Merge pull request #1539 from betagouv/stats_policy_tests

Add stats policy and authorize team link

app/controllers/pages_controller.rb

@@ -2,6 +2,7 @@ class PagesController < SharedController
   # Abstract Controller for the public pages
   # implicitly uses the 'pages' layout
   include GeocoderIp
+  include Pundit
 
   ## Configuration for honeypot-captcha
   #

app/controllers/stats/base_controller.rb

@@ -1,7 +1,5 @@
 module Stats
   class BaseController < PagesController
-    include Pundit
-
     private
 
     def stats_params

app/views/pages/_footer.haml

@@ -25,6 +25,6 @@
       %li= link_to t('about.mentions_d_information.title'), mentions_d_information_path
       %li= link_to t('about.mentions_legales.title'), mentions_legales_path
       %li= link_to t('usage_stats'), public_index_path
-      - if current_user&.is_admin?
+      - if policy(Stats::All).team?
         %li= link_to t('usage_team_stats'), team_index_path
       %li= link_to t('.service_presentation'), '/book.pdf', 'aria-label': t('.service_presentation_title'), target: '_blank', rel: 'noopener'

spec/policies/stats/all_policy_spec.rb

@@ -0,0 +1,20 @@
+require 'rails_helper'
+
+RSpec.describe Stats::AllPolicy, type: :policy do
+  let(:no_user) { nil }
+  let(:user) { create :user }
+  let(:admin) { create :user, is_admin: true }
+
+  subject { described_class }
+
+  permissions :team? do
+    context "grants access to admin" do
+      it { is_expected.to permit(admin, Stats::All) }
+    end
+
+    context "denies access to no admin user" do
+      it { is_expected.not_to permit(user, Stats::All) }
+      it { is_expected.not_to permit(no_user, Stats::All) }
+    end
+  end
+end