From ae89907ee858bf197349a9d1a5b7185a5a4423b7 Mon Sep 17 00:00:00 2001
From: "James R. Griffin III" <1443986+jrgriffiniii@users.noreply.github.com>
Date: Mon, 16 Dec 2024 15:30:06 -0500
Subject: [PATCH] Ensures that the directory path is disabled for editing
projects (unless the user is a system administrator) (#1090)
* Ensures that the directory path is disabled for editing projects (unless the user is a system administrator)
* Removing the redundant form field for cases where the Project is persisted within Mediaflux and implementing the missing tests
---------
Co-authored-by: carolyncole <1599081+carolyncole@users.noreply.github.com>
---
app/views/projects/_edit_form.html.erb | 33 ++++++++++++------
spec/system/project_spec.rb | 46 +++++++++++++++++++++++++-
2 files changed, 67 insertions(+), 12 deletions(-)
diff --git a/app/views/projects/_edit_form.html.erb b/app/views/projects/_edit_form.html.erb
index d66e4853..b72e1a1a 100644
--- a/app/views/projects/_edit_form.html.erb
+++ b/app/views/projects/_edit_form.html.erb
@@ -131,18 +131,29 @@
<% end %>
- <% end %>
-
diff --git a/spec/system/project_spec.rb b/spec/system/project_spec.rb
index a0faf80e..071d077a 100644
--- a/spec/system/project_spec.rb
+++ b/spec/system/project_spec.rb
@@ -5,6 +5,7 @@
RSpec.describe "Project Page", connect_to_mediaflux: true, type: :system do
let(:sponsor_user) { FactoryBot.create(:project_sponsor, uid: "pul123", mediaflux_session: SystemUser.mediaflux_session) }
let(:sysadmin_user) { FactoryBot.create(:sysadmin, uid: "puladmin", mediaflux_session: SystemUser.mediaflux_session) }
+ let(:superuser) { FactoryBot.create(:superuser, uid: "root", mediaflux_session: SystemUser.mediaflux_session) }
let!(:data_manager) { FactoryBot.create(:data_manager, uid: "pul987", mediaflux_session: SystemUser.mediaflux_session) }
let(:read_only) { FactoryBot.create :user }
let(:read_write) { FactoryBot.create :user }
@@ -126,6 +127,10 @@
expect(project_in_mediaflux.metadata[:project_directory]).to eq "project-123"
end
+ it "prevents sponsor users from editing the directory field" do
+ expect(page.find_all("#project_directory[readonly]").count).to eq(1)
+ end
+
it "loads existing Data Sponsor" do
expect(page.find("#non-editable-data-sponsor").text).to eq sponsor_user.uid
end
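Review bot: The new example `it "prevents sponsor users from editing the directory field"` only checks that the rendered input carries the `readonly` attribute. That attribute is a browser-side hint and does not stop a sponsor from submitting a changed `project_directory` value in a request that bypasses the form. Nothing visible in this patch shows the server rejecting or ignoring that parameter for non-administrators. If that enforcement exists elsewhere, it deserves a request or controller spec next to this one; if it does not, the restriction is presentational only. I would also add a comment above the example, such as `# UI check only; server-side enforcement is covered in <spec path placeholder>`; the enclosing context and its `before` block start outside the hunk.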
@@ -162,6 +167,44 @@
expect(page).to have_content(project_in_mediaflux.title)
end
end
+
+ context "when authenticated as a superuser" do
+ context "when the project is not persisted within Mediaflux" do
+ before do
+ project_not_in_mediaflux
+ project_not_in_mediaflux.metadata_model.status = Project::APPROVED_STATUS
+ project_not_in_mediaflux.save!
+ project_not_in_mediaflux.reload
+
+ sign_in superuser
+
+ visit "/projects/#{project_not_in_mediaflux.id}/edit"
+ end
+
+ it "permits superusers to edit the directory field" do
+ expect(page.find_all("#project_directory[readonly]").count).to eq(0)
+ end
+ end
+ end
+
+ context "when authenticated as a sysadmin user" do
+ context "when the project is not persisted within Mediaflux" do
+ before do
+ project_not_in_mediaflux
+ project_not_in_mediaflux.metadata_model.status = Project::APPROVED_STATUS
+ project_not_in_mediaflux.save!
+ project_not_in_mediaflux.reload
+
+ sign_in sysadmin_user
+
+ visit "/projects/#{project_not_in_mediaflux.id}/edit"
+ end
+
+ it "permits sysadmin users to edit the directory field" do
+ expect(page.find_all("#project_directory[readonly]").count).to eq(0)
+ end
+ end
+ end
end
context "Create page" do
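Review bot: Both new examples assert that `page.find_all("#project_directory[readonly]").count` equals 0, which also passes when the edit page never rendered the field at all, for instance after a redirect or an authorization failure. Assert the positive state instead, e.g. `expect(page).to have_field("project_directory", readonly: false)`, so the example fails unless an editable field is actually present. The two `before` blocks are identical apart from the signed-in user and could be folded into one `shared_examples`. The commit message also mentions projects already persisted in Mediaflux, but this hunk has no example covering that case for either role.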
@@ -324,7 +367,8 @@
fill_in_and_out "ro-user-uid-to-add", with: read_only.uid
fill_in_and_out "rw-user-uid-to-add", with: read_write.uid
select "Research Data and Scholarship Services", from: "departments"
- fill_in "project_directory", with: FFaker::Name.name.tr(" ", "_")
+ project_directory = FFaker::Name.name.tr(" ", "_")
+ fill_in "project_directory", with: project_directory
fill_in "title", with: "My test project"
expect(page).to have_content("/td-test-001/")
expect(page.find_all("input:invalid").count).to eq(0)
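Review bot: The new local `project_directory` is used only by the `fill_in` on the following line, and no other hunk in this patch adds a use of it, so the extraction currently changes nothing. Either keep the original one-liner or use the value in an assertion after the form is submitted, for example that the saved project's directory metadata equals it. The rest of the example lies outside the hunk, so where such a check belongs cannot be judged from here.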