Maintenance: Improved updating of user records in the front end.

Martin Gruner 2021-09-08 14:31:42 +02:00 committed by Thorsten Eckel
parent 573c975bad
commit b1e8b3afae
2 changed files with 73 additions and 1 deletions


@ -344,9 +344,12 @@ class App.User extends App.Model
@sameOrganization?(requester) @sameOrganization?(requester)
isChangeableBy: (requester) -> isChangeableBy: (requester) ->
# full access for admins
return true if requester.permission('admin.user') return true if requester.permission('admin.user')
# allow agents to change customers # forbid non-agents to change users
return false if !requester.permission('ticket.agent') return false if !requester.permission('ticket.agent')
# allow agents to change customers only
return false if @permission(['admin.user', 'ticket.agent'])
@permission('ticket.customer') @permission('ticket.customer')
isDeleteableBy: (requester) -> isDeleteableBy: (requester) ->
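Review bot: The added guard `return false if @permission(['admin.user', 'ticket.agent'])` in isChangeableBy names only two permissions, so a record holding `ticket.customer` together with some other privileged permission would presumably still be reported as changeable by an agent. Whether that can happen depends on how `permission` resolves parent and sibling keys, which is not visible in this hunk. If the intent is that agents may edit pure customers only, the comment could say so directly, e.g. `# agents may only change users who hold neither admin.user nor ticket.agent`, and the list should be confirmed as complete. Because this check lives in the client model, it decides what the UI offers and is not itself an authorization control; the server-side rule for user updates should enforce the same condition.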


@ -110,4 +110,73 @@ RSpec.describe 'Manage > Users', type: :system do
end end
end end
end end
describe 'check user edit permissions', authenticated_as: -> { user } do
shared_examples 'user permission' do |allow|
it(allow ? 'allows editing' : 'forbids editing') do
visit "#user/profile/#{record.id}"
find('.js-action .icon-arrow-down').click
selector = '.js-action [data-type="edit"]'
expect(page).to(allow ? have_css(selector) : have_no_css(selector))
end
end
context 'when admin tries to change admin' do
let(:user) { create(:admin) }
let(:record) { create(:admin) }
include_examples 'user permission', true
end
context 'when admin tries to change agent' do
let(:user) { create(:admin) }
let(:record) { create(:agent) }
include_examples 'user permission', true
end
context 'when admin tries to change customer' do
let(:user) { create(:admin) }
let(:record) { create(:customer) }
include_examples 'user permission', true
end
context 'when agent tries to change admin' do
let(:user) { create(:agent) }
let(:record) { create(:admin) }
include_examples 'user permission', false
end
context 'when agent tries to change agent' do
let(:user) { create(:agent) }
let(:record) { create(:agent) }
include_examples 'user permission', false
end
context 'when agent tries to change customer' do
let(:user) { create(:agent) }
let(:record) { create(:customer) }
include_examples 'user permission', true
end
context 'when agent tries to change customer who is also admin' do
let(:user) { create(:agent) }
let(:record) { create(:customer, role_ids: Role.signup_role_ids.push(Role.find_by(name: 'Admin').id)) }
include_examples 'user permission', false
end
context 'when agent tries to change customer who is also agent' do
let(:user) { create(:agent) }
let(:record) { create(:customer, role_ids: Role.signup_role_ids.push(Role.find_by(name: 'Agent').id)) }
include_examples 'user permission', false
end
end
end end
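Review bot: These examples assert only that the edit entry is present or absent under `.js-action`, so they cover the front-end visibility rule and not whether an agent's update of an admin or agent record is actually refused. A request-level spec that submits the update as an agent against the 'customer who is also admin' and 'customer who is also agent' records and expects a rejection would pin the security-relevant behaviour; nothing in this commit shows one being added, though it may exist elsewhere. Separately, `Role.signup_role_ids.push(...)` in the two `let(:record)` lines mutates whatever array that method returns; `Role.signup_role_ids + [Role.find_by(name: 'Admin').id]` avoids leaking the extra role into other examples if the result is memoized.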