Merge pull request #285 from wearefine/68563-global-search-authorization

authorize global search results

app/controllers/fae/application_controller.rb

@@ -105,7 +105,18 @@ def all_models
     def load_and_filter_models
       # load of all models since Rails caches activerecord queries.
       Rails.application.eager_load!
-      ActiveRecord::Base.descendants.map.reject { |m| m.name['Fae::'] || !m.instance_methods.include?(:fae_display_field) || Fae.dashboard_exclusions.include?(m.name) }
+      ActiveRecord::Base.descendants.map.reject { |m| m.name['Fae::'] || !m.instance_methods.include?(:fae_display_field) || Fae.dashboard_exclusions.include?(m.name) || !authorize_model(m) }
+    end
+
+    def authorize_model(model)
+      return false if current_user.blank? || current_user.role.blank? || current_user.role.name.blank?
+
+      users_role           = current_user.role.name.downcase
+      tableized_model      = model.name.tableize
+      role_group_for_model = Fae::Authorization.access_map[tableized_model]
+
+      return true if role_group_for_model.blank? || (role_group_for_model.present? && role_group_for_model.include?(users_role))
+      false
     end
 
   end

spec/dummy/app/models/concerns/fae/authorization_concern.rb

@@ -20,10 +20,11 @@ module ClassMethods
       # }
       def access_map
         {
-          'people' => ['super admin', 'admin'],
+          'people' => ['super admin', 'admin', 'user'],
           'locations' => ['super admin', 'admin'],
           'validation_testers' => ['super admin', 'admin'],
           'releases' => ['super admin', 'admin'],
+          'beers' => ['super admin', 'admin'],
           'selling_points' => ['super admin', 'admin'],
           'jerseys' => ['super admin', 'admin'],
           'content_blocks/about_us' => ['super admin']

spec/dummy/app/models/concerns/fae/navigation_concern.rb

@@ -20,6 +20,7 @@ def structure
           item('Locations', path: admin_locations_path),
           item('Validation Testers', path: admin_validation_testers_path),
         ]),
+        item('Beers', path: admin_beers_path),
         item('Pages', path: fae.pages_path, subitems: [
           item('Home', path: fae.edit_content_block_path('home')),
           item('Contact Us', path: fae.edit_content_block_path('contact_us')),

spec/features/global_search_spec.rb

@@ -34,4 +34,34 @@
     end
   end
 
+  # see dummy app's authorization concern for auth mapping used here
+  scenario "search results get authorized", js: true do
+    FactoryGirl.create(:release, name: '2012 Chardonnay')
+    FactoryGirl.create(:person, name: 'Rupert')
+
+    user_login
+    visit fae_path
+
+    within('#js-utility-search') do
+      # user hovers on the search icon
+      first('a').hover
+
+      # doesn't see unauthorized stuff
+      # object
+      fill_in('js-global-search', with: 'char')
+      expect(page).to_not have_content('2012 Chardonnay')
+      # page
+      fill_in('js-global-search', with: 'abou')
+      expect(page).to_not have_content('About Us')
+
+      # sees authorized stuff
+      # object
+      fill_in('js-global-search', with: 'rup')
+      expect(page).to have_content('Rupert')
+      # page
+      fill_in('js-global-search', with: 'home')
+      expect(page).to have_content('Home')
+    end
+  end
+
 end

spec/requests/nav_spec.rb

@@ -54,11 +54,11 @@
       expect(response.body).to_not include('<a href="/admin/root">Root Settings</a>')
     end
 
-    it 'should not display events top nav item' do
+    it 'should not display beers top nav item' do
       user_login
       get fae_path
 
-      expect(response.body).to_not include('<a href="#">Events</a>')
+      expect(response.body).to_not include('<a href="#">Beers</a>')
     end
   end