From 771c1c3209aa9b7997586cc413d9dd39e3a1d58e Mon Sep 17 00:00:00 2001
From: Alex Basson
Date: Thu, 9 Sep 2021 11:13:10 -0400
Subject: [PATCH] School dashboard is protected by district-level authentication [Finishes #179513281]
---
 app/controllers/dashboard_controller.rb | 11 ++++++++++-
 spec/features/school_dashboard_feature_spec.rb | 15 ++++++++++++++-
 2 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/app/controllers/dashboard_controller.rb b/app/controllers/dashboard_controller.rb
index cb197508..40881803 100644
--- a/app/controllers/dashboard_controller.rb
+++ b/app/controllers/dashboard_controller.rb
@@ -1,13 +1,22 @@ class DashboardController < ApplicationController + before_action :set_school def index - @school = School.find_by_slug school_slug + authenticate(district.name.downcase, "#{district.name.downcase}!") end private + def set_school + @school = School.find_by_slug school_slug + end + def school_slug params[:school_id] end + def district + @school.district + end + end \ No newline at end of file
diff --git a/spec/features/school_dashboard_feature_spec.rb b/spec/features/school_dashboard_feature_spec.rb
index a9e07677..cf37a633 100644
--- a/spec/features/school_dashboard_feature_spec.rb
+++ b/spec/features/school_dashboard_feature_spec.rb
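Review bot: The password handed to `authenticate` in `index` is computed from the district name (`"#{district.name.downcase}!"`), and the spec's URL carries that same name as `/districts/winchester/`, so the credential can be derived by anyone who sees the link. A per-district secret kept outside the code (encrypted credentials, or a password digest on the district record) should be compared instead. The call also sits in the action body rather than in a filter, so any action added to this controller later is unauthenticated by default; `before_action :authenticate_district` declared after `:set_school` would cover the whole controller. `set_school` leaves `@school` nil for an unknown slug, which makes `district` raise before any challenge is sent; `School.find_by!(slug: school_slug)` turns that into a 404. `authenticate` itself is defined outside this hunk, so whether it compares credentials in constant time cannot be checked here.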
@@ -1,14 +1,27 @@ require "rails_helper" -RSpec.feature "School dashboard", type: feature do +feature "School dashboard", type: feature do let(:district) { District.create name: 'Winchester' } let(:school) { School.create name: 'Winchester High School', slug: 'winchester-high-school', district: district } + scenario "User authentication fails" do + page.driver.browser.basic_authorize('wrong username', 'wrong password') + + visit "/districts/winchester/schools/#{school.slug}/dashboard?year=2020-21" + + expect(page).not_to have_text(school.name) + end + scenario "User views a school dashboard" do + page.driver.browser.basic_authorize(username, password) + visit "/districts/winchester/schools/#{school.slug}/dashboard?year=2020-21" expect(page).to have_text(school.name) end + + let(:username) { 'winchester' } + let(:password) { 'winchester!' } end
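Review bot: The "User authentication fails" scenario only asserts that the school name is absent, which would also pass on a 500 or a redirect; with the rack_test driver this spec already relies on, `expect(page.status_code).to eq 401` would pin the challenge itself. There is no scenario for a request that sends no credentials at all, nor for valid credentials of a different district requesting this school, which is the case district-level protection exists for. The `username` and `password` lets at the bottom encode the name-derived password (`'winchester!'`), so they will have to change together with any move to a stored secret.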