diff --git a/.gitignore b/.gitignore
index 48fb168f..5a111e4e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -15,3 +15,5 @@
 
 # Ignore Byebug command history file.
 .byebug_history
+
+.env
diff --git a/Gemfile b/Gemfile
index 42f4bb2c..239ff8c1 100644
--- a/Gemfile
+++ b/Gemfile
@@ -34,6 +34,10 @@ gem 'jbuilder', '~> 2.5'
 # Use Capistrano for deployment
 # gem 'capistrano-rails', group: :development
 
+gem "omniauth"
+gem "omniauth-github"
+
+
 gem 'bootstrap', '~> 4.1.3'
 
 group :development, :test do
@@ -62,6 +66,7 @@ group :development do
   # Spring speeds up development by keeping your application running in the background. Read more: https://github.com/rails/spring
   gem 'spring'
   gem 'spring-watcher-listen', '~> 2.0.0'
+  gem 'dotenv-rails'
 end
 
 # Windows does not include zoneinfo files, so bundle the tzinfo-data gem
diff --git a/Gemfile.lock b/Gemfile.lock
index 5b407e7e..f66ae74f 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -70,11 +70,18 @@ GEM
     concurrent-ruby (1.0.5)
     crass (1.0.4)
     debug_inspector (0.0.3)
+    dotenv (2.5.0)
+    dotenv-rails (2.5.0)
+      dotenv (= 2.5.0)
+      railties (>= 3.2, < 6.0)
     erubi (1.7.1)
     execjs (2.7.0)
+    faraday (0.15.3)
+      multipart-post (>= 1.2, < 3)
     ffi (1.9.25)
     globalid (0.4.1)
       activesupport (>= 4.2.0)
+    hashie (3.5.7)
     i18n (1.1.0)
       concurrent-ruby (~> 1.0)
     jbuilder (2.7.0)
@@ -84,6 +91,7 @@ GEM
       rails-dom-testing (>= 1, < 3)
       railties (>= 4.2.0)
       thor (>= 0.14, < 2.0)
+    jwt (2.1.0)
     listen (3.0.8)
       rb-fsevent (~> 0.9, >= 0.9.4)
       rb-inotify (~> 0.9, >= 0.9.7)
@@ -113,9 +121,26 @@ GEM
       minitest (~> 5.0)
       rails (>= 4.1)
     multi_json (1.13.1)
+    multi_xml (0.6.0)
+    multipart-post (2.0.0)
     nio4r (2.3.1)
     nokogiri (1.8.4)
       mini_portile2 (~> 2.3.0)
+    oauth2 (1.4.1)
+      faraday (>= 0.8, < 0.16.0)
+      jwt (>= 1.0, < 3.0)
+      multi_json (~> 1.3)
+      multi_xml (~> 0.5)
+      rack (>= 1.2, < 3)
+    omniauth (1.8.1)
+      hashie (>= 3.4.6, < 3.6.0)
+      rack (>= 1.6.2, < 3)
+    omniauth-github (1.3.0)
+      omniauth (~> 1.5)
+      omniauth-oauth2 (>= 1.4.0, < 2.0)
+    omniauth-oauth2 (1.5.0)
+      oauth2 (~> 1.1)
+      omniauth (~> 1.2)
     pg (0.21.0)
     popper_js (1.14.3)
     pry (0.11.3)
@@ -207,6 +232,7 @@ DEPENDENCIES
   bootstrap (~> 4.1.3)
   byebug
   coffee-rails (~> 4.2)
+  dotenv-rails
   jbuilder (~> 2.5)
   jquery-rails
   listen (~> 3.0.5)
@@ -214,6 +240,8 @@ DEPENDENCIES
   minitest-reporters
   minitest-skip
   minitest-spec-rails
+  omniauth
+  omniauth-github
   pg (~> 0.18)
   pry-rails
   puma (~> 3.0)
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index c12c7c17..1785fe52 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -3,15 +3,24 @@ class ApplicationController < ActionController::Base
 
   before_action :find_user
 
+
   def render_404
     # DPR: this will actually render a 404 page in production
     raise ActionController::RoutingError.new('Not Found')
   end
 
