fix translations authorization access (#2819)

* fix translations authorization access * fix rubocop
health-connector · Oct 29, 2024 · 8bdde0f · 8bdde0f
1 parent 33f722a
commit 8bdde0f
Show file tree

Hide file tree

Showing 3 changed files with 122 additions and 0 deletions.
diff --git a/app/controllers/translations_controller.rb b/app/controllers/translations_controller.rb
@@ -1,4 +1,5 @@
 class TranslationsController < ApplicationController
+  before_action :translations_authorized?
   before_action :set_translation, only: [:show, :edit, :update, :destroy]
 
   def index
@@ -55,6 +56,12 @@ def set_translation
     @translation = Translation.find(params[:id])
   end
 
+  def translations_authorized?
+    return if authorize HbxProfile, :can_view_or_change_translations?
+
+    redirect_to root_path, :flash => { :error => "Access not allowed" }
+  end
+
   def translation_params
     params.require(:translation).permit(:key, :value)
   end

diff --git a/app/policies/hbx_profile_policy.rb b/app/policies/hbx_profile_policy.rb
@@ -25,6 +25,10 @@ def can_submit_time_travel_request?
     role.permission.can_submit_time_travel_request
   end
 
+  def can_view_or_change_translations?
+    user_hbx_staff_role&.permission&.name == "super_admin"
+  end
+
   def send_broker_agency_message?
     role = user_hbx_staff_role
     return false unless role

diff --git a/spec/controllers/translations_controller_spec.rb b/spec/controllers/translations_controller_spec.rb
@@ -0,0 +1,111 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+RSpec.describe TranslationsController, :type => :controller do
+  let!(:super_admin_user) { FactoryBot.create(:user, :with_hbx_staff_role, person: super_admin_person) }
+  let!(:super_admin_permission) { FactoryBot.create(:permission, :super_admin) }
+  let!(:super_admin_person) { FactoryBot.create(:person) }
+  let!(:hbx_profile) { FactoryBot.create(:hbx_profile) }
+  let!(:hbx_super_admin_staff_role) do
+    HbxStaffRole.create!(person: super_admin_person, permission_id: super_admin_permission.id, subrole: super_admin_subrole, hbx_profile_id: hbx_profile.id)
+  end
+  let(:super_admin_subrole) { 'super_admin' }
+  let!(:test_translation) { FactoryBot.build(:translation, id: "1") }
+  let(:test_translation_id) { test_translation.id }
+  before :each do
+    sign_in(super_admin_user)
+    allow(Translation).to receive(:find).with("1").and_return(test_translation)
+  end
+  context "Permissions" do
+    context "#new" do
+      context "super admin" do
+        it "should be authorized" do
+          get :new
+          expect(response.status).to be(200)
+        end
+      end
+      context "non super admin user" do
+        before do
+          super_admin_permission.update_attributes!(name: "non_super_admin")
+        end
+        it "should not be authorized" do
+          get :new
+          expect(response).to_not eq(200)
+        end
+      end
+    end
+    context "#create" do
+      context "non super admin user" do
+        before do
+          super_admin_permission.update_attributes!(name: "non_super_admin")
+        end
+        it "should not be authorized" do
+          post :create, params: {translation: {key: "en.translation", value: "This is the translation."}}
+          expect(response).to_not eq(200)
+        end
+      end
+    end
+    context "#edit" do
+      context "super admin" do
+        it "should be authorized" do
+          get :edit, params: {id: test_translation.id}
+          expect(response.status).to be(200)
+        end
+      end
+      context "non super admin user" do
+        before do
+          super_admin_permission.update_attributes!(name: "non_super_admin")
+        end
+        it "should not be authorized" do
+          get :edit, params: {id: test_translation.id}
+          expect(response).to_not eq(200)
+        end
+      end
+    end
+    context "#update" do
+      context "non super admin user" do
+        before do
+          super_admin_permission.update_attributes!(name: "non_super_admin")
+        end
+        it "should not be authorized" do
+          put :update, params: {id: test_translation.id, translation: {key: "en.translation", value: "This is the translation."}}
+          expect(response).to_not eq(200)
+        end
+      end
+    end
+    context "#show" do
+      context "super admin" do
+        it "should be authorized" do
+          get :show, params: {id: test_translation.id}
+          expect(response.status).to be(200)
+        end
+      end
+      context "non super admin user" do
+        before do
+          super_admin_permission.update_attributes!(name: "non_super_admin")
+        end
+        it "should not be authorized" do
+          get :show, params: {id: test_translation.id}
+          expect(response).to_not eq(200)
+        end
+      end
+    end
+    context "#index" do
+      context "super admin" do
+        it "should be authorized" do
+          get :index
+          expect(response.status).to be(200)
+        end
+      end
+      context "non super admin user" do
+        before do
+          super_admin_permission.update_attributes!(name: "non_super_admin")
+        end
+        it "should not be authorized" do
+          get :index
+          expect(response).to_not eq(200)
+        end
+      end
+    end
+  end
+end