Admin Endpoints verification (#4067)

* Initial commit

* Remove createRoom perm from RoomConfigs

app/controllers/api/v1/admin/invitations_controller.rb

@@ -4,7 +4,7 @@ module Api
   module V1
     module Admin
       class InvitationsController < ApiController
-        before_action only: %i[index create] do
+        before_action do
           ensure_authorized('ManageUsers')
         end
 

app/controllers/api/v1/admin/role_permissions_controller.rb

@@ -4,7 +4,7 @@ module Api
   module V1
     module Admin
       class RolePermissionsController < ApiController
-        before_action only: %i[index update] do
+        before_action do
           ensure_authorized('ManageRoles')
         end
 

app/controllers/api/v1/admin/rooms_configurations_controller.rb

@@ -4,6 +4,10 @@ module Api
   module V1
     module Admin
       class RoomsConfigurationsController < ApiController
+        before_action do
+          ensure_authorized('ManageSiteSettings')
+        end
+
         # PUT /api/v1/admin/rooms_configurations/:name.json
         # Expects: { RoomsConfig: { :value } }
         # Returns: { data: Array[serializable objects] , errors: Array[String] }

app/controllers/api/v1/admin/users_controller.rb

@@ -4,10 +4,31 @@ module Api
   module V1
     module Admin
       class UsersController < ApiController
-        before_action only: %i[verified_users pending update] do
+        before_action do
           ensure_authorized('ManageUsers')
         end
 
+        def update
+          user = User.find(params[:id])
+
+          if user.update(user_params)
+            render_data status: :ok
+          else
+            render_error errors: user.errors.to_a
+          end
+        end
+
+        def pending
+          pending_users = User.includes(:role)
+                              .with_provider(current_provider)
+                              .where(status: 'pending')
+                              .search(params[:search])
+
+          pagy, pending_users = pagy(pending_users)
+
+          render_data data: pending_users, meta: pagy_metadata(pagy), serializer: UserSerializer, status: :ok
+        end
+
         def verified_users
           sort_config = config_sorting(allowed_columns: %w[name roles.name])
 
@@ -36,27 +57,6 @@ module Api
           render_data data: users, meta: pagy_metadata(pagy), serializer: UserSerializer, status: :ok
         end
 
-        def pending
-          pending_users = User.includes(:role)
-                              .with_provider(current_provider)
-                              .where(status: 'pending')
-                              .search(params[:search])
-
-          pagy, pending_users = pagy(pending_users)
-
-          render_data data: pending_users, meta: pagy_metadata(pagy), serializer: UserSerializer, status: :ok
-        end
-
-        def update
-          user = User.find(params[:id])
-
-          if user.update(user_params)
-            render_data status: :ok
-          else
-            render_error errors: user.errors.to_a
-          end
-        end
-
         private
 
         def user_params

app/javascript/components/admin/roles/forms/EditRoleForm.jsx

@@ -14,7 +14,7 @@ import useUpdateRole from '../../../../hooks/mutations/admin/roles/useUpdateRole
 import Modal from '../../../shared_components/modals/Modal';
 import DeleteRoleForm from './DeleteRoleForm';
 import useUpdateRolePermission from '../../../../hooks/mutations/admin/role_permissions/useUpdateRolePermissions';
-import useRoomConfigs from '../../../../hooks/queries/admin/room_configuration/useRoomConfigs';
+import useRoomConfigs from '../../../../hooks/queries/rooms/useRoomConfigs';
 import useRolePermissions from '../../../../hooks/queries/admin/role_permissions/useRolePermissions';
 import RolePermissionRow from '../RolePermissionRow';
 import { useAuth } from '../../../../contexts/auth/AuthProvider';

app/javascript/components/admin/room_configuration/RoomConfig.jsx

@@ -7,7 +7,7 @@ import { useTranslation } from 'react-i18next';
 import AdminNavSideBar from '../AdminNavSideBar';
 import RoomConfigRow from './RoomConfigRow';
 import useUpdateRoomConfig from '../../../hooks/mutations/admin/room_configuration/useUpdateRoomConfig';
-import useRoomConfigs from '../../../hooks/queries/admin/room_configuration/useRoomConfigs';
+import useRoomConfigs from '../../../hooks/queries/rooms/useRoomConfigs';
 import Spinner from '../../shared_components/utilities/Spinner';
 
