Impersonation (#1325)

* Initial impersonation * Impersonation audit * Keep super admin separate * Remove vscode settings * Comment cleanup * Comment out impersonation fixtures for now * Remove unused controlelr * Add impersonation testing (#1326) * Add impersonation testing * Remove unused method * Update schema.rb * Update brakeman --------- Co-authored-by: Zach Gollwitzer <zach@maybe.co>
2025-07-25 08:09:38 +02:00 · 2024-10-18 11:26:58 -05:00 · 2024-10-18 11:26:58 -05:00 · c7c281073f
commit c7c281073f
parent 4a3685f503
29 changed files with 477 additions and 16 deletions
--- a/test/controllers/impersonation_sessions_controller_test.rb
+++ b/test/controllers/impersonation_sessions_controller_test.rb
@ -0,0 +1,112 @@
+require "test_helper"
+
+class ImpersonationSessionsControllerTest < ActionDispatch::IntegrationTest
+  test "impersonation session logs all activity for auditing" do
+    sign_in impersonator = users(:maybe_support_staff)
+    impersonated = users(:family_member)
+
+    impersonator_session = impersonation_sessions(:in_progress)
+
+    post join_impersonation_sessions_path, params: { impersonation_session_id: impersonator_session.id }
+
+    assert_difference "impersonator_session.logs.count", 2 do
+      get root_path
+      get account_path(impersonated.family.accounts.first)
+    end
+  end
+
+  test "super admin can request an impersonation session" do
+    sign_in users(:maybe_support_staff)
+
+    post impersonation_sessions_path, params: { impersonation_session: { impersonated_id: users(:family_member).id } }
+
+    assert_equal "Request sent to user. Waiting for approval.", flash[:notice]
+    assert_redirected_to root_path
+  end
+
+  test "super admin can join and leave an in progress impersonation session" do
+    sign_in super_admin = users(:maybe_support_staff)
+
+    impersonator_session = impersonation_sessions(:in_progress)
+
+    super_admin_session = super_admin.sessions.order(created_at: :desc).first
+
+    assert_nil super_admin_session.active_impersonator_session
+
+    # Joining the session
+    post join_impersonation_sessions_path, params: { impersonation_session_id: impersonator_session.id }
+    assert_equal impersonator_session, super_admin_session.reload.active_impersonator_session
+    assert_equal "Joined session", flash[:notice]
+    assert_redirected_to root_path
+
+    follow_redirect!
+
+    # Leaving the session
+    delete leave_impersonation_sessions_path
+    assert_nil super_admin_session.reload.active_impersonator_session
+    assert_equal "Left session", flash[:notice]
+    assert_redirected_to root_path
+
+    # Impersonation session still in progress because nobody has ended it yet
+    assert_equal "in_progress", impersonator_session.reload.status
+  end
+
+  test "super admin can complete an impersonation session" do
+    sign_in super_admin = users(:maybe_support_staff)
+
+    impersonator_session = impersonation_sessions(:in_progress)
+
+    put complete_impersonation_session_path(impersonator_session)
+
+    assert_equal "Session completed", flash[:notice]
+    assert_nil super_admin.sessions.order(created_at: :desc).first.active_impersonator_session
+    assert_equal "complete", impersonator_session.reload.status
+    assert_redirected_to root_path
+  end
+
+  test "regular user can complete an impersonation session" do
+    sign_in regular_user = users(:family_member)
+
+    impersonator_session = impersonation_sessions(:in_progress)
+
+    put complete_impersonation_session_path(impersonator_session)
+
+    assert_equal "Session completed", flash[:notice]
+    assert_equal "complete", impersonator_session.reload.status
+    assert_redirected_to root_path
+  end
+
+  test "super admin cannot accept an impersonation session" do
+    sign_in super_admin = users(:maybe_support_staff)
+
+    impersonator_session = impersonation_sessions(:in_progress)
+
+    put approve_impersonation_session_path(impersonator_session)
+
+    assert_response :not_found
+  end
+
+  test "regular user can accept an impersonation session" do
+    sign_in regular_user = users(:family_member)
+
+    impersonator_session = impersonation_sessions(:in_progress)
+
+    put approve_impersonation_session_path(impersonator_session)
+
+    assert_equal "Request approved", flash[:notice]
+    assert_equal "in_progress", impersonator_session.reload.status
+    assert_redirected_to root_path
+  end
+
+  test "regular user can reject an impersonation session" do
+    sign_in regular_user = users(:family_member)
+
+    impersonator_session = impersonation_sessions(:in_progress)
+
+    put reject_impersonation_session_path(impersonator_session)
+
+    assert_equal "Request rejected", flash[:notice]
+    assert_equal "rejected", impersonator_session.reload.status
+    assert_redirected_to root_path
+  end
+end
--- a/test/fixtures/impersonation_session_logs.yml
+++ b/test/fixtures/impersonation_session_logs.yml
@ -0,0 +1,11 @@
+# Read about fixtures at https://api.rubyonrails.org/classes/ActiveRecord/FixtureSet.html
+
+# This model initially had no columns defined. If you add columns to the
+# model remove the "{}" from the fixture names and add the columns immediately
+# below each fixture, per the syntax in the comments below
+#
+#one: {}
+# column: value
+#
+#two: {}
+# column: value
--- a/test/fixtures/impersonation_sessions.yml
+++ b/test/fixtures/impersonation_sessions.yml
@ -0,0 +1,4 @@
+in_progress:
+  impersonator: maybe_support_staff
+  impersonated: family_member
+  status: in_progress
--- a/test/fixtures/users.yml
+++ b/test/fixtures/users.yml
@ -5,6 +5,14 @@ empty:
  email: user1@email.com
  password_digest: <%= BCrypt::Password.create('password') %>

+maybe_support_staff:
+  family: empty
+  first_name: Support
+  last_name: Admin
+  email: support@maybe.co
+  password_digest: <%= BCrypt::Password.create('password') %>
+  role: super_admin
+
 family_admin:
  family: dylan_family
  first_name: Bob
--- a/test/models/impersonation_session_log_test.rb
+++ b/test/models/impersonation_session_log_test.rb
@ -0,0 +1,7 @@
+require "test_helper"
+
+class ImpersonationSessionLogTest < ActiveSupport::TestCase
+  # test "the truth" do
+  #   assert true
+  # end
+end
--- a/test/models/impersonation_session_test.rb
+++ b/test/models/impersonation_session_test.rb
@ -0,0 +1,40 @@
+require "test_helper"
+
+class ImpersonationSessionTest < ActiveSupport::TestCase
+  test "only super admin can impersonate" do
+    regular_user = users(:family_member)
+
+    assert_not regular_user.super_admin?
+
+    assert_raises(ActiveRecord::RecordInvalid) do
+      ImpersonationSession.create!(
+        impersonator: regular_user,
+        impersonated: users(:maybe_support_staff)
+      )
+    end
+  end
+
+  test "super admin cannot be impersonated" do
+    super_admin = users(:maybe_support_staff)
+
+    assert super_admin.super_admin?
+
+    assert_raises(ActiveRecord::RecordInvalid) do
+      ImpersonationSession.create!(
+        impersonator: users(:family_member),
+        impersonated: super_admin
+      )
+    end
+  end
+
+  test "impersonation session must have different impersonator and impersonated" do
+    super_admin = users(:maybe_support_staff)
+
+    assert_raises(ActiveRecord::RecordInvalid) do
+      ImpersonationSession.create!(
+        impersonator: super_admin,
+        impersonated: super_admin
+      )
+    end
+  end
+end