# Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/
require 'rails_helper'
describe UserPolicy do
  # The policy is always instantiated for an acting +user+ against a target
  # +record+; every context below supplies both through +let+.
  subject { described_class.new(user, record) }

  # NOTE(review): no example here covers an unauthenticated (nil) acting user,
  # nor an actor that itself carries several roles (e.g. agent + customer);
  # confirm UserPolicy handles those cases and that they are specced elsewhere.

  # Expectation bundles named by outcome. Each context picks exactly one, so
  # the privilege matrix reads as "actor x record -> bundle".
  shared_examples 'full control of the record' do
    it { is_expected.to permit_actions(%i[show update destroy]) }
  end

  shared_examples 'read-only access to the record' do
    it { is_expected.to permit_action(:show) }
    it { is_expected.to forbid_actions(%i[update destroy]) }
  end

  shared_examples 'read and update, but no delete' do
    it { is_expected.to permit_actions(%i[show update]) }
    it { is_expected.to forbid_action(:destroy) }
  end

  shared_examples 'no access to the record' do
    it { is_expected.to forbid_actions(%i[show update destroy]) }
  end

  context 'when user is an admin' do
    # The acting admin only holds the single role built by +partial_admin_role+,
    # so each sub-context controls precisely which permission is granted.
    let(:user) { create(:user, roles: [partial_admin_role]) }

    context 'with "admin.user" privileges' do
      let(:partial_admin_role) do
        create(:role).tap { |role| role.permission_grant('admin.user') }
      end

      context 'wants to read, change, or delete any user' do
        context 'when record is an admin user' do
          let(:record) { create(:admin) }

          include_examples 'full control of the record'
        end

        context 'when record is an agent user' do
          let(:record) { create(:agent) }

          include_examples 'full control of the record'
        end

        context 'when record is a customer user' do
          let(:record) { create(:customer) }

          include_examples 'full control of the record'
        end

        context 'when record is any user' do
          let(:record) { create(:user) }

          include_examples 'full control of the record'
        end

        context 'when record is the same user' do
          let(:record) { user }

          # An admin.user holder may also delete their own account.
          include_examples 'full control of the record'
        end
      end
    end

    context 'without "admin.user" privileges' do
      # Grant an unrelated admin permission so that the only thing under test
      # is the absence of "admin.user".
      let(:partial_admin_role) do
        create(:role).tap { |role| role.permission_grant('admin.tag') }
      end

      context 'when record is an admin user' do
        let(:record) { create(:admin) }

        include_examples 'read-only access to the record'
      end

      context 'when record is an agent user' do
        let(:record) { create(:agent) }

        include_examples 'read-only access to the record'
      end

      context 'when record is a customer user' do
        let(:record) { create(:customer) }

        include_examples 'read-only access to the record'
      end

      context 'when record is any user' do
        let(:record) { create(:user) }

        include_examples 'read-only access to the record'
      end

      context 'when record is the same user' do
        let(:record) { user }

        # Without admin.user even one's own account is read-only via this policy.
        include_examples 'read-only access to the record'
      end
    end
  end

  context 'when user is an agent' do
    let(:user) { create(:agent) }

    context 'when record is an admin user' do
      let(:record) { create(:admin) }

      include_examples 'read-only access to the record'
    end

    context 'when record is an agent user' do
      let(:record) { create(:agent) }

      include_examples 'read-only access to the record'
    end

    context 'when record is a customer user' do
      let(:record) { create(:customer) }

      include_examples 'read and update, but no delete'
    end

    context 'when record is any user' do
      let(:record) { create(:user) }

      include_examples 'read and update, but no delete'
    end

    context 'when record is the same user' do
      let(:record) { user }

      # Agents edit customers, not themselves, through this policy.
      include_examples 'read-only access to the record'
    end

    # The next two contexts guard against privilege escalation: an account that
    # carries the customer role *and* an elevated role must not become editable
    # just because the customer role is present.
    context 'when record is both admin and customer' do
      # Array#+ instead of #push so the array returned by Role.signup_role_ids
      # is never mutated in place.
      let(:record) do
        create(:customer, role_ids: Role.signup_role_ids + [Role.find_by(name: 'Admin').id])
      end

      include_examples 'read-only access to the record'
    end

    context 'when record is both agent and customer' do
      let(:record) do
        create(:customer, role_ids: Role.signup_role_ids + [Role.find_by(name: 'Agent').id])
      end

      include_examples 'read-only access to the record'
    end
  end

  context 'when user is a customer' do
    let(:user) { create(:customer) }

    context 'when record is an admin user' do
      let(:record) { create(:admin) }

      include_examples 'no access to the record'
    end

    context 'when record is an agent user' do
      let(:record) { create(:agent) }

      include_examples 'no access to the record'
    end

    context 'when record is a customer user' do
      let(:record) { create(:customer) }

      # Customers of different (or no) organizations must not see each other.
      include_examples 'no access to the record'
    end

    context 'when record is any user' do
      let(:record) { create(:user) }

      include_examples 'no access to the record'
    end

    context 'when record is a colleague' do
      # Both accounts share one organization; that is what unlocks :show.
      let(:user)   { create(:customer, :with_org) }
      let(:record) { create(:customer, organization: user.organization) }

      include_examples 'read-only access to the record'
    end

    context 'when record is the same user' do
      let(:record) { user }

      include_examples 'read-only access to the record'
    end

    # Same escalation guard as for agents: an extra elevated role on the record
    # must not be masked by the customer role.
    context 'when record is both admin and customer' do
      let(:record) do
        create(:customer, role_ids: Role.signup_role_ids + [Role.find_by(name: 'Admin').id])
      end

      include_examples 'no access to the record'
    end

    context 'when record is both agent and customer' do
      let(:record) do
        create(:customer, role_ids: Role.signup_role_ids + [Role.find_by(name: 'Agent').id])
      end

      include_examples 'no access to the record'
    end
  end
end