ensure the template details and download link only shown if accessible …

…#2084
seek4science · Dec 2, 2024 · 30e2bcc · 30e2bcc
1 parent 3158cac
commit 30e2bcc
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 1 deletion.
diff --git a/app/views/sample_types/_template.html.erb b/app/views/sample_types/_template.html.erb
@@ -1,3 +1,5 @@
+<% return unless @sample_type.can_download? %>
+<h2>Template</h2>
 <div id="template-details">
 
   <% if @sample_type.template %>

diff --git a/app/views/sample_types/show.html.erb b/app/views/sample_types/show.html.erb
@@ -11,7 +11,7 @@
     <div class="col-md-9 col-sm-8 box_about_actor">
       <%= item_description h(@sample_type.description) -%>
 
-      <h2>Template</h2>
+
       <%= render :partial => "template" %>
 
       <h2>Attributes</h2>

diff --git a/test/functional/sample_types_controller_test.rb b/test/functional/sample_types_controller_test.rb
@@ -255,6 +255,31 @@ class SampleTypesControllerTest < ActionController::TestCase
     assert_equal 'update', ActivityLog.last.action
   end
 
+  test 'template download link visibility' do
+    person = FactoryBot.create(:person)
+    sample_type = SampleType.new title: 'testing download',
+                                 uploaded_template: true,
+                                 project_ids: person.projects.collect(&:id),
+                                 contributor: person,
+                                 content_blob: FactoryBot.create(:sample_type_template_content_blob),
+                                 policy: FactoryBot.create(:downloadable_public_policy)
+    sample_type.build_attributes_from_template
+    disable_authorization_checks { sample_type.save! }
+    assert sample_type.can_view?
+    assert sample_type.can_download?
+    get :show, params: { id: sample_type }
+    assert_response :success
+    assert_select 'a[href=?]',download_sample_type_content_blob_path(sample_type,sample_type.template), text:'Download'
+
+    sample_type.policy = FactoryBot.create(:publicly_viewable_policy)
+    disable_authorization_checks { sample_type.save! }
+    assert sample_type.can_view?
+    refute sample_type.can_download?
+    get :show, params: { id: sample_type }
+    assert_response :success
+    assert_select 'a[href=?]',download_sample_type_content_blob_path(sample_type,sample_type.template), text:'Download', count:0
+  end
+
   test 'update changing from a CV attribute' do
     sample_type = FactoryBot.create(:apples_controlled_vocab_sample_type, project_ids: @project_ids,
                                                                           contributor: @person)