Merge pull request #103 from MITLibraries/tco-76-permissions

Default to authenticated required

app/controllers/application_controller.rb

@@ -2,6 +2,8 @@
 
 class ApplicationController < ActionController::Base
   helper Mitlibraries::Theme::Engine.helpers
+  before_action :require_user
+  skip_before_action :require_user, only: :new_session_path
 
   rescue_from CanCan::AccessDenied do
     redirect_to root_path, alert: 'Not authorized.'
@@ -10,4 +12,12 @@ class ApplicationController < ActionController::Base
   def new_session_path(_scope)
     root_path
   end
+
+  private
+
+  def require_user
+    return if current_user
+
+    redirect_to root_path, alert: 'Please sign in to continue'
+  end
 end

app/controllers/graphql_controller.rb

@@ -5,6 +5,7 @@ class GraphqlController < ApplicationController
   # This allows for outside API access while preventing CSRF attacks,
   # but you'll have to authenticate your user separately
   protect_from_forgery with: :null_session
+  skip_before_action :require_user
 
   def execute
     variables = prepare_variables(params[:variables])

app/controllers/static_controller.rb

@@ -1,5 +1,13 @@
 # frozen_string_literal: true
 
 class StaticController < ApplicationController
+  skip_before_action :require_user, only: :index
+
   def index; end
+
+  def playground
+    authorize! :view, :playground
+
+    render layout: false
+  end
 end

app/controllers/users/omniauth_callbacks_controller.rb

@@ -6,6 +6,7 @@
 module Users
   class OmniauthCallbacksController < Devise::OmniauthCallbacksController
     include FakeAuthConfig
+    skip_before_action :require_user
 
     def openid_connect
       @user = User.from_omniauth(request.env['omniauth.auth'])

app/models/ability.rb

@@ -10,6 +10,9 @@ def initialize(user)
     return if user.blank?
     # Rules will go here.
 
+    # all authenticated
+    # can :view, :playground
+
     return unless user.admin?
 
     can :manage, :all

app/views/layouts/_site_nav.html.erb

@@ -13,6 +13,9 @@
             <% if can? :index, Term %>
               <%= link_to('Admin', admin_root_path, class: 'nav-item') %>
             <% end %>
+            <% if can? :view, :playground %>
+              <%= link_to('Playground', '/playground', class: 'nav-item') %>
+            <% end %>
           <% end %>
         </nav>
         <nav class="nav-user" aria-label="User menu">

config/routes.rb

@@ -25,6 +25,8 @@
   # Can be used by load balancers and uptime monitors to verify that the app is live.
   get 'up' => 'rails/health#show', as: :rails_health_check
 
+  get 'playground', to: 'static#playground'
+
   # Defines the root path route ("/")
   root to: 'static#index'
 end

test/controllers/static_controller_test.rb

@@ -0,0 +1,37 @@
+require 'test_helper'
+
+class StaticControllerTest < ActionDispatch::IntegrationTest
+  test 'root url is accessible without authentication' do
+    get '/'
+
+    assert_response :success
+  end
+
+  test 'playground url is not accessible without authentication' do
+    get '/playground'
+
+    assert_redirected_to '/'
+    follow_redirect!
+
+    assert_select 'div.alert', text: 'Please sign in to continue', count: 1
+  end
+
+  test 'playground url is accessible to admins when authenticated' do
+    sign_in users(:admin)
+
+    get '/playground'
+
+    assert_response :success
+  end
+
+  test 'playground url is not accessible to basic users when authenticated' do
+    sign_in users(:basic)
+
+    get '/playground'
+
+    assert_redirected_to '/'
+    follow_redirect!
+
+    assert_select 'div.alert', text: 'Not authorized.', count: 1
+  end
+end

test/test_helper.rb

@@ -19,6 +19,12 @@
   config.hook_into :webmock
 end
 
+module ActionDispatch
+  class IntegrationTest
+    include Devise::Test::IntegrationHelpers
+  end
+end
+
 module ActiveSupport
   class TestCase
     # Run tests in parallel with specified workers