group_policy_spec.rb 2.9 KB

  # Copyright (C) 2012-2025 Zammad Foundation, https://zammad-foundation.org/

  require 'rails_helper'

  # Authorization spec for GroupPolicy.
  #
  # Covers two things:
  #   * whether a given user may `show` a group (admin, agent, customer), and
  #   * which group attributes a customer is allowed to read once `show` is granted.
  #
  # Field-level assertions exist only for the customer role; this spec makes no
  # claim about which fields admins or agents can read.
  describe GroupPolicy do
    subject { described_class.new(user, record) }

    let(:record) { create(:group) }

    context 'when user is admin' do
      let(:user) { create(:admin) }

      it { is_expected.to permit_actions(:show) }
    end

    context 'when user is agent' do
      let(:user) { create(:agent) }

      context 'when user has access to group' do
        # The agent is attached to the group and given exactly the access
        # levels named by the nested context's `permissions`.
        before do
          user.groups << record
          user.group_names_access_map = { record.name => permissions }
        end

        # Each of these access levels, held on its own, is expected to allow :show.
        %w[full read create change].each do |access_level|
          context "with #{access_level} access" do
            let(:permissions) { [access_level] }

            it { is_expected.to permit_actions(:show) }
          end
        end

        # 'overview' is the one access level exercised here that must NOT allow :show.
        context 'with overview access' do
          let(:permissions) { %w[overview] }

          it { is_expected.to forbid_actions(:show) }
        end
      end

      # Negative case: the spec grants this agent nothing for the group.
      context 'when user does not have access to group' do
        it { is_expected.to forbid_actions(:show) }
      end
    end

    context 'when user is customer' do
      let(:user) { create(:customer) }

      # Field-level check for customers: the first list must be readable, the
      # second must be withheld. An attribute that appears in neither list is
      # not asserted either way by this example.
      # NOTE(review): whether `permit_fields` requires an exact match or only a
      # subset is not visible here; confirm against the matcher.
      shared_examples 'restricts fields' do |method|
        it "restricts fields for #{method}", :aggregate_failures do
          visible_fields = %i[id name follow_up_possible reopen_time_in_days active]
          hidden_fields  = %i[email_address signature note]

          expect(subject.public_send(method)).to permit_fields(visible_fields)
          expect(subject.public_send(method)).to forbid_fields(hidden_fields)
        end
      end

      # NOTE(review): this context never sets customer_ticket_create_group_ids.
      # If the setting's default is an empty list (which a later context
      # describes as permitting all groups), the example would pass without the
      # ticket. Confirm the default, and consider pinning the setting to another
      # group id so that ticket ownership is the only grant under test.
      context 'when has ticket in group' do
        before do
          create(:ticket, group: record, customer: user)
        end

        it { is_expected.to permit_actions(:show) }

        include_examples 'restricts fields', :show?
      end

      context 'when group is in customer_ticket_create_group_ids' do
        before { Setting.set('customer_ticket_create_group_ids', [record.id]) }

        it { is_expected.to permit_actions(:show) }

        include_examples 'restricts fields', :show?
      end

      # An empty list means "no restriction", not "nothing allowed": the group
      # is visible to the customer, still with the restricted field set.
      context 'when customer_ticket_create_group_ids is empty and thus all groups are permitted' do
        before { Setting.set('customer_ticket_create_group_ids', []) }

        it { is_expected.to permit_actions(:show) }

        include_examples 'restricts fields', :show?
      end

      context 'when group is not in customer_ticket_create_group_ids' do
        # record.id + 1 is simply an id other than the group under test.
        before { Setting.set('customer_ticket_create_group_ids', [record.id + 1]) }

        # Neither grant applies: group not listed and no ticket created.
        context 'when has no ticket in a group' do
          it { is_expected.to forbid_actions(:show) }
        end
      end
    end
  end