-private
+  private
+
   def find_user
     if session[:user_id]
-      @login_user = User.find_by(id: session[:user_id])
+      @user = User.find_by(id: session[:user_id])
+    end
+  end
+
+  def require_login
+    if find_user.nil?
+      flash[:result_text] = "You must be logged in to view this section"
+      redirect_to root_path
     end
   end
 end
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index 5bce99e6..d9894c91 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -2,33 +2,47 @@ class SessionsController < ApplicationController
   def login_form
   end
 
-  def login
-    username = params[:username]
-    if username and user = User.find_by(username: username)
-      session[:user_id] = user.id
-      flash[:status] = :success
-      flash[:result_text] = "Successfully logged in as existing user #{user.username}"
+
+  def create
+    auth_hash = request.env['omniauth.auth']
+
+    user = User.find_by(uid: auth_hash[:uid], provider: 'github')
+    if user
+      # User was found in the database
+      flash[:result_text] = "Logged in as returning user #{user.username}"
+
     else
-      user = User.new(username: username)
+      # User doesn't match anything in the DB
+      # Attempt to create a new user
+      user = User.build_from_github(auth_hash)
+
       if user.save
-        session[:user_id] = user.id
-        flash[:status] = :success
-        flash[:result_text] = "Successfully created new user #{user.username} with ID #{user.id}"
+        flash[:result_text] = "Logged in as new user #{user.username}"
+
       else
-        flash.now[:status] = :failure
-        flash.now[:result_text] = "Could not log in"
-        flash.now[:messages] = user.errors.messages
-        render "login_form", status: :bad_request
+        # Couldn't save the user for some reason. If we
+        # hit this it probably means there's a bug with the
+        # way we've configured GitHub. Our strategy will
+        # be to display error messages to make future
+        # debugging easier.
+
+        flash[:result_text] = "Could not create new user account: #{user.errors.messages}"
+        redirect_to root_path
         return
       end
     end
+
+    # If we get here, we have a valid user instance
+    session[:user_id] = user.id
     redirect_to root_path
   end
 
-  def logout
-    session[:user_id] = nil
-    flash[:status] = :success
-    flash[:result_text] = "Successfully logged out"
+  def destroy
+    if @user
+      session[:user_id] = nil
+      flash[:result_text] = "Successfully logged out!"
+    end
     redirect_to root_path
   end
+
 end
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 73b42652..58882c35 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -1,10 +1,17 @@
 class UsersController < ApplicationController
+  before_action :require_login
+
   def index
-    @users = User.all
+
+      @users = User.all
+
   end
 
   def show
-    @user = User.find_by(id: params[:id])
-    render_404 unless @user
+    unless  @user.id == params[:id].to_i
+      flash[:result_text] = "Not allowed."
+      redirect_to root_path
+    end
   end
+
 end
diff --git a/app/controllers/works_controller.rb b/app/controllers/works_controller.rb
index 2020bee4..081a8b5f 100644
--- a/app/controllers/works_controller.rb
+++ b/app/controllers/works_controller.rb
@@ -2,6 +2,8 @@ class WorksController < ApplicationController
   # We should always be able to tell what category
   # of work we're dealing with
   before_action :category_from_work, except: [:root, :index, :new, :create]
+  # before_action :find_user, except: [:root]
+  before_action :require_login, except: [:root]
 
   def root
     @albums = Work.best_albums
@@ -11,11 +13,12 @@ def root
   end
 
   def index
-    @works_by_category = Work.to_category_hash
+
+      @works_by_category = Work.to_category_hash
   end
 
   def new
-    @work = Work.new
+      @work = Work.new
   end
 
   def create
@@ -34,23 +37,25 @@ def create
   end
 
   def show
-    @votes = @work.votes.order(created_at: :desc)
+      @votes = @work.votes.order(created_at: :desc)
   end
 
   def edit
   end
 
   def update
+
     @work.update_attributes(media_params)
     if @work.save
       flash[:status] = :success
       flash[:result_text] = "Successfully updated #{@media_category.singularize} #{@work.id}"
       redirect_to work_path(@work)
-    else
+
+    elsif @work && !@work.valid?
       flash.now[:status] = :failure
       flash.now[:result_text] = "Could not update #{@media_category.singularize}"
       flash.now[:messages] = @work.errors.messages
-      render :edit, status: :not_found
+      render :edit, status: :bad_request
     end
   end
 
