Only allow Site managers to create new sites

This adds authorization that only people with the `Site manager` role in GOV.UK Signon can create new sites. This is so that we can safely test new features before we officially archive Transition Config.
alphagov · Sep 5, 2023 · 6f6e253 · 6f6e253
1 parent 5df662e
commit 6f6e253
Show file tree

Hide file tree

Showing 6 changed files with 59 additions and 4 deletions.
diff --git a/app/controllers/sites_controller.rb b/app/controllers/sites_controller.rb
@@ -2,6 +2,7 @@ class SitesController < ApplicationController
   before_action :find_site, only: %i[edit update show]
   before_action :find_organisation, only: %i[new create]
   before_action :check_user_is_gds_editor, only: %i[edit update]
+  before_action :check_user_is_site_manager, only: %i[new create]
 
   def new
     @site_form = SiteForm.new(organisation_slug: @organisation.whitehall_slug)
@@ -72,4 +73,11 @@ def check_user_is_gds_editor
       redirect_to site_path(@site), alert: message
     end
   end
+
+  def check_user_is_site_manager
+    unless current_user.site_manager?
+      message = "Only Site Managers can access that."
+      redirect_to organisation_path(@organisation), alert: message
+    end
+  end
 end
diff --git a/app/views/organisations/show.html.erb b/app/views/organisations/show.html.erb
@@ -10,7 +10,9 @@
   <%= render 'in_conjunction_with' %>
 </header>
 
-<%= link_to "Add a transition site", new_organisation_site_path(@organisation), class: "btn btn-default" %>
+<% if current_user.site_manager? %>
+  <%= link_to "Add a transition site", new_organisation_site_path(@organisation), class: "btn btn-default" %>
+<% end %>
 
 <% unless @sites.empty? %>
   <h2>Sites</h2>

diff --git a/features/site.feature b/features/site.feature
@@ -103,7 +103,7 @@ Scenario: Jumping to a non-existent site
   Then I should see the header "Unknown site"
 
 Scenario: Creating a site
-  Given I have logged in as a GDS Editor
+  Given I have logged in as a Site Manager
   And there are these organisations without sites:
     | whitehall_slug  | title                         |
     | ukti            | UK Trade & Industry           |

diff --git a/spec/controllers/sites_controller_spec.rb b/spec/controllers/sites_controller_spec.rb
@@ -3,17 +3,47 @@
 describe SitesController do
   let(:site)    { create :site, abbr: "moj" }
   let(:gds_bob) { create(:gds_editor, name: "Bob Terwhilliger") }
+  let(:site_manager) { create(:site_manager) }
 
   describe "#new" do
     let(:organisation) { create(:organisation) }
 
-    before { login_as gds_bob }
+    before { login_as site_manager }
 
     it "returns a success response" do
       get :new, params: { organisation_id: organisation.whitehall_slug }
 
       expect(response.status).to eql(200)
     end
+
+    context "when the user does not have permission" do
+      def make_request
+        get :new, params: { organisation_id: organisation.whitehall_slug }
+      end
+
+      it_behaves_like "disallows editing by non-Site managers"
+    end
+  end
+
+  describe "#create" do
+    let(:organisation) { create(:organisation) }
+    let(:params) { attributes_for(:site_form) }
+
+    before { login_as site_manager }
+
+    it "returns a success response" do
+      post :create, params: { organisation_id: organisation.whitehall_slug, site_form: params }
+
+      expect(response.status).to eql(200)
+    end
+
+    context "when the user does not have permission" do
+      def make_request
+        post :create, params: { organisation_id: organisation.whitehall_slug, site_form: params }
+      end
+
+      it_behaves_like "disallows editing by non-Site managers"
+    end
   end
 
   describe "#edit" do

diff --git a/spec/requests/site_creation_spec.rb b/spec/requests/site_creation_spec.rb
@@ -1,7 +1,7 @@
 require "rails_helper"
 
 describe "Site creation", type: :request do
-  let!(:gds_bob) { create(:gds_editor, name: "Bob Terwhilliger") }
+  let!(:site_manager) { create(:site_manager) }
   let(:organisation) { create(:organisation, whitehall_slug: "air-accidents-investigation-branch") }
   let(:params) { attributes_for :site_form, :with_optional_fields, :with_aliases, organisation_slug: "air-accidents-investigation-branch" }
 

diff --git a/spec/support/shared_examples/authentication.rb b/spec/support/shared_examples/authentication.rb
@@ -28,6 +28,21 @@
   end
 end
 
+shared_examples "disallows editing by non-Site managers" do
+  before do
+    login_as stub_user
+    make_request
+  end
+
+  it "redirects to the organisation page" do
+    expect(response).to redirect_to organisation_path(organisation)
+  end
+
+  it "sets a flash message" do
+    expect(flash[:alert]).to eql("Only Site Managers can access that.")
+  end
+end
+
 shared_examples "disallows editing of a global site" do
   before do
     make_request