From 4257d69c17375c54587d1394221476dfaf328caf Mon Sep 17 00:00:00 2001 From: rsmokeUM Date: Mon, 23 Feb 2026 11:50:49 -0500 Subject: [PATCH 1/2] Refactor entry policy to streamline access for container administrators - Updated the EntryPolicy to simplify the logic for determining access to entries based on user roles, specifically for Collection Administrators and Managers. - Removed redundant queries and consolidated the logic for fetching container IDs, enhancing code clarity and maintainability. - Added a new test case in EntriesControllerSpec to verify that Container Administrators can successfully access entry details, ensuring proper authorization handling. These changes improve the authorization logic and enhance test coverage for entry access based on user roles. --- app/policies/entry_policy.rb | 11 ++++------- spec/controllers/entries_controller_spec.rb | 20 ++++++++++++++++++++ 2 files changed, 24 insertions(+), 7 deletions(-) diff --git a/app/policies/entry_policy.rb b/app/policies/entry_policy.rb index ddc70a05..1e19f27d 100644 --- a/app/policies/entry_policy.rb +++ b/app/policies/entry_policy.rb 
@@ -36,19 +36,16 @@ def show? class Scope < Scope def resolve base_scope = scope.where(deleted: false) # Only show non-deleted entries by default + admin_role_ids = Role.where(kind: ['Collection Administrator', 'Collection Manager']).pluck(:id) + admin_container_ids = user.present? ? user.assignments.where(role_id: admin_role_ids).pluck(:container_id).uniq : [] if user.nil? scope.none elsif user.axis_mundi? # Axis mundi can see all entries base_scope - elsif user.administrator? || user.manager? - # Collection administrators and managers can see entries from their containers - admin_role_ids = Role.where(kind: ['Collection Administrator', 'Collection Manager']).pluck(:id) - admin_container_ids = user.assignments - .where(role_id: admin_role_ids) - .pluck(:container_id) - + elsif admin_container_ids.any? + # Collection administrators and managers (by container assignment) can see entries from their containers base_scope.joins(contest_instance: { contest_description: :container }) .where(containers: { id: admin_container_ids }) elsif user.judge? diff --git a/spec/controllers/entries_controller_spec.rb b/spec/controllers/entries_controller_spec.rb index c61b0201..cde255b9 100644 --- a/spec/controllers/entries_controller_spec.rb +++ b/spec/controllers/entries_controller_spec.rb 
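Review bot: The new `elsif admin_container_ids.any?` branch drops the `user.administrator? || user.manager?` gate, so a single assignment row carrying a 'Collection Administrator' or 'Collection Manager' role is now sufficient on its own to expose every non-deleted entry in that container; if assignments can be created or edited by anyone other than a global administrator this is a privilege expansion and deserves an explicit comment in the policy plus a check of the assignment-creation paths. The `Role.where(kind: ...)` lookup now runs on every `resolve`, including the `user.nil?` and `axis_mundi?` branches that never use it; assuming `Assignment belongs_to :role`, folding it into the guarded assignment query as `user.present? ? user.assignments.joins(:role).where(roles: { kind: ['Collection Administrator', 'Collection Manager'] }).distinct.pluck(:container_id) : []` removes the extra round trip and the Ruby-side `.uniq`. Because this branch precedes `elsif user.judge?`, a user who holds a container-admin assignment anywhere and also judges elsewhere appears to lose their judge scope; that was already true for `administrator?` users but now applies to more accounts, so either a comment stating the precedence is intended or a widened condition would help. The `resolve` method continues past the hunk.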
@@ -21,6 +21,26 @@ end end + context "when user is a Container Administrator for the entry's container" do + let(:container) { contest_instance.contest_description.container } + let(:admin_user) { create(:user) } + let(:admin_role) { create(:role, kind: 'Collection Administrator') } + + before do + create(:assignment, user: admin_user, container: container, role: admin_role) + sign_in admin_user + get :modal_details, params: { id: entry.id } + end + + it "returns a successful response" do + expect(response).to be_successful + end + + it "renders the details partial" do + expect(response).to render_template('entries/modal_details') + end + end + context "when user is not authorized" do let(:other_user) { create(:user) } From d869a30960ed857845637bad1bd09eea7ccbdc3b Mon Sep 17 00:00:00 2001 From: rsmokeUM Date: Mon, 23 Feb 2026 13:52:53 -0500 Subject: [PATCH 2/2] Add test for unauthorized access by Collection Administrators - Introduced a new test case in EntriesControllerSpec to verify that Collection Administrators attempting to access entry details for a different container are redirected with an unauthorized message. - This change enhances test coverage for authorization handling, ensuring that users are properly restricted based on their assigned roles and containers. These modifications improve the robustness of the authorization logic in the EntriesController. --- spec/controllers/entries_controller_spec.rb | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/spec/controllers/entries_controller_spec.rb b/spec/controllers/entries_controller_spec.rb index cde255b9..b1aff194 100644 --- a/spec/controllers/entries_controller_spec.rb +++ b/spec/controllers/entries_controller_spec.rb 
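Review bot: The new context exercises only the success path for a 'Collection Administrator', while the policy change in this commit also grants 'Collection Manager' and still filters on `deleted: false`, and neither edge is covered here. A sibling context with `let(:admin_role) { create(:role, kind: 'Collection Manager') }` asserting success, and one where the entry is created with `deleted: true` asserting the unauthorized redirect, would pin both ends of the new branch so a later change to the role list or the soft-delete filter fails a test. The enclosing `describe` starts outside the hunk.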
@@ -41,6 +41,23 @@ end end + context "when user is a Collection Administrator for a different container" do + let(:other_container) { create(:container) } + let(:other_admin_user) { create(:user) } + let(:admin_role) { create(:role, kind: 'Collection Administrator') } + + before do + create(:assignment, user: other_admin_user, container: other_container, role: admin_role) + sign_in other_admin_user + get :modal_details, params: { id: entry.id } + end + + it "redirects with unauthorized message" do + expect(response).to redirect_to(root_path) + expect(flash[:alert]).to eq("!!! Not authorized !!!") + end + end + context "when user is not authorized" do let(:other_user) { create(:user) }
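Review bot: This negative case covers an admin of an unrelated container but not the precedence question the policy change raises: if `modal_details` resolves through the entry scope, a user with a 'Collection Administrator' assignment on `other_container` who is also a judge for `entry`'s container now takes the `admin_container_ids.any?` branch first and, as far as the policy hunk shows, never reaches `elsif user.judge?`. A context that additionally creates a judge assignment for `other_admin_user` on the entry's container and asserts the intended outcome (success if judge access should survive, redirect if the precedence is deliberate) would document which behaviour is wanted. The exact match on `"!!! Not authorized !!!"` is fine if the controller emits one constant message; otherwise `expect(flash[:alert]).to be_present` is less brittle. The enclosing `describe` starts outside the hunk.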