@@ -63,8 +68,8 @@ def destroy
 
   def upvote
     flash[:status] = :failure
-    if @login_user
-      vote = Vote.new(user: @login_user, work: @work)
+
+      vote = Vote.new(user: @user, work: @work)
       if vote.save
         flash[:status] = :success
         flash[:result_text] = "Successfully upvoted!"
@@ -72,9 +77,6 @@ def upvote
         flash[:result_text] = "Could not upvote"
         flash[:messages] = vote.errors.messages
       end
-    else
-      flash[:result_text] = "You must log in to do that"
-    end
 
     # Refresh the page to show either the updated vote count
     # or the error message
diff --git a/app/models/user.rb b/app/models/user.rb
index 4cac8fe0..c33a80f8 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -3,4 +3,18 @@ class User < ApplicationRecord
   has_many :ranked_works, through: :votes, source: :work
 
   validates :username, uniqueness: true, presence: true
+  # validates :uid, presence: true
+  # validates :provider, presence: true
+
+  def self.build_from_github(auth_hash)
+    user = User.new
+    user.uid = auth_hash[:uid]
+    user.provider = 'github'
+    user.username = auth_hash[:info][:name]
+    user.email = auth_hash[:info][:email]
+
+  # Note that the user has not been saved
+    return user
+   end
+
 end
diff --git a/app/views/layouts/application.html.erb b/app/views/layouts/application.html.erb
index e7b07ce4..bc7cabcc 100644
--- a/app/views/layouts/application.html.erb
+++ b/app/views/layouts/application.html.erb
@@ -33,19 +33,20 @@
         </li>
       </ul>
       <ul class="nav app-header__user-nav-container">
-        <% if @login_user %>
+
+        <% if @user %>
 
         <li class="nav-item app-header__nav_item">
-          <%= link_to "Logged in as #{@login_user.username}", user_path(@login_user), class: "btn btn-primary" %>
+          <%= link_to "Logged in as #{@user.username}", user_path(@user), class: "btn btn-primary" %>
         </li>
         <li class="nav-item app-header__nav_item">
-          <%= link_to "Log Out", logout_path, method: :post, class: "btn btn-primary" %>
+          <%= link_to "Log Out", logout_path, method: :delete, class: "btn btn-primary" %>
         </li>
 
         <% else %>
 
         <li class="nav-item app-header__nav_item">
-          <%= link_to "Log In", login_path, class: "btn btn-primary" %>
+          <%= link_to "Login with Github", "/auth/github", class: "btn btn-primary" %>
         </li>
         <% end %>
 
diff --git a/app/views/works/index.html.erb b/app/views/works/index.html.erb
index aa1531eb..9ccd55d0 100644
--- a/app/views/works/index.html.erb
+++ b/app/views/works/index.html.erb
@@ -1,3 +1,5 @@
+<% if @user %>
+
 <h2>List of Works</h2>
 
 <% @works_by_category.each do |category, works| %>
@@ -30,3 +32,5 @@
 
 <%= link_to "View top media", root_path, class: "btn btn-secondary" %>
 <%= link_to "Add a new work", new_work_path, class: "btn btn-primary" %>
+
+<%end%>
diff --git a/app/views/works/new.html.erb b/app/views/works/new.html.erb
index 02c89da0..5feb0b79 100644
--- a/app/views/works/new.html.erb
+++ b/app/views/works/new.html.erb
@@ -1,2 +1,4 @@
+<% if @user %>
 <h2>Add a new work</h2>
 <%= render partial: "form" %>
+<%end%>
diff --git a/config/environments/test.rb b/config/environments/test.rb
index 30587ef6..b069af26 100644
--- a/config/environments/test.rb
+++ b/config/environments/test.rb
@@ -39,4 +39,5 @@
 
