name} #{updated_last_name}",
+            first_name: updated_first_name,
+            last_name: updated_last_name,
+            phone: updated_phone_number
+          },
+          credentials: {
+            token: updated_access_token,
+            expires: true,
+            expires_at: Time.now + 1000
+          },
+          extra: {
+            title: updated_title,
+            organization_name: updated_organization_name,
+            roles: [{name: updated_role.name}],
+            raw_info: {}
+          }
+        })
       end
 
+      let(:updated_first_name) { "Updated #{user.first_name}" }
+      let(:updated_last_name) { "Updated #{user.last_name}" }
+      let(:updated_phone_number) { "#{user.phone_number} x1234" }
+      let(:updated_title) { "Updated #{user.title}" }
+      let(:updated_organization_name) { "Updated #{user.organization_name}" }
+      let(:updated_access_token) { "updated-#{user.g5_access_token}-123" }
+      let(:updated_role) { FactoryGirl.create(:g5_authenticatable_super_admin_role) }
+
       it 'should sign in the user successfully' do
+        login
         expect(page).to have_content('Signed in successfully.')
       end
 
       it 'should redirect the user to the root path' do
+        login
         expect(current_path).to eq(root_path)
       end
+
+      it 'should not create a new user' do
+        expect { login }.to_not change { G5Authenticatable::User.count }
+      end
+
+      it 'should not update the user email' do
+        login
+        expect(page).to have_content(user.email)
+      end
+
+      it 'should update the first name' do
+        login
+        expect(page).to have_content(updated_first_name)
+      end
+
+      it 'should update the last name' do
+        login
+        expect(page).to have_content(updated_last_name)
+      end
+
+      it 'should update the phone number' do
+        login
+        expect(page).to have_content(updated_phone_number)
+      end
+
+      it 'should update the title' do
+        login
+        expect(page).to have_content(updated_title)
+      end
+
+      it 'should update the organization name' do
+        login
+        expect(page).to have_content(updated_organization_name)
+      end
+
+      it 'should update the access token' do
+        login
+        expect(page).to have_content(updated_access_token)
+      end
+
+      it 'should assign the updated role' do
+        login
+        expect(page).to have_content(updated_role.name)
+      end
+
+      it 'should unassign the previous role' do
+        old_role = user.roles.first
+        login
+        expect(page).to_not have_content(old_role.name)
+      end
     end
 
     context 'when user does not exist locally' do
       before do
         OmniAuth.config.mock_auth[:g5] = OmniAuth::AuthHash.new({
-          uid: uid,
-          provider: 'g5',
-          info: {email: 'new.test.user@test.host'},
-          credentials: {token: g5_access_token}
+          uid: user_attributes[:uid],
+          provider: user_attributes[:provider],
+          info: {
+            email: user_attributes[:email],
+            name: "#{user_attributes[:first_name]} #{user_attributes[:last_name]}",
+            first_name: user_attributes[:first_name],
+            last_name: user_attributes[:last_name],
+            phone: user_attributes[:phone_number]
+          },
+          credentials: {
+            token: user_attributes[:g5_access_token],
+            expires: true,
+            expires_at: Time.now + 1000
+          },
+          extra: {
+            title: user_attributes[:title],
+            organization_name: user_attributes[:organization_name],
+            roles: [{name: role_attributes[:name]}],
+            raw_info: {}
+          }
         })
       end
 
-      let(:uid) { 42 }
-      let(:g5_access_token) { 'my secret token string' }
+      let(:user_attributes) { FactoryGirl.attributes_for(:g5_authenticatable_user) }
+      let(:role_attributes) { FactoryGirl.attributes_for(:g5_authenticatable_editor_role) }
 
       it 'should sign in the user successfully' do
         login
@@ -49,6 +145,46 @@ describe 'Signing in' do
       it 'should create the user locally' do
         expect { login }.to change { G5Authenticatable::User.count }.by(1)
       end
+
+      it 'should save the user email' do
+        login
+        expect(page).to have_content(user_attributes[:email])
+      end
+
+      it 'should save the user first_name' do
+        login
+        expect(page).to have_content(user_attributes[:first_name])
+      end
+
+      it 'should save the user last_name' do
+        login
+        expect(page).to have_content(user_attributes[:last_name])
+      end
+
+      it 'should save the user phone_number' do
+        login
+        expect(page).to have_content(user_attributes[:phone_number])
+      end
+
+      it 'should save the user token' do
+        login
+        expect(page).to have_content(user_attributes[:g5_access_token])
+      end
+
+      it 'should save the user title' do
+        login
+        expect(page).to have_content(user_attributes[:title])
+      end
+
+      it 'should save the user organization_name' do
+        login
+        expect(page).to have_content(user_attributes[:organization_name])
+      end
+
+      it 'should save the user role' do
+        login
+        expect(page).to have_content(role_attributes[:name])
+      end
     end
   end
 

data/spec/lib/generators/g5_authenticatable/install_generator_spec.rb

@@ -12,10 +12,11 @@ describe G5Authenticatable::InstallGenerator, type: :generator do
   before do
     prepare_destination
     setup_routes
+    setup_application_controller
     run_generator
   end
 
-  it 'should copy the migration' do
+  it 'should copy the create user migration' do
     expect(destination_root).to have_structure {
       directory 'db' do
         directory 'migrate' do
@@ -27,6 +28,30 @@ describe G5Authenticatable::InstallGenerator, type: :generator do
     }
   end
 
