Enforce permissions to export results

openpoke · Oct 5, 2020 · 90db955 · 90db955
1 parent 748bd64
commit 90db955
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 2 deletions.
diff --git a/app/controllers/decidim/action_delegator/admin/exports_controller.rb b/app/controllers/decidim/action_delegator/admin/exports_controller.rb
@@ -4,13 +4,15 @@ module Decidim
   module ActionDelegator
     module Admin
       class ExportsController < ActionDelegator::Admin::ApplicationController
+        include NeedsPermission
         include Consultations::NeedsConsultation
 
         def create
+          enforce_permission_to :export_results, :consultation
+
           ExportConsultationResultsJob.perform_later(current_user, current_consultation)
 
           flash[:notice] = t("decidim.admin.exports.notice")
-
           redirect_back(fallback_location: decidim_admin_consultations.results_consultation_path(current_consultation))
         end
       end

diff --git a/app/permissions/decidim/action_delegator/permissions.rb b/app/permissions/decidim/action_delegator/permissions.rb
@@ -6,7 +6,8 @@ class Permissions < Decidim::DefaultPermissions
       def permissions
         return permission_action unless user.admin?
         return permission_action unless permission_action.scope == :admin
-        return permission_action unless [:delegation, :setting].include?(permission_action.subject)
+        return permission_action unless action_delegator_subject?
+        return permission_action unless consultation_results_exports_action?
 
         allow! if can_perform_action?(permission_action.action, resource)
 
@@ -15,6 +16,14 @@ def permissions
 
       private
 
+      def consultation_results_exports_action?
+        permission_action.action == :export_results
+      end
+
+      def action_delegator_subject?
+        [:delegation, :setting, :consultation].include?(permission_action.subject)
+      end
+
       def can_perform_action?(action, resource)
         if action == :destroy
           resource.present?

diff --git a/spec/controllers/decidim/action_delegator/admin/exports_controller_spec.rb b/spec/controllers/decidim/action_delegator/admin/exports_controller_spec.rb
@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+require "spec_helper"
+
+module Decidim
+  module ActionDelegator
+    describe Admin::ExportsController, type: :controller do
+      routes { Decidim::ActionDelegator::AdminEngine.routes }
+
+      let(:organization) { create(:organization) }
+      let(:user) { create(:user, :admin, :confirmed, organization: organization) }
+      let(:consultation) { create(:consultation, :finished, :unpublished_results, organization: organization) }
+
+      before do
+        request.env["decidim.current_organization"] = organization
+        sign_in user
+      end
+
+      describe "#create" do
+        it "authorizes the action" do
+          expect(controller).to receive(:allowed_to?).with(:export_results, :consultation, {})
+
+          post :create, params: { consultation_slug: consultation.slug }
+        end
+      end
+    end
+  end
+end