Sutty/trabajo-afectivo
5
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Maintenance: Improved updating of user records.

Browse source
This commit is contained in:
Martin Gruner 2021-08-16 10:14:23 +02:00 committed by Thorsten Eckel
parent 4c72d5b9d9
commit 5ddec48643
2 changed files with 32 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
app/policies/user_policy.rb
View file

@ -13,11 +13,14 @@ class UserPolicy < ApplicationPolicy
end end
def update? def update?
# full access for admins
return true if user.permissions?('admin.user') return true if user.permissions?('admin.user')
# forbid non-agents to change users # forbid non-agents to change users
return false if !user.permissions?('ticket.agent') return false if !user.permissions?('ticket.agent')
# allow agents to change customers # allow agents to change customers only
return false if record.permissions?(['admin.user', 'ticket.agent'])
record.permissions?('ticket.customer') record.permissions?('ticket.customer')
end end

28
spec/policies/user_policy_spec.rb
View file

@ -126,6 +126,21 @@ describe UserPolicy do
it { is_expected.to permit_action(:show) } it { is_expected.to permit_action(:show) }
it { is_expected.to forbid_actions(%i[update destroy]) } it { is_expected.to forbid_actions(%i[update destroy]) }
end end
context 'when record is both admin and customer' do
let(:record) { create(:customer, role_ids: Role.signup_role_ids.push(Role.find_by(name: 'Admin').id)) }
it { is_expected.to permit_action(:show) }
it { is_expected.to forbid_actions(%i[update destroy]) }
end
context 'when record is both agent and customer' do
let(:record) { create(:customer, role_ids: Role.signup_role_ids.push(Role.find_by(name: 'Agent').id)) }
it { is_expected.to permit_action(:show) }
it { is_expected.to forbid_actions(%i[update destroy]) }
end
end end
context 'when user is a customer' do context 'when user is a customer' do
@ -169,5 +184,18 @@ describe UserPolicy do
it { is_expected.to permit_action(:show) } it { is_expected.to permit_action(:show) }
it { is_expected.to forbid_actions(%i[update destroy]) } it { is_expected.to forbid_actions(%i[update destroy]) }
end end
context 'when record is both admin and customer' do
let(:record) { create(:customer, role_ids: Role.signup_role_ids.push(Role.find_by(name: 'Admin').id)) }
it { is_expected.to forbid_actions(%i[show update destroy]) }
end
context 'when record is both agent and customer' do
let(:record) { create(:customer, role_ids: Role.signup_role_ids.push(Role.find_by(name: 'Agent').id)) }
it { is_expected.to forbid_actions(%i[show update destroy]) }
end
end end
end end