Fix Tenants access (#5314)

* Fix Tenants access * Add :with_super_admin traits in user factory
bigbluebutton · Jul 7, 2023 · eb07901 · eb07901
1 parent ed1d7e6
commit eb07901
Show file tree

Hide file tree

Showing 5 changed files with 21 additions and 2 deletions.
diff --git a/app/controllers/api/v1/admin/tenants_controller.rb b/app/controllers/api/v1/admin/tenants_controller.rb
@@ -21,7 +21,7 @@ module V1
     module Admin
       class TenantsController < ApiController
         before_action do
-          # TODO: - ahmad: Add role check
+          ensure_super_admin
         end
 
         # GET /api/v1/admin/tenants

diff --git a/app/controllers/concerns/authorizable.rb b/app/controllers/concerns/authorizable.rb
@@ -41,6 +41,10 @@ def ensure_authorized(permission_names, user_id: nil, friendly_id: nil, record_i
     ).call
   end
 
+  def ensure_super_admin
+    return render_error status: :forbidden unless current_user.super_admin?
+  end
+
   private
 
   # Ensures that requests to the API are explicit enough.

diff --git a/app/javascript/components/admin/tenants/Tenants.jsx b/app/javascript/components/admin/tenants/Tenants.jsx
@@ -16,6 +16,7 @@
 
 import React, { useState } from 'react';
 import Card from 'react-bootstrap/Card';
+import { Navigate } from 'react-router-dom';
 import {
   Button,
   Col, Container, Row, Stack, Tab,
@@ -29,10 +30,16 @@ import NoSearchResults from '../../shared_components/search/NoSearchResults';
 import TenantsTable from './TenantsTable';
 import Modal from '../../shared_components/modals/Modal';
 import CreateTenantForm from './forms/CreateTenantForm';
+import { useAuth } from '../../../contexts/auth/AuthProvider';
 
 export default function Tenants() {
   const { t } = useTranslation();
   const [page, setPage] = useState();
+  const currentUser = useAuth();
+
+  if (!currentUser.isSuperAdmin) {
+    return <Navigate to="/" />;
+  }
 
   const [searchInput, setSearchInput] = useState();
   const { data: tenants, isLoading } = useTenants({ search: searchInput, page });

diff --git a/spec/controllers/admin/tenants_controller_spec.rb b/spec/controllers/admin/tenants_controller_spec.rb
@@ -19,7 +19,7 @@
 require 'rails_helper'
 
 RSpec.describe Api::V1::Admin::TenantsController, type: :controller do
-  let(:user) { create(:user) }
+  let(:user) { create(:user, :with_super_admin) }
   let(:valid_tenant_params) do
     {
       name: 'new_provider',

diff --git a/spec/factories/user_factory.rb b/spec/factories/user_factory.rb
@@ -29,6 +29,14 @@
     language { %w[en fr es ar].sample }
     verified { true }
 
+    trait :with_super_admin do
+      after(:create) do |user|
+        user.provider = 'bn'
+        user.role = create(:role, :with_super_admin)
+        user.save
+      end
+    end
+
     trait :with_manage_users_permission do
       after(:create) do |user|
         create(:role_permission, role: user.role, permission: create(:permission, name: 'ManageUsers'), value: 'true')