From 90db9559aaa8d3b5af1b4f2732219fabafaa79f8 Mon Sep 17 00:00:00 2001
From: Pau Perez
Date: Mon, 5 Oct 2020 16:53:19 +0200
Subject: [PATCH] Enforce permissions to export results
---
 .../admin/exports_controller.rb | 4 ++-
 .../decidim/action_delegator/permissions.rb | 11 +++++++-
 .../admin/exports_controller_spec.rb | 28 +++++++++++++++++++
 3 files changed, 41 insertions(+), 2 deletions(-)
 create mode 100644 spec/controllers/decidim/action_delegator/admin/exports_controller_spec.rb
diff --git a/app/controllers/decidim/action_delegator/admin/exports_controller.rb b/app/controllers/decidim/action_delegator/admin/exports_controller.rb
index b465ba71..0b7372e6 100644
--- a/app/controllers/decidim/action_delegator/admin/exports_controller.rb
+++ b/app/controllers/decidim/action_delegator/admin/exports_controller.rb
@@ -4,13 +4,15 @@ module Decidim
 module ActionDelegator
 module Admin
 class ExportsController < ActionDelegator::Admin::ApplicationController
+ include NeedsPermission
 include Consultations::NeedsConsultation
 def create
+ enforce_permission_to :export_results, :consultation
+
 ExportConsultationResultsJob.perform_later(current_user, current_consultation)
 flash[:notice] = t("decidim.admin.exports.notice")
-
 redirect_back(fallback_location: decidim_admin_consultations.results_consultation_path(current_consultation))
 end
 end
diff --git a/app/permissions/decidim/action_delegator/permissions.rb b/app/permissions/decidim/action_delegator/permissions.rb
index 71f3ce28..71aaece0 100644
--- a/app/permissions/decidim/action_delegator/permissions.rb
+++ b/app/permissions/decidim/action_delegator/permissions.rb
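Review bot: `enforce_permission_to :export_results, :consultation` in `create` passes no context, so the permissions class (which calls `can_perform_action?(permission_action.action, resource)`) gets nothing to tie the decision to `current_consultation` — the check reduces to "admin user in admin scope" and cannot consider the consultation's own state, such as whether its results are finished or published. If the export is meant to depend on the consultation, pass it along, e.g. `enforce_permission_to :export_results, :consultation, consultation: current_consultation`, with the key matching whatever the permission class reads from its context (that reader is outside this diff, so confirm the name). `include NeedsPermission` also presumes a `permission_class_name` is defined in `ActionDelegator::Admin::ApplicationController`, which is not visible here; if it is not, the new call has no permission class to consult. The enclosing `Decidim`/`ActionDelegator` modules continue outside the hunk.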
@@ -6,7 +6,8 @@ class Permissions < Decidim::DefaultPermissions
 def permissions
 return permission_action unless user.admin?
 return permission_action unless permission_action.scope == :admin
- return permission_action unless [:delegation, :setting].include?(permission_action.subject)
+ return permission_action unless action_delegator_subject?
+ return permission_action unless consultation_results_exports_action?
 allow! if can_perform_action?(permission_action.action, resource)
@@ -15,6 +16,14 @@ def permissions
 private
+ def consultation_results_exports_action?
+ permission_action.action == :export_results
+ end
+
+ def action_delegator_subject?
+ [:delegation, :setting, :consultation].include?(permission_action.subject)
+ end
+
+ def can_perform_action?(action, resource)
 if action == :destroy
 resource.present?
diff --git a/spec/controllers/decidim/action_delegator/admin/exports_controller_spec.rb b/spec/controllers/decidim/action_delegator/admin/exports_controller_spec.rb
new file mode 100644
index 00000000..58d57f85
--- /dev/null
+++ b/spec/controllers/decidim/action_delegator/admin/exports_controller_spec.rb
@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+require "spec_helper"
+
+module Decidim
+ module ActionDelegator
+ describe Admin::ExportsController, type: :controller do
+ routes { Decidim::ActionDelegator::AdminEngine.routes }
+
+ let(:organization) { create(:organization) }
+ let(:user) { create(:user, :admin, :confirmed, organization: organization) }
+ let(:consultation) { create(:consultation, :finished, :unpublished_results, organization: organization) }
+
+ before do
+ request.env["decidim.current_organization"] = organization
+ sign_in user
+ end
+
+ describe "#create" do
+ it "authorizes the action" do
+ expect(controller).to receive(:allowed_to?).with(:export_results, :consultation, {})
+
+ post :create, params: { consultation_slug: consultation.slug }
+ end
+ end
+ end
+ end
+end
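Review bot: The new guard `return permission_action unless consultation_results_exports_action?` runs for every subject that passed `action_delegator_subject?`, so a `:delegation` or `:setting` permission with any action other than `:export_results` now returns before `allow!` is ever reached — every existing admin action on delegations and settings is silently denied by this hunk. The predicate only compares the action, so it must be scoped to the subject it is named after, e.g. `return permission_action if permission_action.subject == :consultation && !consultation_results_exports_action?`, which keeps the old behaviour for the two original subjects and restricts `:consultation` to the export action. A permissions spec covering `:delegation`/`:setting` actions would have caught this; none is added in this commit. The body of `permissions` continues past the hunk (the trailing `permission_action` and `end` are not shown).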
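Review bot: In the second `permissions.rb` hunk, `consultation_results_exports_action?` promises a check about consultation results but its body only inspects `permission_action.action`, so the name misleads a reader into assuming the subject is already constrained; either rename it to `export_results_action?` or make the body honour the name by also testing `permission_action.subject == :consultation`. The subject list in `action_delegator_subject?` is rebuilt as an array literal on every call; hoist it to a frozen constant on the class, `ADMIN_SUBJECTS = %i[delegation setting consultation].freeze`, and have the predicate use `ADMIN_SUBJECTS.include?(permission_action.subject)`, which also gives the allowed subjects a single documented home.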
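Review bot: The spec's only example, `expect(controller).to receive(:allowed_to?).with(:export_results, :consultation, {})`, proves the permission check is invoked but never exercises its outcome: stubbing `allowed_to?` replaces the real permission class, and the `{}` argument pins the fact that no consultation is passed in the context. Add an example with a non-admin user asserting the request is refused and that no job is enqueued, and one for the admin asserting the export actually starts, e.g. `expect { post :create, params: { consultation_slug: consultation.slug } }.to have_enqueued_job(ExportConsultationResultsJob)`. The `:finished, :unpublished_results` traits on the consultation suggest its state is meant to matter, but nothing in the spec or the controller checks it; if that is intended, cover it explicitly rather than leaving the traits as unexplained setup.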