Adding a test to make sure only system admins and super users can app…

…rove projects (#633)
pulibrary · Apr 11, 2024 · 706401e · 706401e
1 parent dde4574
commit 706401e
Showing 1 changed file with 50 additions and 1 deletion.
diff --git a/spec/system/project_roles_spec.rb b/spec/system/project_roles_spec.rb
@@ -5,6 +5,8 @@
 RSpec.describe "Project Edit Page Roles Validation", type: :system do
   let(:sponsor_user) { FactoryBot.create(:project_sponsor, uid: "pul123") }
   let(:data_manager) { FactoryBot.create(:data_manager, uid: "pul987") }
+  let(:system_admin) { FactoryBot.create(:sysadmin, uid: "pul777") }
+  let(:superuser) { FactoryBot.create(:superuser, uid: "pul999") }
   let(:read_only) { FactoryBot.create :user }
   let(:read_write) { FactoryBot.create :user }
   before do
@@ -14,6 +16,7 @@
     data_manager
     read_only
     read_write
+    system_admin
   end
 
   it "allows the user fill in only valid users for roles" do
@@ -101,7 +104,7 @@
       click_on "New Project"
       expect(page).to have_content "New Project Request"
     end
-    it "does not give anyone else the New Project button" do
+    it "does not give the data manager the New Project button" do
       sign_in data_manager
       visit "/"
       expect(page).not_to have_content "New Project"
@@ -111,6 +114,16 @@
       visit "/projects/new"
       expect(current_path).to eq root_path
     end
+    it "does not give the sytem admin New Project button" do
+      sign_in system_admin
+      visit "/"
+      expect(page).not_to have_content "New Project"
+    end
+    it "does not allow the system administrato to load New Projects page" do
+      sign_in system_admin
+      visit "/projects/new"
+      expect(current_path).to eq root_path
+    end
   end
   context "The Data Sponsor who initiates the request is automatically assigned as the Data Sponsor for that project" do
     let(:data_sponsor) { FactoryBot.create(:project_sponsor) }
@@ -198,4 +211,40 @@
       expect(page).to have_content rw_data_user.display_name
     end
   end
+
+  context "only system admins and super users can approve a project" do
+    let(:project) { FactoryBot.create(:project, status: Project::PENDING_STATUS) }
+
+    it "allows a system admins user to approve the project" do
+      sign_in system_admin
+      visit project_approve_path(project)
+      click_on "Approve"
+      expect(page).to have_content "Approve this project by appending a mediaflux id"
+    end
+
+    it "allows a super user to approve the project" do
+      sign_in superuser
+      visit project_approve_path(project)
+      click_on "Approve"
+      expect(page).to have_content "Approve this project by appending a mediaflux id"
+    end
+
+    it "does not allow a data sponsor to approve the project" do
+      sign_in sponsor_user
+      visit project_approve_path(project)
+      expect(page).not_to have_content "Approve this project by appending a mediaflux id"
+    end
+
+    it "does not allow a data manager to approve the project" do
+      sign_in data_manager
+      visit project_approve_path(project)
+      expect(page).not_to have_content "Approve this project by appending a mediaflux id"
+    end
+
+    it "does not allow a data user to approve the project" do
+      sign_in read_only
+      visit project_approve_path(project)
+      expect(page).not_to have_content "Approve this project by appending a mediaflux id"
+    end
+  end
 end