AO3-6760 Check admin roles in UnsortedTagsController

app/controllers/unsorted_tags_controller.rb

@@ -5,13 +5,17 @@ class UnsortedTagsController < ApplicationController
   before_action :check_permission_to_wrangle
 
   def index
+    authorize :wrangling if logged_in_as_admin?
+
     @tags = UnsortedTag.page(params[:page])
     @counts = tag_counts_per_category
   end
 
   def mass_update
-    unless params[:tags].blank?
-      params[:tags].delete_if {|tag_id, tag_type| tag_type.blank? }
+    authorize :wrangling if logged_in_as_admin?
+
+    if params[:tags].present?
+      params[:tags].delete_if { |_, tag_type| tag_type.blank? }
       tags = UnsortedTag.where(id: params[:tags].keys)
       tags.each do |tag|
         new_type = params[:tags][tag.id.to_s]

app/policies/wrangling_policy.rb

@@ -2,13 +2,20 @@
 
 class WranglingPolicy < ApplicationPolicy
   FULL_ACCESS_ROLES = %w[superadmin tag_wrangling].freeze
+  VIEW_ACCESS_ROLES = (FULL_ACCESS_ROLES + %w[policy_and_abuse]).freeze
 
   def full_access?
     user_has_roles?(FULL_ACCESS_ROLES)
   end
 
+  def view_access?
+    user_has_roles?(VIEW_ACCESS_ROLES)
+  end
+
   alias create? full_access?
   alias destroy? full_access?
+  alias index? view_access?
+  alias mass_update? full_access?
   alias show? full_access?
   alias report_csv? full_access?
 end

features/step_definitions/tag_steps.rb

@@ -427,6 +427,11 @@
   assert tag.type == tag_type
 end
 
+Then "the {string} tag should be an unsorted tag" do |tagname|
+  tag = Tag.find_by(name: tagname)
+  expect(tag).to be_a(UnsortedTag)
+end
+
 Then(/^the "([^"]*)" tag should (be|not be) canonical$/) do |tagname, canonical|
   tag = Tag.find_by(name: tagname)
   expected = canonical == "be"

features/tags_and_wrangling/tag_wrangling_unsorted.feature

@@ -58,3 +58,49 @@ Feature: Tag Wrangling - Unsorted Tags
     When I select "UnsortedTag" from "tag_type"
       And I press "Save changes"
     Then I should see "Tag was updated."
+
+  Scenario Outline: Editing unsorted tags as a fully authorized admin
+    Given an unsorted_tag exists with name: "Admin unsorted tag"
+      And I am logged in as a "<role>" admin
+    When I go to the unsorted_tags page
+      And I select "Freeform" for the unsorted tag "Admin unsorted tag"
+      And I press "Update"
+    Then I should see "Tags were successfully sorted"
+      And the "Admin unsorted tag" tag should be a "Freeform" tag
+
+    Examples:
+      | role             |
+      | superadmin       |
+      | tag_wrangling    |
+
+  Scenario Outline: Editing unsorted tags as a view-only admin
+    Given an unsorted_tag exists with name: "Admin unsorted tag"
+      And I am logged in as a "<role>" admin
+    When I go to the unsorted_tags page
+      And I select "Freeform" for the unsorted tag "Admin unsorted tag"
+      And I press "Update"
+    Then I should see "Sorry, only an authorized admin can access the page you were trying to reach."
+      And the "Admin unsorted tag" tag should be an unsorted tag
+
+    Examples:
+      | role             |
+      | policy_and_abuse |
+
+  Scenario Outline: Editing unsorted tags as an unauthorized admin
+    Given an unsorted_tag exists with name: "Admin unsorted tag"
+      And I am logged in as a "<role>" admin
+    When I go to the unsorted_tags page
+    Then I should see "Sorry, only an authorized admin can access the page you were trying to reach."
+
+    Examples:
+      | role                       |
+      | board                      |
+      | board_assistants_team      |
+      | communications             |
+      | development_and_membership |
+      | docs                       |
+      | elections                  |
+      | legal                      |
+      | translation                |
+      | support                    |
+      | open_doors                 |

spec/controllers/unsorted_tags_controller_spec.rb

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+require "spec_helper"
+
+describe UnsortedTagsController do
+  include LoginMacros
+  include RedirectExpectationHelper
+
+  describe "POST #mass_update" do
+    context "when accessing as a guest" do
+      before do
+        post :mass_update
+      end
+
+      it "redirects with an error" do
+        it_redirects_to_with_error(
+          new_user_session_path,
+          "Sorry, you don't have permission to access the page you were trying to reach. Please log in."
+        )
+      end
+    end
+
+    context "when logged in as a non-tag-wrangler user" do
+      let(:user) { create(:user) }
+
+      before do
+        fake_login_known_user(user)
+        post :mass_update
+      end
+
+      it "redirects with an error" do
+        it_redirects_to_with_error(
+          user_path(user),
+          "Sorry, you don't have permission to access the page you were trying to reach."
+        )
+      end
+    end
+
+    context "when logged in as an admin with no roles" do
+      before do
+        fake_login_admin(create(:admin))
+        post :mass_update
+      end
+
+      it "redirects with an error" do
+        it_redirects_to_with_error(root_path, "Sorry, only an authorized admin can access the page you were trying to reach.")
+      end
+    end
+
+    (Admin::VALID_ROLES - %w[superadmin tag_wrangling]).each do |admin_role|
+      context "when logged in as a #{admin_role} admin" do
+        before do
+          fake_login_admin(create(:admin, roles: [admin_role]))
+          post :mass_update
+        end
+
+        it "redirects with an error" do
+          it_redirects_to_with_error(root_path, "Sorry, only an authorized admin can access the page you were trying to reach.")
+        end
+      end
+    end
+  end
+end