mirror of
https://github.com/opf/openproject.git
synced 2026-06-14 03:30:14 +00:00
Jan Sandbrink
0b87e7543f
Rolling out frozen string literals further by freezing all string literals in core specs.
285 lines
9.5 KiB
Ruby
285 lines
9.5 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
#-- copyright
|
|
# OpenProject is an open source project management software.
|
|
# Copyright (C) the OpenProject GmbH
|
|
#
|
|
# This program is free software; you can redistribute it and/or
|
|
# modify it under the terms of the GNU General Public License version 3.
|
|
#
|
|
# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
|
|
# Copyright (C) 2006-2013 Jean-Philippe Lang
|
|
# Copyright (C) 2010-2013 the ChiliProject Team
|
|
#
|
|
# This program is free software; you can redistribute it and/or
|
|
# modify it under the terms of the GNU General Public License
|
|
# as published by the Free Software Foundation; either version 2
|
|
# of the License, or (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program; if not, write to the Free Software
|
|
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
|
#
|
|
# See COPYRIGHT and LICENSE files for more details.
|
|
#++
|
|
|
|
require "spec_helper"
|
|
|
|
RSpec.describe Authorization do
|
|
let(:user) { build_stubbed(:user) }
|
|
let(:action) { :view_work_packages }
|
|
|
|
describe ".users" do
|
|
it "calls Authorization::UserAllowedQuery" do
|
|
expect(Authorization::UserAllowedQuery).to receive(:query).with(action, user)
|
|
described_class.users(action, user)
|
|
end
|
|
end
|
|
|
|
describe ".projects" do
|
|
it "uses the .allowed_to scope on Project" do
|
|
expect(Project).to receive(:allowed_to).with(user, action)
|
|
described_class.projects(action, user)
|
|
end
|
|
end
|
|
|
|
describe ".work_packages" do
|
|
it "uses the .allowed_to scope on WorkPackage" do
|
|
expect(WorkPackage).to receive(:allowed_to).with(user, action)
|
|
described_class.work_packages(action, user)
|
|
end
|
|
end
|
|
|
|
describe ".roles" do
|
|
context "with a project" do
|
|
let(:context) { build_stubbed(:project) }
|
|
|
|
it "calls Authorization::UserProjectRolesQuery" do
|
|
expect(Authorization::UserProjectRolesQuery).to receive(:query).with(user, context)
|
|
described_class.roles(user, context)
|
|
end
|
|
end
|
|
|
|
context "with a WorkPackage" do
|
|
let(:context) { build_stubbed(:work_package) }
|
|
|
|
it "calls Authorization::UserEntityRolesQuery" do
|
|
expect(Authorization::UserEntityRolesQuery).to receive(:query).with(user, context)
|
|
described_class.roles(user, context)
|
|
end
|
|
end
|
|
|
|
context "without a context" do
|
|
let(:context) { nil }
|
|
|
|
it "calls Authorization::UserGlobalRolesQuery" do
|
|
expect(Authorization::UserGlobalRolesQuery).to receive(:query).with(user)
|
|
described_class.roles(user, context)
|
|
end
|
|
end
|
|
end
|
|
|
|
describe ".permissions_for" do
|
|
let(:raise_on_unknown) { false }
|
|
|
|
subject { described_class.permissions_for(action, raise_on_unknown:) }
|
|
|
|
context "when called with a Permission object" do
|
|
let(:action) { OpenProject::AccessControl.permission(:view_work_packages) }
|
|
|
|
it "returns the Permission object wrapped in an array" do
|
|
expect(subject).to eq([action])
|
|
end
|
|
end
|
|
|
|
context "when called with an array of Permission objects" do
|
|
let(:action) do
|
|
[
|
|
OpenProject::AccessControl.permission(:view_work_packages),
|
|
OpenProject::AccessControl.permission(:edit_work_packages)
|
|
]
|
|
end
|
|
|
|
it "returns the Permission array" do
|
|
expect(subject).to eq(action)
|
|
end
|
|
end
|
|
|
|
context "when action is a Hash where controller starts with a slash" do
|
|
let(:action) do
|
|
{ controller: "/work_packages", action: "show" }
|
|
end
|
|
|
|
it "returns all permissions that grant the permission to this URL" do
|
|
# there might be more permissions granting access to this URL, we check for a known one
|
|
expect(subject).to include(OpenProject::AccessControl.permission(:view_work_packages))
|
|
end
|
|
end
|
|
|
|
context "when action is a Hash where controller does not start with a slash" do
|
|
let(:action) do
|
|
{ controller: "work_packages", action: "show" }
|
|
end
|
|
|
|
it "returns all permissions that grant the permission to this URL" do
|
|
# there might be more permissions granting access to this URL, we check for a known one
|
|
expect(subject).to include(OpenProject::AccessControl.permission(:view_work_packages))
|
|
end
|
|
end
|
|
|
|
context "when action is a permission name" do
|
|
let(:action) { :view_work_packages }
|
|
|
|
it "returns the Permission object wrapped in an array" do
|
|
expect(subject).to eq([OpenProject::AccessControl.permission(:view_work_packages)])
|
|
end
|
|
end
|
|
|
|
context "when action is an array of permission names" do
|
|
let(:action) { %i[view_work_packages edit_work_packages] }
|
|
|
|
it "returns the Permission object wrapped in an array" do
|
|
expect(subject).to eq([
|
|
OpenProject::AccessControl.permission(:view_work_packages),
|
|
OpenProject::AccessControl.permission(:edit_work_packages)
|
|
])
|
|
end
|
|
end
|
|
|
|
context "when there is a permission but it is disabled" do
|
|
let(:permission_object) { OpenProject::AccessControl.permission(:manage_user) }
|
|
let(:action) { permission_object.name }
|
|
|
|
around do |example|
|
|
permission_object.disable!
