DEV: Extend specs coverage for non-admin access to admin endpoints (#18833)

Replace base controller class inheritance specs with explicit specs
for non-staff and moderator access to admin resources

spec/requests/admin/dashboard_controller_spec.rb

@@ -1,60 +1,116 @@
 # frozen_string_literal: true
 
 RSpec.describe Admin::DashboardController do
+  fab!(:admin) { Fabricate(:admin) }
+  fab!(:moderator) { Fabricate(:moderator) }
+  fab!(:user) { Fabricate(:user) }
+
   before do
     AdminDashboardData.stubs(:fetch_cached_stats).returns(reports: [])
     Jobs::VersionCheck.any_instance.stubs(:execute).returns(true)
   end
 
-  it "is a subclass of StaffController" do
-    expect(Admin::DashboardController < Admin::StaffController).to eq(true)
+  def populate_new_features
+    sample_features = [
+      {
+        "id" => "1",
+        "emoji" => "🤾",
+        "title" => "Cool Beans",
+        "description" => "Now beans are included",
+        "created_at" => Time.zone.now - 40.minutes
+      },
+      {
+        "id" => "2",
+        "emoji" => "🙈",
+        "title" => "Fancy Legumes",
+        "description" => "Legumes too!",
+        "created_at" => Time.zone.now - 20.minutes
+      }
+    ]
+
+    Discourse.redis.set('new_features', MultiJson.dump(sample_features))
   end
 
-  context 'while logged in as an admin' do
-    fab!(:admin) { Fabricate(:admin) }
+  describe '#index' do
+    shared_examples "version info present" do
+      it "returns discourse version info" do
+        get "/admin/dashboard.json"
 
-    def populate_new_features
-      sample_features = [
-        { "id" => "1", "emoji" => "🤾", "title" => "Cool Beans", "description" => "Now beans are included", "created_at" => Time.zone.now - 40.minutes },
-        { "id" => "2", "emoji" => "🙈", "title" => "Fancy Legumes", "description" => "Legumes too!",  "created_at" => Time.zone.now - 20.minutes }
-      ]
-
-      Discourse.redis.set('new_features', MultiJson.dump(sample_features))
+        expect(response.status).to eq(200)
+        expect(response.parsed_body["version_check"]).to be_present
+      end
     end
 
-    before do
-      sign_in(admin)
+    shared_examples "version info absent" do
+      before do
+        SiteSetting.version_checks = false
+      end
+
+      it "does not return discourse version info" do
+        get "/admin/dashboard.json"
+
+        expect(response.status).to eq(200)
+        json = response.parsed_body
+        expect(json["version_check"]).not_to be_present
+      end
     end
 
-    describe '#index' do
-      context 'when version checking is enabled' do
+    context "when logged in as an admin" do
+      before { sign_in(admin) }
+
+      context "when version checking is enabled" do
         before do
           SiteSetting.version_checks = true
         end
 
-        it 'returns discourse version info' do
-          get "/admin/dashboard.json"
-
-          expect(response.status).to eq(200)
-          expect(response.parsed_body['version_check']).to be_present
-        end
+        include_examples "version info present"
       end
 
-      context 'when version checking is disabled' do
+      context "when version checking is disabled" do
         before do
           SiteSetting.version_checks = false
         end
 
-        it 'does not return discourse version info' do
-          get "/admin/dashboard.json"
-          expect(response.status).to eq(200)
-          json = response.parsed_body
-          expect(json['version_check']).not_to be_present
-        end
+        include_examples "version info absent"
       end
     end
 
