#465: Added specs for AdvisoryPolicy, ArchPolicy, BuildListPolicy

This commit is contained in:
Vokhmin Alexey V 2015-04-09 02:06:55 +03:00
parent e736586129
commit be6ad05e49
7 changed files with 325 additions and 6 deletions


@ -1,8 +1,8 @@
class Api::V1::AdvisoriesController < Api::V1::BaseController class Api::V1::AdvisoriesController < Api::V1::BaseController
before_action :authenticate_user! before_action :authenticate_user!
skip_before_action :authenticate_user!, only: [:index, :show] if APP_CONFIG['anonymous_access'] skip_before_action :authenticate_user!, only: %i(index show) if APP_CONFIG['anonymous_access']
before_action :load_advisory before_action :load_advisory, only: %i(show update)
before_action :load_build_list, only: [:create, :update] before_action :load_build_list, only: %i(create update)
def index def index
authorize :advisory authorize :advisory
@ -14,6 +14,7 @@ class Api::V1::AdvisoriesController < Api::V1::BaseController
end end
def create def create
authorize :advisory
if @build_list.can_attach_to_advisory? && if @build_list.can_attach_to_advisory? &&
@build_list.associate_and_create_advisory(params[:advisory]) && @build_list.associate_and_create_advisory(params[:advisory]) &&
@build_list.save @build_list.save
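Review bot: `authorize :advisory` in `create` checks AdvisoryPolicy#create?, which in this commit reduces to the user not being a guest, so nothing in this hunk ties the caller to the `@build_list` the advisory is attached to. Unless `load_build_list` (outside the hunk) authorizes the loaded record, consider also authorizing `@build_list` against the relevant BuildListPolicy permission before `associate_and_create_advisory` runs. The `update` action is not in the hunk, so whether it gained the same `authorize` call cannot be seen here; `create`'s body continues past the last hunk line.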


@ -6,8 +6,9 @@ class AdvisoryPolicy < ApplicationPolicy
alias_method :search?, :index? alias_method :search?, :index?
alias_method :show?, :index? alias_method :show?, :index?
def update? def create?
true !user.guest?
end end
alias_method :update?, :create?
end end
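Review bot: `create?` (and `update?` through the new alias) ignores `record` and grants any non-guest user create and update rights on every advisory; if that is intended it deserves a comment so the next reader does not take it for an oversight, e.g. `# Advisories are not owned: any registered (non-guest) user may create or update one.` above `def create?`. The `index?` method the other aliases point at starts above this hunk.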


@ -21,12 +21,13 @@ class ProjectPolicy < ApplicationPolicy
alias_method :refs_list?, :show? alias_method :refs_list?, :show?
def create? def create?
return true if is_admin?
return false if user.guest? return false if user.guest?
return true if is_admin?
owner_policy.write? owner_policy.write?
end end
def update? def update?
return false if user.guest?
is_admin? || owner? || local_admin? is_admin? || owner? || local_admin?
end end
alias_method :alias?, :update? alias_method :alias?, :update?
@ -41,10 +42,12 @@ class ProjectPolicy < ApplicationPolicy
alias_method :schedule?, :update? alias_method :schedule?, :update?
def destroy? def destroy?
return false if user.guest?
is_admin? || owner? || record.owner.is_a?(Group) && record.owner.actors.exists?(actor_type: 'User', actor_id: user.id, role: 'admin') is_admin? || owner? || record.owner.is_a?(Group) && record.owner.actors.exists?(actor_type: 'User', actor_id: user.id, role: 'admin')
end end
def mass_import? def mass_import?
return false if user.guest?
is_admin? || user.platforms.main.find{ |p| local_admin?(p) }.present? is_admin? || user.platforms.main.find{ |p| local_admin?(p) }.present?
end end
@ -57,6 +60,7 @@ class ProjectPolicy < ApplicationPolicy
# for grack # for grack
def write? def write?
return false if user.guest?
is_admin? || owner? || local_writer? is_admin? || owner? || local_writer?
end end
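Review bot: In the second hunk, `destroy?` now combines `||` and `&&` on one line without parentheses; Ruby's precedence gives the intended grouping, but the reader has to work it out, so parenthesize the group clause: `is_admin? || owner? || (record.owner.is_a?(Group) && record.owner.actors.exists?(actor_type: 'User', actor_id: user.id, role: 'admin'))`. In `mass_import?`, `user.platforms.main.find{ |p| local_admin?(p) }.present?` reads more directly as `user.platforms.main.any? { |p| local_admin?(p) }`. The added `return false if user.guest?` guards are applied consistently to update?, destroy?, mass_import? and write?, and `create?` now checks the guest flag before `is_admin?`.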


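--- /dev/null
+++ b/PLACEHOLDER_PATH_advisory_policy_spec
@@ -0,0 +1,31 @@
+require 'spec_helper'
+RSpec.describe AdvisoryPolicy, type: :policy do
+let(:advisory) { FactoryGirl.build(:advisory) }
+subject { described_class }
+%i(index? search? show?).each do |perm|
+permissions perm do
+it "grants access to anonymous user" do
+expect(subject).to permit(User.new, advisory)
+end
+it "grants access to user" do
+expect(subject).to permit(FactoryGirl.create(:user), advisory)
+end
+end
+end
+%i(create? update?).each do |perm|
+permissions perm do
+it "denies access to anonymous user" do
+expect(subject).not_to permit(User.new, advisory)
+end
+it "grants access to user" do
+expect(subject).to permit(FactoryGirl.create(:user), advisory)
+end
+end
+end
+end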
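Review bot: `User.new` stands in for the anonymous user throughout, which only works if an unsaved `User` answers `guest?` with true; that is defined outside this diff, so the specs silently depend on it. A named helper such as `let(:anonymous) { User.new }` at the top of the describe block would make the intent explicit and give one place to change if the guest representation changes. The same applies to the ArchPolicy and BuildListPolicy specs in this commit.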


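--- /dev/null
+++ b/PLACEHOLDER_PATH_arch_policy_spec
@@ -0,0 +1,17 @@
+require 'spec_helper'
+RSpec.describe ArchPolicy, type: :policy do
+let(:arch) { FactoryGirl.build(:arch) }
+subject { described_class }
+permissions :index? do
+it "grants access to anonymous user" do
+expect(subject).to permit(User.new, arch)
+end
+it "grants access to user" do
+expect(subject).to permit(FactoryGirl.create(:user), arch)
+end
+end
+end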


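--- /dev/null
+++ b/PLACEHOLDER_PATH_build_list_policy_spec
@@ -0,0 +1,263 @@
+require 'spec_helper'
+RSpec.describe BuildListPolicy, type: :policy do
+let(:build_list) { FactoryGirl.build(:build_list) }
+subject { described_class }
+permissions :index? do
+it "grants access to anonymous user" do
+expect(subject).to permit(User.new, build_list)
+end
+it "grants access to user" do
+expect(subject).to permit(FactoryGirl.create(:user), build_list)
+end
+end
+%i(show? read? log? everything? owned? everything? list?).each do |perm|
+permissions perm do
+it "grants access for creator" do
+expect(subject).to permit(build_list.user, build_list)
+end
+it "grants access if user can read project" do
+allow_any_instance_of(ProjectPolicy).to receive(:show?).and_return(true)
+expect(subject).to permit(User.new, build_list)
+end
+it "denies access if user can not read project" do
+allow_any_instance_of(ProjectPolicy).to receive(:show?).and_return(false)
+expect(subject).to_not permit(User.new, build_list)
+end
+end
+end
+%i(create? rerun_tests?).each do |perm|
+permissions perm do
+before do
+allow_any_instance_of(ProjectPolicy).to receive(:write?).and_return(true)
+allow_any_instance_of(PlatformPolicy).to receive(:show?).and_return(true)
+end
+it "grants access to user" do
+expect(subject).to permit(FactoryGirl.build(:user), build_list)
+end
+it "denies access if project is not a package" do
+build_list.project.is_package = false
+expect(subject).to_not permit(User.new, build_list)
+end
+it "denies access if user can not write to project" do
+allow_any_instance_of(ProjectPolicy).to receive(:write?).and_return(false)
+expect(subject).to_not permit(User.new, build_list)
+end
+it "denies access if user can not read platform" do
+allow_any_instance_of(PlatformPolicy).to receive(:show?).and_return(false)
+expect(subject).to_not permit(User.new, build_list)
+end
+end
+end
+permissions :dependent_projects? do
+before do
+allow_any_instance_of(BuildListPolicy).to receive(:create?).and_return(true)
+end
+it "grants access to user" do
+expect(subject).to permit(User.new, build_list)
+end
+it "denies access if user can not to create build list" do
+allow_any_instance_of(BuildListPolicy).to receive(:create?).and_return(false)
+expect(subject).to_not permit(User.new, build_list)
+end
+it "denies access if save_to_platform is not main" do
+allow(build_list.save_to_platform).to receive(:main?).and_return(false)
+expect(subject).to_not permit(User.new, build_list)
+end
+end
+permissions :publish_into_testing? do
+before do
+allow_any_instance_of(BuildListPolicy).to receive(:create?).and_return(true)
+allow_any_instance_of(BuildListPolicy).to receive(:publish?).and_return(true)
+allow(build_list).to receive(:can_publish_into_testing?).and_return(true)
+end
+it "grants access to user" do
+expect(subject).to permit(User.new, build_list)
+end
+it "grants access if user can not to create but can publish build list" do
+allow_any_instance_of(BuildListPolicy).to receive(:create?).and_return(false)
+expect(subject).to permit(User.new, build_list)
+end
+it "denies access if build is from old core" do
+build_list.new_core = false
+expect(subject).to_not permit(User.new, build_list)
+end
+it "denies access if build can not be published" do
+allow(build_list).to receive(:can_publish_into_testing?).and_return(false)
+expect(subject).to_not permit(User.new, build_list)
+end
+it "denies access if user can not to create and publish build list" do
+allow_any_instance_of(BuildListPolicy).to receive(:create?).and_return(false)
+allow_any_instance_of(BuildListPolicy).to receive(:publish?).and_return(false)
+expect(subject).to_not permit(User.new, build_list)
+end
+context 'for personal platform' do
+before do
+allow(build_list.save_to_platform).to receive(:main?).and_return(false)
+end
+it "grants access to user" do
+expect(subject).to permit(User.new, build_list)
+end
+it "denies access if user can not to create but can publish build list" do
+allow_any_instance_of(BuildListPolicy).to receive(:create?).and_return(false)
+expect(subject).to_not permit(User.new, build_list)
+end
+end
+end
+permissions :publish? do
+before do
+allow(build_list).to receive(:can_publish?).and_return(true)
+end
+context 'build published' do
+before do
+allow(build_list).to receive(:build_published?).and_return(true)
+end
+it "denies access to user" do
+expect(subject).to_not permit(User.new, build_list)
+end
+it "grants access to admin of platform" do
+allow_any_instance_of(BuildListPolicy).to receive(:local_admin?).
+with(build_list.save_to_platform).and_return(true)
+expect(subject).to permit(User.new, build_list)
+end
+it "grants access to member of repository" do
+allow(build_list.save_to_repository).to receive_message_chain(:members, :exists?).and_return(true)
+expect(subject).to permit(User.new, build_list)
+end
+end
+context 'build not published' do
+it "denies access to user" do
+expect(subject).to_not permit(User.new, build_list)
+end
+it "grants access to admin of platform if publish_without_qa is disabled" do
+build_list.save_to_repository.publish_without_qa = false
+allow_any_instance_of(BuildListPolicy).to receive(:local_admin?).
+with(build_list.save_to_platform).and_return(true)
+expect(subject).to permit(User.new, build_list)
+end
+it "grants access if user can write to project" do
+allow_any_instance_of(ProjectPolicy).to receive(:write?).and_return(true)
+expect(subject).to permit(User.new, build_list)
+end
+end
+end
+permissions :create_container? do
+it "denies access to user" do
+expect(subject).to_not permit(User.new, build_list)
+end
+context 'user can write to project' do
+before do
+allow_any_instance_of(ProjectPolicy).to receive(:write?).and_return(true)
+end
+it "grants access to user" do
+expect(subject).to permit(User.new, build_list)
+end
+it "denies access if build is from old core" do
+build_list.new_core = false
+expect(subject).to_not permit(User.new, build_list)
+end
+end
+context 'user admin of platform' do
+before do
+allow_any_instance_of(BuildListPolicy).to receive(:local_admin?).
+with(build_list.save_to_platform).and_return(true)
+end
+it "grants access to user" do
+expect(subject).to permit(User.new, build_list)
+end
+it "denies access if build is from old core" do
+build_list.new_core = false
+expect(subject).to_not permit(User.new, build_list)
+end
+end
+end
+permissions :reject_publish? do
+it "denies access to user" do
+expect(subject).to_not permit(User.new, build_list)
+end
+it "grants access if user can write to project" do
+allow_any_instance_of(ProjectPolicy).to receive(:write?).and_return(true)
+expect(subject).to permit(User.new, build_list)
+end
+it "denies access to admin of platform" do
+allow_any_instance_of(BuildListPolicy).to receive(:local_admin?).
+with(build_list.save_to_platform).and_return(true)
+expect(subject).to_not permit(User.new, build_list)
+end
+context 'publish_without_qa is disabled' do
+before do
+build_list.save_to_repository.publish_without_qa = false
+end
+it "denies access to user" do
+expect(subject).to_not permit(User.new, build_list)
+end
+it "denies access if user can write to project" do
+allow_any_instance_of(ProjectPolicy).to receive(:write?).and_return(true)
+expect(subject).to_not permit(User.new, build_list)
+end
+it "grants access to admin of platform" do
+allow_any_instance_of(BuildListPolicy).to receive(:local_admin?).
+with(build_list.save_to_platform).and_return(true)
+expect(subject).to permit(User.new, build_list)
+end
+end
+end
+permissions :cancel? do
+it "denies access to user" do
+expect(subject).to_not permit(User.new, build_list)
+end
+it "grants access if user can write to project" do
+allow_any_instance_of(ProjectPolicy).to receive(:write?).and_return(true)
+expect(subject).to permit(User.new, build_list)
+end
+end
+end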
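Review bot: The permission list on the `%i(show? read? log? everything? owned? everything? list?)` line repeats `everything?`, so that permission gets two identical example groups; it should read `%i(show? read? log? everything? owned? list?)`. The `dependent_projects?` and `publish_into_testing?` groups stub the class under test via `allow_any_instance_of(BuildListPolicy).to receive(:create?)`, which ties the spec to the policy's internal call graph rather than to its inputs; stubbing the `ProjectPolicy`/`PlatformPolicy` collaborators as the `create?` group does would exercise the real code path. `receive_message_chain(:members, :exists?)` in the `publish?` group is the same kind of coupling and would be better expressed by setting up the repository members the policy reads.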


@ -3,6 +3,7 @@ ENV["RAILS_ENV"] ||= 'test'
require File.expand_path("../../config/environment", __FILE__) require File.expand_path("../../config/environment", __FILE__)
require 'rspec/rails' require 'rspec/rails'
require 'webmock/rspec' require 'webmock/rspec'
require 'pundit/rspec'
# Requires supporting ruby files with custom matchers and macros, etc, # Requires supporting ruby files with custom matchers and macros, etc,
# in spec/support/ and its subdirectories. # in spec/support/ and its subdirectories.
@ -40,6 +41,7 @@ RSpec.configure do |config|
config.before(:all) { init_test_root } config.before(:all) { init_test_root }
config.after(:all) { clear_test_root } config.after(:all) { clear_test_root }
config.before { stub_redis } config.before { stub_redis }
config.before(type: :policy) { stub_symlink_methods }
end end
def set_session_for(user=nil) def set_session_for(user=nil)