#465: Added specs for ProductPolicy

app/controllers/platforms/products_controller.rb

@@ -4,17 +4,17 @@ class Platforms::ProductsController < Platforms::BaseController
   before_action :authenticate_user!
   skip_before_action :authenticate_user!, only: [:index, :show] if APP_CONFIG['anonymous_access']
 
-  before_action :load_product, except: [:create, :autocomplete_project]
+  before_action :load_product, except: %i(index new create autocomplete_project)
 
   def index
+    authorize @platform.products.new
     @products = @platform.products.paginate(page: params[:page])
   end
 
   def new
-    @product = @platform.products.new
+    authorize @product = @platform.products.new
   end
 
-
   def edit
   end
 

app/policies/product_policy.rb

@@ -11,7 +11,7 @@ class ProductPolicy < ApplicationPolicy
 
   def create?
     return false unless record.platform
-    is_admin? || record.platform.main? && local_admin?(record.platform)
+    is_admin? || record.platform.main? && ( owner?(record.platform) || local_admin?(record.platform) )
   end
   alias_method :clone?,   :create?
   alias_method :destroy?, :create?

spec/policies/product_policy_spec.rb

@@ -0,0 +1,85 @@
+require 'spec_helper'
+
+RSpec.describe ProductPolicy, type: :policy do
+  let(:product) { FactoryGirl.build(:product) }
+  subject { described_class }
+
+  permissions :index? do
+    it "grants access to user" do
+      expect(subject).to permit(User.new, product)
+    end
+
+    context 'personal platform' do
+      let(:platform) { FactoryGirl.build(:personal_platform) }
+      before do
+        product.platform = platform
+      end
+
+      it "denies access to user" do
+        expect(subject).to_not permit(User.new, product)
+      end
+    end
+  end
+
+  %i(show? read?).each do |perm|
+    permissions perm do
+      it "denies access to user if user can not show a platform" do
+        allow_any_instance_of(PlatformPolicy).to receive(:show?).and_return(false)
+        expect(subject).not_to permit(User.new, product)
+      end
+
+      it "grants access if user can show a platform" do
+        allow_any_instance_of(PlatformPolicy).to receive(:show?).and_return(true)
+        expect(subject).to permit(User.new, product)
+      end
+
+      it "grants access for to global admin" do
+        expect(subject).to permit(FactoryGirl.build(:admin), product)
+      end
+    end
+  end
+
+  %i(create? clone? destroy? update?).each do |perm|
+    permissions perm do
+      it "denies access to user" do
+        expect(subject).not_to permit(User.new, product)
+      end
+
+      it "grants access for admin of platform" do
+        allow_any_instance_of(ProductPolicy).to receive(:local_admin?).
+          with(product.platform).and_return(true)
+        expect(subject).to permit(User.new, product)
+      end
+
+      it "grants access for owner of platform" do
+        allow_any_instance_of(ProductPolicy).to receive(:owner?).
+          with(product.platform).and_return(true)
+        expect(subject).to permit(User.new, product)
+      end
+
+      it "grants access for to global admin" do
+        expect(subject).to permit(FactoryGirl.build(:admin), product)
+      end
+
+      context 'personal platform' do
+        let(:platform) { FactoryGirl.build(:personal_platform) }
+        before do
+          product.platform = platform
+        end
+
+        it "denies access for admin of platform" do
+          allow_any_instance_of(ProductPolicy).to receive(:local_admin?).
+            with(product.platform).and_return(true)
+          expect(subject).not_to permit(User.new, product)
+        end
+
+        it "denies access for owner of platform" do
+          allow_any_instance_of(ProductPolicy).to receive(:owner?).
+            with(product.platform).and_return(true)
+          expect(subject).not_to permit(User.new, product)
+        end
+      end
+    end
+  end
+
+end