   # Raises error for missing translations
   # config.action_view.raise_on_missing_translations = true
+
 end
diff --git a/config/initializers/omniauth.rb b/config/initializers/omniauth.rb
new file mode 100644
index 00000000..ef8c60c3
--- /dev/null
+++ b/config/initializers/omniauth.rb
@@ -0,0 +1,4 @@
+# config/initializers/omniauth.rb
+Rails.application.config.middleware.use OmniAuth::Builder do
+  provider :github, ENV["GITHUB_CLIENT_ID"], ENV["GITHUB_CLIENT_SECRET"], scope: "user:email"
+end
diff --git a/config/routes.rb b/config/routes.rb
index a7e8af1d..55e3bf64 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -1,12 +1,16 @@
 Rails.application.routes.draw do
   # For details on the DSL available within this file, see http://guides.rubyonrails.org/routing.html
   root 'works#root'
-  get '/login', to: 'sessions#login_form', as: 'login'
-  post '/login', to: 'sessions#login'
-  post '/logout', to: 'sessions#logout', as: 'logout'
+  # get '/login', to: 'sessions#login_form', as: 'login'
+  # post '/login', to: 'sessions#login'
+  # post '/logout', to: 'sessions#logout', as: 'logout'
 
   resources :works
   post '/works/:id/upvote', to: 'works#upvote', as: 'upvote'
 
   resources :users, only: [:index, :show]
+
+  get "/auth/:provider/callback", to: "sessions#create", as: "auth_callback"
+  delete "/logout", to: "sessions#destroy", as: "logout"
+
 end
diff --git a/db/migrate/20181016220353_add_user_column.rb b/db/migrate/20181016220353_add_user_column.rb
new file mode 100644
index 00000000..be143a6b
--- /dev/null
+++ b/db/migrate/20181016220353_add_user_column.rb
@@ -0,0 +1,7 @@
+class AddUserColumn < ActiveRecord::Migration[5.2]
+  def change
+    add_column(:users, :email, :string)
+    add_column(:users, :uid, :integer)
+    add_column(:users, :provider, :string)
+  end
+end
diff --git a/db/schema.rb b/db/schema.rb
index 6bc8ba5c..b01eaee7 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -10,35 +10,38 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 20170407164321) do
+ActiveRecord::Schema.define(version: 2018_10_16_220353) do
 
   # These are extensions that must be enabled in order to support this database
   enable_extension "plpgsql"
 
-  create_table "users", force: :cascade do |t|
-    t.string   "username"
+  create_table "users", id: :serial, force: :cascade do |t|
+    t.string "username"
     t.datetime "created_at", null: false
     t.datetime "updated_at", null: false
+    t.string "email"
+    t.integer "uid"
+    t.string "provider"
   end
 
-  create_table "votes", force: :cascade do |t|
-    t.integer  "user_id"
-    t.integer  "work_id"
+  create_table "votes", id: :serial, force: :cascade do |t|
+    t.integer "user_id"
+    t.integer "work_id"
     t.datetime "created_at", null: false
     t.datetime "updated_at", null: false
-    t.index ["user_id"], name: "index_votes_on_user_id", using: :btree
-    t.index ["work_id"], name: "index_votes_on_work_id", using: :btree
+    t.index ["user_id"], name: "index_votes_on_user_id"
+    t.index ["work_id"], name: "index_votes_on_work_id"
   end
 
-  create_table "works", force: :cascade do |t|
-    t.string   "title"
-    t.string   "creator"
-    t.string   "description"
-    t.string   "category"
-    t.datetime "created_at",                   null: false
-    t.datetime "updated_at",                   null: false
-    t.integer  "vote_count",       default: 0
-    t.integer  "publication_year"
+  create_table "works", id: :serial, force: :cascade do |t|
+    t.string "title"
+    t.string "creator"
+    t.string "description"
+    t.string "category"
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.integer "vote_count", default: 0
+    t.integer "publication_year"
   end
 
