Maintenance: Improved updating of user records in the front end.

2021-09-08 14:31:42 +02:00 · 2021-09-08 14:31:42 +02:00 · b1e8b3afae
parent 573c975bad
commit b1e8b3afae
2 changed files with 73 additions and 1 deletions
--- a/app/assets/javascripts/app/models/user.coffee
+++ b/app/assets/javascripts/app/models/user.coffee
@ -344,9 +344,12 @@ class App.User extends App.Model
    @sameOrganization?(requester)

  isChangeableBy: (requester) ->
+    # full access for admins
    return true if requester.permission('admin.user')
-    # allow agents to change customers
+    # forbid non-agents to change users
    return false if !requester.permission('ticket.agent')
+    # allow agents to change customers only
+    return false if @permission(['admin.user', 'ticket.agent'])
    @permission('ticket.customer')

  isDeleteableBy: (requester) ->
--- a/spec/system/manage/users_spec.rb
+++ b/spec/system/manage/users_spec.rb
@ -110,4 +110,73 @@ RSpec.describe 'Manage > Users', type: :system do
      end
    end
  end
+
+  describe 'check user edit permissions', authenticated_as: -> { user } do
+
+    shared_examples 'user permission' do |allow|
+      it(allow ? 'allows editing' : 'forbids editing') do
+        visit "#user/profile/#{record.id}"
+        find('.js-action .icon-arrow-down').click
+        selector = '.js-action [data-type="edit"]'
+        expect(page).to(allow ? have_css(selector) : have_no_css(selector))
+      end
+    end
+
+    context 'when admin tries to change admin' do
+      let(:user) { create(:admin) }
+      let(:record) { create(:admin) }
+
+      include_examples 'user permission', true
+    end
+
+    context 'when admin tries to change agent' do
+      let(:user) { create(:admin) }
+      let(:record) { create(:agent) }
+
+      include_examples 'user permission', true
+    end
+
+    context 'when admin tries to change customer' do
+      let(:user) { create(:admin) }
+      let(:record) { create(:customer) }
+
+      include_examples 'user permission', true
+    end
+
+    context 'when agent tries to change admin' do
+      let(:user) { create(:agent) }
+      let(:record) { create(:admin) }
+
+      include_examples 'user permission', false
+    end
+
+    context 'when agent tries to change agent' do
+      let(:user) { create(:agent) }
+      let(:record) { create(:agent) }
+
+      include_examples 'user permission', false
+    end
+
+    context 'when agent tries to change customer' do
+      let(:user) { create(:agent) }
+      let(:record) { create(:customer) }
+
+      include_examples 'user permission', true
+    end
+
+    context 'when agent tries to change customer who is also admin' do
+      let(:user) { create(:agent) }
+      let(:record) { create(:customer, role_ids: Role.signup_role_ids.push(Role.find_by(name: 'Admin').id)) }
+
+      include_examples 'user permission', false
+    end
+
+    context 'when agent tries to change customer who is also agent' do
+      let(:user) { create(:agent) }
+      let(:record) { create(:customer, role_ids: Role.signup_role_ids.push(Role.find_by(name: 'Agent').id)) }
+
+      include_examples 'user permission', false
+    end
+
+  end
 end