DEV: Extend specs coverage for non-admin access to admin endpoints (#18833)

Replace base controller class inheritance specs with explicit specs for non-staff and moderator access to admin resources
2025-05-31 21:41:47 +08:00 · 2022-11-03 03:42:44 +00:00
parent 612ab8710a
commit 52be5b3782
31 changed files with 7047 additions and 3433 deletions
--- a/spec/requests/admin/impersonate_controller_spec.rb
+++ b/spec/requests/admin/impersonate_controller_spec.rb
@ -1,28 +1,48 @@
 # frozen_string_literal: true

 RSpec.describe Admin::ImpersonateController do
+  fab!(:admin) { Fabricate(:admin) }
+  fab!(:moderator) { Fabricate(:moderator) }
+  fab!(:user) { Fabricate(:user) }
+  fab!(:another_admin) { Fabricate(:admin) }

-  it "is a subclass of AdminController" do
-    expect(Admin::ImpersonateController < Admin::AdminController).to eq(true)
-  end
+  describe '#index' do
+    context "when logged in as an admin" do
+      before { sign_in(admin) }

-  context 'while logged in as an admin' do
-    fab!(:admin) { Fabricate(:admin) }
-    fab!(:user) { Fabricate(:user) }
-    fab!(:another_admin) { Fabricate(:admin) }
-
-    before do
-      sign_in(admin)
-    end
-
-    describe '#index' do
      it 'returns success' do
        get "/admin/impersonate.json"
+
        expect(response.status).to eq(200)
      end
    end

-    describe '#create' do
+    shared_examples "impersonation inaccessible" do
+      it "denies access with a 404 response" do
+        get "/admin/impersonate.json"
+
+        expect(response.status).to eq(404)
+        expect(response.parsed_body["errors"]).to include(I18n.t("not_found"))
+      end
+    end
+
+    context "when logged in as a moderator" do
+      before { sign_in(moderator) }
+
+      include_examples "impersonation inaccessible"
+    end
+
+    context "when logged in as a non-staff user" do
+      before { sign_in(user) }
+
+      include_examples "impersonation inaccessible"
+    end
+  end
+
+  describe '#create' do
+    context "when logged in as an admin" do
+      before { sign_in(admin) }
+
      it 'requires a username_or_email parameter' do
        post "/admin/impersonate.json"
        expect(response.status).to eq(400)
@ -58,5 +78,32 @@ RSpec.describe Admin::ImpersonateController do
        end
      end
    end
+
+    shared_examples "impersonation not allowed" do
+      it "prevents impersonation with a with 404 response" do
+        expect do
+          post "/admin/impersonate.json", params: { username_or_email: user.username }
+        end.not_to change { UserHistory.where(action: UserHistory.actions[:impersonate]).count }
+
+        expect(response.status).to eq(404)
+        expect(session[:current_user_id]).to eq(current_user.id)
+      end
+    end
+
+    context "when logged in as a moderator" do
+      before { sign_in(moderator) }
+
+      include_examples "impersonation not allowed" do
+        let(:current_user) { moderator }
+      end
+    end
+
+    context "when logged in as a non-staff user" do
+      before { sign_in(user) }
+
+      include_examples "impersonation not allowed" do
+        let(:current_user) { user }
+      end
+    end
  end
 end