# Copyright (C) 2012-2025 Zammad Foundation, https://zammad-foundation.org/

require 'rails_helper'

# Later migration changes structure of Permission model
# This adds a field that is now missing to check if old migration still works for upgrades from older systems
Permission.attr_accessor :note

RSpec.describe Add2faPermission, type: :db_migration do
  let(:role) { create(:role, permission_names:) }

  before do
    Permission.find(fa_permission_id).destroy!
    role
  end

  context 'when role has no user preferences permissions' do
    let(:permission_names) { %w[report] }

    it 'does not add two_factor_authentication permission' do
      expect { migrate }
        .not_to change { role.reload.permission_ids.include? fa_permission_id }
    end
  end

  context 'when role has whole user_preferences permission' do
    let(:permission_names) { %w[user_preferences] }

    it 'does not add two_factor_authentication permission' do
      expect { migrate }
        .not_to change { role.reload.permission_ids.include? fa_permission_id }
    end
  end

  context 'when role has specifically user_preferences.password' do
    let(:permission_names) { %w[user_preferences.password] }

    it 'adds two_factor_authentication permission' do
      expect { migrate }
        .to change { role.reload.permission_ids.include? fa_permission_id }
        .to be_truthy
    end
  end

  context 'when role has other user_preferences.something permission' do
    let(:permission_names) { %w[user_preferences.calendar] }

    it 'does not add two_factor_authentication permission' do
      expect { migrate }
        .not_to change { role.reload.permission_ids.include? fa_permission_id }
    end
  end

  # This cannot be a let block since permission does not exist before migration
  # Later migration changes structure of Permission model so it's safer to use ID only
  def fa_permission_id
    Permission
      .where(name: 'user_preferences.two_factor_authentication')
      .pick(:id)
  end
end