diff --git a/app/controllers/platforms/products_controller.rb b/app/controllers/platforms/products_controller.rb
index a915d3a1b..67714d999 100644
--- a/app/controllers/platforms/products_controller.rb
+++ b/app/controllers/platforms/products_controller.rb
@@ -4,17 +4,17 @@ class Platforms::ProductsController < Platforms::BaseController
 before_action :authenticate_user!
 skip_before_action :authenticate_user!, only: [:index, :show] if APP_CONFIG['anonymous_access']
- before_action :load_product, except: [:create, :autocomplete_project]
+ before_action :load_product, except: %i(index new create autocomplete_project)
 def index
+ authorize @platform.products.new
 @products = @platform.products.paginate(page: params[:page])
 end
 def new
- @product = @platform.products.new
+ authorize @product = @platform.products.new
 end
- def edit
 end
diff --git a/app/policies/product_policy.rb b/app/policies/product_policy.rb
index 620c04f17..86120b9ee 100644
--- a/app/policies/product_policy.rb
+++ b/app/policies/product_policy.rb
@@ -11,7 +11,7 @@ class ProductPolicy < ApplicationPolicy
 def create?
 return false unless record.platform
- is_admin? || record.platform.main? && local_admin?(record.platform)
+ is_admin? || record.platform.main? && ( owner?(record.platform) || local_admin?(record.platform) )
 end
 alias_method :clone?, :create?
 alias_method :destroy?, :create?
diff --git a/spec/policies/product_policy_spec.rb b/spec/policies/product_policy_spec.rb
new file mode 100644
index 000000000..f81857fdc
--- /dev/null
+++ b/spec/policies/product_policy_spec.rb
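Review bot: `authorize @product = @platform.products.new` in `new` buries an instance-variable assignment inside a method argument; written as two statements, `@product = @platform.products.new` followed by `authorize @product`, the side effect is visible and `authorize` receives a plain expression. Separately, `index` now calls `authorize` while the `skip_before_action :authenticate_user!` line above still lets anonymous requests reach it whenever `APP_CONFIG['anonymous_access']` is set, so the policy is consulted with a nil `current_user`; worth confirming that `ProductPolicy#index?` and whatever `ApplicationPolicy` does with `user` tolerate nil rather than raising. As collapsed here, the removed `def edit` is followed by a context `end`; if that `end` was not removed as well the file would no longer parse, so this is presumably a display artifact but deserves a glance. The controller class continues outside the hunk.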
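Review bot: The new condition in `create?` mixes `||` and `&&` with parentheses only around the inner alternative, so a reader has to recall that `&&` binds tighter to see that `is_admin?` short-circuits the whole expression, and the inner parentheses carry padding spaces the Ruby style guide discourages. `is_admin? || (record.platform.main? && (owner?(record.platform) || local_admin?(record.platform)))` states the same precedence explicitly. Because `clone?` and `destroy?` are aliased to `create?` on the lines below, widening to platform owners applies to deletion as well, which the new spec covers on purpose; a comment above the method such as `# Global admins always; otherwise only owners or local admins of a main (non-personal) platform` would record that intent. ProductPolicy continues outside the hunk.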
@@ -0,0 +1,85 @@
+require 'spec_helper'
+
+RSpec.describe ProductPolicy, type: :policy do
+ let(:product) { FactoryGirl.build(:product) }
+ subject { described_class }
+
+ permissions :index? do
+ it "grants access to user" do
+ expect(subject).to permit(User.new, product)
+ end
+
+ context 'personal platform' do
+ let(:platform) { FactoryGirl.build(:personal_platform) }
+ before do
+ product.platform = platform
+ end
+
+ it "denies access to user" do
+ expect(subject).to_not permit(User.new, product)
+ end
+ end
+ end
+
+ %i(show? read?).each do |perm|
+ permissions perm do
+ it "denies access to user if user can not show a platform" do
+ allow_any_instance_of(PlatformPolicy).to receive(:show?).and_return(false)
+ expect(subject).not_to permit(User.new, product)
+ end
+
+ it "grants access if user can show a platform" do
+ allow_any_instance_of(PlatformPolicy).to receive(:show?).and_return(true)
+ expect(subject).to permit(User.new, product)
+ end
+
+ it "grants access for to global admin" do
+ expect(subject).to permit(FactoryGirl.build(:admin), product)
+ end
+ end
+ end
+
+ %i(create? clone? destroy? update?).each do |perm|
+ permissions perm do
+ it "denies access to user" do
+ expect(subject).not_to permit(User.new, product)
+ end
+
+ it "grants access for admin of platform" do
+ allow_any_instance_of(ProductPolicy).to receive(:local_admin?).
+ with(product.platform).and_return(true)
+ expect(subject).to permit(User.new, product)
+ end
+
+ it "grants access for owner of platform" do
+ allow_any_instance_of(ProductPolicy).to receive(:owner?).
+ with(product.platform).and_return(true)
+ expect(subject).to permit(User.new, product)
+ end
+
+ it "grants access for to global admin" do
+ expect(subject).to permit(FactoryGirl.build(:admin), product)
+ end
+
+ context 'personal platform' do
+ let(:platform) { FactoryGirl.build(:personal_platform) }
+ before do
+ product.platform = platform
+ end
+
+ it "denies access for admin of platform" do
+ allow_any_instance_of(ProductPolicy).to receive(:local_admin?).
+ with(product.platform).and_return(true)
+ expect(subject).not_to permit(User.new, product)
+ end
+
+ it "denies access for owner of platform" do
+ allow_any_instance_of(ProductPolicy).to receive(:owner?).
+ with(product.platform).and_return(true)
+ expect(subject).not_to permit(User.new, product)
+ end
+ end
+ end
+ end
+
+end
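Review bot: The example descriptions `"grants access for to global admin"` (used twice) contain a stray word, and the `:index?` personal-platform example uses `to_not` where every other negative expectation in the file uses `not_to`; `"grants access to global admin"` and a consistent `not_to` would read cleaner. The `%i(create? clone? destroy? update?)` loop asserts that `update?` follows the owner/local-admin rule, but the policy change in this commit only aliases `clone?` and `destroy?` to `create?`, so whether `update?` is defined the same way is not visible here and presumably relies on an existing definition. Stubbing `owner?` and `local_admin?` on `ProductPolicy` through `allow_any_instance_of` means these examples verify only the combination logic in `create?`; the real owner and membership checks are exercised nowhere in this spec, which is fine for a unit spec but worth stating in a comment at the top of that block.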