From 9d2ee92db1675570f5235d82a8ca21c8cfa245b4 Mon Sep 17 00:00:00 2001
From: JP Engstrom
Date: Tue, 22 Oct 2024 13:36:07 -0700
Subject: [PATCH] Staged Download auth (#1069)
Co-authored-by: JP Engstrom
---
 app/controllers/download_original_controller.rb | 2 +-
 spec/requests/download_original_spec.rb | 12 ++++++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/app/controllers/download_original_controller.rb b/app/controllers/download_original_controller.rb
index ebb88ebe..9f0b0475 100644
--- a/app/controllers/download_original_controller.rb
+++ b/app/controllers/download_original_controller.rb
@@ -6,7 +6,7 @@ class DownloadOriginalController < ApplicationController
 include Blacklight::Catalog
 include CheckAuthorization
- before_action :check_authorization, except: [:staged]
+ before_action :check_authorization
 def tiff
 if S3Service.exists_in_s3(tiff_pairtree_path)
diff --git a/spec/requests/download_original_spec.rb b/spec/requests/download_original_spec.rb
index b6eccf9d..05608acf 100644
--- a/spec/requests/download_original_spec.rb
+++ b/spec/requests/download_original_spec.rb
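Review bot: The `before_action :check_authorization` line carries no comment explaining why it must stay unscoped, and the removed `except: [:staged]` is the kind of exemption that is easy to reintroduce later. I would add a comment above it such as `# Every action, including staged, must pass check_authorization; do not add except:/skip_before_action without a request spec for the exempted route.` `check_authorization` comes from the `CheckAuthorization` concern, which is not shown here, so whether it resolves the staged route's params the same way as `tiff` can only be confirmed from the specs. The class body continues outside the hunk.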
@@ -168,14 +168,26 @@
 get "/download/tiff/#{yale_work[:child_oids_ssim].first}"
 expect(response).to have_http_status(:unauthorized) # 401
 end
+ it 'does not stage the download if set to YCO' do
+ get "/download/tiff/#{yale_work[:child_oids_ssim].first}/staged"
+ expect(response).to have_http_status(:unauthorized) # 401
+ end
 it 'does not display if set to OWP' do
 get "/download/tiff/#{owp_work_without_permission[:child_oids_ssim].first}"
 expect(response).to have_http_status(:unauthorized) # 401
 end
+ it 'does not stage the download if set to OWP' do
+ get "/download/tiff/#{owp_work_without_permission[:child_oids_ssim].first}/staged"
+ expect(response).to have_http_status(:unauthorized) # 401
+ end
 it 'does not display if set to private' do
 get "/download/tiff/#{private_work[:child_oids_ssim].first}"
 expect(response).to have_http_status(:not_found) # 404
 end
+ it 'does not stage the download if set to private' do
+ get "/download/tiff/#{private_work[:child_oids_ssim].first}/staged"
+ expect(response).to have_http_status(:not_found) # 404
+ end
 end
 context 'as an authenticated yale user' do
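Review bot: The three added examples only pin the denial path for `/staged` (401 for YCO and OWP, 404 for private); nothing in this hunk checks that a permitted request to `/staged` still succeeds now that `check_authorization` runs before it. If the rest of the file has no such case, add one for a public work and one under `context 'as an authenticated yale user'`, asserting the status the staged action returns on success, so that an over-blocking regression is caught as well as an under-blocking one. The enclosing context starts above the hunk, so the identity these requests run as is inferred from the following `context` line rather than visible here.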