FIX: Make Discobot certificate route require login.

plugins/discourse-narrative-bot/plugin.rb

@@ -75,14 +75,19 @@ after_initialize do
     class CertificatesController < ::ApplicationController
       layout :false
       skip_before_action :check_xhr
+      requires_login
 
       def generate
-        raise Discourse::InvalidParameters.new('user_id must be present') unless params[:user_id]&.present?
+        unless params[:user_id]&.present?
+          raise Discourse::InvalidParameters.new('user_id must be present')
+        end
 
         user = User.find_by(id: params[:user_id])
         raise Discourse::NotFound if user.blank?
 
-        raise Discourse::InvalidParameters.new('date must be present') unless params[:date]&.present?
+        unless params[:date]&.present?
+          raise Discourse::InvalidParameters.new('date must be present')
+        end
 
         generator = CertificateGenerator.new(user, params[:date])
 

plugins/discourse-narrative-bot/spec/integration/discobot_certificate_spec.rb

@@ -1,37 +0,0 @@
-require 'rails_helper'
-
-describe "Discobot Certificate" do
-  let(:user) { Fabricate(:user, name: 'Jeff Atwood') }
-
-  describe 'when viewing the certificate' do
-    it 'should return the right text' do
-      params = {
-        date: Time.zone.now.strftime("%b %d %Y"),
-        user_id: user.id
-      }
-
-      stub_request(:get, /letter_avatar_proxy/).to_return(status: 200)
-
-      stub_request(:get, "http://test.localhost//images/d-logo-sketch-small.png")
-        .to_return(status: 200)
-
-      get '/discobot/certificate.svg', params: params
-
-      expect(response.status).to eq(200)
-    end
-
-    describe 'when params are missing' do
-      it "should raise the right errors" do
-        params = {
-          date: Time.zone.now.strftime("%b %d %Y"),
-          user_id: user.id
-        }
-
-        params.each do |key, _|
-          get '/discobot/certificate.svg', params: params.except(key)
-          expect(response.status).to eq(400)
-        end
-      end
-    end
-  end
-end

plugins/discourse-narrative-bot/spec/requests/discobot_certificate_spec.rb

@@ -0,0 +1,48 @@
+require 'rails_helper'
+
+describe "Discobot Certificate" do
+  let(:user) { Fabricate(:user, name: 'Jeff Atwood') }
+
+  let(:params) {
+    {
+      date: Time.zone.now.strftime("%b %d %Y"),
+      user_id: user.id
+    }
+  }
+
+  describe 'when viewing the certificate' do
+    describe 'when no logged in' do
+      it 'should return the right response' do
+        get '/discobot/certificate.svg', params: params
+
+        expect(response.status).to eq(404)
+      end
+    end
+
+    describe 'when logged in' do
+      before do
+        sign_in(user)
+      end
+
+      it 'should return the right text' do
+        stub_request(:get, /letter_avatar_proxy/).to_return(status: 200)
+
+        stub_request(:get, "http://test.localhost//images/d-logo-sketch-small.png")
+          .to_return(status: 200)
+
+        get '/discobot/certificate.svg', params: params
+
+        expect(response.status).to eq(200)
+      end
+
+      describe 'when params are missing' do
+        it "should raise the right errors" do
+          params.each do |key, _|
+            get '/discobot/certificate.svg', params: params.except(key)
+            expect(response.status).to eq(400)
+          end
+        end
+      end
+    end
+  end
+end