   add_foreign_key "votes", "users"
diff --git a/test/controllers/sessions_controller_test.rb b/test/controllers/sessions_controller_test.rb
index f641d15c..c1b4d5d6 100644
--- a/test/controllers/sessions_controller_test.rb
+++ b/test/controllers/sessions_controller_test.rb
@@ -1,5 +1,76 @@
 require "test_helper"
 
 describe SessionsController do
+  describe "create" do
+
+    it "Can log in an existing user" do
+      # Arrange
+      user = users(:dan)
+      #Act/Assert
+
+      expect {perform_login(user)}.wont_change('User.count')
+      must_redirect_to root_path
+      expect(session[:user_id]).must_equal user.id
+    end
+
+    it "Can log in a new user with good data" do
+      # Arrange
+
+      user = users(:jess)
+      user.destroy
+
+      #Act/Assert
+      expect {perform_login(user)}.must_change('User.count', +1)
+      must_redirect_to root_path
+      expect(session[:user_id]).wont_be_nil
+
+    end
+
+    it "Rejects a user with invalid data" do
+      user = User.new(username: nil)
+
+      #Act/Assert
+      expect {perform_login(user)}.wont_change('User.count')
+      must_redirect_to root_path
+      expect(session[:user_id]).must_be_nil
+
+    end
+  end
+
+  describe "destroy" do
+
+    it "Can log out an existing user who is currently logged in" do
+      # Arrange
+      user = users(:dan)
+      perform_login(user)
+      #Act/Assert
+      expect(session[:user_id]).must_equal user.id
+      expect {delete logout_path(user)}.wont_change('User.count')
+      must_redirect_to root_path
+      expect(session[:user_id]).must_be_nil
+      expect(flash[:result_text]).must_equal "Successfully logged out!"
+    end
+
+    it "Cannot log out a current user who is not currently logged in" do
+      # Arrange
+
+      user = users(:dan)
+
+      #Act/Assert
+      expect {delete logout_path(user)}.wont_change('User.count')
+      must_redirect_to root_path
+      expect(flash[:result_text]).must_be_nil
+
+    end
+
+    it "Cannot log out a user with invalid user id" do
+      user = User.find_by(id: -1)
+
+      #Act/Assert
+      expect {delete logout_path(user)}.wont_change('User.count')
+      must_redirect_to root_path
+      expect(flash[:result_text]).must_be_nil
+    end
+  end
 
 end
diff --git a/test/controllers/users_controller_test.rb b/test/controllers/users_controller_test.rb
index d2c5cfbb..40b3ce37 100644
--- a/test/controllers/users_controller_test.rb
+++ b/test/controllers/users_controller_test.rb
@@ -1,5 +1,82 @@
 require 'test_helper'
-
+require 'pry'
 describe UsersController do
+  let(:dan) {users(:dan)}
+  let(:kari) {users(:kari)}
+  let(:one) {votes(:one)}
+  let(:two) {votes(:two)}
+  let(:three) {votes(:three)}
+  let(:jess) {users(:jess)}
+
+  describe "index" do
+    it "succeeds when the user is logged in" do
+
+      perform_login(dan)
+      get users_path
+
+      session[:user_id].must_equal dan.id
+      must_respond_with :success
+
+    end
+
+    it "cannot succeed when there is no user " do
+      one.destroy
+      two.destroy
+      three.destroy
+
+      dan.destroy
+      kari.destroy
+      jess.destroy
+
+      expect{get users_path}.wont_change('User.count')
+
+      must_respond_with :redirect
+      must_redirect_to root_path
+
+    end
+
+    it "cannot succeed when the user is not logged in" do
+      perform_login(dan)
+      delete logout_path(dan)
+
+      expect{get users_path}.wont_change('User.count')
+
+      expect(flash[:result_text]).must_equal "You must be logged in to view this section"
+      must_redirect_to root_path
+
+    end
+
+  end
+
+  describe "show" do
+    it " succeed for logged in users " do
+      perform_login(dan)
+
+      expect{get user_path(dan)}.wont_change('User.count')
+
+      must_respond_with :success
+
+    end
+
+    it "redirect to root_path for a user who is not logged in" do
+      perform_login(dan)
+      delete logout_path(dan)
+
+      expect(session[:user_id]).must_be_nil
+      expect{get user_path(dan)}.wont_change('User.count')
+      expect(flash[:result_text]).must_equal "You must be logged in to view this section"
+      must_redirect_to root_path
+
+    end
+
+    it "redirect to root_path for a user who try to view other user's profile" do
+     perform_login(dan)
+
+     get user_path(jess)
+     expect(flash[:result_text]).must_equal "Not allowed."
+     must_redirect_to root_path
+
+    end
+  end
 
