AO3-6762: Restrict access to actions on TagsController (#4917)

* made changes to tags controller + add UTs * address rubocop and fix cucumber tests * fix rubocop * trigger build to hopefully fix flaky UT * add check for wrangle, refactored UTs * figure out how paramaterization works with shared examples * apply requested formatting changes
otwcode · Nov 28, 2024 · a3602f8 · a3602f8
1 parent 634e7fe
commit a3602f8
Show file tree

Hide file tree

Showing 11 changed files with 151 additions and 53 deletions.
diff --git a/app/controllers/tags_controller.rb b/app/controllers/tags_controller.rb
@@ -56,12 +56,14 @@ def search
     flash_search_warnings(@tags)
   end
 
-  # if user is Admin or Tag Wrangler, show them details about the tag
+  # if user is admin with view access or Tag Wrangler, show them details about the tag
   # if user is not logged in or a regular user, show them
   #   1. the works, if the tag had been wrangled and we can redirect them to works using it or its canonical merger
   #   2. the tag, the works and the bookmarks using it, if the tag is unwrangled (because we can't redirect them
   #       to the works controller)
   def show
+    authorize :wrangling, :read_access? if logged_in_as_admin?
+
     @page_subtitle = @tag.name
     if @tag.is_a?(Banned) && !logged_in_as_admin?
       flash[:error] = ts('Please log in as admin')
@@ -166,6 +168,8 @@ def show_hidden
 
   # GET /tags/new
   def new
+    authorize :wrangling if logged_in_as_admin?
+
     @tag = Tag.new
 
     respond_to do |format|
@@ -209,6 +213,8 @@ def create
   end
 
   def edit
+    authorize :wrangling, :read_access? if logged_in_as_admin?
+
     @page_subtitle = ts('%{tag_name} - Edit', tag_name: @tag.name)
 
     if @tag.is_a?(Banned) && !logged_in_as_admin?
@@ -241,6 +247,8 @@ def edit
   end
 
   def update
+    authorize :wrangling if logged_in_as_admin?
+
     # update everything except for the synonym,
     # so that the associations are there to move when the synonym is created
     syn_string = params[:tag].delete(:syn_string)
@@ -272,6 +280,8 @@ def update
   end
 
   def wrangle
+    authorize :wrangling, :read_access? if logged_in_as_admin?
+
     @page_subtitle = ts('%{tag_name} - Wrangle', tag_name: @tag.name)
     @counts = {}
     @tag.child_types.map { |t| t.underscore.pluralize.to_sym }.each do |tag_type|
@@ -303,6 +313,8 @@ def wrangle
   end
 
   def mass_update
+    authorize :wrangling if logged_in_as_admin?
+
     params[:page] = '1' if params[:page].blank?
     params[:sort_column] = 'name' unless valid_sort_column(params[:sort_column], 'tag')
     params[:sort_direction] = 'ASC' unless valid_sort_direction(params[:sort_direction])

diff --git a/app/policies/wrangling_policy.rb b/app/policies/wrangling_policy.rb
@@ -2,13 +2,20 @@
 
 class WranglingPolicy < ApplicationPolicy
   FULL_ACCESS_ROLES = %w[superadmin tag_wrangling].freeze
+  READ_ACCESS_ROLES = (FULL_ACCESS_ROLES + %w[policy_and_abuse]).freeze
 
   def full_access?
     user_has_roles?(FULL_ACCESS_ROLES)
   end
 
+  def read_access?
+    user_has_roles?(READ_ACCESS_ROLES)
+  end
+
   alias create? full_access?
   alias destroy? full_access?
+  alias mass_update? full_access?
+  alias new? full_access?
   alias show? full_access?
   alias report_csv? full_access?
   alias new? full_access?

diff --git a/features/bookmarks/bookmark_indexing.feature b/features/bookmarks/bookmark_indexing.feature
@@ -63,7 +63,7 @@ Feature: Bookmark Indexing
     Given a canonical fandom "Veronica Mars"
       And a canonical fandom "Veronica Mars (TV)"
       And bookmarks of external works and series tagged with the fandom tag "Veronica Mars"
-      And I am logged in as an admin
+      And I am logged in as a "tag_wrangling" admin
     When I syn the tag "Veronica Mars" to "Veronica Mars (TV)"
       And I go to the bookmarks tagged "Veronica Mars (TV)"
     Then I should see "BookmarkedExternalWork"

diff --git a/features/tags_and_wrangling/tag_wrangling.feature b/features/tags_and_wrangling/tag_wrangling.feature
@@ -311,7 +311,7 @@ Feature: Tag wrangling
   Scenario: An admin can see the troubleshoot button on a tag page
 
