[FEATURE] Require 'system_administrator' permission to '/plugins/caas…

…_next_refid' endpoint Smithsonian#19
lorawoodford · Feb 6, 2025 · f6e2961 · f6e2961
1 parent 6964f4f
commit f6e2961
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 1 deletion.
diff --git a/backend/controllers/caas_next_refid.rb b/backend/controllers/caas_next_refid.rb
@@ -3,7 +3,7 @@ class ArchivesSpaceService < Sinatra::Base
   Endpoint.post('/plugins/caas_next_refid')
     .description("Get next ref_id for provided resource")
     .params(["resource_id", Integer, "The resource id", :required => "true"])
-    .permissions([])
+    .permissions([:administer_system])
     .returns([200, "{'resource_id', 'ID', 'next_refid', N}"]) \
   do
     existing_refid_record = CaasAspaceRefid.find(resource_id: params[:resource_id])

diff --git a/backend/spec/controller_caas_next_refid_spec.rb b/backend/spec/controller_caas_next_refid_spec.rb
@@ -43,6 +43,22 @@
           expect(JSON(last_response.body)['next_refid']).to eq(41)
         end
       end
+
+      context 'when a user without administer system permissions' do
+        before do
+          make_test_user('archivist')
+        end
+
+        it 'denies access' do
+          as_test_user('archivist') do
+            post '/plugins/caas_next_refid', params = { resource_id: 1 }
+
+            expect(last_response).not_to be_ok
+            expect(last_response.status).to eq(403)
+            expect(last_response.body).to match(/Access denied/)
+          end
+        end
+      end
     end
   end