authorMatthew Somerville <matthew-github@dracos.co.uk>2016-07-06 18:07:22 +0100
committerDave Arter <davea@mysociety.org>2016-07-19 17:56:22 +0100
commit6afbfe45183412e35e8e846fd0d4a9d846c8644b (patch)
tree3f5cb6173c08a571811f0a31508b45acf31d69f7 /t/app/controller
parent65545553b5171f1ef1d611ea93c38f138451fb31 (diff)
Use normal user authentication to control access to /admin
- Adds an `is_superuser` flag to User. - A logged-in user must be a superuser or have `from_body` set in order to access anything within /admin. - `has_permission_to` on a superuser will always return true. - Only superusers can create or grant superusers. - New `createsuperuser` command for creating superusers.
Diffstat (limited to 't/app/controller')
-rw-r--r--t/app/controller/admin.t80
1 files changed, 80 insertions, 0 deletions
diff --git a/t/app/controller/admin.t b/t/app/controller/admin.t
index d7fcb30e6..9b083ce42 100644
--- a/t/app/controller/admin.t
+++ b/t/app/controller/admin.t
@@ -17,6 +17,17 @@ my $user2 =
->find_or_create( { email => 'test2@example.com', name => 'Test User 2' } );
ok $user2, "created second test user";
+my $superuser =
+ FixMyStreet::App->model('DB::User')
+ ->find_or_create( { email => 'superuser@example.com', name => 'Super User', is_superuser => 1 } );
+ok $superuser, "created superuser";
+
+my $oxfordshire = $mech->create_body_ok(2237, 'Oxfordshire County Council', id => 2237 );
+my $counciluser =
+ FixMyStreet::App->model('DB::User')
+ ->find_or_create( { email => 'counciluser@example.com', name => 'Council User', from_body => $oxfordshire->id } );
+ok $counciluser, "created council user";
+
my $user3 =
FixMyStreet::App->model('DB::User')
@@ -70,6 +81,8 @@ my $alert = FixMyStreet::App->model('DB::Alert')->find_or_create(
},
);
+$mech->log_in_ok( $superuser->email );
+
subtest 'check summary counts' => sub {
my $problems = FixMyStreet::App->model('DB::Problem')->search( { state => { -in => [qw/confirmed fixed closed investigating planned/, 'in progress', 'fixed - user', 'fixed - council'] } } );
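Review bot: Logging in as `$superuser` here means every pre-existing admin subtest further down now runs with `is_superuser` set, where (per the commit description) `has_permission_to` always returns true, so none of that existing coverage exercises the permission path a `from_body` user actually hits. It would be worth re-running at least the user-edit and report-edit subtests as `$counciluser`, or adding an explicit assertion in one of them that a body user is denied where a superuser is not. The `check summary counts` subtest continues past the hunk.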
@@ -1131,6 +1144,7 @@ for my $test (
body => $haringey->id,
phone => '',
flagged => undef,
+ is_superuser => undef,
},
changes => {
name => 'Changed User',
@@ -1146,6 +1160,7 @@ for my $test (
body => $haringey->id,
phone => '',
flagged => undef,
+ is_superuser => undef,
},
changes => {
email => 'changed@example.com',
@@ -1161,6 +1176,7 @@ for my $test (
body => $haringey->id,
phone => '',
flagged => undef,
+ is_superuser => undef,
},
changes => {
body => $southend->id,
@@ -1176,6 +1192,7 @@ for my $test (
body => $southend->id,
phone => '',
flagged => undef,
+ is_superuser => undef,
},
changes => {
flagged => 'on',
@@ -1191,6 +1208,7 @@ for my $test (
body => $southend->id,
phone => '',
flagged => 'on',
+ is_superuser => undef,
},
changes => {
flagged => undef,
@@ -1198,6 +1216,38 @@ for my $test (
log_count => 4,
log_entries => [qw/edit edit edit edit/],
},
+ {
+ desc => 'edit user add is_superuser',
+ fields => {
+ name => 'Changed User',
+ email => 'changed@example.com',
+ body => $southend->id,
+ phone => '',
+ flagged => undef,
+ is_superuser => undef,
+ },
+ changes => {
+ is_superuser => 'on',
+ },
+ log_count => 5,
+ log_entries => [qw/edit edit edit edit edit/],
+ },
+ {
+ desc => 'edit user remove is_superuser',
+ fields => {
+ name => 'Changed User',
+ email => 'changed@example.com',
+ body => $southend->id,
+ phone => '',
+ flagged => undef,
+ is_superuser => 'on',
+ },
+ changes => {
+ is_superuser => undef,
+ },
+ log_count => 5,
+ log_entries => [qw/edit edit edit edit edit/],
+ },
) {
subtest $test->{desc} => sub {
$mech->get_ok( '/admin/user_edit/' . $user->id );
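Review bot: Both new cases only show that the already-logged-in superuser can toggle `is_superuser`; there is no negative case for the commit's own claim that only superusers can grant it, so a regression that lets a `from_body` admin set the checkbox — including on their own user record — would still pass this file. A separate subtest logged in as `$counciluser` that posts `is_superuser => 'on'` for `$user` and then asserts `ok !$user->discard_changes->is_superuser` (and, if the template hides it, `$mech->content_lacks('is_superuser')`) would pin that down. The `for` loop and the `subtest` body continue past the hunk.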
@@ -1237,9 +1287,39 @@ subtest "Check admin_base_url" => sub {
'get_admin_url OK');
};
+# Finished with the superuser tests
+$mech->log_out_ok;
+
+subtest "Users without from_body can't access admin" => sub {
+ $user->from_body( undef );
+ $user->update;
+
+ $mech->log_in_ok( $user->email );
+
+ $mech->get_ok('/admin');
+ is $mech->uri->path, '/my', "redirected to correct page";
+ is $mech->res->code, 200, "got 200 for final destination";
+ is $mech->res->previous->code, 302, "got 302 for redirect";
+
+ $mech->log_out_ok;
+};
+
+subtest "Users with from_body can access admin" => sub {
+ $mech->log_in_ok( $counciluser->email );
+
+ $mech->get_ok('/admin');
+ $mech->content_contains( 'FixMyStreet admin:' );
+
+ $mech->log_out_ok;
+};
+
+
+
$mech->delete_user( $user );
$mech->delete_user( $user2 );
$mech->delete_user( $user3 );
+$mech->delete_user( $superuser );
+$mech->delete_user( $counciluser );
$mech->delete_user( 'test4@example.com' );
done_testing();
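Review bot: The `Users without from_body can't access admin` subtest depends on `$user` no longer being a superuser, but that is only true because the earlier `edit user remove is_superuser` case ran and succeeded; if that case is reordered, skipped or fails, this redirect check could pass or fail for the wrong reason. Clear the flag explicitly next to `from_body`, e.g. `$user->is_superuser( 0 );` before `$user->update;`, so the precondition is local to the test. It would also be worth a third subtest that a logged-out client requesting `/admin` is redirected rather than served the admin page, since that is the most common unauthenticated path and nothing here covers it.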