Hyc 1694 delete filesets bug (#984)

* HYC-1694 add override for dropdown view file * HYC-1694 try to find work * HYC-1694 add override to get related work * HYC-1694 add method to filesets presenter override * HYC-1694 delete unnecessary override * HYC-1694 find work the old way * HYC-1694 fix fileset permissions with overrides * HYC-1694 define work in the view * HYC-1694 trying restriction in another way * HYC-1694 move controller code to override class eval syntax * HYC-1694 try same logic in this partial * HYC-1694 only admins may delete filesets * HYC-1694 updating logic * HYC-1694 updating base file for override to 3.6 * HYC-1694 add view tests * HYC-1694 fix tests * HYC-1694 rubocop * HYC-1694 add test * HYC-1694 fix up tests * HYC-1694 stub virus checker * HYC-1694 fix GH tests * HYC-1694 move allow statement around --------- Co-authored-by: Sharon Luong <snluong@email.lib.unc.edu>
UNC-Libraries · Jul 7, 2023 · 615cbb3 · 615cbb3
1 parent be9cf57
commit 615cbb3
Show file tree

Hide file tree

Showing 6 changed files with 258 additions and 0 deletions.
diff --git a/app/overrides/controllers/hyrax/file_sets_controller_override.rb b/app/overrides/controllers/hyrax/file_sets_controller_override.rb
@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+# https://github.com/samvera/hyrax/blob/3.5/app/controllers/hyrax/file_sets_controller.rb
+
+Hyrax::FileSetsController.class_eval do
+  # [hyc-override] Only allow deletions by admins
+  before_action :ensure_admin!, only: :destroy
+
+  private
+
+  def ensure_admin!
+    authorize! :read, :admin_dashboard
+  end
+end
diff --git a/app/views/hyrax/file_sets/_actions.html.erb b/app/views/hyrax/file_sets/_actions.html.erb
@@ -0,0 +1,57 @@
+<%# [hyc-override] Overriding to see if user can delete the work, to be able to delete the fileset %>
+<%# https://github.com/samvera/hyrax/blob/hyrax-v3.6.0/app/views/hyrax/file_sets/_actions.html.erb %>
+<% if (can?(:download, file_set.id) || can?(:destroy, file_set.id) || can?(:edit, file_set.id)) && !workflow_restriction?(@parent) %>
+  <% if can?(:download, file_set.id) && !(can?(:edit, file_set.id) || can?(:destroy, file_set.id)) %>
+  <%= link_to t('.download'),
+              hyrax.download_path(file_set),
+              class: 'btn btn-default btn-sm',
+              title: t('.download_title', file_set: file_set),
+              target: "_blank",
+              id: "file_download",
+              data: { label: file_set.id, work_id: @presenter.id, collection_ids: @presenter.member_of_collection_ids } %>
+  <% else %>
+  <div class="btn-group">
+    <button class="btn btn-default dropdown-toggle" data-toggle="dropdown" type="button" id="dropdownMenu_<%= file_set.id %>" aria-haspopup="true" aria-expanded="false">
+      <span class="sr-only"><%= t('.press_to') %> </span>
+      <%= t('.header') %>
+      <span class="caret" aria-hidden="true"></span>
+    </button>
+
+    <ul role="menu" class="dropdown-menu dropdown-menu-right" aria-labelledby="dropdownMenu_<%= file_set.id %>">
+    <% if can?(:edit, file_set.id) %>
+      <li role="menuitem" tabindex="-1">
+        <%= link_to t('.edit'), edit_polymorphic_path([main_app, file_set]),
+          { title: t('.edit_title', file_set: file_set) } %>
+      </li>
+
+      <li role="menuitem" tabindex="-1">
+        <%= link_to t('.versions'),  edit_polymorphic_path([main_app, file_set], anchor: 'versioning_display'),
+          { title: t('.versions_title') } %>
+      </li>
+    <% end %>
+
+    <%# [hyc-override] only admins may delete filesets %>
+    <% if current_ability.admin? %>
+      <li role="menuitem" tabindex="-1">
+        <%= link_to t('.delete'), polymorphic_path([main_app, file_set]),
+          method: :delete, title: t('.delete_title', file_set: file_set),
+          data: { confirm: t('.delete_confirm', file_set: file_set, application_name: application_name) } %>
+      </li>
+    <% end %>
+
+    <% if can?(:download, file_set.id) %>
+      <li role="menuitem" tabindex="-1">
