[FEATURE] Require 'system_administrator' permission to '/plugins/caas…

…_next_refid' endpoint #19
Smithsonian · Jan 17, 2025 · 5847ce3 · 5847ce3
1 parent 9de88ee
commit 5847ce3
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 2 deletions.
diff --git a/.rubocop.yml b/.rubocop.yml
@@ -0,0 +1,9 @@
+inherit_from: ../../.rubocop.yml
+
+inherit_mode:
+  merge:
+    - Include
+
+AllCops:
+  Include:
+    - .
diff --git a/backend/controllers/caas_next_refid.rb b/backend/controllers/caas_next_refid.rb
@@ -3,7 +3,7 @@ class ArchivesSpaceService < Sinatra::Base
   Endpoint.post('/plugins/caas_next_refid')
     .description("Get next ref_id for provided resource")
     .params(["resource_id", Integer, "The resource id", :required => "true"])
-    .permissions([])
+    .permissions([:administer_system])
     .returns([200, "{'resource_id', 'ID', 'next_refid', N}"]) \
   do
     current_refid = CaasAspaceRefid.find(resource_id: params[:resource_id])

diff --git a/backend/spec/controller_caas_next_refid_spec.rb b/backend/spec/controller_caas_next_refid_spec.rb
@@ -15,10 +15,26 @@
     let(:resource) { create_resource }
 
     it 'creates a next_refid' do
-      post '/plugins/caas_next_refid', params = { "resource_id" => resource.id}
+      post '/plugins/caas_next_refid', params = { "resource_id" => resource.id }
 
       expect(last_response).to be_ok
       expect(last_response.status).to eq(200)
     end
+
+    context 'when a user without administer system permissions' do
+      before do
+        make_test_user('archivist')
+      end
+
+      it 'denies access' do
+        as_test_user('archivist') do
+          post '/plugins/caas_next_refid', params = { resource_id: 1 }
+
+          expect(last_response).not_to be_ok
+          expect(last_response.status).to eq(403)
+          expect(last_response.body).to match(/Access denied/)
+        end
+      end
+    end
   end
 end