
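# Copyright (C) 2012-2025 Zammad Foundation, https://zammad-foundation.org/

require 'rails_helper'

# Authorization spec for attachment access through AttachmentsController.
# The policy is evaluated against a bare controller instance (its params and
# session), and each context pins the expected allow/deny decision for:
# anonymous visitors, logged-in users with varying access, attachments whose
# owning object has no policy class, and the Knowledge Base preview token.
describe Controllers::AttachmentsControllerPolicy do
  subject { described_class.new(user, record) }

  include_context 'basic Knowledge Base'

  let(:record_class) { AttachmentsController }
  let(:object)       { create(:knowledge_base_answer, visibility, :with_attachment, category: category) }
  let(:params)       { { id: object.attachments.first.id } }
  let(:session)      { {} }

  # The policy looks the attachment up by the id in the controller's params,
  # so the record is a plain controller instance rather than a full request.
  let(:record) do
    rec = record_class.new
    rec.params = params
    rec
  end

  before do
    allow(record).to receive(:session).and_return(session)
  end

  context 'with no user' do
    let(:user) { nil }

    context 'with published object' do
      let(:visibility) { :published }

      it { is_expected.to permit_actions :show }
      it { is_expected.to forbid_actions :destroy }
    end

    # Internal content must stay hidden from anonymous visitors.
    context 'with private object' do
      let(:visibility) { :internal }

      it { is_expected.to forbid_actions :show, :destroy }
    end
  end

  context 'with a user' do
    context 'with full access' do
      let(:user)       { create(:admin) }
      let(:visibility) { :published }

      it { is_expected.to permit_actions :show, :destroy }
    end

    context 'with limited access' do
      let(:user)       { create(:agent) }
      let(:visibility) { :internal }

      it { is_expected.to permit_actions :show }
      it { is_expected.to forbid_actions :destroy }
    end

    context 'with no access' do
      let(:user)       { create(:agent) }
      let(:visibility) { :draft }

      it { is_expected.to forbid_actions :show, :destroy }
    end

    # A Store record whose owning object has no policy class is denied even
    # for an admin: the policy fails closed instead of falling through.
    context 'with object that does not have a policy' do
      let(:file)   { create(:store, object: 'NonExistingObject') }
      let(:params) { { id: file.id } }
      let(:user)   { create(:admin) }

      it { is_expected.to forbid_actions :show, :destroy }
    end
  end

  # The preview token is carried in the session and stands in for a login.
  # NOTE(review): user is false rather than nil here; confirm the policy
  # intentionally distinguishes the two.
  context 'with a preview token' do
    let(:user)       { false }
    let(:visibility) { :draft }
    let(:session)    { { kb_preview_token: token } }

    # A valid token grants read-only access to the draft; destroy stays forbidden.
    context 'when token is valid' do
      let(:token) { Token.renew_token! 'KnowledgeBasePreview', create(:admin).id }

      it { is_expected.to permit_actions :show }
      it { is_expected.to forbid_actions :destroy }
    end

    # The token must not grant more than its owner could see: a customer's
    # token does not expose a draft.
    context 'when token user does not have access' do
      let(:token) { Token.renew_token! 'KnowledgeBasePreview', create(:customer).id }

      it { is_expected.to forbid_actions :show, :destroy }
    end
  end
end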