 end
diff --git a/test/controllers/works_controller_test.rb b/test/controllers/works_controller_test.rb
index 0945ca47..305f8c5c 100644
--- a/test/controllers/works_controller_test.rb
+++ b/test/controllers/works_controller_test.rb
@@ -1,115 +1,358 @@
 require 'test_helper'
 
 describe WorksController do
+  let(:poodr) {works(:poodr)}
+  let(:movie) {works(:movie)}
+  let(:album) {works(:album)}
+  let(:another_album) {works(:another_album)}
+  let(:dan) {users(:dan)}
+
   describe "root" do
     it "succeeds with all media types" do
       # Precondition: there is at least one media of each category
+      get root_path
+      must_respond_with :success
 
     end
 
     it "succeeds with one media type absent" do
       # Precondition: there is at least one media in two of the categories
+      id = poodr.id
+      poodr.destroy
+      expect(Work.find_by(category: "book")).must_equal nil
+
+      get root_path
+      must_respond_with :success
 
     end
 
     it "succeeds with no media" do
+      poodr.destroy
+      movie.destroy
+      album.destroy
+      another_album.destroy
+      expect(Work.all).must_equal []
+
+      get root_path
+      must_respond_with :success
 
     end
   end
 
-  CATEGORIES = %w(albums books movies)
-  INVALID_CATEGORIES = ["nope", "42", "", "  ", "albumstrailingtext"]
 
-  describe "index" do
-    it "succeeds when there are works" do
+  describe "Logged in users" do
+   before do
+     perform_login(dan)
+   end
 
-    end
+   describe "index" do
+     it "succeeds when there are works" do
 
-    it "succeeds when there are no works" do
+       get works_path
+       must_respond_with :success
 
-    end
-  end
+     end
 
-  describe "new" do
-    it "succeeds" do
+   end
 
-    end
-  end
+   describe "new" do
+     it "succeeds" do
+       get new_work_path
 
-  describe "create" do
-    it "creates a work with valid data for a real category" do
+       must_respond_with :success
+     end
+   end
 
-    end
+   describe "create" do
+     let(:dan) {users(:dan)}
 
-    it "renders bad_request and does not update the DB for bogus data" do
+     it "creates a work with valid data for a real category" do
 
-    end
+       work_hash = {
+         work: {
+         title: 'White Teeth',
+         creator: 'dan',
+         description: 'Good book',
+         publication_year: 2012,
+         category: 'book'
+         }
+        }
 
-    it "renders 400 bad_request for bogus categories" do
+        expect{post works_path, params: work_hash}.must_change('Work.count',+1)
 
-    end
+      must_respond_with  :redirect
+      must_redirect_to work_path(Work.last.id)
 
-  end
+      id = Work.last.id
+      expect(flash.now[:result_text]).must_equal "Successfully created book #{id}"
 
-  describe "show" do
-    it "succeeds for an extant work ID" do
+      expect(Work.last.title).must_equal work_hash[:work][:title]
+      expect(Work.last.creator).must_equal work_hash[:work][:creator]
+      expect(Work.last.description).must_equal work_hash[:work][:description]
+      expect(Work.last.publication_year).must_equal work_hash[:work][:publication_year]
+      expect(Work.last.category).must_equal work_hash[:work][:category]
 
-    end
+     end
 
-    it "renders 404 not_found for a bogus work ID" do
+     it "renders bad_request and does not update the DB for bogus data" do
+       work_hash = {
+         work: {
 
-    end
-  end
+         creator: 'dan',
+         description: 'Good book',
+         publication_year: 2012,
+         category: 'book'
+         }
+        }
 
