[FEATURE] Require 'system_administrator' permission to '/plugins/caas…

…_next_refid' endpoint Smithsonian#19
lorawoodford · Jan 21, 2025 · 11f5905 · 11f5905
1 parent f9682c7
commit 11f5905
Show file tree

Hide file tree

Showing 4 changed files with 59 additions and 1 deletion.
diff --git a/.github/workflows/codescan.yml b/.github/workflows/codescan.yml
@@ -0,0 +1,33 @@
+name: Code Scan
+
+on:
+  pull_request:
+    branches:
+      - main
+  push:
+
+jobs:
+  backend_plugins:
+    runs-on: ubuntu-latest
+    env:
+      PROD_ARCHIVESSPACE_VERSION: v3.3.1
+
+    steps:
+    - name: Checkout ArchivesSpace
+      uses: actions/checkout@v4
+      with:
+        ref: ${{ env.PROD_ARCHIVESSPACE_VERSION }}
+        repository: Smithsonian/archivesspace
+
+    - name: Checkout plugin
+      uses: actions/checkout@v4
+      with:
+        path: ${{ github.event.repository.name }}
+
+    - name: Copy plugin to ArchivesSpace
+      run: |
+        cp -r ${{ github.workspace }}/${{ github.event.repository.name }} ${{ github.workspace }}/plugins
+
+    - name: Run Rubocop
+      run: |
+        ./build/run rubocop -Ddir="plugins/${{ github.event.repository.name }}"
diff --git a/.rubocop.yml b/.rubocop.yml
@@ -0,0 +1,9 @@
+inherit_from: ../../.rubocop.yml
+
+inherit_mode:
+  merge:
+    - Include
+
+AllCops:
+  Include:
+    - .
diff --git a/backend/controllers/caas_next_refid.rb b/backend/controllers/caas_next_refid.rb
@@ -3,7 +3,7 @@ class ArchivesSpaceService < Sinatra::Base
   Endpoint.post('/plugins/caas_next_refid')
     .description("Get next ref_id for provided resource")
     .params(["resource_id", Integer, "The resource id", :required => "true"])
-    .permissions([])
+    .permissions([:administer_system])
     .returns([200, "{'resource_id', 'ID', 'next_refid', N}"]) \
   do
     current_refid = CaasAspaceRefid.find(resource_id: params[:resource_id])

diff --git a/backend/spec/controller_caas_next_refid_spec.rb b/backend/spec/controller_caas_next_refid_spec.rb
@@ -21,6 +21,22 @@
         expect(last_response).to be_ok
         expect(last_response.status).to eq(200)
       end
+
+      context 'when a user without administer system permissions' do
+        before do
+          make_test_user('archivist')
+        end
+
+        it 'denies access' do
+          as_test_user('archivist') do
+            post '/plugins/caas_next_refid', params = { resource_id: 1 }
+
+            expect(last_response).not_to be_ok
+            expect(last_response.status).to eq(403)
+            expect(last_response.body).to match(/Access denied/)
+          end
+        end
+      end
     end
   end