user_policy_spec.rb 4.8 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171
  1. require 'rails_helper'
  2. describe UserPolicy do
  3. subject { described_class.new(user, record) }
  4. context 'when user is an admin' do
  5. let(:user) { create(:user, roles: [partial_admin_role]) }
  6. context 'with "admin.user" privileges' do
  7. let(:partial_admin_role) do
  8. create(:role).tap { |role| role.permission_grant('admin.user') }
  9. end
  10. context 'wants to read, change, or delete any user' do
  11. context 'when record is an admin user' do
  12. let(:record) { create(:admin) }
  13. it { is_expected.to permit_actions(%i[show update destroy]) }
  14. end
  15. context 'when record is an agent user' do
  16. let(:record) { create(:agent) }
  17. it { is_expected.to permit_actions(%i[show update destroy]) }
  18. end
  19. context 'when record is a customer user' do
  20. let(:record) { create(:customer) }
  21. it { is_expected.to permit_actions(%i[show update destroy]) }
  22. end
  23. context 'when record is any user' do
  24. let(:record) { create(:user) }
  25. it { is_expected.to permit_actions(%i[show update destroy]) }
  26. end
  27. context 'when record is the same user' do
  28. let(:record) { user }
  29. it { is_expected.to permit_actions(%i[show update destroy]) }
  30. end
  31. end
  32. end
  33. context 'without "admin.user" privileges' do
  34. let(:partial_admin_role) do
  35. create(:role).tap { |role| role.permission_grant('admin.tag') }
  36. end
  37. context 'when record is an admin user' do
  38. let(:record) { create(:admin) }
  39. it { is_expected.to permit_action(:show) }
  40. it { is_expected.not_to permit_actions(%i[update destroy]) }
  41. end
  42. context 'when record is an agent user' do
  43. let(:record) { create(:agent) }
  44. it { is_expected.to permit_action(:show) }
  45. it { is_expected.not_to permit_actions(%i[update destroy]) }
  46. end
  47. context 'when record is a customer user' do
  48. let(:record) { create(:customer) }
  49. it { is_expected.to permit_action(:show) }
  50. it { is_expected.not_to permit_actions(%i[update destroy]) }
  51. end
  52. context 'when record is any user' do
  53. let(:record) { create(:user) }
  54. it { is_expected.to permit_action(:show) }
  55. it { is_expected.not_to permit_actions(%i[update destroy]) }
  56. end
  57. context 'when record is the same user' do
  58. let(:record) { user }
  59. it { is_expected.to permit_action(:show) }
  60. it { is_expected.not_to permit_actions(%i[update destroy]) }
  61. end
  62. end
  63. end
  64. context 'when user is an agent' do
  65. let(:user) { create(:agent) }
  66. context 'when record is an admin user' do
  67. let(:record) { create(:admin) }
  68. it { is_expected.to permit_action(:show) }
  69. it { is_expected.not_to permit_actions(%i[update destroy]) }
  70. end
  71. context 'when record is an agent user' do
  72. let(:record) { create(:agent) }
  73. it { is_expected.to permit_action(:show) }
  74. it { is_expected.not_to permit_actions(%i[update destroy]) }
  75. end
  76. context 'when record is a customer user' do
  77. let(:record) { create(:customer) }
  78. it { is_expected.to permit_actions(%i[show update]) }
  79. it { is_expected.not_to permit_action(:destroy) }
  80. end
  81. context 'when record is any user' do
  82. let(:record) { create(:user) }
  83. it { is_expected.to permit_action(:show) }
  84. it { is_expected.not_to permit_actions(%i[update destroy]) }
  85. end
  86. context 'when record is the same user' do
  87. let(:record) { user }
  88. it { is_expected.to permit_action(:show) }
  89. it { is_expected.not_to permit_actions(%i[update destroy]) }
  90. end
  91. end
  92. context 'when user is a customer' do
  93. let(:user) { create(:customer) }
  94. context 'when record is an admin user' do
  95. let(:record) { create(:admin) }
  96. it { is_expected.not_to permit_actions(%i[show update destroy]) }
  97. end
  98. context 'when record is an agent user' do
  99. let(:record) { create(:agent) }
  100. it { is_expected.not_to permit_actions(%i[show update destroy]) }
  101. end
  102. context 'when record is a customer user' do
  103. let(:record) { create(:customer) }
  104. it { is_expected.not_to permit_actions(%i[show update destroy]) }
  105. end
  106. context 'when record is any user' do
  107. let(:record) { create(:user) }
  108. it { is_expected.not_to permit_actions(%i[show update destroy]) }
  109. end
  110. context 'when record is a colleague' do
  111. let(:user) { create(:customer, :with_org) }
  112. let(:record) { create(:customer, organization: user.organization) }
  113. it { is_expected.to permit_action(:show) }
  114. it { is_expected.not_to permit_actions(%i[update destroy]) }
  115. end
  116. context 'when record is the same user' do
  117. let(:record) { user }
  118. it { is_expected.to permit_action(:show) }
  119. it { is_expected.not_to permit_actions(%i[update destroy]) }
  120. end
  121. end
  122. end