Add tests to check if users can access a restricted page.

services/web/test/acceptance/coffee/SessionTests.coffee

@@ -7,7 +7,7 @@ redis = require "./helpers/redis"
 
 describe "Sessions", ->
 	before (done) ->
-		@timeout(10000)
+		@timeout(20000)
 		@user1 = new User()
 		@site_admin = new User({email: "admin@example.com"})
 		async.series [
@@ -34,6 +34,13 @@ describe "Sessions", ->
 							expect(sessions[0].slice(0, 5)).to.equal 'sess:'
 							next()
 
+					# should be able to access settings page
+					, (next) =>
+						@user1.getUserSettingsPage (err, statusCode) =>
+							expect(err).to.equal null
+							expect(statusCode).to.equal 200
+							next()
+
 					# logout, should remove session from set
 					, (next) =>
 						@user1.logout (err) ->
@@ -87,6 +94,19 @@ describe "Sessions", ->
 							expect(sessions[1].slice(0, 5)).to.equal 'sess:'
 							next()
 
+					# both should be able to access settings page
+					, (next) =>
+						@user1.getUserSettingsPage (err, statusCode) =>
+							expect(err).to.equal null
+							expect(statusCode).to.equal 200
+							next()
+
+					, (next) =>
+						@user2.getUserSettingsPage (err, statusCode) =>
+							expect(err).to.equal null
+							expect(statusCode).to.equal 200
+							next()
+
 					# logout first session, should remove session from set
 					, (next) =>
 						@user1.logout (err) ->
@@ -97,6 +117,20 @@ describe "Sessions", ->
 							expect(sessions.length).to.equal 1
 							next()
 
+					# first session should not have access to settings page
+					, (next) =>
+						@user1.getUserSettingsPage (err, statusCode) =>
+							expect(err).to.equal null
+							expect(statusCode).to.equal 302
+							next()
+
+					# second session should still have access to settings
+					, (next) =>
+						@user2.getUserSettingsPage (err, statusCode) =>
+							expect(err).to.equal null
+							expect(statusCode).to.equal 200
+							next()
+
 					# logout second session, should remove last session from set
 					, (next) =>
 						@user2.logout (err) ->
@@ -107,6 +141,13 @@ describe "Sessions", ->
 							expect(sessions.length).to.equal 0
 							next()
 
+					# second session should not have access to settings page
+					, (next) =>
+						@user2.getUserSettingsPage (err, statusCode) =>
+							expect(err).to.equal null
+							expect(statusCode).to.equal 302
+							next()
+
 				], (err, result) =>
 					if err
 						throw err
@@ -175,6 +216,26 @@ describe "Sessions", ->
 							expect(sessions.length).to.equal 1
 							next()
 
+					# users one and three should not be able to access settings page
+					, (next) =>
+						@user1.getUserSettingsPage (err, statusCode) =>
+							expect(err).to.equal null
+							expect(statusCode).to.equal 302
+							next()
+
+					, (next) =>
+						@user3.getUserSettingsPage (err, statusCode) =>
+							expect(err).to.equal null
+							expect(statusCode).to.equal 302
+							next()
+
+					# user two should still be logged in, and able to access settings page
+					, (next) =>
+						@user2.getUserSettingsPage (err, statusCode) =>
+							expect(err).to.equal null
+							expect(statusCode).to.equal 200
+							next()
+
 					# logout second session, should remove last session from set
 					, (next) =>
 						@user2.logout (err) ->

services/web/test/acceptance/coffee/helpers/User.coffee

@@ -106,4 +106,15 @@ class User
 					return callback(error) if error?
 					callback()
 
+	getUserSettingsPage: (callback = (error, statusCode) ->) ->
+		@getCsrfToken (error) =>
+			return callback(error) if error?
+			@request.get {
+				url: "/user/settings"
+			}, (error, response, body) =>
+				return callback(error) if error?
+				callback(null, response.statusCode)
+
+
+
 module.exports = User