1 files changed, 51 insertions, 0 deletions

diff --git a/spec/controllers/ldap/omniauth_callbacks_controller_spec.rb b/spec/controllers/ldap/omniauth_callbacks_controller_spec.rb
index ceab9754617..0242a91ac60 100644
--- a/spec/controllers/ldap/omniauth_callbacks_controller_spec.rb
+++ b/spec/controllers/ldap/omniauth_callbacks_controller_spec.rb
@@ -65,4 +65,55 @@ describe Ldap::OmniauthCallbacksController do
       expect(request.env['warden']).to be_authenticated
     end
   end
+
+  describe 'enable admin mode' do
+    include_context 'custom session'
+
+    before do
+      sign_in user
+    end
+
+    context 'with a regular user' do
+      it 'cannot be enabled' do
+        reauthenticate_and_check_admin_mode(expected_admin_mode: false)
+
+        expect(response).to redirect_to(root_path)
+      end
+    end
+
+    context 'with an admin user' do
+      let(:user) { create(:omniauth_user, :admin, extern_uid: uid, provider: provider) }
+
+      context 'when requested first' do
+        before do
+          subject.current_user_mode.request_admin_mode!
+        end
+
+        it 'can be enabled' do
+          reauthenticate_and_check_admin_mode(expected_admin_mode: true)
+
+          expect(response).to redirect_to(admin_root_path)
+        end
+      end
+
+      context 'when not requested first' do
+        it 'cannot be enabled' do
+          reauthenticate_and_check_admin_mode(expected_admin_mode: false)
+
+          expect(response).to redirect_to(root_path)
+        end
+      end
+    end
+  end
+
+  def reauthenticate_and_check_admin_mode(expected_admin_mode:)
+    # Initially admin mode disabled
+    expect(subject.current_user_mode.admin_mode?).to be(false)
+
+    # Trigger OmniAuth admin mode flow and expect admin mode status
+    post provider
+
+    expect(request.env['warden']).to be_authenticated
+    expect(subject.current_user_mode.admin_mode?).to be(expected_admin_mode)
+  end
 end