+        <%= link_to t('.download'),
+                    hyrax.download_path(file_set),
+                    title: t('.download_title', file_set: file_set),
+                    target: "_blank",
+                    id: "file_download",
+                    class: "download",
+                    data: { label: file_set.id, work_id: @presenter.id, collection_ids: @presenter.member_of_collection_ids } %>
+      </li>
+    <% end %>
+
+    </ul>
+  </div>
+  <% end %>
+<% end %>
diff --git a/app/views/hyrax/file_sets/_show_actions.html.erb b/app/views/hyrax/file_sets/_show_actions.html.erb
@@ -0,0 +1,22 @@
+<%# [hyc-override] Overriding to make only admins able to delete a fileset %>
+<%# https://github.com/samvera/hyrax/blob/hyrax-v3.6.0/app/views/hyrax/file_sets/_show_actions.html.erb %>
+<div class="form-actions">
+  <% if Hyrax.config.analytics? && Hyrax.config.analytics_provider != 'ga4' %>
+    <%# turbolinks needs to be turned off or the page will use the cache and the %>
+    <%# analytics graph will not show unless the page is refreshed. %>
+    <%= link_to t('.analytics'), @presenter.stats_path, id: 'stats', class: 'btn btn-default', data: { turbolinks: false } %>
+  <% end %>
+
+  <% if @presenter.editor? && !workflow_restriction?(@presenter) %>
+      <%= link_to t(".edit_this", type: @presenter.human_readable_type), edit_polymorphic_path([main_app, @presenter]),
+                  class: 'btn btn-default' %>
+    <%# [hyc-override] only admins may delete the fileset %>
+    <% if current_ability.admin? %>
+      <%= link_to t(".delete_this", type: @presenter.human_readable_type), [main_app, @presenter],
+                  class: 'btn btn-danger', data: { confirm: t(".confirm_delete_this", type: @presenter.human_readable_type) },
+                  method: :delete %>
+    <% end %>
+  <% end %>
+
+  <%= render 'social_media' %>
+</div>
diff --git a/spec/controllers/hyrax/file_sets_controller_spec.rb b/spec/controllers/hyrax/file_sets_controller_spec.rb
@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+require 'rails_helper'
+require Rails.root.join('app/overrides/controllers/hyrax/file_sets_controller_override.rb')
+
+RSpec.describe Hyrax::FileSetsController do
+  let(:user) { FactoryBot.create(:user) }
+  let(:admin_user) { FactoryBot.create(:admin) }
+  routes { Rails.application.routes }
+
+  describe '#destroy' do
+    let(:file_set) { FactoryBot.create(:file_set, :public, :with_original_file, user: user) }
+    let(:work) { FactoryBot.create(:work, title: ['test title'], user: user) }
+
+    before do
+      allow(Hyrax::VirusCheckerService).to receive(:file_has_virus?) { false }
+      work.ordered_members << file_set
+      work.save!
+    end
+
+    context 'as a non-admin' do
+      before do
+        sign_in user
+      end
+
+      it 'is not successful' do
+        delete :destroy, params: { id: file_set }
+        expect(response).to redirect_to '/?locale=en'
+        expect(flash[:alert]).to eq 'You are not authorized to access this page.'
+        expect(response.status).to eq 302
+      end
+    end
+
+    context 'as an admin' do
+      before do
+        file_set
+        sign_in admin_user
+        expect(controller).to receive(:guard_for_workflow_restriction_on!).and_return(true)
+      end
+
+      it 'is successful' do
+        expect { delete :destroy, params: { id: file_set } }
+            .to change { FileSet.exists?(file_set.id) }
+            .from(true)
+            .to(false)
+        expect(response).to redirect_to '/concern/generals/' + work.id + '?locale=en'
+        expect(flash[:notice]).to eq 'The file has been deleted.'
+        expect(response.status).to eq 302
+      end
+    end
+
+    context 'as an unauthenticated user' do
+      it 'is not successful' do
+        delete :destroy, params: { id: file_set }
+        expect(response.status).to redirect_to '/users/sign_in'
+        expect(flash[:alert]).to eq 'You need to sign in or sign up before continuing.'
