author | Dave Arter <davea@mysociety.org> | 2016-07-19 17:52:18 +0100 |
committer | Dave Arter <davea@mysociety.org> | 2016-07-19 18:10:04 +0100 |
commit | 7792c5328962a58ab60c6975a1fdba7ebb2786e9 (patch) | |
tree | 8b0b1c43f827eea5cc601984eb1b5cc177683256 | |
parent | 6afbfe45183412e35e8e846fd0d4a9d846c8644b (diff) |
[UK Councils] Council users can only see their own council's admin
-rw-r--r-- | perllib/FixMyStreet/Cobrand/UKCouncils.pm | 7 | ||||
-rw-r--r-- | t/app/controller/admin.t | 52 |
2 files changed, 50 insertions, 9 deletions
diff --git a/perllib/FixMyStreet/Cobrand/UKCouncils.pm b/perllib/FixMyStreet/Cobrand/UKCouncils.pm
index 6e98f4ae0..43f10130a 100644
--- a/perllib/FixMyStreet/Cobrand/UKCouncils.pm
+++ b/perllib/FixMyStreet/Cobrand/UKCouncils.pm
@@ -150,4 +150,11 @@ sub base_url_for_report {
     }
 }
 
+sub admin_allow_user {
+    my ( $self, $user ) = @_;
+    return 1 if $user->is_superuser;
+    return undef unless defined $user->from_body;
+    return $user->from_body->id == $self->council_id;
+}
+
 1;
diff --git a/t/app/controller/admin.t b/t/app/controller/admin.t
index 9b083ce42..0f6f9744c 100644
--- a/t/app/controller/admin.t
+++ b/t/app/controller/admin.t
@@ -23,10 +23,10 @@ my $superuser =
 ok $superuser, "created superuser";
 
 my $oxfordshire = $mech->create_body_ok(2237, 'Oxfordshire County Council', id => 2237 );
-my $counciluser =
+my $oxfordshireuser =
     FixMyStreet::App->model('DB::User')
-    ->find_or_create( { email => 'counciluser@example.com', name => 'Council User', from_body => $oxfordshire->id } );
-ok $counciluser, "created council user";
+    ->find_or_create( { email => 'counciluser@example.com', name => 'Council User', from_body => $oxfordshire } );
+ok $oxfordshireuser, "created council user";
 
 my $user3 =
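Review bot: `return undef` in admin_allow_user yields a one-element list in list context, so a caller that evaluates the result as a list (for example assigning it to an array and testing that) would see a true value for a user who should be refused; `return;` is the safe spelling of "not allowed" in both contexts. A one-line comment stating the rule would help the next reader, e.g. `# Superusers are allowed everywhere; council staff only in their own council's cobrand.` The comparison `$user->from_body->id == $self->council_id` relies on every cobrand inheriting from UKCouncils providing council_id, which is not visible in this hunk — worth confirming it is defined for each subclass, since a missing method would die and an undef value would silently compare as 0.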
@@ -1304,13 +1304,47 @@ subtest "Users without from_body can't access admin" => sub {
     $mech->log_out_ok;
 };
 
-subtest "Users with from_body can access admin" => sub {
-    $mech->log_in_ok( $counciluser->email );
+subtest "Users with from_body can access their own council's admin" => sub {
+    FixMyStreet::override_config {
+        ALLOWED_COBRANDS => [ 'oxfordshire' ],
+    }, sub {
+        $mech->log_in_ok( $oxfordshireuser->email );
 
-    $mech->get_ok('/admin');
-    $mech->content_contains( 'FixMyStreet admin:' );
+        $mech->get_ok('/admin');
+        $mech->content_contains( 'FixMyStreet admin:' );
 
-    $mech->log_out_ok;
+        $mech->log_out_ok;
+    };
+};
+
+subtest "Users with from_body can't access another council's admin" => sub {
+    FixMyStreet::override_config {
+        ALLOWED_COBRANDS => [ 'bristol' ],
+    }, sub {
+        $mech->log_in_ok( $oxfordshireuser->email );
+
+        $mech->get_ok('/admin');
+        is $mech->uri->path, '/my', "redirected to correct page";
+        is $mech->res->code, 200, "got 200 for final destination";
+        is $mech->res->previous->code, 302, "got 302 for redirect";
+
+        $mech->log_out_ok;
+    };
+};
+
+subtest "Users with from_body can't access fixmystreet.com admin" => sub {
+    FixMyStreet::override_config {
+        ALLOWED_COBRANDS => [ 'fixmystreet' ],
+    }, sub {
+        $mech->log_in_ok( $oxfordshireuser->email );
+
+        $mech->get_ok('/admin');
+        is $mech->uri->path, '/my', "redirected to correct page";
+        is $mech->res->code, 200, "got 200 for final destination";
+        is $mech->res->previous->code, 302, "got 302 for redirect";
+
+        $mech->log_out_ok;
+    };
 };
@@ -1319,7 +1353,7 @@ $mech->delete_user( $user );
 $mech->delete_user( $user2 );
 $mech->delete_user( $user3 );
 $mech->delete_user( $superuser );
-$mech->delete_user( $counciluser );
+$mech->delete_user( $oxfordshireuser );
 $mech->delete_user( 'test4@example.com' );
 done_testing();
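Review bot: The two negative subtests ("another council's admin" and "fixmystreet.com admin") assert only the redirect chain to /my; adding `$mech->content_lacks( 'FixMyStreet admin:' );` after the status checks would also pin that no admin markup is served on the final page, which is the property admin_allow_user is meant to enforce. The superuser branch of that method (`return 1 if $user->is_superuser`) gets no coverage in these hunks — unless $superuser is already exercised against a council cobrand elsewhere in admin.t, a subtest logging in $superuser under `ALLOWED_COBRANDS => [ 'oxfordshire' ]` and expecting the admin page would close that gap. The three subtests repeat the same override_config / log_in_ok / get_ok / log_out_ok scaffolding; a small helper taking the cobrand name and the expected outcome would make each case's intent easier to read.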