role_spec.rb 9.9 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299
  1. # Copyright (C) 2012-2024 Zammad Foundation, https://zammad-foundation.org/
  2. require 'rails_helper'
  3. require 'models/application_model_examples'
  4. require 'models/concerns/can_be_imported_examples'
  5. require 'models/concerns/has_groups_examples'
  6. require 'models/concerns/has_collection_update_examples'
  7. require 'models/concerns/has_xss_sanitized_note_examples'
  8. RSpec.describe Role do
  9. subject(:role) { create(:role) }
  10. it_behaves_like 'ApplicationModel'
  11. it_behaves_like 'CanBeImported'
  12. it_behaves_like 'HasGroups', group_access_factory: :role
  13. it_behaves_like 'HasCollectionUpdate', collection_factory: :role
  14. it_behaves_like 'HasXssSanitizedNote', model_factory: :role
  15. it_behaves_like 'Association clears cache', association: :permissions
  16. it_behaves_like 'Association clears cache', association: :users
  17. describe 'Default state' do
  18. describe 'of whole table:' do
  19. it 'has three records ("Admin", "Agent", and "Customer")' do
  20. expect(described_class.pluck(:name)).to match_array(%w[Admin Agent Customer])
  21. end
  22. end
  23. describe 'of "Admin" role:' do
  24. it 'has default admin permissions' do
  25. expect(described_class.find_by(name: 'Admin').permissions.pluck(:name))
  26. .to match_array(%w[admin user_preferences report knowledge_base.editor])
  27. end
  28. end
  29. describe 'of "Agent" role:' do
  30. it 'has default agent permissions' do
  31. expect(described_class.find_by(name: 'Agent').permissions.pluck(:name))
  32. .to match_array(%w[ticket.agent chat.agent cti.agent user_preferences knowledge_base.reader])
  33. end
  34. end
  35. describe 'of "Customer" role:' do
  36. it 'has default customer permissions' do
  37. expect(described_class.find_by(name: 'Customer').permissions.pluck(:name))
  38. .to match_array(
  39. %w[
  40. user_preferences.password
  41. user_preferences.language
  42. user_preferences.linked_accounts
  43. user_preferences.avatar
  44. user_preferences.appearance
  45. ticket.customer
  46. ]
  47. )
  48. end
  49. end
  50. end
  51. describe 'Callbacks -' do
  52. describe 'Permission validation:' do
  53. context 'with normal permission' do
  54. let(:permission) { create(:permission) }
  55. it 'can be created' do
  56. expect { create(:role, permissions: [permission]) }
  57. .to change(described_class, :count).by(1)
  58. end
  59. it 'can be added' do
  60. expect { role.permissions << permission }
  61. .to change { role.permissions.count }.by(1)
  62. end
  63. end
  64. context 'with disabled permission' do
  65. let(:permission) { create(:permission, preferences: { disabled: true }) }
  66. it 'cannot be created' do
  67. expect { create(:role, permissions: [permission]) }
  68. .to raise_error(%r{is disabled})
  69. .and not_change(described_class, :count)
  70. end
  71. it 'cannot be added' do
  72. expect { role.permissions << permission }
  73. .to raise_error(%r{is disabled})
  74. .and not_change { role.permissions.count }
  75. end
  76. end
  77. context 'with multiple, explicitly incompatible permissions' do
  78. let(:permission) { create(:permission, preferences: { not: [Permission.first.name] }) }
  79. it 'cannot be created' do
  80. expect { create(:role, permissions: [Permission.first, permission]) }
  81. .to raise_error(%r{conflicts with})
  82. .and not_change(described_class, :count)
  83. end
  84. it 'cannot be added' do
  85. role.permissions << Permission.first
  86. expect { role.permissions << permission }
  87. .to raise_error(%r{conflicts with})
  88. .and not_change { role.permissions.count }
  89. end
  90. end
  91. context 'with multiple, compatible permissions' do
  92. let(:permission) { create(:permission, preferences: { not: [Permission.pluck(:name).max.next] }) }
  93. it 'can be created' do
  94. expect { create(:role, permissions: [Permission.first, permission]) }
  95. .to change(described_class, :count).by(1)
  96. end
  97. it 'can be added' do
  98. role.permissions << Permission.first
  99. expect { role.permissions << permission }
  100. .to change { role.permissions.count }.by(1)
  101. end
  102. end
  103. end
  104. describe 'System-wide agent limit checks:' do
  105. let(:agents) { User.with_permissions('ticket.agent') }
  106. describe '#validate_agent_limit_by_attributes' do
  107. context 'when reactivating a role adds new agents' do
  108. subject(:role) { create(:role, :agent, active: false) }
  109. before { create(:user, roles: [role]) }
  110. context 'exceeding the system limit' do
  111. before { Setting.set('system_agent_limit', agents.count) }
  112. it 'fails and raises an error' do
  113. expect { role.update!(active: true) }
  114. .to raise_error(Exceptions::UnprocessableEntity)
  115. .and not_change(agents, :count)
  116. end
  117. end
  118. end
  119. end
  120. end
  121. describe 'Restrictions on #default_at_signup:' do
