user_policy_spec.rb 7.6 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238
  1. # Copyright (C) 2012-2024 Zammad Foundation, https://zammad-foundation.org/
  2. require 'rails_helper'
  3. describe UserPolicy do
  4. subject(:user_policy) { described_class.new(user, record) }
  5. context 'when user is an admin' do
  6. let(:user) { create(:user, roles: [partial_admin_role]) }
  7. context 'with "admin.user" privileges' do
  8. let(:partial_admin_role) do
  9. create(:role).tap { |role| role.permission_grant('admin.user') }
  10. end
  11. context 'wants to read, change, or delete any user' do
  12. context 'when record is an admin user' do
  13. let(:record) { create(:admin) }
  14. it { is_expected.to permit_actions(%i[show nested_show update destroy]) }
  15. end
  16. context 'when record is an agent user' do
  17. let(:record) { create(:agent) }
  18. it { is_expected.to permit_actions(%i[show nested_show update destroy]) }
  19. end
  20. context 'when record is a customer user' do
  21. let(:record) { create(:customer) }
  22. it { is_expected.to permit_actions(%i[show nested_show update destroy]) }
  23. end
  24. context 'when record is any user' do
  25. let(:record) { create(:user) }
  26. it { is_expected.to permit_actions(%i[show nested_show update destroy]) }
  27. end
  28. context 'when record is the same user' do
  29. let(:record) { user }
  30. it { is_expected.to permit_actions(%i[show nested_show update destroy]) }
  31. end
  32. end
  33. end
  34. context 'without "admin.user" privileges' do
  35. let(:partial_admin_role) do
  36. create(:role).tap { |role| role.permission_grant('admin.tag') }
  37. end
  38. context 'when record is an admin user' do
  39. let(:record) { create(:admin) }
  40. it { is_expected.to permit_actions(%i[show nested_show]) }
  41. it { is_expected.to forbid_actions(%i[update destroy]) }
  42. end
  43. context 'when record is an agent user' do
  44. let(:record) { create(:agent) }
  45. it { is_expected.to permit_actions(%i[show nested_show]) }
  46. it { is_expected.to forbid_actions(%i[update destroy]) }
  47. end
  48. context 'when record is a customer user' do
  49. let(:record) { create(:customer) }
  50. it { is_expected.to permit_actions(%i[show nested_show]) }
  51. it { is_expected.to forbid_actions(%i[update destroy]) }
  52. end
  53. context 'when record is any user' do
  54. let(:record) { create(:user) }
  55. it { is_expected.to permit_actions(%i[show nested_show]) }
  56. it { is_expected.to forbid_actions(%i[update destroy]) }
  57. end
  58. context 'when record is the same user' do
  59. let(:record) { user }
  60. it { is_expected.to permit_actions(%i[show nested_show]) }
  61. it { is_expected.to forbid_actions(%i[update destroy]) }
  62. end
  63. end
  64. end
  65. context 'when user is an agent' do
  66. let(:user) { create(:agent) }
  67. context 'when record is an admin user' do
  68. let(:record) { create(:admin) }
  69. it { is_expected.to permit_actions(%i[show nested_show]) }
  70. it { is_expected.to forbid_actions(%i[update destroy]) }
  71. end
  72. context 'when record is an agent user' do
  73. let(:record) { create(:agent) }
  74. it { is_expected.to permit_actions(%i[show nested_show]) }
  75. it { is_expected.to forbid_actions(%i[update destroy]) }
  76. end
  77. context 'when record is a customer user' do
  78. let(:record) { create(:customer) }
  79. it { is_expected.to permit_actions(%i[show update]) }
  80. it { is_expected.to forbid_action(:destroy) }
  81. end
  82. context 'when record is any user' do
  83. let(:record) { create(:user) }
  84. it { is_expected.to permit_actions(%i[show nested_show update]) }
  85. it { is_expected.to forbid_action(:destroy) }
  86. end
  87. context 'when record is the same user' do
  88. let(:record) { user }
  89. it { is_expected.to permit_actions(%i[show nested_show]) }
  90. it { is_expected.to forbid_actions(%i[update destroy]) }