     Given a canonical fandom "Cowboy Bebop"
-      And I am logged in as an admin
+      And I am logged in as a "tag_wrangling" admin
     When I view the tag "Cowboy Bebop"
     Then I should see "Troubleshoot"
 

diff --git a/features/tags_and_wrangling/tag_wrangling_admin.feature b/features/tags_and_wrangling/tag_wrangling_admin.feature
@@ -11,7 +11,7 @@ Feature: Tag wrangling
       And I go to my bookmarks page
       And I go to my works page
       And I go to the work "Luncheon"
-    When I am logged in as an admin
+    When I am logged in as a "tag_wrangling" admin
       And I edit the tag "Amelie"
       And I fill in "Synonym of" with "Amélie"
       And I press "Save changes"
@@ -34,7 +34,7 @@ Feature: Tag wrangling
 
   Scenario: Admin can rename a tag using Eastern characters
 
-  Given I am logged in as an admin
+  Given I am logged in as a "tag_wrangling" admin
     And a fandom exists with name: "先生", canonical: false
   When I edit the tag "先生"
     And I fill in "Name" with "てりやき"

diff --git a/features/tags_and_wrangling/tag_wrangling_characters.feature b/features/tags_and_wrangling/tag_wrangling_characters.feature
@@ -53,7 +53,7 @@ Scenario: character wrangling - syns, mergers, characters, autocompletes
   When I follow "Edit The First Doctor"
   Then I should not see "Make tag non-canonical and unhook all associations"
 
-  Given I am logged in as an admin
+  Given I am logged in as a "tag_wrangling" admin
   When I edit the tag "The First Doctor"
   Then I should see "Make tag non-canonical and unhook all associations"
     And I should see "The Doctor (1st)"
@@ -129,7 +129,7 @@ Scenario: character wrangling - syns, mergers, characters, autocompletes
   When I follow "First Doctor"
   Then I should see "John Smith"
     And I should see "The Doctor"
-  When I am logged in as an admin
+  When I am logged in as a "tag_wrangling" admin
     And I edit the tag "First Doctor"
     And I fill in "Synonym of" with "First Doctor (DW)"
     And I press "Save changes"

diff --git a/features/tags_and_wrangling/tag_wrangling_fandoms.feature b/features/tags_and_wrangling/tag_wrangling_fandoms.feature
@@ -116,7 +116,7 @@ Scenario: fandoms wrangling - syns, mergers, autocompletes, metatags
   When I edit the tag "Stargate SG-1"
   Then I should see "Stargate SG-1: Ark of Truth" within "div#child_SubTag_associations_to_remove_checkboxes"
     And I should see "Stargate Franchise" within "div#parent_MetaTag_associations_to_remove_checkboxes"
-  When I am logged in as an admin
+  When I am logged in as a "tag_wrangling" admin
     And I edit the tag "Stargate SG-1"
     And I fill in "Synonym of" with "Stargate SG-1: Greatest Show in the Universe"
     And I press "Save changes"

diff --git a/features/tags_and_wrangling/tag_wrangling_freeforms.feature b/features/tags_and_wrangling/tag_wrangling_freeforms.feature
@@ -95,7 +95,7 @@ Scenario: freeforms wrangling - syns, mergers, autocompletes, metatags
   Then I should see "Tag was updated"
   When I follow "Alternate Universe Pirates"
   Then I should see "Alternate Universe Space Pirates"
-  When I am logged in as an admin
+  When I am logged in as a "tag_wrangling" admin
     And I edit the tag "Alternate Universe Pirates"
     And I fill in "Synonym of" with "Alternate Universe Pirrrates"
     And I press "Save changes"

diff --git a/features/tags_and_wrangling/tag_wrangling_more.feature b/features/tags_and_wrangling/tag_wrangling_more.feature
@@ -222,7 +222,7 @@ Feature: Tag wrangling: assigning wranglers, using the filters on the Wranglers
     When I am logged in as a random user
      And I view the tag "Cowboy Bebop"
     Then I should see "Sorry, you don't have permission to access the page you were trying to reach."
-    When I am logged in as an admin
+    When I am logged in as a "tag_wrangling" admin
      And I view the tag "Cowboy Bebop"
     Then I should not see "Please log in as an admin"
      And I should see "Cowboy Bebop"

diff --git a/features/tags_and_wrangling/tag_wrangling_relationships.feature b/features/tags_and_wrangling/tag_wrangling_relationships.feature
@@ -126,7 +126,7 @@ Scenario: relationship wrangling - syns, mergers, characters, autocompletes
   When I follow "Jack Harkness/Ianto Jones"
   Then I should see "Jack Harkness/Robot Ianto Jones"
     And I should see "Jack Harkness/Male Character"
-  When I am logged in as an admin
+  When I am logged in as a "tag_wrangling" admin
     And I edit the tag "Jack Harkness/Ianto Jones"
     And I fill in "Synonym of" with "Captain Jack Harkness/Ianto Jones"
     And I press "Save changes"
@@ -270,7 +270,7 @@ Scenario: AO3-2147 Creating a new merger to a non-can tag while adding character
     And I should see "Testypants/Testyskirt"
     And the "Canonical" checkbox should be checked and disabled
 
-  When I am logged in as an admin
+  When I am logged in as a "tag_wrangling" admin
     And I edit the tag "Testing McTestypants/Testing McTestySkirt"
     And I fill in "Synonym of" with "Dame Tester/Sir Tester"
     And I press "Save changes"