Allow officers to view project explorer downloads #3440

Author: chrisala

grails-app/controllers/au/org/ala/merit/DownloadController.groovy

@@ -4,20 +4,24 @@ import grails.core.GrailsApplication
 
 import javax.servlet.http.HttpServletResponse
 
-@PreAuthorise(accessLevel = 'siteReadOnly', redirectController = "home")
 class DownloadController {
 
     private List DOWNLOAD_EXTENSIONS = ['xls', 'xlsx', 'zip', 'json', 'xml', 'pdf', 'csv']
 
     GrailsApplication grailsApplication
     WebService webService
+    UserService userService
 
     /**
      * Deliberately not add .format in urlMapping to support file.extension on purpose
      * @param id - including extension
      * @return
      */
     def get(String id) {
+        if (!userService.userIsSiteAdmin() && !userService.userHasReadOnlyAccess()) {
+            redirect(controller:'home')
+            return
+        }
         if (!id) {
             response.setStatus(400)
             render "A download ID is required"

grails-app/controllers/au/org/ala/merit/HomeController.groovy

@@ -91,12 +91,13 @@ class HomeController {
         def facetsList = new ArrayList(SettingService.getHubConfig().availableFacets ?:[])
         def mapFacets = new ArrayList(SettingService.getHubConfig().availableMapFacets ?: [])
 
-        boolean canViewAdminFacetsAndDownloads = userService.userIsAlaOrFcAdmin() || userService.userHasReadOnlyAccess()
-        if (!canViewAdminFacetsAndDownloads) {
+        boolean canViewAdminFacets = userService.userIsAlaOrFcAdmin() || userService.userHasReadOnlyAccess()
+        if (!canViewAdminFacets) {
             List adminFacetList = SettingService.getHubConfig().adminFacets ?: []
             facetsList?.removeAll(adminFacetList)
             mapFacets?.removeAll(adminFacetList)
         }
+        boolean canViewDownloads = canViewAdminFacets || userService.userIsSiteAdmin()
         boolean canViewOfficerFacets = userService.userIsSiteAdmin() || userService.userHasReadOnlyAccess()
         if (!canViewOfficerFacets) {
             List officerFacetList = SettingService.getHubConfig().officerFacets ?: []
@@ -117,10 +118,10 @@ class HomeController {
            description: settingService.getSettingText(SettingPageType.DESCRIPTION),
            results: resp,
            projectCount: resp?.hits?.total ?: 0,
-           includeDownloads: canViewAdminFacetsAndDownloads
+           includeDownloads: canViewDownloads
         ]
 
-        if (canViewAdminFacetsAndDownloads) {
+        if (canViewAdminFacets) {
             List activityTypes = metadataService.activityTypesList()
             Map activityTypesFacet = resp?.facets?.get(ACTIVITY_TYPE_FACET_NAME)
             model.activityTypes = filterActivityTypesToProjectSelection(activityTypes, activityTypesFacet)

grails-app/controllers/au/org/ala/merit/SearchController.groovy

@@ -7,6 +7,7 @@ import org.apache.http.HttpStatus
 class SearchController {
     def searchService, webService, speciesService, commonService, documentService, reportService
     GrailsApplication grailsApplication
+    UserService userService
 
     /**
      * Main search page that takes its input from the search bar in the header
@@ -33,8 +34,11 @@ class SearchController {
         render speciesService.searchSpeciesList(sort, max, offset) as JSON
     }
 
-    @PreAuthorise(accessLevel = 'siteReadOnly', redirectController ='home', redirectAction = 'index')
     def downloadAllData() {
+        if (!userService.userIsSiteAdmin() && !userService.userHasReadOnlyAccess()) {
+            redirect(controller:'home')
+            return
+        }
         params.putAll(downloadParams())
         params.max = 10000 // The default is 5000, and some downloads require more than that.
         def response = searchService.downloadAllData(params)

src/test/groovy/au/org/ala/merit/HomeControllerSpec.groovy

@@ -217,7 +217,7 @@ class HomeControllerSpec extends Specification implements ControllerUnitTest<Hom
         false | true
     }
 
-    def "Users without MERIT admin or read only but with the hub officer role cannot view admin facets but can view officer facets"() {
+    def "Users without MERIT admin or read only but with the hub officer role cannot view admin facets but can view officer facets and downloads"() {
         setup:
         Map resp = [:]
 
@@ -228,7 +228,7 @@ class HomeControllerSpec extends Specification implements ControllerUnitTest<Hom
         then:
         1 * userService.userIsAlaOrFcAdmin() >> false
         1 * userService.userHasReadOnlyAccess() >> false
-        1 * userService.userIsSiteAdmin() >> true
+        2 * userService.userIsSiteAdmin() >> true
 
         1 * searchService.HomePageFacets(params) >> resp
         1 * settingService.getSettingText(_) >> "Project explorer description"
@@ -241,7 +241,7 @@ class HomeControllerSpec extends Specification implements ControllerUnitTest<Hom
         model.description == "Project explorer description"
         model.results == resp
         model.projectCount == 0
-        model.includeDownloads == false
+        model.includeDownloads == true
         model.activityTypes == null
 
     }
@@ -257,7 +257,7 @@ class HomeControllerSpec extends Specification implements ControllerUnitTest<Hom
         then:
         1 * userService.userIsAlaOrFcAdmin() >> false
         2 * userService.userHasReadOnlyAccess() >> false
-        1 * userService.userIsSiteAdmin() >> false
+        2 * userService.userIsSiteAdmin() >> false
         1 * searchService.HomePageFacets(params) >> resp
         1 * settingService.getSettingText(_) >> "Project explorer description"
         0 * metadataService.activityTypesList()