  91. end
  92. context 'when record is both admin and customer' do
  93. let(:record) { create(:customer, role_ids: Role.signup_role_ids.push(Role.find_by(name: 'Admin').id)) }
  94. it { is_expected.to permit_actions(%i[show nested_show]) }
  95. it { is_expected.to forbid_actions(%i[update destroy]) }
  96. end
  97. context 'when record is both agent and customer' do
  98. let(:record) { create(:customer, role_ids: Role.signup_role_ids.push(Role.find_by(name: 'Agent').id)) }
  99. it { is_expected.to permit_actions(%i[show nested_show]) }
  100. it { is_expected.to forbid_actions(%i[update destroy]) }
  101. end
  102. end
  103. context 'when user is a customer' do
  104. let(:user) { create(:customer) }
  105. shared_examples 'restricts fields' do |method|
  106. it "restricts fields for #{method}", :aggregate_failures do
  107. expect(user_policy.public_send(method)).to permit_fields(%i[id firstname lastname image image_source active])
  108. expect(user_policy.public_send(method)).to forbid_fields(%i[email phone mobile note])
  109. end
  110. end
  111. shared_examples 'does not restrict fields' do |method|
  112. it "does not restrict fields for #{method}" do
  113. expect(user_policy.public_send(method)).to be(true)
  114. end
  115. end
  116. context 'when record is an admin user' do
  117. let(:record) { create(:admin) }
  118. it { is_expected.to permit_actions(%i[nested_show]) }
  119. it { is_expected.to forbid_actions(%i[show update destroy]) }
  120. include_examples 'restricts fields', :nested_show?
  121. end
  122. context 'when record is an agent user' do
  123. let(:record) { create(:agent) }
  124. it { is_expected.to permit_actions(%i[nested_show]) }
  125. it { is_expected.to forbid_actions(%i[show update destroy]) }
  126. include_examples 'restricts fields', :nested_show?
  127. end
  128. context 'when record is a customer user' do
  129. let(:record) { create(:customer) }
  130. it { is_expected.to permit_actions(%i[nested_show]) }
  131. it { is_expected.to forbid_actions(%i[show update destroy]) }
  132. include_examples 'restricts fields', :nested_show?
  133. end
  134. context 'when record is any user' do
  135. let(:record) { create(:user) }
  136. it { is_expected.to permit_actions(%i[nested_show]) }
  137. it { is_expected.to forbid_actions(%i[show update destroy]) }
  138. include_examples 'restricts fields', :nested_show?
  139. end
  140. context 'when record is a colleague' do
  141. let(:user) { create(:customer, :with_org) }
  142. let(:record) { create(:customer, organization: user.organization) }
  143. it { is_expected.to permit_actions(%i[show nested_show]) }
  144. it { is_expected.to forbid_actions(%i[update destroy]) }
  145. include_examples 'restricts fields', :nested_show?
  146. include_examples 'restricts fields', :show?
  147. end
  148. context 'when record is the same user' do
  149. let(:record) { user }
  150. it { is_expected.to permit_actions(%i[show nested_show]) }
  151. it { is_expected.to forbid_actions(%i[update destroy]) }
  152. include_examples 'does not restrict fields', :nested_show?
  153. include_examples 'does not restrict fields', :show?
  154. end
  155. context 'when record is both admin and customer' do
  156. let(:record) { create(:customer, role_ids: Role.signup_role_ids.push(Role.find_by(name: 'Admin').id)) }
  157. it { is_expected.to permit_action(:nested_show) }
  158. it { is_expected.to forbid_actions(%i[show update destroy]) }
  159. include_examples 'restricts fields', :nested_show?
  160. end
  161. context 'when record is both agent and customer' do
  162. let(:record) { create(:customer, role_ids: Role.signup_role_ids.push(Role.find_by(name: 'Agent').id)) }
  163. it { is_expected.to permit_action(:nested_show) }
  164. it { is_expected.to forbid_actions(%i[show update destroy]) }
  165. include_examples 'restricts fields', :nested_show?
  166. end
  167. end
  168. end