-  describe "edit" do
-    it "succeeds for an extant work ID" do
+        expect {
+        post works_path, params: work_hash
+        }.wont_change 'Work.count'
 
-    end
+        must_respond_with :bad_request
+        expect(flash.now[:result_text]).must_equal "Could not create book"
 
-    it "renders 404 not_found for a bogus work ID" do
+     end
 
-    end
-  end
+     it "renders 400 bad_request for bogus categories" do
+       work_hash = {
+         work: {
+         title: 'White Teeth',
+         creator: 'dan',
+         description: 'Good book',
+         publication_year: 2012,
+         category: 'xxx'
+         }
+        }
+
+        expect {
+        post works_path, params: work_hash
+        }.wont_change 'Work.count'
 
-  describe "update" do
-    it "succeeds for valid data and an extant work ID" do
+        must_respond_with :bad_request
+        expect(flash.now[:result_text]).must_equal "Could not create xxx"
 
+     end
+
+   end
+
+   describe "show" do
+     it "succeeds for an extant work ID" do
+
+       get work_path(album.id)
+       must_respond_with :success
+
+     end
+
+     it "renders 404 not_found for a bogus work ID" do
+      id = -1
+      get work_path(id)
+
+      must_respond_with :not_found
+
+     end
+   end
+
+   describe "edit" do
+     it "succeeds for an exist work ID" do
+
+       expect{get edit_work_path(album.id)}.wont_change('Work.count')
+       must_respond_with :success
+
+     end
+
+     it "renders 404 not_found for a bogus work ID" do
+       id = -1
+       get edit_work_path(id)
+
+       must_respond_with :not_found
+
+     end
+   end
+
+   describe "update" do
+     let (:work_hash) do
+     {
+       work: {
+       title: 'White Teeth',
+       creator: 'dan',
+       description: 'Good book',
+       publication_year: 2012,
+       category: 'book'
+       }
+     }
     end
 
-    it "renders bad_request for bogus data" do
+     it "succeeds for valid data and work ID" do
+       id = poodr.id
+       expect {
+        patch work_path(id), params: work_hash
+      }.wont_change 'Work.count'
+
+       must_respond_with  :redirect
+       must_redirect_to work_path(id:id)
+
+       poodr = Work.find_by(id:id)
+
+       expect(poodr.title).must_equal work_hash[:work][:title]
+       expect(poodr.creator).must_equal work_hash[:work][:creator]
+       expect(poodr.description).must_equal work_hash[:work][:description]
+       expect(poodr.publication_year).must_equal work_hash[:work][:publication_year]
+       expect(poodr.category).must_equal work_hash[:work][:category]
+     end
+
+     it "renders bad_request for bogus data" do
+
+       work_hash[:work][:title] = nil
 
+       id = poodr.id
+       old_poodr = works(:poodr)
+
+       expect {
+        patch work_path(id), params: work_hash
+      }.wont_change 'Work.count'
+
+      must_respond_with :bad_request
+
+      new_poodr = Work.find_by(id:id)
+
+      expect(flash.now[:result_text]).must_equal "Could not update book"
+      expect(old_poodr.title).must_equal new_poodr.title
+      expect(old_poodr.creator).must_equal new_poodr.creator
+      expect(old_poodr.description).must_equal new_poodr.description
+      expect(old_poodr.publication_year).must_equal new_poodr.publication_year
+      expect(old_poodr.category).must_equal new_poodr.category
+
+     end
+
+     it "renders 404 not_found for a bogus work ID" do
+       id = -1
+
+     expect {
+      patch work_path(id), params: work_hash
+    }.wont_change 'Work.count'
+
+     must_respond_with :not_found
+
+     end
+   end
+
+   describe "destroy" do
+     it "succeeds for an extant work ID" do
+       id = poodr.id
+
+       expect {
+         delete work_path(id)
+       }.must_change('Work.count', -1)
+
+
+       must_respond_with :redirect
+       must_redirect_to root_path
+       expect(flash[:result_text]).must_equal "Successfully destroyed book #{id}"
+       expect(Work.find_by(id: id)).must_equal nil
+     end
+
+     it "renders 404 not_found and does not update the DB for a bogus work ID" do
+       id = -1
+      delete work_path(id)
+
+      expect {
+       delete work_path(id)
+     }.wont_change 'Work.count'
+
+      must_respond_with :not_found
+
+     end
+   end
+
+   describe "upvote" do
+
+     it "succeeds for a valid user and a fresh user-vote pair" do
+
+       get work_path(movie.id)
+       expect{post upvote_path}.must_change("Vote.count", +1)
+
+       must_redirect_to work_path(movie.id)
+
+       expect(flash[:result_text]).must_equal "Successfully upvoted!"
+     end
+
+     it "not succeed if the user has already voted for that work" do
+
+       get work_path(album.id)
+       expect{post upvote_path}.wont_change("Vote.count")
+
+       expect(flash[:result_text]).must_equal "Could not upvote"
+
+     end
+   end
+
+ end
+
+ describe "Guest users" do
+
+    it "cannot view the product index page" do
+
+      get works_path
+      must_respond_with :redirect
     end
 
