
  1. # Copyright (C) 2012-2025 Zammad Foundation, https://zammad-foundation.org/
  2. require 'rails_helper'
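RSpec.describe User::Permissions, type: :model do
  # Specs for the permission accessors mixed into User. The authorization
  # invariants pinned here: inactive permissions and inactive roles grant
  # nothing, a parent permission (e.g. 'admin') implies its children, and a
  # failed authorization check raises instead of silently returning.

  describe '#permissions' do
    # Reduce the agent to a single role so the expected permission set is
    # unambiguous.
    let(:user) { create(:agent).tap { |u| u.roles = [u.roles.first] } }
    let(:role) { user.roles.first }
    let(:permissions) { role.permissions }

    it 'is a simple association getter' do
      expect(user.permissions).to match_array(permissions)
    end

    context 'when inactive permissions' do
      before { permissions.first.update(active: false) }

      it 'omits them from the returned list' do
        expect(user.permissions).not_to include(permissions.first)
      end
    end

    context 'when permissions on inactive roles' do
      before { role.update(active: false) }

      it 'omits them from the returned list' do
        expect(user.permissions).not_to include(*role.permissions)
      end
    end
  end

  describe '#permissions?' do
    let(:user) { create(:agent) }

    it 'returns value from Auth::Permissions' do
      allow(Auth::Permissions).to receive(:authorized?).and_return(true)

      # Assert the delegated result as well as the call; a wrapper that
      # ignored the answer from Auth::Permissions would otherwise still pass.
      expect(user.permissions?('ticket.agent')).to be true
      expect(Auth::Permissions).to have_received(:authorized?).with(user, 'ticket.agent')
    end

    it 'returns false if user does not have permission' do
      expect(user).not_to be_permissions('foo')
    end

    it 'returns true if user has permission' do
      expect(user).to be_permissions('ticket.agent')
    end
  end

  describe '#permissions!' do
    let(:user) { create(:agent) }

    it 'raises error if user does not have permission' do
      # NOTE(review): matched on message only; pinning the exception class as
      # well would catch a change that callers' rescue clauses depend on.
      expect { user.permissions!('foo') }.to raise_error('User authorization failed.')
    end

    it 'does not raise if user has permission' do
      # Exercise permissions! itself rather than permissions? so the bang
      # variant's success path is actually covered.
      expect { user.permissions!('ticket.agent') }.not_to raise_error
    end
  end

  describe '#permissions_with_child_ids' do
    context 'with privileges for a root permission (e.g., "foo", not "foo.bar")' do
      subject(:user) { create(:user, roles: [role]) }

      let(:role) { create(:role, permissions: [permission]) }
      let!(:permission) { create(:permission, name: 'foo') }
      let!(:child_permission) { create(:permission, name: 'foo.bar') }
      let!(:inactive_child_permission) { create(:permission, name: 'foo.baz', active: false) }

      it 'includes the IDs of user’s explicit permissions' do
        expect(user.permissions_with_child_ids)
          .to include(permission.id)
      end

      it 'includes the IDs of user’s active sub-permissions' do
        expect(user.permissions_with_child_ids)
          .to include(child_permission.id)
          .and not_include(inactive_child_permission.id)
      end
    end
  end

  describe '#permissions_with_child_names' do
    context 'with privileges for a root permission (e.g., "foo", not "foo.bar")' do
      subject(:user) { create(:user, roles: [role]) }

      let(:role) { create(:role, permissions: [permission]) }
      let!(:permission) { create(:permission, name: 'foo') }
      let!(:child_permission) { create(:permission, name: 'foo.bar') }
      let!(:inactive_child_permission) { create(:permission, name: 'foo.baz', active: false) }

      it 'includes the names of user’s explicit permissions' do
        expect(user.permissions_with_child_names)
          .to include(permission.name)
      end

      it 'includes the names of user’s active sub-permissions' do
        expect(user.permissions_with_child_names)
          .to include(child_permission.name)
          .and not_include(inactive_child_permission.name)
      end
    end
  end

  describe '#permissions_with_child_and_parent_elements' do
    let(:user) { create(:user, roles: [role]) }
    let(:role) { create(:role, permission_names: role_permission_names) }

    context 'when user has parent permission' do
      let(:role_permission_names) { %w[admin] }

      it 'returns parent and all children permissions' do
        expect(user.permissions_with_child_and_parent_elements)
          .to include(
            have_attributes(name: 'admin'),
            have_attributes(name: 'admin.user'),
            have_attributes(name: 'admin.group'),
          )
      end

      it 'does not include other permissions' do
        expect(user.permissions_with_child_and_parent_elements)
          .to all(have_attributes(name: start_with('admin')))
      end
    end

    context 'when user has child permission' do
      let(:role_permission_names) { %w[admin.user] }

      # Holding a child must not imply the parent: 'admin' is returned only
      # as a disabled element for display, not as a granted permission.
      it 'returns only child permission and disabled parent permission' do
        expect(user.permissions_with_child_and_parent_elements)
          .to contain_exactly(
            have_attributes(name: 'admin.user'),
            have_attributes(name: 'admin', preferences: include(disabled: true)),
          )
      end
    end

    context 'when user has top-level deadend permission' do
      let(:role_permission_names) { %w[report] }

      it 'returns that permission only' do
        expect(user.permissions_with_child_and_parent_elements)
          .to contain_exactly(
            have_attributes(name: 'report')
          )
      end
    end
  end

  describe '.with_permissions' do
    let(:permission) { create(:permission, name: 'foo') }
    let(:role) { create(:role, permissions: [permission]) }
    let(:user) { create(:user, roles: [role]) }

    before { user }

    context 'when user has permission' do
      it 'is included in the list' do
        expect(User.with_permissions('foo')).to include(user)
      end

      # Parent permission implies the sub-permission.
      # NOTE(review): the reverse direction (a user holding only 'foo.bar'
      # must not match with_permissions('foo')) is not covered by this spec.
      it 'is included in the list with sub-permission if user has parent permission' do
        expect(User.with_permissions('foo.bar')).to include(user)
      end

      it 'is included in the list if extra non-existent permissions given' do
        expect(User.with_permissions('bar', 'foo')).to include(user)
      end

      # Multiple arguments are OR-ed: any one matching permission suffices.
      it 'is included in the list if user has only one of the given permissions' do
        expect(User.with_permissions('ticket.agent', 'foo')).to include(user)
      end

      it 'is included in the list if arguments are given as an array' do
        expect(User.with_permissions(['ticket.agent', 'foo'])).to include(user)
      end

      context 'when user is not active' do
        before { user.update! active: false }

        it 'is not included in the list' do
          expect(User.with_permissions('foo')).not_to include(user)
        end
      end

      context 'when permission is not active' do
        before { permission.update! active: false }

        it 'is not included in the list' do
          expect(User.with_permissions('foo')).not_to include(user)
        end
      end

      context 'when role is not active' do
        before { role.update! active: false }

        it 'is not included in the list' do
          expect(User.with_permissions('foo')).not_to include(user)
        end
      end
    end

    context 'when user does not have permission' do
      it 'is not included in the list' do
        expect(User.with_permissions('bar')).not_to include(user)
      end
    end
  end
end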