Maintenance: Improved updating of user records in the front end.
This commit is contained in:
parent
573c975bad
commit
b1e8b3afae
2 changed files with 73 additions and 1 deletions
|
@ -344,9 +344,12 @@ class App.User extends App.Model
|
|||
@sameOrganization?(requester)
|
||||
|
||||
isChangeableBy: (requester) ->
|
||||
# full access for admins
|
||||
return true if requester.permission('admin.user')
|
||||
# allow agents to change customers
|
||||
# forbid non-agents to change users
|
||||
return false if !requester.permission('ticket.agent')
|
||||
# allow agents to change customers only
|
||||
return false if @permission(['admin.user', 'ticket.agent'])
|
||||
@permission('ticket.customer')
|
||||
|
||||
isDeleteableBy: (requester) ->
|
||||
|
|
|
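Review bot: `isChangeableBy` is a front-end model check, so it only decides whether the edit action is offered in the UI; the same rule has to be enforced by the server-side update path, and nothing in the method makes that dependency visible to the next maintainer. A one-line comment above the method would make the contract explicit: `# UI-only check: the server must apply the same rule when the update is submitted`. The `return false if @permission(['admin.user', 'ticket.agent'])` line presumably treats the array as "target holds any of these", but the any-of/all-of semantics of `App.Model#permission` are not visible in this hunk, so that reading is worth confirming against the model. The method body appears complete within the hunk, while the enclosing class continues outside it.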
@ -110,4 +110,73 @@ RSpec.describe 'Manage > Users', type: :system do
|
|||
end
|
||||
end
|
||||
end
|
||||
|
||||
describe 'check user edit permissions', authenticated_as: -> { user } do
|
||||
|
||||
shared_examples 'user permission' do |allow|
|
||||
it(allow ? 'allows editing' : 'forbids editing') do
|
||||
visit "#user/profile/#{record.id}"
|
||||
find('.js-action .icon-arrow-down').click
|
||||
selector = '.js-action [data-type="edit"]'
|
||||
expect(page).to(allow ? have_css(selector) : have_no_css(selector))
|
||||
end
|
||||
end
|
||||
|
||||
context 'when admin tries to change admin' do
|
||||
let(:user) { create(:admin) }
|
||||
let(:record) { create(:admin) }
|
||||
|
||||
include_examples 'user permission', true
|
||||
end
|
||||
|
||||
context 'when admin tries to change agent' do
|
||||
let(:user) { create(:admin) }
|
||||
let(:record) { create(:agent) }
|
||||
|
||||
include_examples 'user permission', true
|
||||
end
|
||||
|
||||
context 'when admin tries to change customer' do
|
||||
let(:user) { create(:admin) }
|
||||
let(:record) { create(:customer) }
|
||||
|
||||
include_examples 'user permission', true
|
||||
end
|
||||
|
||||
context 'when agent tries to change admin' do
|
||||
let(:user) { create(:agent) }
|
||||
let(:record) { create(:admin) }
|
||||
|
||||
include_examples 'user permission', false
|
||||
end
|
||||
|
||||
context 'when agent tries to change agent' do
|
||||
let(:user) { create(:agent) }
|
||||
let(:record) { create(:agent) }
|
||||
|
||||
include_examples 'user permission', false
|
||||
end
|
||||
|
||||
context 'when agent tries to change customer' do
|
||||
let(:user) { create(:agent) }
|
||||
let(:record) { create(:customer) }
|
||||
|
||||
include_examples 'user permission', true
|
||||
end
|
||||
|
||||
context 'when agent tries to change customer who is also admin' do
|
||||
let(:user) { create(:agent) }
|
||||
let(:record) { create(:customer, role_ids: Role.signup_role_ids.push(Role.find_by(name: 'Admin').id)) }
|
||||
|
||||
include_examples 'user permission', false
|
||||
end
|
||||
|
||||
context 'when agent tries to change customer who is also agent' do
|
||||
let(:user) { create(:agent) }
|
||||
let(:record) { create(:customer, role_ids: Role.signup_role_ids.push(Role.find_by(name: 'Agent').id)) }
|
||||
|
||||
include_examples 'user permission', false
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
|
|
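Review bot: `Role.signup_role_ids.push(Role.find_by(name: 'Admin').id)` mutates the array returned by `Role.signup_role_ids` (the same pattern appears in the 'also agent' context); if that method returns a memoized or otherwise shared array, the push leaks an extra role id into later calls within the same process. A non-mutating form avoids the question: `let(:record) { create(:customer, role_ids: Role.signup_role_ids + [Role.find_by!(name: 'Admin').id]) }`, where `find_by!` also fails with a clear error if the role is missing instead of a `NoMethodError` on nil. The examples assert only the presence or absence of the edit entry in the action menu, so the forbidden cases show that the button is hidden but not that the server rejects the update; a request-level expectation for those cases would pin the rule where it matters. `RSpec.describe` opens before the hunk.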