Fix admins being disallowed from tags pages

otwcode · Dec 23, 2024 · f72c5fe · f72c5fe
1 parent 6caa157
commit f72c5fe
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 11 deletions.
diff --git a/app/controllers/tags_controller.rb b/app/controllers/tags_controller.rb
@@ -56,25 +56,23 @@ def search
     flash_search_warnings(@tags)
   end
 
-  # if user is admin with view access or Tag Wrangler, show them details about the tag
-  # if user is not logged in or a regular user, show them
-  #   1. the works, if the tag had been wrangled and we can redirect them to works using it or its canonical merger
-  #   2. the tag, the works and the bookmarks using it, if the tag is unwrangled (because we can't redirect them
-  #       to the works controller)
   def show
-    authorize :wrangling, :read_access? if logged_in_as_admin?
-
     @page_subtitle = @tag.name
-    if @tag.is_a?(Banned) && !logged_in_as_admin?
+    if @tag.is_a?(Banned) 
+      if !logged_in_as_admin?
       flash[:error] = ts('Please log in as admin')
       redirect_to(tag_wranglings_path) && return
+      elsif !policy(:wrangling).read_access?
+      flash[:error] = ts('Sorry, only an authorized admin can access the page you were trying to reach.')
+      redirect_to(root_path) && return
+      end
     end
     # if tag is NOT wrangled, prepare to show works and bookmarks that are using it
     if !@tag.canonical && !@tag.merger
       if logged_in? # current_user.is_a?User
         @works = @tag.works.visible_to_registered_user.paginate(page: params[:page])
       elsif logged_in_as_admin?
-        @works = @tag.works.visible_to_owner.paginate(page: params[:page])
+        @works = @tag.works.visible_to_admin.paginate(page: params[:page])
       else
         @works = @tag.works.visible_to_all.paginate(page: params[:page])
       end

diff --git a/app/helpers/tags_helper.rb b/app/helpers/tags_helper.rb
@@ -99,7 +99,7 @@ def tag_category_name(tag_type)
 
   # Should the current user be able to access tag wrangling pages?
   def can_wrangle?
-    logged_in_as_admin? || (current_user.is_a?(User) && current_user.is_tag_wrangler?)
+    policy(:wrangling).read_access? || (current_user.is_a?(User) && current_user.is_tag_wrangler?)
   end
 
   # Determines whether or not to display warnings for a creation

diff --git a/spec/controllers/tags_controller_spec.rb b/spec/controllers/tags_controller_spec.rb
@@ -288,10 +288,35 @@
   end
 
   describe "show" do   
+    context "displays the tag information page" do
+      let(:tag) { create(:tag) }
+
+      subject { get :show, params: { id: tag.name } }
+      let(:success) do
+        expect(response).to have_http_status(:success)
+      end
+
+      it "for guests" do
+        subject
+        success
+      end
+
+      it "for users" do
+        fake_login
+        subject
+        success
+      end
+
+      it "for admins" do
+        fake_login_admin(create(:admin))
+        subject
+        success
+      end
+    end
     context "when showing a banned tag" do
       let(:tag) { create(:banned) } 
 
-      subject { get :edit, params: { id: tag.name } }
+      subject { get :show, params: { id: tag.name } }
       let(:success) do
         expect(response).to have_http_status(:success)
       end