Merge pull request #6726 from samvera/hyrax-6725

Prevent unauthenticated access to /dashboard/collections/
samvera · Mar 1, 2024 · da11041 · da11041
2 parents 65e0658 + c23aede
commit da11041
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 15 deletions.
diff --git a/app/controllers/hyrax/dashboard/collections_controller.rb b/app/controllers/hyrax/dashboard/collections_controller.rb
@@ -26,9 +26,6 @@ class CollectionsController < Hyrax::My::CollectionsController
       # Catch permission errors
       rescue_from Hydra::AccessDenied, CanCan::AccessDenied, with: :deny_collection_access
 
-      # actions: index, create, new, edit, show, update, destroy, permissions, citation
-      before_action :authenticate_user!, except: [:index]
-
       class_attribute :presenter_class,
                       :form_class,
                       :single_item_search_builder_class,

diff --git a/spec/controllers/hyrax/dashboard/collections_controller_spec.rb b/spec/controllers/hyrax/dashboard/collections_controller_spec.rb
@@ -586,21 +586,31 @@
       end
 
       describe "#show" do
+        before do
+          if collection.is_a? Valkyrie::Resource
+            Hyrax::Collections::CollectionMemberService
+              .add_members(collection_id: collection.id,
+                           new_members: [asset1, asset2, asset3, asset4, asset5],
+                           user: user)
+          else
+            [asset1, asset2, asset3, asset4, asset5].each do |asset|
+              asset.member_of_collections << collection
+              asset.save!
+            end
+          end
+        end
+
+        context "when not signed in" do
+          it "is not successful" do
+            get :show, params: { id: collection }
+
+            expect(response).not_to be_successful
+          end
+        end
+
         context "when signed in" do
           before do
             sign_in user
-
-            if collection.is_a? Valkyrie::Resource
-              Hyrax::Collections::CollectionMemberService
-                .add_members(collection_id: collection.id,
-                             new_members: [asset1, asset2, asset3, asset4, asset5],
-                             user: user)
-            else
-              [asset1, asset2, asset3, asset4, asset5].each do |asset|
-                asset.member_of_collections << collection
-                asset.save!
-              end
-            end
           end
 
           it "returns the collection and its members" do
@@ -803,6 +813,29 @@
           expect(response).to be_successful
         end
       end
+
+      describe "#index" do
+        context "when not signed in" do
+          it "is not successful" do
+            get :index, params: { id: collection }
+
+            expect(response).not_to be_successful
+          end
+        end
+
+        context "when signed in" do
+          before do
+            sign_in user
+          end
+
+          it "sets breadcrumbs" do
+            expect(controller).to receive(:add_breadcrumb).with('Home', root_path(locale: 'en'))
+            expect(controller).to receive(:add_breadcrumb).with('Dashboard', dashboard_path(locale: 'en'))
+            expect(controller).to receive(:add_breadcrumb).with('Collections', my_collections_path(locale: 'en'))
+            get :index, params: { per_page: 1 }
+          end
+        end
+      end
     end
   end
 end