 export default function RoomConfig() {

app/javascript/components/rooms/room/room_settings/RoomSettings.jsx

@@ -9,7 +9,7 @@ import useDeleteRoom from '../../../../hooks/mutations/rooms/useDeleteRoom';
 import RoomSettingsRow from './RoomSettingsRow';
 import Modal from '../../../shared_components/modals/Modal';
 import DeleteRoomForm from '../forms/DeleteRoomForm';
-import useRoomConfigs from '../../../../hooks/queries/admin/room_configuration/useRoomConfigs';
+import useRoomConfigs from '../../../../hooks/queries/rooms/useRoomConfigs';
 import AccessCodeRow from './AccessCodeRow';
 import useUpdateRoomSetting from '../../../../hooks/mutations/room_settings/useUpdateRoomSetting';
 import { useAuth } from '../../../../contexts/auth/AuthProvider';

app/javascript/hooks/queries/admin/room_configuration/useRoomConfigs.jsx → app/javascript/hooks/queries/rooms/useRoomConfigs.jsx

 import { useQuery } from 'react-query';
-import axios from '../../../../helpers/Axios';
+import axios from '../../../helpers/Axios';
 
 export default function useRoomConfigs() {
   return useQuery(

app/services/permissions_checker.rb

@@ -50,6 +50,8 @@ class PermissionsChecker
   end
 
   def authorize_shared_room
+    return false if @friendly_id.blank?
+
     @current_user.shared_rooms.exists?(friendly_id: @friendly_id)
   end
 

spec/controllers/admin/rooms_configurations_controller_spec.rb

@@ -4,10 +4,11 @@ require 'rails_helper'
 
 RSpec.describe Api::V1::Admin::RoomsConfigurationsController, type: :controller do
   let(:user) { create(:user) }
+  let(:user_with_manage_site_settings_permission) { create(:user, :with_manage_site_settings_permission) }
 
   before do
     request.headers['ACCEPT'] = 'application/json'
-    sign_in_user(user)
+    sign_in_user(user_with_manage_site_settings_permission)
   end
 
   describe 'rooms_configurations#update' do
@@ -44,5 +45,16 @@ RSpec.describe Api::V1::Admin::RoomsConfigurationsController, type: :controller
 
       expect(response).to have_http_status(:bad_request)
     end
+
+    context 'user without ManageSiteSettings permission' do
+      before do
+        sign_in_user(user)
+      end
+
+      it 'cannot update the Room Configurations' do
+        put :update, params: { name: 'Option', RoomsConfig: { value: 'true' } }
+        expect(response).to have_http_status(:forbidden)
+      end
+    end
   end
 end

spec/controllers/recordings_controller_spec.rb

@@ -165,24 +165,6 @@ RSpec.describe Api::V1::RecordingsController, type: :controller do
     end
   end
 
-  # TODO: - Uncomment once delete_recordings is no longer in destroy
-  # describe '#destroy' do
-  #   it 'deletes recording from the database' do
-  #     recording = create(:recording)
-  #     expect { delete :destroy, params: { id: recording.id } }.to change(Recording, :count).by(-1)
-  #   end
-  #   it 'admin without ManageRecordings permission cannot delete recording from the database' do
-  #     recording = create(:recording)
-  #     expect { delete :destroy, params: { id: recording.id } }.not_to change(Recording, :count)
-  #     expect(response).to have_http_status(:forbidden)
-  #   end
-  #   it 'deletes formats associated with the recording from the database' do
-  #     recording = create(:recording)
-  #     create_list(:format, 5, recording:)
-  #     expect { delete :destroy, params: { id: recording.id } }.to change(Format, :count).by(-5)
-  #   end
-  # end
-
   describe '#update_visibility' do
     let(:room) { create(:room, user:) }
     let(:published_recording) { create(:recording, room:, visibility: 'Published') }