# Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/

require 'rails_helper'

describe UserPolicy do
  subject { described_class.new(user, record) }

  context 'when user is an admin' do
    let(:user) { create(:user, roles: [partial_admin_role]) }

    context 'with "admin.user" privileges' do
      let(:partial_admin_role) do
        create(:role).tap { |role| role.permission_grant('admin.user') }
      end

      context 'wants to read, change, or delete any user' do

        context 'when record is an admin user' do
          let(:record) { create(:admin) }

          it { is_expected.to permit_actions(%i[show update destroy]) }
        end

        context 'when record is an agent user' do
          let(:record) { create(:agent) }

          it { is_expected.to permit_actions(%i[show update destroy]) }
        end

        context 'when record is a customer user' do
          let(:record) { create(:customer) }

          it { is_expected.to permit_actions(%i[show update destroy]) }
        end

        context 'when record is any user' do
          let(:record) { create(:user) }

          it { is_expected.to permit_actions(%i[show update destroy]) }
        end

        context 'when record is the same user' do
          let(:record) { user }

          it { is_expected.to permit_actions(%i[show update destroy]) }
        end
      end
    end

    context 'without "admin.user" privileges' do
      let(:partial_admin_role) do
        create(:role).tap { |role| role.permission_grant('admin.tag') }
      end

      context 'when record is an admin user' do
        let(:record) { create(:admin) }

        it { is_expected.to permit_action(:show) }
        it { is_expected.to forbid_actions(%i[update destroy]) }
      end

      context 'when record is an agent user' do
        let(:record) { create(:agent) }

        it { is_expected.to permit_action(:show) }
        it { is_expected.to forbid_actions(%i[update destroy]) }
      end

      context 'when record is a customer user' do
        let(:record) { create(:customer) }

        it { is_expected.to permit_action(:show) }
        it { is_expected.to forbid_actions(%i[update destroy]) }
      end

      context 'when record is any user' do
        let(:record) { create(:user) }

        it { is_expected.to permit_action(:show) }
        it { is_expected.to forbid_actions(%i[update destroy]) }
      end

      context 'when record is the same user' do
        let(:record) { user }

        it { is_expected.to permit_action(:show) }
        it { is_expected.to forbid_actions(%i[update destroy]) }
      end
    end
  end

  context 'when user is an agent' do
    let(:user) { create(:agent) }

    context 'when record is an admin user' do
      let(:record) { create(:admin) }

      it { is_expected.to permit_action(:show) }
      it { is_expected.to forbid_actions(%i[update destroy]) }
    end

    context 'when record is an agent user' do
      let(:record) { create(:agent) }

      it { is_expected.to permit_action(:show) }
      it { is_expected.to forbid_actions(%i[update destroy]) }
    end

    context 'when record is a customer user' do
      let(:record) { create(:customer) }

      it { is_expected.to permit_actions(%i[show update]) }
      it { is_expected.to forbid_action(:destroy) }
    end

    context 'when record is any user' do
      let(:record) { create(:user) }

      it { is_expected.to permit_actions(%i[show update]) }
      it { is_expected.to forbid_action(:destroy) }
    end

    context 'when record is the same user' do
      let(:record) { user }

      it { is_expected.to permit_action(:show) }
      it { is_expected.to forbid_actions(%i[update destroy]) }
    end

    context 'when record is both admin and customer' do
      let(:record) { create(:customer, role_ids: Role.signup_role_ids.push(Role.find_by(name: 'Admin').id)) }

      it { is_expected.to permit_action(:show) }
      it { is_expected.to forbid_actions(%i[update destroy]) }
    end

    context 'when record is both agent and customer' do
      let(:record) { create(:customer, role_ids: Role.signup_role_ids.push(Role.find_by(name: 'Agent').id)) }

      it { is_expected.to permit_action(:show) }
      it { is_expected.to forbid_actions(%i[update destroy]) }
    end

  end

  context 'when user is a customer' do
    let(:user) { create(:customer) }

    context 'when record is an admin user' do
      let(:record) { create(:admin) }

      it { is_expected.to forbid_actions(%i[show update destroy]) }
    end

    context 'when record is an agent user' do
      let(:record) { create(:agent) }

      it { is_expected.to forbid_actions(%i[show update destroy]) }
    end

    context 'when record is a customer user' do
      let(:record) { create(:customer) }

      it { is_expected.to forbid_actions(%i[show update destroy]) }
    end

    context 'when record is any user' do
      let(:record) { create(:user) }

      it { is_expected.to forbid_actions(%i[show update destroy]) }
    end

    context 'when record is a colleague' do
      let(:user) { create(:customer, :with_org) }
      let(:record) { create(:customer, organization: user.organization) }

      it { is_expected.to permit_action(:show) }
      it { is_expected.to forbid_actions(%i[update destroy]) }
    end

    context 'when record is the same user' do
      let(:record) { user }

      it { is_expected.to permit_action(:show) }
      it { is_expected.to forbid_actions(%i[update destroy]) }
    end

    context 'when record is both admin and customer' do
      let(:record) { create(:customer, role_ids: Role.signup_role_ids.push(Role.find_by(name: 'Admin').id)) }

      it { is_expected.to forbid_actions(%i[show update destroy]) }
    end

    context 'when record is both agent and customer' do
      let(:record) { create(:customer, role_ids: Role.signup_role_ids.push(Role.find_by(name: 'Agent').id)) }

      it { is_expected.to forbid_actions(%i[show update destroy]) }
    end

  end
end