12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394 |
- # Copyright (C) 2012-2025 Zammad Foundation, https://zammad-foundation.org/
- require 'rails_helper'
- describe Controllers::AttachmentsControllerPolicy do
- subject { described_class.new(user, record) }
- include_context 'basic Knowledge Base'
- let(:record_class) { AttachmentsController }
- let(:object) { create(:knowledge_base_answer, visibility, :with_attachment, category: category) }
- let(:params) { { id: object.attachments.first.id } }
- let(:session) { {} }
- let(:record) do
- rec = record_class.new
- # rec.action_name = action_name
- rec.params = params
- rec
- end
- before do
- allow(record).to receive(:session).and_return(session)
- end
- context 'with no user' do
- let(:user) { nil }
- context 'with published object' do
- let(:visibility) { :published }
- it { is_expected.to permit_actions :show }
- it { is_expected.to forbid_actions :destroy }
- end
- context 'with private object' do
- let(:visibility) { :internal }
- it { is_expected.to forbid_actions :show, :destroy }
- end
- end
- context 'with a user' do
- context 'with full access' do
- let(:user) { create(:admin) }
- let(:visibility) { :published }
- it { is_expected.to permit_actions :show, :destroy }
- end
- context 'with limited access' do
- let(:user) { create(:agent) }
- let(:visibility) { :internal }
- it { is_expected.to permit_actions :show }
- it { is_expected.to forbid_actions :destroy }
- end
- context 'with no access' do
- let(:user) { create(:agent) }
- let(:visibility) { :draft }
- it { is_expected.to forbid_actions :show, :destroy }
- end
- context 'with object that does not have a policy' do
- let(:file) { create(:store, object: 'NonExistingObject') }
- let(:params) { { id: file.id } }
- let(:user) { create(:admin) }
- it { is_expected.to forbid_actions :show, :destroy }
- end
- end
- context 'with a preview token' do
- let(:user) { false }
- let(:visibility) { :draft }
- let(:session) { { kb_preview_token: token } }
- context 'when token is valid' do
- let(:token) { Token.renew_token! 'KnowledgeBasePreview', create(:admin).id }
- it { is_expected.to permit_actions :show }
- it { is_expected.to forbid_actions :destroy }
- end
- context 'when token user does not have access' do
- let(:token) { Token.renew_token! 'KnowledgeBasePreview', create(:customer).id }
- it { is_expected.to forbid_actions :show, :destroy }
- end
- end
- end
|