-rw-r--r--spec/integration/admin_spec.rb32
-rw-r--r--spec/integration/alaveteli_dsl.rb51
-rw-r--r--spec/integration/create_request_spec.rb45
-rw-r--r--spec/integration/request_controller_spec.rb17
-rw-r--r--spec/integration/view_request_spec.rb29
5 files changed, 114 insertions, 60 deletions
diff --git a/spec/integration/admin_spec.rb b/spec/integration/admin_spec.rb
index 8a5e59ba2..25872fb4a 100644
--- a/spec/integration/admin_spec.rb
+++ b/spec/integration/admin_spec.rb
@@ -1,21 +1,27 @@
require File.expand_path(File.dirname(__FILE__) + '/../spec_helper')
-
-require "base64"
+require File.expand_path(File.dirname(__FILE__) + '/alaveteli_dsl')
describe "When administering the site" do
+
+ before do
+ AlaveteliConfiguration.stub!(:skip_admin_auth).and_return(false)
+ end
+
it "allows an admin to log in as another user" do
# First log in as Joe Admin
- admin_user = users(:admin_user)
- admin_user.email_confirmed = true
- admin_user.save!
- post_via_redirect "/profile/sign_in", :user_signin => {:email => admin_user.email, :password => "jonespassword"}
- response.should be_success
-
+ confirm(:admin_user)
+ admin = login(:admin_user)
+
# Now fetch the "log in as" link to log in as Bob
- get_via_redirect "/admin/user/login_as/#{users(:bob_smith_user).id}", nil, {
- "Authorization" => "Basic " + Base64.encode64("#{AlaveteliConfiguration::admin_username}:#{AlaveteliConfiguration::admin_password}").strip
- }
- response.should be_success
- session[:user_id].should == users(:bob_smith_user).id
+ admin.get_via_redirect "/admin/user/login_as/#{users(:bob_smith_user).id}"
+ admin.response.should be_success
+ admin.session[:user_id].should == users(:bob_smith_user).id
+ end
+
+ it 'does not allow a non-admin user to login as another user' do
+ robin = login(:robin_user)
+ robin.get_via_redirect "/admin/user/login_as/#{users(:bob_smith_user).id}"
+ robin.response.should be_success
+ robin.session[:user_id].should_not == users(:bob_smith_user).id
end
end
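Review bot: The new negative example ('does not allow a non-admin user to login as another user') only asserts that the session is not Bob's, which would also pass if the session were emptied or switched to some third account. Because `get_via_redirect` follows redirects, `robin.response.should be_success` says nothing about whether the admin route actually refused the request. Pin the outcome with `robin.session[:user_id].should == users(:robin_user).id`. Since the `before` block now turns `skip_admin_auth` off for the whole group, an equivalent example for a session from `without_login` would cover the unauthenticated case as well.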
diff --git a/spec/integration/alaveteli_dsl.rb b/spec/integration/alaveteli_dsl.rb
new file mode 100644
index 000000000..7e7ffcf07
--- /dev/null
+++ b/spec/integration/alaveteli_dsl.rb
@@ -0,0 +1,51 @@
+module AlaveteliDsl
+
+ def browses_request(url_title)
+ get "/request/#{url_title}"
+ assert_response :success
+ end
+
+ def creates_request_unregistered
+ params = { :info_request => { :public_body_id => public_bodies(:geraldine_public_body).id,
+ :title => "Why is your quango called Geraldine?",
+ :tag_string => "" },
+ :outgoing_message => { :body => "This is a silly letter. It is too short to be interesting." },
+ :submitted_new_request => 1,
+ :preview => 0
+ }
+
+ # Initially we are not logged in. Try to create a new request.
+ post "/new", params
+ # We expect to be redirected to the login page
+ post_redirect = PostRedirect.get_last_post_redirect
+ response.should redirect_to(:controller => 'user', :action => 'signin', :token => post_redirect.token)
+ follow_redirect!
+ response.should render_template("user/sign")
+ response.body.should match(/To send your FOI request, please sign in or make a new account./)
+ end
+
+end
+
+def login(user)
+ open_session do |sess|
+ sess.extend(AlaveteliDsl)
+ u = users(user)
+ sess.visit signin_path
+ sess.fill_in "Your e-mail:", :with => u.email
+ sess.fill_in "Password:", :with => "jonespassword"
+ sess.click_button "Sign in"
+ assert sess.session[:user_id] == u.id
+ end
+end
+
+def without_login
+ open_session do |sess|
+ sess.extend(AlaveteliDsl)
+ end
+end
+
+def confirm(user)
+ u = users(user)
+ u.email_confirmed = true
+ u.save!
+end
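Review bot: `login`, `without_login` and `confirm` are defined at the top level of the file, after `AlaveteliDsl` is closed, so requiring this file adds them as private methods on every object rather than only to the integration specs. Wrapping them in a module that the integration example groups include would keep them scoped. In `login`, `assert sess.session[:user_id] == u.id` fails with a bare boolean message; `assert_equal u.id, sess.session[:user_id]` would report both ids. The fixture password `"jonespassword"` is hard-coded here and again in create_request_spec.rb; one shared constant would keep the two in step.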
diff --git a/spec/integration/create_request_spec.rb b/spec/integration/create_request_spec.rb
index 4efbf94ee..84fad12f9 100644
--- a/spec/integration/create_request_spec.rb
+++ b/spec/integration/create_request_spec.rb
@@ -1,51 +1,36 @@
require File.expand_path(File.dirname(__FILE__) + '/../spec_helper')
+require File.expand_path(File.dirname(__FILE__) + '/alaveteli_dsl')
describe "When creating requests" do
- def create_request_unregistered
- params = { :info_request => { :public_body_id => public_bodies(:geraldine_public_body).id,
- :title => "Why is your quango called Geraldine?",
- :tag_string => "" },
- :outgoing_message => { :body => "This is a silly letter. It is too short to be interesting." },
- :submitted_new_request => 1,
- :preview => 0
- }
-
- # Initially we are not logged in. Try to create a new request.
- post "/new", params
- # We expect to be redirected to the login page
- post_redirect = PostRedirect.get_last_post_redirect
- response.should redirect_to(:controller => 'user', :action => 'signin', :token => post_redirect.token)
- follow_redirect!
- response.should render_template("user/sign")
- response.body.should match(/To send your FOI request, please sign in or make a new account./)
- end
+
it "should associate the request with the requestor, even if it is approved by an admin" do
+
+ unregistered = without_login
# This is a test for https://github.com/mysociety/alaveteli/issues/446
- create_request_unregistered
+ unregistered.creates_request_unregistered
post_redirect = PostRedirect.get_last_post_redirect
# Now log in as an unconfirmed user.
- post "/profile/sign_in", :user_signin => {:email => users(:unconfirmed_user).email, :password => "jonespassword"}, :token => post_redirect.token
+ unregistered.post "/profile/sign_in", :user_signin => {:email => users(:unconfirmed_user).email, :password => "jonespassword"}, :token => post_redirect.token
# This will trigger a confirmation mail. Get the PostRedirect for later.
- response.should render_template("user/confirm")
+ unregistered.response.body.should match('Now check your email!')
post_redirect = PostRedirect.get_last_post_redirect
+
# Now log in as an admin user, then follow the confirmation link in the email that was sent to the unconfirmed user
- admin_user = users(:admin_user)
- admin_user.email_confirmed = true
- admin_user.save!
- post_via_redirect "/profile/sign_in", :user_signin => {:email => admin_user.email, :password => "jonespassword"}
- response.should be_success
- get "/c/" + post_redirect.email_token
- follow_redirect!
- response.location.should =~ %r(/request/(.+)/new)
- response.location =~ %r(/request/(.+)/new)
+ confirm(:admin_user)
+ admin = login(:admin_user)
+ admin.get "/c/" + post_redirect.email_token
+ admin.follow_redirect!
+ admin.response.location.should =~ %r(/request/(.+)/new)
+ admin.response.location =~ %r(/request/(.+)/new)
url_title = $1
info_request = InfoRequest.find_by_url_title(url_title)
info_request.should_not be_nil
# Make sure the request is still owned by the user who made it, not the admin who confirmed it
info_request.user_id.should == users(:unconfirmed_user).id
+
end
end
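Review bot: `url_title = $1` depends on the bare `admin.response.location =~ %r(/request/(.+)/new)` line directly above it, which repeats the pattern already checked by the `should =~` expectation and reads like a leftover. Capturing explicitly with `url_title = admin.response.location[%r(/request/(.+)/new), 1]` removes the reliance on the global match variable. Separately, the confirmation step is now checked through page copy (`'Now check your email!'`) instead of the rendered template, so the example will break on a wording change; a short comment explaining why would help.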
diff --git a/spec/integration/request_controller_spec.rb b/spec/integration/request_controller_spec.rb
index 9e585448b..f5de692b8 100644
--- a/spec/integration/request_controller_spec.rb
+++ b/spec/integration/request_controller_spec.rb
@@ -1,5 +1,6 @@
# -*- coding: utf-8 -*-
require File.expand_path(File.dirname(__FILE__) + '/../spec_helper')
+require File.expand_path(File.dirname(__FILE__) + '/alaveteli_dsl')
describe RequestController, "when classifying an information request" do
@@ -16,26 +17,22 @@ describe RequestController, "when classifying an information request" do
describe 'when logged in as the requestor' do
before :each do
- @request_owner = @dog_request.user
- visit signin_path
- fill_in "Your e-mail:", :with => @request_owner.email
- fill_in "Password:", :with => "jonespassword"
- click_button "Sign in"
+ @bob = login(:bob_smith_user)
end
it "should send an email including the message" do
- visit describe_state_message_path(:url_title => @dog_request.url_title,
+ @bob.visit describe_state_message_path(:url_title => @dog_request.url_title,
:described_state => "requires_admin")
- fill_in "Please tell us more:", :with => "Okay. I don't quite understand."
- click_button "Submit status and send message"
+ @bob.fill_in "Please tell us more:", :with => "Okay. I don't quite understand."
+ @bob.click_button "Submit status and send message"
- response.should contain "Thank you! We'll look into what happened and try and fix it up."
+ @bob.response.should contain "Thank you! We'll look into what happened and try and fix it up."
deliveries = ActionMailer::Base.deliveries
deliveries.size.should == 1
mail = deliveries[0]
mail.body.should =~ /as needing admin/
- mail.body.should =~ /Okay. I don't quite understand./
+ mail.body.should =~ /Okay. I don't quite understand./
end
end
end
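Review bot: The `before :each` block now signs in the `:bob_smith_user` fixture instead of `@dog_request.user`, so the 'when logged in as the requestor' group silently assumes Bob owns `@dog_request`. If fixture ownership ever changes, these examples would exercise a non-owner classifying the request without anyone noticing. Add `@dog_request.user.should == users(:bob_smith_user)` to the block, or a comment stating the assumption. `@dog_request` is presumably set up in a `before` outside this hunk.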
diff --git a/spec/integration/view_request_spec.rb b/spec/integration/view_request_spec.rb
index 3d646cfe7..79453e4c2 100644
--- a/spec/integration/view_request_spec.rb
+++ b/spec/integration/view_request_spec.rb
@@ -1,4 +1,5 @@
require File.expand_path(File.dirname(__FILE__) + '/../spec_helper')
+require File.expand_path(File.dirname(__FILE__) + '/alaveteli_dsl')
describe "When viewing requests" do
@@ -7,18 +8,32 @@ describe "When viewing requests" do
end
it "should not make endlessly recursive JSON <link>s" do
- @dog_request = info_requests(:fancy_dog_request)
- get "request/#{@dog_request.url_title}?unfold=1"
- response.body.should_not include("dog?unfold=1.json")
- response.body.should include("dog.json?unfold=1")
+ unregistered = without_login
+ unregistered.browses_request('why_do_you_have_such_a_fancy_dog?unfold=1')
+ unregistered.response.body.should_not include("dog?unfold=1.json")
+ unregistered.response.body.should include("dog.json?unfold=1")
end
it 'should not raise a routing error when making a json link for a request with an
"action" querystring param' do
- @dog_request = info_requests(:fancy_dog_request)
- get "request/#{@dog_request.url_title}?action=add"
- response.should be_success
+ unregistered = without_login
+ unregistered.browses_request('why_do_you_have_such_a_fancy_dog?action=add')
end
+ context 'when a response is hidden' do
+
+ before do
+ useless_message = incoming_messages(:useless_incoming_message)
+ useless_message.prominence = 'hidden'
+ useless_message.save!
+ end
+
+ it 'should show a hidden notice to an unregistered user' do
+ unregistered = without_login
+ response = unregistered.browses_request('why_do_you_have_such_a_fancy_dog')
+ response.body.should include("This message has been hidden.")
+ end
+
+ end
end
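Review bot: The 'should show a hidden notice to an unregistered user' example checks only that the notice text is present, not that the hidden message's content is absent from the page, which is the property the `prominence = 'hidden'` setting exists to protect. Add a negative expectation such as `unregistered.response.body.should_not include(HIDDEN_MESSAGE_TEXT)`, where `HIDDEN_MESSAGE_TEXT` is a placeholder for a distinctive string from the `:useless_incoming_message` fixture. The example also assigns the return value of `browses_request` (whatever `assert_response` returns) to a local named `response`. Reading `unregistered.response.body`, as the earlier examples in this file do, avoids depending on that return value.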