+      end
+    end
+  end
+end
diff --git a/spec/views/hyrax/file_sets/_actions.html.erb_spec.rb b/spec/views/hyrax/file_sets/_actions.html.erb_spec.rb
@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+# [hyc-override] only admins may see delete option in fileset action dropdown
+require 'rails_helper'
+
+RSpec.describe 'hyrax/file_sets/_actions.html.erb', type: :view do
+  let(:solr_document) { double('Solr Doc', id: 'file_set_id') }
+  let(:file_set_model) { FactoryBot.create(:file_set) }
+  let(:user) { FactoryBot.create(:user) }
+  let(:ability) { Ability.new(user) }
+  let(:file_set) { Hyrax::FileSetPresenter.new(solr_document, ability) }
+  let(:work_solr_document) do
+    SolrDocument.new(id: '900', title_tesim: ['My Title'])
+  end
+  let(:parent_presenter) { Hyrax::WorkShowPresenter.new(work_solr_document, ability) }
+
+  before do
+    allow(controller).to receive(:current_ability).and_return(ability)
+    allow(file_set).to receive(:parent).and_return(:parent)
+    allow(file_set).to receive(:id).and_return('fake')
+    assign(:presenter, parent_presenter)
+    allow(view).to receive(:workflow_restriction?).and_return(false)
+    allow(view).to receive(:can?).with(:edit, file_set.id).and_return(true)
+    allow(view).to receive(:can?).with(:destroy, file_set.id).and_return(true)
+    allow(view).to receive(:can?).with(:download, file_set.id).and_return(true)
+    allow(solr_document).to receive(:to_model).and_return(file_set_model)
+  end
+
+  context 'as an admin' do
+    before do
+      allow(ability).to receive(:admin?).and_return(true)
+      render 'hyrax/file_sets/actions', file_set: file_set
+    end
+
+    it 'shows delete action in dropdown' do
+      expect(rendered).to have_link('Delete')
+    end
+  end
+
+  context 'as a regular user' do
+    before do
+      allow(ability).to receive(:admin?).and_return(false)
+      render 'hyrax/file_sets/actions', file_set: file_set
+    end
+
+    it 'does not show delete action in dropdown' do
+      expect(rendered).not_to have_link('Delete')
+    end
+  end
+end
diff --git a/spec/views/hyrax/file_sets/_show_actions.html.erb_spec.rb b/spec/views/hyrax/file_sets/_show_actions.html.erb_spec.rb
@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+# [hyc-override] only admins may view delete filesets button
+require 'rails_helper'
+
+RSpec.describe 'hyrax/file_sets/_show_actions.html.erb', type: :view do
+  let(:user) { FactoryBot.create(:user) }
+  let(:object_profile) { ["{'id':'999'}"] }
+  let(:contributor) { ['Frodo'] }
+  let(:creator)     { ['Bilbo'] }
+  let(:solr_document) do
+    SolrDocument.new(
+      id: '999',
+      object_profile_ssm: object_profile,
+      has_model_ssim: ['FileSet'],
+      human_readable_type_tesim: ['File'],
+      contributor_tesim: contributor,
+      creator_tesim: creator,
+      rights_tesim: ['http://creativecommons.org/licenses/by/3.0/us/']
+    )
+  end
+  let(:decorated_solr_document) { Hyrax::SolrDocument::OrderedMembers.decorate(solr_document) }
+  let(:ability) { Ability.new(user) }
+  let(:presenter) do
+    Hyrax::WorkShowPresenter.new(solr_document, ability)
+  end
+  let(:page) { Capybara::Node::Simple.new(rendered) }
+
+  before do
+    allow(controller).to receive(:current_ability).and_return(ability)
+    allow(presenter).to receive(:editor?).and_return(true)
+    allow(view).to receive(:workflow_restriction?).and_return(false)
+    assign(:presenter, presenter)
+  end
+
+  context 'as an admin' do
+    before do
+      allow(ability).to receive(:admin?).and_return(true)
+      view.lookup_context.view_paths.push 'app/views/hyrax/base'
+      render
+    end
+
+    it 'shows delete button' do
+      expect(page).to have_link('Delete This File')
+    end
+  end
+
+  context 'as a regular user' do
+    before do
+      allow(ability).to receive(:admin?).and_return(false)
+      view.lookup_context.view_paths.push 'app/views/hyrax/base'
+      render
+    end
+
+    it 'does not show delete button' do
+      expect(page).not_to have_link('Delete This File')
+    end
+  end
+end