-    describe '#problems' do
+    context "when logged in as a moderator" do
+      before { sign_in(moderator) }
+
+      context "when version checking is enabled" do
+        before do
+          SiteSetting.version_checks = true
+        end
+
+        include_examples "version info present"
+      end
+
+      context "when version checking is disabled" do
+        before do
+          SiteSetting.version_checks = false
+        end
+
+        include_examples "version info absent"
+      end
+    end
+
+    context "when logged in as a non-staff user" do
+      before  { sign_in(user) }
+
+      it "denies access with a 404 response" do
+        get "/admin/dashboard.json"
+
+        expect(response.status).to eq(404)
+        expect(response.parsed_body["errors"]).to include(I18n.t("not_found"))
+      end
+    end
+  end
+
+  describe '#problems' do
+    context "when logged in as an admin" do
+      before { sign_in(admin) }
+
       context 'when there are no problems' do
         before do
           AdminDashboardData.stubs(:fetch_problems).returns([])
@@ -85,8 +141,40 @@ RSpec.describe Admin::DashboardController do
       end
     end
 
-    describe '#new_features' do
+    context "when logged in as a moderator" do
       before do
+        sign_in(moderator)
+        AdminDashboardData
+          .stubs(:fetch_problems)
+          .returns(['Not enough awesome', 'Too much sass'])
+      end
+
+      it 'returns a list of problems' do
+        get "/admin/dashboard/problems.json"
+
+        expect(response.status).to eq(200)
+        json = response.parsed_body
+        expect(json['problems'].size).to eq(2)
+        expect(json['problems']).to contain_exactly('Not enough awesome', 'Too much sass')
+      end
+    end
+
+    context "when logged in as a non-staff user" do
+      before  { sign_in(user) }
+
+      it "denies access with a 404 response" do
+        get "/admin/dashboard/problems.json"
+
+        expect(response.status).to eq(404)
+        expect(response.parsed_body["errors"]).to include(I18n.t("not_found"))
+      end
+    end
+  end
+
+  describe '#new_features' do
+    context "when logged in as an admin" do
+      before do
+        sign_in(admin)
         Discourse.redis.del "new_features_last_seen_user_#{admin.id}"
         Discourse.redis.del "new_features"
       end
@@ -131,7 +219,39 @@ RSpec.describe Admin::DashboardController do
       end
     end
 
-    describe '#mark_new_features_as_seen' do
+    context "when logged in as a moderator" do
+      before { sign_in(moderator) }
+
+      it 'includes new features when available' do
+        populate_new_features
+
+        get "/admin/dashboard/new-features.json"
+
+        json = response.parsed_body
+
+        expect(json['new_features'].length).to eq(2)
+        expect(json['new_features'][0]["emoji"]).to eq("🙈")
+        expect(json['new_features'][0]["title"]).to eq("Fancy Legumes")
+        expect(json['has_unseen_features']).to eq(true)
+      end
+    end
+
+    context "when logged in as a non-staff user" do
+      before { sign_in(user) }
+
+      it "denies access with a 404 response" do
+        get "/admin/dashboard/new-features.json"
+
+        expect(response.status).to eq(404)
+        expect(response.parsed_body["errors"]).to include(I18n.t("not_found"))
+      end
+    end
+  end
+
+  describe '#mark_new_features_as_seen' do
+    context "when logged in as an admin" do
+      before { sign_in(admin) }
+
       it 'resets last seen for a given user' do
         populate_new_features
         put "/admin/dashboard/mark-new-features-as-seen.json"
@@ -141,5 +261,30 @@ RSpec.describe Admin::DashboardController do
         expect(DiscourseUpdates.has_unseen_features?(admin.id)).to eq(false)
       end
     end
+
+    context "when logged in as a moderator" do
+      before { sign_in(moderator) }
+
+      it "resets last seen for moderator" do
+        populate_new_features
+
+        put "/admin/dashboard/mark-new-features-as-seen.json"
+
+        expect(response.status).to eq(200)
+        expect(DiscourseUpdates.new_features_last_seen(moderator.id)).not_to eq(nil)
+        expect(DiscourseUpdates.has_unseen_features?(moderator.id)).to eq(false)
+      end
+    end
+
+    context "when logged in as a non-staff user" do
+      before { sign_in(user) }
+
+      it "prevents marking new feature as seen with a 404 response" do
+        put "/admin/dashboard/mark-new-features-as-seen.json"
+
+        expect(response.status).to eq(404)
+        expect(response.parsed_body["errors"]).to include(I18n.t("not_found"))
+      end
+    end
   end
 end