Update jobs controller and test to block anonymous access to unpublished jobs

Author: constantine-nikolaou

app/controllers/application_controller.rb

@@ -32,6 +32,10 @@ def authenticate_admin
     end
   end
 
+  def user_is_owner?(objkt)
+    (user_signed_in? && current_user.id == objkt.user_id)
+  end
+
   def user_is_admin?
     (user_signed_in? && current_user.admin?)
   end

app/controllers/jobs_controller.rb

@@ -35,6 +35,12 @@ def list_jobs
 
   # GET /jobs/1
   def show
+    unless @job.approved?
+      unless (user_is_owner?(@job) || user_is_admin?)
+        render_404
+      end
+    end
+
     @page_title       = @job.title
     @page_description = @job.title + ' at ' + @job.company_name
     @page_keywords    = AppSettings.meta_tags_keywords
@@ -78,7 +84,9 @@ def edit
   # PATCH/PUT /jobs/1
   def update
     if @job.update(job_params)
-      @job.request_edit! unless @job.draft?
+      unless(@job.draft? || current_user.admin?)
+        @job.request_edit!
+      end
 
       redirect_to(@job, notice: 'Job post was successfully updated.')
     else

app/views/invitations/index.html.erb

@@ -19,8 +19,6 @@
 
 </section><!-- #page-title end -->
 
-<%= render('shared/flash') %>
-
 <!-- Content
 ============================================= -->
 <section id="content">

app/views/private/api_keys/index.html.erb

@@ -13,8 +13,6 @@
 
 </section><!-- #page-title end -->
 
-<%= render('shared/flash') %>
-
 <!-- Content
 ============================================= -->
 <section id="content">

app/views/profiles/show.html.erb

@@ -1,6 +1,5 @@
 <!-- Content
 ============================================= -->
-<%= render('shared/flash') %>
 
 <section id="content">
 

spec/requests/jobs_spec.rb

@@ -134,6 +134,7 @@
   describe "GET /jobs/show" do
     before do
       @job = create(:job, user: user, aasm_state: 'approved')
+      @unpublished_job = create(:job, user: user, aasm_state: 'draft')
     end
 
     it "should allow anonymous viewing of a job" do
@@ -171,6 +172,13 @@
       expect(page).to have_content('Statistics')
       expect(page).to have_content(member.name)
     end
+
+    it "should not allow anonymous visitors from accessing the job page if job is not published" do
+      visit(job_path(@unpublished_job))
+      
+      expect(page).to have_content('The page you were looking for doesn\'t exist.')
+      expect(page).to have_content('You may have mistyped the address or the page may have moved.')
+    end
   end
 
   describe "DELETE /jobs/1" do
@@ -211,10 +219,77 @@
     end
   end
 
+  describe "PUT /jobs/:id" do
+    before do
+      @pending_job = create(:job, user: user, aasm_state: 'under_review')
+      @profile = create(:profile, user: admin)
+      create(:profile, user: user)
+      create(:profile, user: member)
+
+      allow(SlackNotifierWorker).to receive(:perform_async).and_return(true)
+      allow(BufferNotifierWorker).to receive(:perform_async).and_return(true)
+    end
+    
+    it "should allow admin to update job without changing job state" do
+      sign_in admin
+      visit(list_jobs_admin_path)
+
+      expect(page).to have_content(@pending_job.title)
+
+      click_on('Edit', match: :first)
+
+      expect(page).to have_content('Job title')
+      fill_in 'job_title', with: @pending_job.title + ' 1'
+
+      # not approved yet
+      expect(page).to_not have_content('Share this job:')
+
+      click_on('Save and continue', match: :first)
+
+      expect(@pending_job.reload.aasm_state).to eq("under_review")
+    end
+
+    it "should allow job owner to update job and changing job state back to draft" do
+      sign_in user
+      visit(job_path(@pending_job))
+
+      expect(page).to have_content(@pending_job.title)
+      expect(page).to have_content("Job Post Actions")
+
+      click_on('Edit', match: :first)
+
+      expect(page).to have_content('Job title')
+      fill_in 'job_title', with: @pending_job.title + ' 1'
+
+      # not approved yet
+      expect(page).to_not have_content('Share this job:')
+
+      click_on('Save and continue', match: :first)
+
+      expect(@pending_job.reload.aasm_state).to eq("draft")
+    end
+
+    it "should not allow any member to visit or update job" do
+      sign_in member
+      visit(edit_job_path(@pending_job))
+
+      expect(page).to have_content('The page you were looking for doesn\'t exist.')
+      expect(page).to have_content('If you are the application owner check the logs for more information.')
+    end
+
+    it "should not allow any anonymous visitor to visit an unpublished job post for editing" do
+      visit(edit_job_path(@pending_job))
+
+      expect(page).to have_content('You need to sign in or sign up before continuing.')
+      expect(page).to_not have_content('Edit')
+      expect(page).to_not have_content('Approve')
+    end
+  end
+
   describe "PUT /jobs/:id/pre_approve" do
     before do
       @draft_job = create(:job, user: user, aasm_state: 'draft')
-      @profile = create(:profile, user: user)
+      create(:profile, user: user)
 
