user_policy_spec.rb 5.9 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201
  1. # Copyright (C) 2012-2022 Zammad Foundation, https://zammad-foundation.org/
  2. require 'rails_helper'
  3. describe UserPolicy do
  4. subject { described_class.new(user, record) }
  5. context 'when user is an admin' do
  6. let(:user) { create(:user, roles: [partial_admin_role]) }
  7. context 'with "admin.user" privileges' do
  8. let(:partial_admin_role) do
  9. create(:role).tap { |role| role.permission_grant('admin.user') }
  10. end
  11. context 'wants to read, change, or delete any user' do
  12. context 'when record is an admin user' do
  13. let(:record) { create(:admin) }
  14. it { is_expected.to permit_actions(%i[show update destroy]) }
  15. end
  16. context 'when record is an agent user' do
  17. let(:record) { create(:agent) }
  18. it { is_expected.to permit_actions(%i[show update destroy]) }
  19. end
  20. context 'when record is a customer user' do
  21. let(:record) { create(:customer) }
  22. it { is_expected.to permit_actions(%i[show update destroy]) }
  23. end
  24. context 'when record is any user' do
  25. let(:record) { create(:user) }
  26. it { is_expected.to permit_actions(%i[show update destroy]) }
  27. end
  28. context 'when record is the same user' do
  29. let(:record) { user }
  30. it { is_expected.to permit_actions(%i[show update destroy]) }
  31. end
  32. end
  33. end
  34. context 'without "admin.user" privileges' do
  35. let(:partial_admin_role) do
  36. create(:role).tap { |role| role.permission_grant('admin.tag') }
  37. end
  38. context 'when record is an admin user' do
  39. let(:record) { create(:admin) }
  40. it { is_expected.to permit_action(:show) }
  41. it { is_expected.to forbid_actions(%i[update destroy]) }
  42. end
  43. context 'when record is an agent user' do
  44. let(:record) { create(:agent) }
  45. it { is_expected.to permit_action(:show) }
  46. it { is_expected.to forbid_actions(%i[update destroy]) }
  47. end
  48. context 'when record is a customer user' do
  49. let(:record) { create(:customer) }
  50. it { is_expected.to permit_action(:show) }
  51. it { is_expected.to forbid_actions(%i[update destroy]) }
  52. end
  53. context 'when record is any user' do
  54. let(:record) { create(:user) }
  55. it { is_expected.to permit_action(:show) }
  56. it { is_expected.to forbid_actions(%i[update destroy]) }
  57. end
  58. context 'when record is the same user' do
  59. let(:record) { user }
  60. it { is_expected.to permit_action(:show) }
  61. it { is_expected.to forbid_actions(%i[update destroy]) }
  62. end
  63. end
  64. end
  65. context 'when user is an agent' do
  66. let(:user) { create(:agent) }
  67. context 'when record is an admin user' do
  68. let(:record) { create(:admin) }
  69. it { is_expected.to permit_action(:show) }
  70. it { is_expected.to forbid_actions(%i[update destroy]) }
  71. end
  72. context 'when record is an agent user' do
  73. let(:record) { create(:agent) }
  74. it { is_expected.to permit_action(:show) }
  75. it { is_expected.to forbid_actions(%i[update destroy]) }
  76. end
  77. context 'when record is a customer user' do
  78. let(:record) { create(:customer) }
  79. it { is_expected.to permit_actions(%i[show update]) }
  80. it { is_expected.to forbid_action(:destroy) }
  81. end
  82. context 'when record is any user' do
  83. let(:record) { create(:user) }
  84. it { is_expected.to permit_actions(%i[show update]) }
  85. it { is_expected.to forbid_action(:destroy) }
  86. end
  87. context 'when record is the same user' do
  88. let(:record) { user }
  89. it { is_expected.to permit_action(:show) }
  90. it { is_expected.to forbid_actions(%i[update destroy]) }
  91. end
  92. context 'when record is both admin and customer' do
  93. let(:record) { create(:customer, role_ids: Role.signup_role_ids.push(Role.find_by(name: 'Admin').id)) }
  94. it { is_expected.to permit_action(:show) }
  95. it { is_expected.to forbid_actions(%i[update destroy]) }
  96. end
  97. context 'when record is both agent and customer' do
  98. let(:record) { create(:customer, role_ids: Role.signup_role_ids.push(Role.find_by(name: 'Agent').id)) }
  99. it { is_expected.to permit_action(:show) }
  100. it { is_expected.to forbid_actions(%i[update destroy]) }
  101. end
  102. end
  103. context 'when user is a customer' do
  104. let(:user) { create(:customer) }
  105. context 'when record is an admin user' do
  106. let(:record) { create(:admin) }
  107. it { is_expected.to forbid_actions(%i[show update destroy]) }
  108. end
  109. context 'when record is an agent user' do
  110. let(:record) { create(:agent) }
  111. it { is_expected.to forbid_actions(%i[show update destroy]) }
  112. end
  113. context 'when record is a customer user' do
  114. let(:record) { create(:customer) }
  115. it { is_expected.to forbid_actions(%i[show update destroy]) }
  116. end
  117. context 'when record is any user' do
  118. let(:record) { create(:user) }
  119. it { is_expected.to forbid_actions(%i[show update destroy]) }
  120. end
  121. context 'when record is a colleague' do
  122. let(:user) { create(:customer, :with_org) }
  123. let(:record) { create(:customer, organization: user.organization) }
  124. it { is_expected.to permit_action(:show) }
  125. it { is_expected.to forbid_actions(%i[update destroy]) }
  126. end
  127. context 'when record is the same user' do
  128. let(:record) { user }
  129. it { is_expected.to permit_action(:show) }
  130. it { is_expected.to forbid_actions(%i[update destroy]) }
  131. end
  132. context 'when record is both admin and customer' do
  133. let(:record) { create(:customer, role_ids: Role.signup_role_ids.push(Role.find_by(name: 'Admin').id)) }
  134. it { is_expected.to forbid_actions(%i[show update destroy]) }
  135. end
  136. context 'when record is both agent and customer' do
  137. let(:record) { create(:customer, role_ids: Role.signup_role_ids.push(Role.find_by(name: 'Agent').id)) }
  138. it { is_expected.to forbid_actions(%i[show update destroy]) }
  139. end
  140. end
  141. end