-    it "renders 404 not_found for a bogus work ID" do
 
+    it "cannot view the product show page" do
+       works_path(album.id)
+
+       must_respond_with :redirect
+       must redirect_to root_path
     end
-  end
 
-  describe "destroy" do
-    it "succeeds for an extant work ID" do
+    it "cannot access the form for new product" do
+        id = -1
+        get new_work_path
 
+        must_respond_with :redirect
     end
 
-    it "renders 404 not_found and does not update the DB for a bogus work ID" do
+    it "cannot create new product" do
+
+        get works_path
+        must_respond_with :redirect
 
     end
-  end
 
-  describe "upvote" do
 
-    it "redirects to the work page if no user is logged in" do
+    it "cannot edit existing product" do
+         id = -1
+         get work_path(id)
+
+         must_respond_with :not_found
 
     end
 
-    it "redirects to the work page after the user has logged out" do
+    it "cannot update existing product" do
+      id = movie.id
+      expect {
+       patch works_path(id), params: work_hash
+     }.wont_change 'Work.count'
 
+      must_respond_with  :bad_request
     end
 
-    it "succeeds for a logged-in user and a fresh user-vote pair" do
+    it "cannot delete a product" do
+      id = poodr.id
+
+      expect {
+        delete work_path(id)
+      }.wont_change('Work.count')
+
+      must_respond_with :redirect
+      must_redirect_to root_path
 
     end
 
-    it "redirects to the work page if the user has already voted for that work" do
+    it "cannot upvote a product" do
+      get work_path(movie.id)
+      expect{post upvote_path}.wont_change("Vote.count")
+      must_respond_with :redirect
 
     end
   end
diff --git a/test/fixtures/users.yml b/test/fixtures/users.yml
index e2968d78..d3f16ef0 100644
--- a/test/fixtures/users.yml
+++ b/test/fixtures/users.yml
@@ -2,6 +2,17 @@
 
 dan:
   username: dan
+  provider: github
+  uid: 12345
+  email: dan@adadevelopersacademy.org
+
 
 kari:
   username: kari
+
+
+jess:
+  username: jess
+  provider: github
+  uid: 12346
+  email: jess@adadevelopersacademy.org
diff --git a/test/test_helper.rb b/test/test_helper.rb
index 5b4fb667..17a098df 100644
--- a/test/test_helper.rb
+++ b/test/test_helper.rb
@@ -23,4 +23,26 @@ class ActiveSupport::TestCase
   # Setup all fixtures in test/fixtures/*.yml for all tests in alphabetical order.
   fixtures :all
   # Add more helper methods to be used by all tests here...
+
+  def setup
+    OmniAuth.config.test_mode = true
+  end
+
+
+  def mock_auth_hash(user)
+   return {
+     provider: user.provider,
+     uid: user.uid,
+     info: {
+       email: user.email,
+       name: user.username
+     }
+   }
+ end
+
+ def perform_login(user)
+  OmniAuth.config.mock_auth[:github] = OmniAuth::AuthHash.new(mock_auth_hash(user))
+  get auth_callback_path('github')
+ end
+
 end