From 015b7f88b010c5a38847c8db59c84a966542a43b Mon Sep 17 00:00:00 2001
From: Rohan Mitchell
Date: Thu, 11 Oct 2012 13:17:05 +1100
Subject: [PATCH] Add tests for CMS admin security

---
 spec/requests/admin/cms_spec.rb | 13 +++++++++++++
 spec/support/request/authentication_workflow.rb | 3 +++
 2 files changed, 16 insertions(+)

diff --git a/spec/requests/admin/cms_spec.rb b/spec/requests/admin/cms_spec.rb
index f34a92434d..8ea741a6ea 100644
--- a/spec/requests/admin/cms_spec.rb
+++ b/spec/requests/admin/cms_spec.rb
@@ -18,4 +18,17 @@ feature %q{
 page.should have_selector 'h1', :text => 'Administration'
 end
 
+ scenario "anonymous user can't access CMS admin" do
+ visit cms_admin_path
+ page.should_not have_content "ComfortableMexicanSofa"
+ page.should have_content "Login"
+ end
+
+ scenario "non-admin user can't access CMS admin" do
+ login_to_consumer_section
+ visit cms_admin_path
+ page.should_not have_content "ComfortableMexicanSofa"
+ page.should have_content "Open Food Web"
+ end
+
 end
diff --git a/spec/support/request/authentication_workflow.rb b/spec/support/request/authentication_workflow.rb
index 79aa9ff55a..df9ab27558 100644
--- a/spec/support/request/authentication_workflow.rb
+++ b/spec/support/request/authentication_workflow.rb
@@ -17,6 +17,9 @@ module AuthenticationWorkflow
 end
 
 def login_to_consumer_section
+ # The first user is given the admin role by Spree, so create a dummy user if this is the first
+ create(:user) if Spree::User.admin.empty?
+
 user_role = Spree::Role.create(:name => 'user')
 user = Spree::User.create({
 :email => 'someone@ofw.org',
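Review bot: Both new scenarios in spec/requests/admin/cms_spec.rb prove denial only through page text, so they can pass for the wrong reason. `page.should_not have_content "ComfortableMexicanSofa"` also holds on an error page, or if the CMS layout stops printing that string, and "Open Food Web" in the non-admin scenario presumably appears on most pages of the site. I would pin the outcome to the location as well, with `current_path.should_not == cms_admin_path` in both scenarios, and keep an admin scenario that asserts the same "ComfortableMexicanSofa" string is present so the negative check cannot go vacuous. The non-admin scenario also never confirms that `login_to_consumer_section` signed the user in, so a silent login failure would turn it into a second anonymous test. Asserting a signed-in marker before `visit cms_admin_path` closes that gap.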
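Review bot: The comment on the new guard in `login_to_consumer_section` (spec/support/request/authentication_workflow.rb) says "if this is the first", but the condition is `Spree::User.admin.empty?`, which means no admin exists yet. The two differ when non-admin users are already present. If Spree's rule is really "promote when no admin exists" (inferred from the guard, not visible here), I would reword it to `# Spree promotes a user created while no admin exists, so create a throwaway admin first to keep the user below unprivileged`. The comment should also say that the helper now leaves an extra admin record in the database, since specs that count users or admins will see it. The method body continues past the end of the hunk, so it cannot be seen from here whether the logged-in user is ever checked for the absence of the admin role.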