|
|
OpenProject::AccessControl.clear_caches
|
|
example.run
|
|
ensure
|
|
permission_object.enable!
|
|
OpenProject::AccessControl.clear_caches
|
|
end
|
|
|
|
it "returns an empty array and does not warn or raise" do
|
|
expect(Rails.logger).not_to receive(:debug)
|
|
expect do
|
|
expect(subject).to be_empty
|
|
end.not_to raise_error
|
|
end
|
|
end
|
|
|
|
context "when there is no permission" do
|
|
let(:action) { :this_permission_does_not_exist }
|
|
|
|
context "and raise_on_unknown is false" do
|
|
let(:raise_on_unknown) { false }
|
|
|
|
it "warns and returns an empty array" do
|
|
allow(Rails.logger).to receive(:debug)
|
|
|
|
expect(subject).to be_empty
|
|
|
|
expect(Rails.logger).to have_received(:debug) do |_, &block|
|
|
expect(block.call).to include("Used permission \"#{action}\" that is not defined.")
|
|
end
|
|
end
|
|
end
|
|
|
|
context "and raise_on_unknown is true" do
|
|
let(:raise_on_unknown) { true }
|
|
|
|
it "warns and raises" do
|
|
allow(Rails.logger).to receive(:debug)
|
|
|
|
expect { subject }.to raise_error(Authorization::UnknownPermissionError)
|
|
|
|
expect(Rails.logger).to have_received(:debug) do |_, &block|
|
|
expect(block.call).to include("Used permission \"#{action}\" that is not defined.")
|
|
end
|
|
end
|
|
end
|
|
end
|
|
|
|
describe ".contextual_permissions" do
|
|
subject { described_class.contextual_permissions(action, context, raise_on_unknown:) }
|
|
|
|
let(:raise_on_unknown) { false }
|
|
let(:context) { nil }
|
|
|
|
let(:global_permission) { OpenProject::AccessControl.permission(:manage_user) }
|
|
let(:project_permission) { OpenProject::AccessControl.permission(:manage_members) }
|
|
let(:project_and_work_package_permission) { OpenProject::AccessControl.permission(:view_work_packages) }
|
|
|
|
let(:returned_permissions) do
|
|
[
|
|
global_permission,
|
|
project_permission,
|
|
project_and_work_package_permission
|
|
]
|
|
end
|
|
|
|
before do
|
|
allow(described_class).to receive(:permissions_for).and_return(returned_permissions)
|
|
end
|
|
|
|
context "with global context" do
|
|
let(:context) { :global }
|
|
|
|
context "when a global permission is part of the returned permissions" do
|
|
it "returns only the global permission" do
|
|
expect(subject).to eq([global_permission])
|
|
end
|
|
end
|
|
|
|
context "when no global permission is part of the returned permissions" do
|
|
let(:returned_permissions) { [project_permission, project_and_work_package_permission] }
|
|
|
|
it "raises an IllegalPermissionContextError" do
|
|
expect { subject }.to raise_error(Authorization::IllegalPermissionContextError)
|
|
end
|
|
end
|
|
end
|
|
|
|
context "with project context" do
|
|
let(:context) { :project }
|
|
|
|
context "when a project permission is part of the returned permissions" do
|
|
it "returns only the project permissions" do
|
|
expect(subject).to eq([project_permission, project_and_work_package_permission])
|
|
end
|
|
end
|
|
|
|
context "when no project permission is part of the returned permissions" do
|
|
let(:returned_permissions) { [global_permission] }
|
|
|
|
it "raises an IllegalPermissionContextError" do
|
|
expect { subject }.to raise_error(Authorization::IllegalPermissionContextError)
|
|
end
|
|
end
|
|
end
|
|
|
|
context "with work package context" do
|
|
let(:context) { :work_package }
|
|
|
|
context "when a work package permission is part of the returned permissions" do
|
|
it "returns only the work package permission" do
|
|
expect(subject).to eq([project_and_work_package_permission])
|
|
end
|
|
end
|
|
|
|
context "when no work package permission is part of the returned permissions" do
|
|
let(:returned_permissions) { [global_permission, project_permission] }
|
|
|
|
it "raises an IllegalPermissionContextError" do
|
|
expect { subject }.to raise_error(Authorization::IllegalPermissionContextError)
|
|
end
|
|
end
|
|
end
|
|
end
|
|
end
|
|
end
|