+  it 'should copy the migration to add user contact info' do
+    expect(destination_root).to have_structure {
+      directory 'db' do
+        directory 'migrate' do
+          migration 'add_g5_authenticatable_users_contact_info' do
+            contains 'class AddG5AuthenticatableUsersContactInfo < ActiveRecord::Migration'
+          end
+        end
+      end
+    }
+  end
+
+  it 'should copy the migration to add user roles' do
+    expect(destination_root).to have_structure {
+      directory 'db' do
+        directory 'migrate' do
+          migration 'create_g5_authenticatable_roles' do
+            contains 'class CreateG5AuthenticatableRoles < ActiveRecord::Migration'
+          end
+        end
+      end
+    }
+  end
+
   it 'should copy the initializer' do
     expect(destination_root).to have_structure {
       directory 'config' do
@@ -49,6 +74,40 @@ describe G5Authenticatable::InstallGenerator, type: :generator do
     }
   end
 
+  it 'should include authorization in the application controller' do
+    expect(destination_root).to have_structure {
+      directory 'app' do
+        directory 'controllers' do
+          file 'application_controller.rb' do
+            contains 'include G5Authenticatable::Authorization'
+          end
+        end
+      end
+    }
+  end
+
+  it 'should create the default application policy' do
+    expect(destination_root).to have_structure {
+      directory 'app' do
+        directory 'policies' do
+          file 'application_policy.rb' do
+            contains 'class ApplicationPolicy < G5Authenticatable::BasePolicy'
+          end
+        end
+      end
+    }
+  end
+
+  it 'should copy the static 403 error page' do
+    expect(destination_root).to have_structure {
+      directory 'public' do
+        file '403.html' do
+          contains 'Access forbidden'
+        end
+      end
+    }
+  end
+
   def setup_routes
     routes = <<-END
       Rails.application.routes.draw do
@@ -64,4 +123,16 @@ describe G5Authenticatable::InstallGenerator, type: :generator do
     FileUtils.mkdir_p(config_dir)
     File.write(File.join(config_dir, 'routes.rb'), routes)
   end
+
+  def setup_application_controller
+    controller = <<-END
+      class ApplicationController < ActionController::Base
+        protect_from_forgery
+      end
+    END
+    controllers_dir = File.join(destination_root, 'app', 'controllers')
+
+    FileUtils.mkdir_p(controllers_dir)
+    File.write(File.join(controllers_dir, 'application_controller.rb'), controller)
+  end
 end

data/spec/models/g5_authenticatable/role_spec.rb

@@ -0,0 +1,81 @@
+require 'spec_helper'
+
+describe G5Authenticatable::Role do
+  subject { role }
+  let(:role) { G5Authenticatable::Role.new(role_attributes) }
+  let(:role_attributes) { FactoryGirl.attributes_for(:g5_authenticatable_role) }
+
+  it { is_expected.to have_and_belong_to_many(:users) }
+  it { is_expected.to belong_to(:resource) }
+
+  it 'should expose the name attribute' do
+    expect(role.name).to eq(role_attributes[:name])
+  end
+
+  describe '.global' do
+    subject(:global) { G5Authenticatable::Role.global }
+    let!(:global_role) { user.roles.first }
+    let(:user) { FactoryGirl.create(:g5_authenticatable_user) }
+
+    let!(:scoped_role) do
+      FactoryGirl.create(:g5_authenticatable_role,
+                         resource: user)
+    end
+
+    it 'should match one role' do
+      expect(global.count).to eq(1)
+    end
+
+    it 'should only match the unscoped role' do
+      expect(global.first).to eq(global_role)
+    end
+  end
+
+  describe '.class_scoped' do
+    subject(:class_scoped) { G5Authenticatable::Role.class_scoped(G5Authenticatable::User) }
+    let!(:global_role) { FactoryGirl.create(:g5_authenticatable_role) }
+    let!(:class_scoped_role) do
+      FactoryGirl.create(:g5_authenticatable_role,
+                         resource_type: 'G5Authenticatable::User')
+    end
+    let!(:instance_scoped_role) do
+      FactoryGirl.create(:g5_authenticatable_role, resource: user)
+    end
+    let(:user) { FactoryGirl.create(:g5_authenticatable_user) }
+
+    it 'should match one role' do
+      expect(class_scoped.count).to eq(1)
+    end
+
+    it 'should only match the class scoped role' do
+      expect(class_scoped.first).to eq(class_scoped_role)
+    end
+  end
+
+  describe '.instance_scoped' do
+    subject(:instance_scoped) { G5Authenticatable::Role.instance_scoped(user) }
+    let!(:global_role) { FactoryGirl.create(:g5_authenticatable_role) }
+    let!(:class_scoped_role) do
+      FactoryGirl.create(:g5_authenticatable_role,
+                         resource_type: 'G5Authenticatable::User')
+    end
+
+    let!(:user_scoped_role) do
+      FactoryGirl.create(:g5_authenticatable_role, resource: user)
+    end
+    let(:user) { FactoryGirl.create(:g5_authenticatable_user) }
+
+    let!(:other_user_scoped_role) do
+      FactoryGirl.create(:g5_authenticatable_role, resource: other_user)
+    end
+    let(:other_user) { FactoryGirl.create(:g5_authenticatable_user) }
+
+    it 'should match one role' do
+      expect(instance_scoped.count).to eq(1)
+    end
+
+    it 'should only match the role scoped to this user instance' do
+      expect(instance_scoped.first).to eq(user_scoped_role)
+    end
+  end
+end