secure organisations configuration page

Author: giosakti

app/controllers/organisations_controller.rb

@@ -1,4 +1,5 @@
 class OrganisationsController < ApplicationController
+  before_action :authorize_user, except: [:index]
   before_action :load_org, only: %i(
     config_saml_app update show setup_saml save_config_saml_app
     remove_user_saml_app add_user_saml_app
@@ -75,10 +76,6 @@ def create
   end
 
   def update
-    unless current_user.admin?
-      return redirect_to organisations_path, notice: 'Unauthorized access'
-    end
-
     @org.update_profile(organisation_params.to_h || {})
     if @org.errors.blank?
       flash[:success] = 'Successfully updated organisation'
@@ -105,6 +102,15 @@ def setup_saml
 
   private
 
+  def authorize_user
+    unless current_user.admin?
+      respond_to do |format|
+        format.html { redirect_to organisations_path, notice: 'Unauthorized access' }
+        format.json { render json: {}, status: :unauthorized }
+      end
+    end
+  end
+
   def load_org
     id = params[:id] || params[:organisation_id]
     @org = Organisation.where(id: id).first

spec/controllers/organisations_controller_spec.rb

@@ -27,6 +27,19 @@
     }
   end
 
+  describe 'GET #index' do
+    context 'authenticated as non admin' do
+      it 'should respond with 200' do
+        create(:user)
+        non_admin = create(:user, admin: false)
+        sign_in non_admin
+        organisation = create(:organisation, valid_attributes)
+        get :index
+        expect(response.status).to eq(200)
+      end
+    end
+  end
+
   describe 'PATCH #update' do
     context 'authenticated as admin' do
       it 'should update requested organisations' do
@@ -89,4 +102,26 @@
       end
     end
   end
+
+  describe 'GET #config_saml_app' do
+    context 'authenticated as non admin' do
+      it 'should redirect to organisations path' do
+        create(:user)
+        non_admin = create(:user, admin: false)
+        sign_in non_admin
+        organisation = create(:organisation, valid_attributes)
+        get :config_saml_app, params: { organisation_id: organisation.id, app_name: 'datadog' }
+        expect(response).to redirect_to(organisations_path)
+      end
+
+      it 'should flash unauthorized access' do
+        create(:user)
+        non_admin = create(:user, admin: false)
+        sign_in non_admin
+        organisation = create(:organisation, valid_attributes)
+        get :config_saml_app, params: { organisation_id: organisation.id, app_name: 'datadog' }
+        expect(flash[:notice]).to eq('Unauthorized access')
+      end
+    end
+  end
 end