From eb079015c43d5e673c236727739fc77b99398aa7 Mon Sep 17 00:00:00 2001
From: Samuel Couillard <43917914+scouillard@users.noreply.github.com>
Date: Fri, 7 Jul 2023 09:49:57 -0400
Subject: [PATCH] Fix Tenants access (#5314)

* Fix Tenants access

* Add :with_super_admin trait to user factory
---
 app/controllers/api/v1/admin/tenants_controller.rb  | 2 +-
 app/controllers/concerns/authorizable.rb            | 4 ++++
 app/javascript/components/admin/tenants/Tenants.jsx | 7 +++++++
 spec/controllers/admin/tenants_controller_spec.rb   | 2 +-
 spec/factories/user_factory.rb                      | 8 ++++++++
 5 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/app/controllers/api/v1/admin/tenants_controller.rb b/app/controllers/api/v1/admin/tenants_controller.rb
index b14634ab..11569c53 100644
--- a/app/controllers/api/v1/admin/tenants_controller.rb
+++ b/app/controllers/api/v1/admin/tenants_controller.rb
@@ -21,7 +21,7 @@ module Api
     module Admin
       class TenantsController < ApiController
         before_action do
-          # TODO: - ahmad: Add role check
+          ensure_super_admin
         end
 
         # GET /api/v1/admin/tenants
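Review bot: The `before_action do ... end` block at L24-L27 now only calls `ensure_super_admin`, so the symbol form `before_action :ensure_super_admin` expresses the same thing more idiomatically and lets `skip_before_action :ensure_super_admin` reference the filter by name if a subclass ever needs to. `ensure_super_admin` dereferences `current_user`, so it must run after whatever authentication filter ApiController installs; ApiController is not in this diff, so confirm the filter order there. The TenantsController class body continues outside the hunk.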
diff --git a/app/controllers/concerns/authorizable.rb b/app/controllers/concerns/authorizable.rb
index 95364c83..5de6097d 100644
--- a/app/controllers/concerns/authorizable.rb
+++ b/app/controllers/concerns/authorizable.rb
@@ -41,6 +41,10 @@ module Authorizable
     ).call
   end
 
+  def ensure_super_admin
+    return render_error status: :forbidden unless current_user.super_admin?
+  end
+
   private
 
   # Ensures that requests to the API are explicit enough.
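Review bot: `ensure_super_admin` at L38-L40 is defined above the `private` marker at L42, so it becomes a public method on every controller that includes Authorizable, and Rails treats public controller methods as dispatchable actions should a route ever map to them. Move the definition below `private` (a `before_action` can still call a private method) and drop the redundant `return`: `def ensure_super_admin` / `  render_error status: :forbidden unless current_user.super_admin?` / `end`. The check also assumes `current_user` is non-nil; if an authentication filter does not already run first, an anonymous request raises NoMethodError here rather than getting a clean 401/403, and `current_user&.super_admin?` would turn that into a forbidden response — confirm against ApiController, which is outside this hunk.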
diff --git a/app/javascript/components/admin/tenants/Tenants.jsx b/app/javascript/components/admin/tenants/Tenants.jsx
index 4be513f0..70a1630e 100644
--- a/app/javascript/components/admin/tenants/Tenants.jsx
+++ b/app/javascript/components/admin/tenants/Tenants.jsx
@@ -16,6 +16,7 @@
 
 import React, { useState } from 'react';
 import Card from 'react-bootstrap/Card';
+import { Navigate } from 'react-router-dom';
 import {
   Button,
   Col, Container, Row, Stack, Tab,
@@ -29,10 +30,16 @@ import NoSearchResults from '../../shared_components/search/NoSearchResults';
 import TenantsTable from './TenantsTable';
 import Modal from '../../shared_components/modals/Modal';
 import CreateTenantForm from './forms/CreateTenantForm';
+import { useAuth } from '../../../contexts/auth/AuthProvider';
 
 export default function Tenants() {
   const { t } = useTranslation();
   const [page, setPage] = useState();
+  const currentUser = useAuth();
+
+  if (!currentUser.isSuperAdmin) {
+    return <Navigate to="/" />;
+  }
 
   const [searchInput, setSearchInput] = useState();
   const { data: tenants, isLoading } = useTenants({ search: searchInput, page });
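Review bot: The early `return <Navigate to="/" />` at L68-L70 executes before the `useState` call at L72 and the `useTenants` hook at L73, which violates React's rule that hooks are called unconditionally and in the same order on every render; if `isSuperAdmin` changes between renders React throws "Rendered fewer hooks than expected". Move the guard below the last hook call in the component so every hook runs before any conditional return; the body of `Tenants` continues past this hunk, so the exact insertion point is outside it. This redirect is only a UI convenience — access is enforced by the server-side `ensure_super_admin` filter added in the same commit, which is the right place for it. If `useAuth()` can return `null` or `undefined` for a signed-out user, `currentUser?.isSuperAdmin` avoids a TypeError here — confirm against AuthProvider.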
diff --git a/spec/controllers/admin/tenants_controller_spec.rb b/spec/controllers/admin/tenants_controller_spec.rb
index 699e47b9..2563f837 100644
--- a/spec/controllers/admin/tenants_controller_spec.rb
+++ b/spec/controllers/admin/tenants_controller_spec.rb
@@ -19,7 +19,7 @@
 require 'rails_helper'
 
 RSpec.describe Api::V1::Admin::TenantsController, type: :controller do
-  let(:user) { create(:user) }
+  let(:user) { create(:user, :with_super_admin) }
   let(:valid_tenant_params) do
     {
       name: 'new_provider',
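Review bot: Switching `let(:user)` to `create(:user, :with_super_admin)` at L83 makes every example in this spec run as a super admin, so nothing here exercises the rejection path of the new `ensure_super_admin` filter. Add a context that overrides `let(:user) { create(:user) }` and expects `have_http_status(:forbidden)` from the tenant actions, so a regression that removes or weakens the filter is caught by the suite. The spec's sign-in setup and the individual examples are outside this hunk.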
diff --git a/spec/factories/user_factory.rb b/spec/factories/user_factory.rb
index d07008f8..e59a4f63 100644
--- a/spec/factories/user_factory.rb
+++ b/spec/factories/user_factory.rb
@@ -29,6 +29,14 @@ FactoryBot.define do
     language { %w[en fr es ar].sample }
     verified { true }
 
+    trait :with_super_admin do
+      after(:create) do |user|
+        user.provider = 'bn'
+        user.role = create(:role, :with_super_admin)
+        user.save
+      end
+    end
+
     trait :with_manage_users_permission do
       after(:create) do |user|
         create(:role_permission, role: user.role, permission: create(:permission, name: 'ManageUsers'), value: 'true')
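Review bot: `user.save` at L99 discards its boolean result, so a validation failure on the reassigned `provider` or `role` leaves the user persisted without the super-admin role and any dependent spec fails later with a confusing 403 instead of at setup; use `user.save!` so the factory raises at the point of failure. The trait also assumes a `:with_super_admin` trait exists on the `:role` factory and that `'bn'` is an accepted `provider` value — neither is visible in this diff, so confirm both.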
-- 
GitLab