  122. context 'for roles with "admin" permissions' do
  123. subject(:role) { build(:role, permissions: Permission.where(name: 'admin')) }
  124. it 'cannot be set to true on creation' do
  125. role.default_at_signup = true
  126. expect { role.save }
  127. .to raise_error(Exceptions::UnprocessableEntity, %r{Cannot set default at signup})
  128. end
  129. it 'cannot be changed to true' do
  130. role.save
  131. expect { role.update(default_at_signup: true) }
  132. .to raise_error(Exceptions::UnprocessableEntity, %r{Cannot set default at signup})
  133. end
  134. end
  135. context 'for roles with permissions that are children of "admin"' do
  136. subject(:role) { build(:role, permissions: [permission]) }
  137. let(:permission) { create(:permission, name: 'admin.foo') }
  138. it 'cannot be set to true on creation' do
  139. role.default_at_signup = true
  140. expect { role.save }
  141. .to raise_error(Exceptions::UnprocessableEntity, %r{Cannot set default at signup})
  142. end
  143. it 'cannot be changed to true' do
  144. role.save
  145. expect { role.update(default_at_signup: true) }
  146. .to raise_error(Exceptions::UnprocessableEntity, %r{Cannot set default at signup})
  147. end
  148. end
  149. context 'for roles with "ticket.agent" permissions' do
  150. subject(:role) { build(:role, permissions: Permission.where(name: 'ticket.agent')) }
  151. it 'cannot be set to true on creation' do
  152. role.default_at_signup = true
  153. expect { role.save }
  154. .to raise_error(Exceptions::UnprocessableEntity, %r{Cannot set default at signup})
  155. end
  156. it 'cannot be changed to true' do
  157. role.save
  158. expect { role.update(default_at_signup: true) }
  159. .to raise_error(Exceptions::UnprocessableEntity, %r{Cannot set default at signup})
  160. end
  161. end
  162. end
  163. describe 'Cleaning up groups when ticket.agent permission is lost' do
  164. let(:group) { Group.first }
  165. it 'creates a ticket.agent role with groups' do
  166. role = build(:role, :agent)
  167. role.role_groups.build group: group, access: 'full'
  168. role.save!
  169. expect(role.groups).to contain_exactly(group)
  170. end
  171. it 'saves non-ticket.agent role without groups' do
  172. role = build(:role, :admin)
  173. role.role_groups.build group: group, access: 'full'
  174. role.save!
  175. expect(role.groups).to be_blank
  176. end
  177. end
  178. end
  179. describe '.with_permissions' do
  180. context 'when given a name not matching any permissions' do
  181. let(:permission) { 'foo' }
  182. let(:result) { [] }
  183. it 'returns an empty array' do
  184. expect(described_class.with_permissions(permission)).to match_array(result)
  185. end
  186. end
  187. context 'when given the name of a top-level permission' do
  188. let(:permission) { 'user_preferences' }
  189. let(:result) { described_class.where(name: %w[Admin Agent]) }
  190. it 'returns an array of roles with that permission' do
  191. expect(described_class.with_permissions(permission)).to match_array(result)
  192. end
  193. end
  194. context 'when given the name of a child permission' do
  195. let(:permission) { 'user_preferences.language' }
  196. let(:result) { described_class.all }
  197. it 'returns an array of roles with either that permission or an ancestor' do
  198. expect(described_class.with_permissions(permission)).to match_array(result)
  199. end
  200. end
  201. context 'when given the names of multiple permissions' do
  202. let(:permissions) { %w[ticket.agent ticket.customer] }
  203. let(:result) { described_class.where(name: %w[Agent Customer]) }
  204. it 'returns an array of roles matching ANY given permission' do
  205. expect(described_class.with_permissions(permissions)).to match_array(result)
  206. end
  207. end
  208. end
  209. describe '#with_permission?' do
  210. subject(:role) { described_class.find_by(name: 'Admin') }
  211. context 'when given the name of a permission it has' do
  212. it 'returns true' do
  213. expect(role.with_permission?('admin')).to be(true)
  214. end
  215. end
  216. context 'when given the name of a permission it does NOT have' do
  217. it 'returns false' do
  218. expect(role.with_permission?('ticket.customer')).to be(false)
  219. end
  220. end
  221. context 'when given the name of multiple permissions' do
  222. it 'returns true as long as ANY match' do
  223. expect(role.with_permission?(['admin', 'ticket.customer'])).to be(true)
  224. end
  225. end
  226. end
  227. # https://github.com/zammad/zammad/issues/5123
  228. describe 'Removing KB editor permission with existing KB' do
  229. it 'allows to remove editor but keep reader permission' do
  230. role = create(:role, permission_names: %w[knowledge_base.reader knowledge_base.editor])
  231. kb_permission = create(:knowledge_base_permission, role: role)
  232. role.permission_revoke('knowledge_base.editor')
  233. expect(kb_permission.reload).to have_attributes(access: 'reader')
  234. end
  235. end
  236. end