       allow(SlackNotifierWorker).to receive(:perform_async).and_return(true)
       allow(BufferNotifierWorker).to receive(:perform_async).and_return(true)
@@ -238,7 +313,7 @@
   describe "PUT /jobs/:id/approve" do
     before do
       @pending_job = create(:job, user: user, aasm_state: 'under_review')
-      @profile = create(:profile, user: admin)
+      create(:profile, user: admin)
 
       allow(SlackNotifierWorker).to receive(:perform_async).and_return(true)
       allow(BufferNotifierWorker).to receive(:perform_async).and_return(true)
@@ -277,7 +352,7 @@
   describe "PUT /jobs/:id/take_down" do
     before do
       @approved_job = create(:job, user: user, aasm_state: 'approved')
-      @profile = create(:profile, user: admin)
+      create(:profile, user: admin)
 
       allow(SlackNotifierWorker).to receive(:perform_async).and_return(true)
       allow(BufferNotifierWorker).to receive(:perform_async).and_return(true)
@@ -301,7 +376,7 @@
   describe "PUT /jobs/:id/feedback" do
     before do
       @offline_job = create(:job, user: user, aasm_state: 'disabled')
-      @profile = create(:profile, user: user)
+      create(:profile, user: user)
 
       allow(SlackNotifierWorker).to receive(:perform_async).and_return(true)
       allow(BufferNotifierWorker).to receive(:perform_async).and_return(true)

spec/requests/members_spec.rb

@@ -20,7 +20,7 @@
         expect(page).to have_content(user_1.name)
         expect(page).to have_content(user_2.name)
         expect(page).to have_content(user_3.name)
-        expect(page).to have_content('My profile')
+        expect(page).to have_content('My Account')
         expect(page).to have_content('Logout')
       end
     end
@@ -35,7 +35,7 @@
 
         expect(page).not_to have_content(user_2.name)
         expect(page).not_to have_content(user_3.name)
-        expect(page).to have_content('My profile')
+        expect(page).to have_content('My Account')
         expect(page).to have_content('Logout')
       end
     end

spec/requests/profiles_spec.rb

@@ -13,7 +13,7 @@
     it "should show user their profile" do
       visit(user_profile_path(user))
       expect(page).to have_content(user.name.titleize)
-      expect(page).to have_content('My profile')
+      expect(page).to have_content('My Account')
       expect(page).to have_content('Logout')
       expect(page).to have_content(user.email)
     end

spec/requests/users_spec.rb

@@ -23,7 +23,7 @@
 
       click_on('Log in')
 
-      expect(page).to have_content("My profile")
+      expect(page).to have_content("My Account")
       expect(page).to have_content("Logout")
     end
 
@@ -136,7 +136,7 @@
 
       click_on('Log in')
 
-      expect(page).to have_content("My profile")
+      expect(page).to have_content("My Account")
       expect(page).to have_content("Logout")
     end
 
@@ -212,7 +212,7 @@
         expect(page).to have_content(open_profile_member.email)
         expect(page).to have_content(open_profile_member.name.titleize)
         expect(page).not_to have_content(member.email)
-        expect(page).to have_content('My profile')
+        expect(page).to have_content('My Account')
         expect(page).to have_content('Logout')
       end
     end