-rw-r--r--CHANGELOG.md4
-rw-r--r--perllib/FixMyStreet/App/Controller/Dashboard.pm14
-rw-r--r--t/app/controller/dashboard.t45
3 files changed, 53 insertions, 10 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8b71e3081..b0892c176 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,8 +9,10 @@
- Bugfixes:
- Add perl 5.26/5.28 support.
- Fix subcategory issues when visiting /report/new directly #2276
+ - Development improvements:
+ - Add cobrand hook for dashboard viewing permission. #2285
- Internal things:
- - Move send-comments code to package for testing.
+ - Move send-comments code to package for testing. #2109 #2170
* v2.4.1 (2nd October 2018)
- New features:
diff --git a/perllib/FixMyStreet/App/Controller/Dashboard.pm b/perllib/FixMyStreet/App/Controller/Dashboard.pm
index 5ebdff31b..4b43be081 100644
--- a/perllib/FixMyStreet/App/Controller/Dashboard.pm
+++ b/perllib/FixMyStreet/App/Controller/Dashboard.pm
@@ -54,6 +54,18 @@ Checks if we can view this page, and if not redirect to 404.
sub check_page_allowed : Private {
my ( $self, $c ) = @_;
+ # dashboard_permission can return undef (if not present, or to carry on
+ # with default behaviour), a body ID to use that body for results, or 0
+ # to refuse access entirely
+ my $cobrand_check = $c->cobrand->call_hook('dashboard_permission');
+ if (defined $cobrand_check) {
+ if ($cobrand_check) {
+ $cobrand_check = $c->model('DB::Body')->find({ id => $cobrand_check });
+ }
+ $c->detach( '/page_error_404_not_found' ) if !$cobrand_check;
+ return $cobrand_check;
+ }
+
$c->detach( '/auth/redirect' ) unless $c->user_exists;
$c->detach( '/page_error_404_not_found' )
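Review bot: When `dashboard_permission` returns a body ID, the early `return $cobrand_check;` leaves check_page_allowed before the `$c->user_exists` redirect and the check after it, so the hook's answer is the only access decision and it also applies to requests with no logged-in user. The comment above the call should say so, for example `# NB: a defined return value skips the login and permission checks below; the hook must do its own authorisation`. The value is also passed to `find({ id => $cobrand_check })` unvalidated, so a hook that forwards request data (as the Tester cobrand in t/app/controller/dashboard.t does) may hand a non-numeric string to the query. Adding `$cobrand_check = 0 unless $cobrand_check =~ /\A\d+\z/;` as the first line inside `if (defined $cobrand_check)` would keep such input on the 404 path. The rest of check_page_allowed lies outside the hunk.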
@@ -94,7 +106,7 @@ sub index : Path : Args(0) {
# See if we've had anything from the body dropdowns
$c->stash->{category} = $c->get_param('category');
$c->stash->{ward} = $c->get_param('ward');
- if ($c->user->area_id) {
+ if ($c->user_exists && $c->user->area_id) {
$c->stash->{ward} = $c->user->area_id;
$c->stash->{body_name} = join "", map { $children->{$_}->{name} } grep { $children->{$_} } $c->user->area_id;
}
diff --git a/t/app/controller/dashboard.t b/t/app/controller/dashboard.t
index 3a031bec3..a5fa8772a 100644
--- a/t/app/controller/dashboard.t
+++ b/t/app/controller/dashboard.t
@@ -1,4 +1,17 @@
use Test::MockTime ':all';
+
+package FixMyStreet::Cobrand::Tester;
+use parent 'FixMyStreet::Cobrand::Default';
+# Allow access if CSV export for a body, otherwise deny
+sub dashboard_permission {
+ my $self = shift;
+ my $c = $self->{c};
+ return 0 unless $c->get_param('export');
+ return $c->get_param('body') || 0;
+}
+
+package main;
+
use strict;
use warnings;
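Review bot: The `FixMyStreet::Cobrand::Tester` package is compiled before `use strict; use warnings;` take effect, because both pragmas are lexically scoped and only appear after `package main;`. Moving the two `use` lines above `package FixMyStreet::Cobrand::Tester;`, or repeating them inside it, puts the hook under the same strictures as the rest of the test file. The comment on the hook could also say that it trusts the `body` request parameter and does no authentication, e.g. `# Test-only: trusts the 'body' parameter, no login required`.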
@@ -230,21 +243,37 @@ FixMyStreet::override_config {
$mech->get_ok('/dashboard?export=1');
like $mech->res->header('Content-type'), qr'text/csv';
$mech->content_contains('Report ID');
+ $mech->delete_header('Authorization');
+ };
+};
+
+FixMyStreet::override_config {
+ ALLOWED_COBRANDS => 'tester',
+ MAPIT_URL => 'http://mapit.uk/',
+}, sub {
+ subtest 'no body or export, 404' => sub {
+ $mech->get('/dashboard');
+ is $mech->status, '404', 'No parameters, 404';
+ $mech->get('/dashboard?export=1');
+ is $mech->status, '404', 'If no body, 404';
+ $mech->get("/dashboard?body=$body_id");
+ is $mech->status, '404', 'If no export, 404';
+ };
+
+ subtest 'body and export, okay' => sub {
+ $mech->get_ok("/dashboard?body=$body_id&export=1");
};
};
sub test_table {
my ($content, @expected) = @_;
my $res = $categories->scrape( $mech->content );
- my $i = 0;
+ my @actual;
foreach my $row ( @{ $res->{rows} }[1 .. 11] ) {
- foreach my $col ( @{ $row->{cols} } ) {
- is $col, $expected[$i++];
- }
+ push @actual, @{$row->{cols}} if $row->{cols};
}
+ is_deeply \@actual, \@expected;
}
-END {
- restore_time;
- done_testing();
-}
+restore_time;
+done_testing();
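Review bot: The new 'tester' subtests never reach the branch where the hook returns a truthy ID that matches no body, i.e. `find` returning nothing in check_page_allowed and the request ending in a 404. A case such as `$mech->get('/dashboard?body=<ID_WITH_NO_BODY>&export=1'); is $mech->status, '404', 'Unknown body, 404';` would cover it, with the placeholder replaced by an ID the fixtures do not create. It is not visible in this hunk whether `$mech` is still logged in at this point; if it is, logging out before these subtests would make them exercise the anonymous path that the `$c->user_exists` guard in index was added for. In test_table, `is_deeply \@actual, \@expected;` would give clearer failures with a test name as third argument. The `override_config` block that the first lines of this hunk close starts outside the hunk.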