Maintenance: Improved updating of user records.
This commit is contained in:
parent
d98445d1fe
commit
25155eb6a3
2 changed files with 32 additions and 1 deletions
|
@ -13,11 +13,14 @@ class UserPolicy < ApplicationPolicy
|
|||
end
|
||||
|
||||
def update?
|
||||
# full access for admins
|
||||
return true if user.permissions?('admin.user')
|
||||
# forbid non-agents to change users
|
||||
return false if !user.permissions?('ticket.agent')
|
||||
|
||||
# allow agents to change customers
|
||||
# allow agents to change customers only
|
||||
return false if record.permissions?(['admin.user', 'ticket.agent'])
|
||||
|
||||
record.permissions?('ticket.customer')
|
||||
end
|
||||
|
||||
|
|
|
@ -126,6 +126,21 @@ describe UserPolicy do
|
|||
it { is_expected.to permit_action(:show) }
|
||||
it { is_expected.to forbid_actions(%i[update destroy]) }
|
||||
end
|
||||
|
||||
context 'when record is both admin and customer' do
|
||||
let(:record) { create(:customer, role_ids: Role.signup_role_ids.push(Role.find_by(name: 'Admin').id)) }
|
||||
|
||||
it { is_expected.to permit_action(:show) }
|
||||
it { is_expected.to forbid_actions(%i[update destroy]) }
|
||||
end
|
||||
|
||||
context 'when record is both agent and customer' do
|
||||
let(:record) { create(:customer, role_ids: Role.signup_role_ids.push(Role.find_by(name: 'Agent').id)) }
|
||||
|
||||
it { is_expected.to permit_action(:show) }
|
||||
it { is_expected.to forbid_actions(%i[update destroy]) }
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
context 'when user is a customer' do
|
||||
|
@ -169,5 +184,18 @@ describe UserPolicy do
|
|||
it { is_expected.to permit_action(:show) }
|
||||
it { is_expected.to forbid_actions(%i[update destroy]) }
|
||||
end
|
||||
|
||||
context 'when record is both admin and customer' do
|
||||
let(:record) { create(:customer, role_ids: Role.signup_role_ids.push(Role.find_by(name: 'Admin').id)) }
|
||||
|
||||
it { is_expected.to forbid_actions(%i[show update destroy]) }
|
||||
end
|
||||
|
||||
context 'when record is both agent and customer' do
|
||||
let(:record) { create(:customer, role_ids: Role.signup_role_ids.push(Role.find_by(name: 'Agent').id)) }
|
||||
|
||||
it { is_expected.to forbid_actions(%i[show update destroy]) }
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
|
|
Loading…
Reference in a new issue