From 0a2468869f4b6439f22182f6e7db5bb134842b56 Mon Sep 17 00:00:00 2001
From: Ryan Bigg <radar@lifx.co>
Date: Sun, 16 Nov 2014 22:12:10 +1100
Subject: [PATCH] Section 7.2.2: Lock down specific projects controller actions
 for admins only

---
 ticketee/app/helpers/application_helper.rb  |  4 ++
 ticketee/app/views/projects/index.html.erb  |  4 +-
 ticketee/app/views/projects/show.html.erb   | 22 ++++----
 ticketee/spec/features/hidden_links_spec.rb | 60 +++++++++++++++++++++
 ticketee/spec/rails_helper.rb               |  2 +-
 ticketee/spec/support/capybara_helpers.rb   | 15 ++++++
 6 files changed, 95 insertions(+), 12 deletions(-)
 create mode 100644 ticketee/spec/features/hidden_links_spec.rb
 create mode 100644 ticketee/spec/support/capybara_helpers.rb

diff --git a/ticketee/app/helpers/application_helper.rb b/ticketee/app/helpers/application_helper.rb
index 1f1fea7..4457356 100644
--- a/ticketee/app/helpers/application_helper.rb
+++ b/ticketee/app/helpers/application_helper.rb
@@ -6,4 +6,8 @@ def title(*parts)
       end
     end
   end
+
+  def admins_only(&block)
+    block.call if current_user.try(:admin?)
+  end
 end
diff --git a/ticketee/app/views/projects/index.html.erb b/ticketee/app/views/projects/index.html.erb
index ebb5bc6..5175af5 100644
--- a/ticketee/app/views/projects/index.html.erb
+++ b/ticketee/app/views/projects/index.html.erb
@@ -1,4 +1,6 @@
-<%= link_to "New Project", new_project_path, class: "new" %>
+<% admins_only do %>
+  <%= link_to "New Project", new_project_path, class: "new" %>
+<% end %>
 
 <h2>Projects</h2>
 <ul>
diff --git a/ticketee/app/views/projects/show.html.erb b/ticketee/app/views/projects/show.html.erb
index 2957325..82e5a2f 100644
--- a/ticketee/app/views/projects/show.html.erb
+++ b/ticketee/app/views/projects/show.html.erb
@@ -1,16 +1,18 @@
 <% title(@project.name, "Projects") %>
 <h2><%= @project.name %></h2>
-<%= link_to "Edit Project",
-    edit_project_path(@project),
-    class: "edit" %>
+<% admins_only do %>
+  <%= link_to "Edit Project",
+      edit_project_path(@project),
+      class: "edit" %>
 
-<%= link_to "Delete Project",
-     project_path(@project),
-     method: :delete,
-     data: { confirm:
-               "Are you sure you want to delete this project?"
-           },
-     class: "delete" %>
+  <%= link_to "Delete Project",
+       project_path(@project),
+       method: :delete,
+       data: { confirm:
+                 "Are you sure you want to delete this project?"
+             },
+       class: "delete" %>
+<% end %>
 
 <%= link_to "New Ticket",
    new_project_ticket_path(@project),
diff --git a/ticketee/spec/features/hidden_links_spec.rb b/ticketee/spec/features/hidden_links_spec.rb
new file mode 100644
index 0000000..12643f1
--- /dev/null
+++ b/ticketee/spec/features/hidden_links_spec.rb
@@ -0,0 +1,60 @@
+require "rails_helper"
+
+feature "hidden links" do
+  let(:user) { FactoryGirl.create(:user) }
+  let(:admin) { FactoryGirl.create(:admin_user) }
+  let(:project) { FactoryGirl.create(:project) }
+
+  context "anonymous users" do
+    scenario "cannot see the New Project link" do
+      visit "/"
+      assert_no_link_for "New Project"
+    end
+
+    scenario "cannot see the Edit Project link" do
+      visit project_path(project)
+      assert_no_link_for "Edit Project"
+    end
+
+    scenario "cannot see the Delete Project link" do
+      visit project_path(project)
+      assert_no_link_for "Delete Project"
+    end
+  end
+
+  context "regular users" do
+    before { login_as(user) }
+    scenario "cannot see the New Project link" do
+      visit "/"
+      assert_no_link_for "New Project"
+    end
+
+    scenario "cannot see the Edit Project link" do
+      visit project_path(project)
+      assert_no_link_for "Edit Project"
+    end
+
+    scenario "cannot see the Delete Project link" do
+      visit project_path(project)
+      assert_no_link_for "Delete Project"
+    end
+  end
+
+  context "admin users" do
+    before { login_as(admin) }
+    scenario "can see the New Project link" do
+      visit "/"
+      assert_link_for "New Project"
+    end
+
+    scenario "can see the Edit Project link" do
+      visit project_path(project)
+      assert_link_for "Edit Project"
+    end
+
+    scenario "can see the Delete Project link" do
+      visit project_path(project)
+      assert_link_for "Delete Project"
+    end
+  end
+end
diff --git a/ticketee/spec/rails_helper.rb b/ticketee/spec/rails_helper.rb
index 8e165bd..f1cdd44 100644
--- a/ticketee/spec/rails_helper.rb
+++ b/ticketee/spec/rails_helper.rb
@@ -18,7 +18,7 @@
 # directory. Alternatively, in the individual `*_spec.rb` files, manually
 # require only the support files necessary.
 #
-# Dir[Rails.root.join("spec/support/**/*.rb")].each { |f| require f }
+Dir[Rails.root.join("spec/support/**/*.rb")].each { |f| require f }
 
 # Checks for pending migrations before tests are run.
 # If you are not using ActiveRecord, you can remove this line.
diff --git a/ticketee/spec/support/capybara_helpers.rb b/ticketee/spec/support/capybara_helpers.rb
new file mode 100644
index 0000000..bd0e28e
--- /dev/null
+++ b/ticketee/spec/support/capybara_helpers.rb
@@ -0,0 +1,15 @@
+module CapybaraHelpers
+  def assert_no_link_for(text)
+    expect(page).to_not(have_css("a", :text => text),
+      "Expected not to see the #{text.inspect} link, but did.")
+  end
+
+  def assert_link_for(text)
+    expect(page).to(have_css("a", :text => text),
+      "Expected to see the #{text.inspect} link, but did not.")
+  end
+end
+
+RSpec.configure do |config|
+  config.include CapybaraHelpers, :type => :feature
+end