SMusatov
/
zammad
mirror of https://github.com/zammad/zammad.git


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211
							# Copyright (C) 2012-2024 Zammad Foundation, https://zammad-foundation.org/

require 'rails_helper'

RSpec.describe User::Permissions, type: :model do
  describe '#permissions' do
    let(:user)        { create(:agent).tap { |u| u.roles = [u.roles.first] } }
    let(:role)        { user.roles.first }
    let(:permissions) { role.permissions }

    it 'is a simple association getter' do
      expect(user.permissions).to match_array(permissions)
    end

    context 'when inactive permissions' do
      before { permissions.first.update(active: false) }

      it 'omits them from the returned hash' do
        expect(user.permissions).not_to include(permissions.first)
      end
    end

    context 'when permissions on inactive roles' do
      before { role.update(active: false) }

      it 'omits them from the returned hash' do
        expect(user.permissions).not_to include(*role.permissions)
      end
    end
  end

  describe '#permissions?' do
    let(:user) { create(:agent) }

    it 'returns value from Auth::Permissions' do
      allow(Auth::Permissions).to receive(:authorized?).and_return(true)
      user.permissions?('ticket.agent')
      expect(Auth::Permissions).to have_received(:authorized?).with(user, 'ticket.agent')
    end

    it 'returns false if user does not have permission' do
      expect(user).not_to be_permissions('foo')
    end

    it 'returns true if user has permission' do
      expect(user).to be_permissions('ticket.agent')
    end
  end

  describe '#permissions!' do
    let(:user) { create(:agent) }

    it 'raises error if user does not have permission' do
      expect { user.permissions!('foo') }.to raise_error('User authorization failed.')
    end

    it 'returns true if user has permission' do
      expect(user).to be_permissions('ticket.agent')
    end
  end

  describe '#permissions_with_child_ids' do
    context 'with privileges for a root permission (e.g., "foo", not "foo.bar")' do
      subject(:user) { create(:user, roles: [role]) }

      let(:role)                       { create(:role, permissions: [permission]) }
      let!(:permission)                { create(:permission, name: 'foo') }
      let!(:child_permission)          { create(:permission, name: 'foo.bar') }
      let!(:inactive_child_permission) { create(:permission, name: 'foo.baz', active: false) }

      it 'includes the IDs of user’s explicit permissions' do
        expect(user.permissions_with_child_ids)
          .to include(permission.id)
      end

      it 'includes the IDs of user’s active sub-permissions' do
        expect(user.permissions_with_child_ids)
          .to include(child_permission.id)
          .and not_include(inactive_child_permission.id)
      end
    end
  end

  describe '#permissions_with_child_names' do
    context 'with privileges for a root permission (e.g., "foo", not "foo.bar")' do
      subject(:user) { create(:user, roles: [role]) }

      let(:role) { create(:role, permissions: [permission]) }
      let!(:permission)                { create(:permission, name: 'foo') }
      let!(:child_permission)          { create(:permission, name: 'foo.bar') }
      let!(:inactive_child_permission) { create(:permission, name: 'foo.baz', active: false) }

      it 'includes the names of user’s explicit permissions' do
        expect(user.permissions_with_child_names)
          .to include(permission.name)
      end

      it 'includes the names of user’s active sub-permissions' do
        expect(user.permissions_with_child_names)
          .to include(child_permission.name)
          .and not_include(inactive_child_permission.name)
      end
    end
  end

  describe '#permissions_with_child_and_parent_elements' do
    let(:user) { create(:user, roles: [role]) }
    let(:role) { create(:role, permission_names: role_permission_names) }

    context 'when user has parent permission' do
      let(:role_permission_names) { %w[admin] }

      it 'returns parent and all children permissions' do
        expect(user.permissions_with_child_and_parent_elements)
          .to include(
            have_attributes(name: 'admin'),
            have_attributes(name: 'admin.user'),
            have_attributes(name: 'admin.group'),
          )
      end

      it 'does not include other permissions' do
        expect(user.permissions_with_child_and_parent_elements)
          .to all(have_attributes(name: start_with('admin')))
      end
    end

    context 'when user has child permission' do
      let(:role_permission_names) { %w[admin.user] }

      it 'returns only child permission and disabled parent permission' do
        expect(user.permissions_with_child_and_parent_elements)
          .to contain_exactly(
            have_attributes(name: 'admin.user'),
            have_attributes(name: 'admin', preferences: include(disabled: true)),
          )
      end
    end

    context 'when user has top-level deadend permission' do
      let(:role_permission_names) { %w[report] }

      it 'returns that permission only' do
        expect(user.permissions_with_child_and_parent_elements)
          .to contain_exactly(
            have_attributes(name: 'report')
          )
      end
    end
  end

  describe '.with_permissions' do
    let(:permission) { create(:permission, name: 'foo') }
    let(:role)       { create(:role, permissions: [permission]) }
    let(:user)       { create(:user, roles: [role]) }

    before { user }

    context 'when user has permission' do
      it 'is included in the list' do
        expect(User.with_permissions('foo')).to include(user)
      end

      it 'is included in the list with sub-permission if user has parent permission' do
        expect(User.with_permissions('foo.bar')).to include(user)
      end

      it 'is included in the list if extra non-existant permissions given' do
        expect(User.with_permissions('bar', 'foo')).to include(user)
      end

      it 'is included in the list if user has only one of the given permissions' do
        expect(User.with_permissions('ticket.agent', 'foo')).to include(user)
      end

      it 'is included in the list if arguments are given as an array' do
        expect(User.with_permissions(['ticket.agent', 'foo'])).to include(user)
      end

      context 'when user is not active' do
        before { user.update! active: false }

        it 'not included in the list' do
          expect(User.with_permissions('foo')).not_to include(user)
        end
      end

      context 'when permission is not active' do
        before { permission.update! active: false }

        it 'not included in the list' do
          expect(User.with_permissions('foo')).not_to include(user)
        end
      end

      context 'when role is not active' do
        before { role.update! active: false }

        it 'not included in the list' do
          expect(User.with_permissions('foo')).not_to include(user)
        end
      end
    end

    context 'when user does not have permission' do
      it 'not included in the list' do
        expect(User.with_permissions('bar')).not_to include(user)
      end
    end
  end
end