From 0b3c8257534677bb13b06beb6719a48fa6fc31dc Mon Sep 17 00:00:00 2001
From: Ryan Eddy <44847768+RyanEddyIC@users.noreply.github.com>
Date: Tue, 29 Oct 2024 13:36:56 -0400
Subject: [PATCH] add auth to orphans controller show action (#2817)
Co-authored-by: Sri Harsha
---
 app/controllers/users/orphans_controller.rb | 1 +
 .../users/orphans_controller_spec.rb | 31 +++++++++++++++++++
 2 files changed, 32 insertions(+)
 create mode 100644 spec/controllers/users/orphans_controller_spec.rb
diff --git a/app/controllers/users/orphans_controller.rb b/app/controllers/users/orphans_controller.rb
index 1bb83c73219..c1644b00b96 100644
--- a/app/controllers/users/orphans_controller.rb
+++ b/app/controllers/users/orphans_controller.rb
@@ -8,6 +8,7 @@ def index
 end
 def show
+ authorize User, :staff_can_access_user_account_tab?
 end
 def destroy
diff --git a/spec/controllers/users/orphans_controller_spec.rb b/spec/controllers/users/orphans_controller_spec.rb
new file mode 100644
index 00000000000..42275706b86
--- /dev/null
+++ b/spec/controllers/users/orphans_controller_spec.rb
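Review bot: The new `authorize User, :staff_can_access_user_account_tab?` in `show` evaluates the policy against the `User` class rather than against the orphan record being shown, so it is a role-level gate only and cannot express any per-record rule; if that is intended, say so in place, e.g. `# class-level check: any staff holder of the account-tab permission may view any orphan user`. Only `show` gains the check in this hunk; `index` and `destroy` appear as context but their bodies lie outside the hunk, so I cannot tell whether they are guarded, and a controller-wide `before_action` (or, if this is Pundit's helper, `after_action :verify_authorized`) would make a missed action fail closed instead of silently open. The `show` body is otherwise empty, so this check is currently its only effect.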
@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe Users::OrphansController, dbclean: :after_each do
+ let(:admin_person) { FactoryBot.create(:person, :with_hbx_staff_role) }
+ let(:admin_user) {FactoryBot.create(:user, :with_hbx_staff_role, :person => admin_person)}
+ let(:admin_permission) { FactoryBot.create(:permission, :super_admin) }
+
+ let(:consumer_person) { FactoryBot.create(:person, :with_consumer_role, :with_family) }
+ let(:consumer_user) {FactoryBot.create(:user, :person => consumer_person)}
+
+ let(:orphan_user) { FactoryBot.create(:user) }
+
+ context "show" do
+ it "should respond successfully to users with correct permissions" do
+ admin_permission.update_attributes!(can_access_user_account_tab: true)
+ admin_person.hbx_staff_role.update_attributes(permission_id: admin_permission.id)
+
+ sign_in(admin_user)
+ get :show, params: { id: orphan_user.id}, xhr: true
+ expect(response).to have_http_status(:success)
+ end
+
+ it "should redirect users without permission" do
+ sign_in(consumer_user)
+ get :show, params: { id: orphan_user.id}, xhr: true
+ expect(response).to have_http_status(:forbidden)
+ end
+ end
+end
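Review bot: The second example is titled `it "should redirect users without permission"` but asserts `have_http_status(:forbidden)`, so the description and the expectation disagree; rename it to `it "should return forbidden to users without permission"` (or assert a redirect, if that is the controller's actual behaviour for an unauthorized XHR request). The spec exercises a permitted staff user and a consumer but never an unauthenticated request, which is the cheapest regression to add next to these two. Style: `let(:admin_user) {FactoryBot.create(...)}` and `let(:consumer_user) {FactoryBot.create(...)}` drop the spaces inside the braces and use `:person =>` rockets while the neighbouring `let`s use `{ ... }` and `key: value` hashes, and `{ id: orphan_user.id}` has the same imbalance.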