author | Matthew Somerville <matthew-github@dracos.co.uk> | 2018-10-10 11:28:02 +0100 |
---|---|---|
committer | Matthew Somerville <matthew-github@dracos.co.uk> | 2018-10-10 11:28:02 +0100 |
commit | 2bd51e0db906b75f85ff2aca2ea40ffb84baa31a (patch) | |
tree | f039991e7e315a0ebabcc7c11a86b8219900b2d9 | |
parent | 9ecce5d09e5fe806b6d4b221df08f9ae993dc502 (diff) | |
parent | 42e20f742bf80b41083c02fd9319159df65ffb9f (diff) |
Merge branch 'dashboard-permission-hook'
-rw-r--r-- | CHANGELOG.md | 4 | ||||
-rw-r--r-- | perllib/FixMyStreet/App/Controller/Dashboard.pm | 14 | ||||
-rw-r--r-- | t/app/controller/dashboard.t | 45 |
3 files changed, 53 insertions, 10 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8b71e3081..b0892c176 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,8 +9,10 @@ - Bugfixes: - Add perl 5.26/5.28 support. - Fix subcategory issues when visiting /report/new directly #2276 + - Development improvements: + - Add cobrand hook for dashboard viewing permission. #2285 - Internal things: - - Move send-comments code to package for testing. + - Move send-comments code to package for testing. #2109 #2170 * v2.4.1 (2nd October 2018) - New features:
diff --git a/perllib/FixMyStreet/App/Controller/Dashboard.pm b/perllib/FixMyStreet/App/Controller/Dashboard.pm
index 5ebdff31b..4b43be081 100644
--- a/perllib/FixMyStreet/App/Controller/Dashboard.pm
+++ b/perllib/FixMyStreet/App/Controller/Dashboard.pm
@@ -54,6 +54,18 @@ Checks if we can view this page, and if not redirect to 404. sub check_page_allowed : Private { my ( $self, $c ) = @_; + # dashboard_permission can return undef (if not present, or to carry on + # with default behaviour), a body ID to use that body for results, or 0 + # to refuse access entirely + my $cobrand_check = $c->cobrand->call_hook('dashboard_permission'); + if (defined $cobrand_check) { + if ($cobrand_check) { + $cobrand_check = $c->model('DB::Body')->find({ id => $cobrand_check }); + } + $c->detach( '/page_error_404_not_found' ) if !$cobrand_check; + return $cobrand_check; + } + $c->detach( '/auth/redirect' ) unless $c->user_exists; $c->detach( '/page_error_404_not_found' )
@@ -94,7 +106,7 @@ sub index : Path : Args(0) { # See if we've had anything from the body dropdowns $c->stash->{category} = $c->get_param('category'); $c->stash->{ward} = $c->get_param('ward'); - if ($c->user->area_id) { + if ($c->user_exists && $c->user->area_id) { $c->stash->{ward} = $c->user->area_id; $c->stash->{body_name} = join "", map { $children->{$_}->{name} } grep { $children->{$_} } $c->user->area_id; }
diff --git a/t/app/controller/dashboard.t b/t/app/controller/dashboard.t
index 3a031bec3..a5fa8772a 100644
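Review bot: A defined return from `dashboard_permission` leaves check_page_allowed before `$c->detach( '/auth/redirect' ) unless $c->user_exists` and the 404 permission check after it, so a hook that returns a body ID opens that body's dashboard to requests with no logged-in user. The new comment lists the three return values but not that consequence; I would add `# NB: any defined value skips the login and body-permission checks below, so the hook must make its own authorisation decision`. Where a hook forwards a request parameter, as the test cobrand in t/app/controller/dashboard.t does, the value passed to `find({ id => $cobrand_check })` is caller-controlled, and presumably a non-numeric value would surface as a database error rather than a 404; a guard such as `$cobrand_check = undef unless $cobrand_check =~ /\A\d+\z/;` before the lookup would keep that on the 404 path. check_page_allowed continues past the end of the hunk.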
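Review bot: The added `$c->user_exists &&` guard protects only the `area_id` lookup in index, while check_page_allowed can now return for a request that has no user at all. Any other `$c->user->...` dereference reached from index or the export path would then be called on an undefined user; those lines are outside this hunk, so this is something to confirm rather than a known fault. A short comment on the guard, for example `# user may be absent when a cobrand's dashboard_permission hook granted access`, would tell the next reader why a page that used to require login now tests for a user.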
--- a/t/app/controller/dashboard.t
+++ b/t/app/controller/dashboard.t
@@ -1,4 +1,17 @@ use Test::MockTime ':all'; + +package FixMyStreet::Cobrand::Tester; +use parent 'FixMyStreet::Cobrand::Default'; +# Allow access if CSV export for a body, otherwise deny +sub dashboard_permission { + my $self = shift; + my $c = $self->{c}; + return 0 unless $c->get_param('export'); + return $c->get_param('body') || 0; +} + +package main; + use strict; use warnings;
@@ -230,21 +243,37 @@ FixMyStreet::override_config { $mech->get_ok('/dashboard?export=1'); like $mech->res->header('Content-type'), qr'text/csv'; $mech->content_contains('Report ID'); + $mech->delete_header('Authorization'); + }; +}; + +FixMyStreet::override_config { + ALLOWED_COBRANDS => 'tester', + MAPIT_URL => 'http://mapit.uk/', +}, sub { + subtest 'no body or export, 404' => sub { + $mech->get('/dashboard'); + is $mech->status, '404', 'No parameters, 404'; + $mech->get('/dashboard?export=1'); + is $mech->status, '404', 'If no body, 404'; + $mech->get("/dashboard?body=$body_id"); + is $mech->status, '404', 'If no export, 404'; + }; + + subtest 'body and export, okay' => sub { + $mech->get_ok("/dashboard?body=$body_id&export=1"); }; }; sub test_table { my ($content, @expected) = @_; my $res = $categories->scrape( $mech->content ); - my $i = 0; + my @actual; foreach my $row ( @{ $res->{rows} }[1 .. 11] ) { - foreach my $col ( @{ $row->{cols} } ) { - is $col, $expected[$i++]; - } + push @actual, @{$row->{cols}} if $row->{cols}; } + is_deeply \@actual, \@expected; } -END { - restore_time; - done_testing(); -} +restore_time; +done_testing(); |
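Review bot: The new `FixMyStreet::Cobrand::Tester` package sits above `use strict; use warnings;`, which are lexically scoped and only take effect from the point they appear, so `dashboard_permission` is compiled without either. Moving the two pragmas to the top of the file, or repeating them inside the package, would fix that. The comment on the sub would also be clearer if it said the hook does no authentication and returns the raw `body` parameter, for example `# Test-only: no login required; the body parameter is passed through unchecked`, so the pattern is not copied into a real cobrand as it stands.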
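Review bot: The new subtests never reach the branch of check_page_allowed where the body lookup finds nothing, because every request carries either no `body` or the valid `$body_id`. I would add `$mech->get('/dashboard?body=999999&export=1'); is $mech->status, '404', 'Unknown body, 404';` (the ID is a constructed sample) and a similar case with a non-numeric `body`, so the refusal path is pinned for caller-supplied IDs. The 'body and export, okay' subtest only checks for a 200; asserting the `text/csv` content type, as the preceding export subtest does, would show the export really ran without a login.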