authorMatt Jankowski <matt@jankowski.online>2023-03-04 10:57:22 -0500
committerGitHub <noreply@github.com>2023-03-04 16:57:22 +0100
commit00eb2269b691b90f361dd03454cf823934389282 (patch)
tree9570ca0e075a4b7ed3b8db80746a5a19b5db37b2
parent6a57c423169d76301078948821c1da916dcdf75b (diff)
Policies specs (#23924)
-rw-r--r--spec/policies/account_policy_spec.rb40
-rw-r--r--spec/policies/account_warning_preset_policy_spec.rb24
-rw-r--r--spec/policies/admin/status_policy_spec.rb51
-rw-r--r--spec/policies/announcement_policy_spec.rb24
-rw-r--r--spec/policies/appeal_policy_spec.rb51
-rw-r--r--spec/policies/canonical_email_block_policy_spec.rb24
-rw-r--r--spec/policies/delivery_policy_spec.rb24
-rw-r--r--spec/policies/email_domain_block_policy_spec.rb2
-rw-r--r--spec/policies/follow_recommendation_policy_spec.rb24
-rw-r--r--spec/policies/ip_block_policy_spec.rb24
-rw-r--r--spec/policies/preview_card_policy_spec.rb24
-rw-r--r--spec/policies/preview_card_provider_policy_spec.rb24
-rw-r--r--spec/policies/rule_policy_spec.rb24
-rw-r--r--spec/policies/settings_policy_spec.rb2
-rw-r--r--spec/policies/status_policy_spec.rb8
-rw-r--r--spec/policies/tag_policy_spec.rb2
-rw-r--r--spec/policies/webhook_policy_spec.rb24
17 files changed, 393 insertions, 3 deletions
diff --git a/spec/policies/account_policy_spec.rb b/spec/policies/account_policy_spec.rb
index 0f23fd97e..d96153233 100644
--- a/spec/policies/account_policy_spec.rb
+++ b/spec/policies/account_policy_spec.rb
@@ -116,4 +116,44 @@ RSpec.describe AccountPolicy do
       end
     end
   end
+
+  permissions :review? do
+    context 'admin' do
+      it 'permits' do
+        expect(subject).to permit(admin)
+      end
+    end
+
+    context 'not admin' do
+      it 'denies' do
+        expect(subject).to_not permit(john)
+      end
+    end
+  end
+
+  permissions :destroy? do
+    context 'admin' do
+      context 'with a temporarily suspended account' do
+        before { allow(alice).to receive(:suspended_temporarily?).and_return(true) }
+
+        it 'permits' do
+          expect(subject).to permit(admin, alice)
+        end
+      end
+
+      context 'with a not temporarily suspended account' do
+        before { allow(alice).to receive(:suspended_temporarily?).and_return(false) }
+
+        it 'denies' do
+          expect(subject).to_not permit(admin, alice)
+        end
+      end
+    end
+
+    context 'not admin' do
+      it 'denies' do
+        expect(subject).to_not permit(john, alice)
+      end
+    end
+  end
 end
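Review bot: The `not admin` context under `permissions :destroy?` does not stub `suspended_temporarily?`, so the denial for `john` may come from alice's suspension state rather than from the role check. Pinning the state in which an admin would be permitted, e.g. `before { allow(alice).to receive(:suspended_temporarily?).and_return(true) }` inside that context, makes the example fail if the role check is ever dropped. The same gap appears in the `with a non admin` contexts for `reject?` in appeal_policy_spec.rb and `show?` in admin/status_policy_spec.rb. The enclosing `RSpec.describe AccountPolicy` block starts outside this hunk, so how `alice` is set up is not visible here.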
diff --git a/spec/policies/account_warning_preset_policy_spec.rb b/spec/policies/account_warning_preset_policy_spec.rb
new file mode 100644
index 000000000..63bf33de2
--- /dev/null
+++ b/spec/policies/account_warning_preset_policy_spec.rb
@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+require 'pundit/rspec'
+
+describe AccountWarningPresetPolicy do
+  let(:policy) { described_class }
+  let(:admin)   { Fabricate(:user, role: UserRole.find_by(name: 'Admin')).account }
+  let(:john)    { Fabricate(:account) }
+
+  permissions :index?, :create?, :update?, :destroy? do
+    context 'with an admin' do
+      it 'permits' do
+        expect(policy).to permit(admin, Tag)
+      end
+    end
+
+    context 'with a non-admin' do
+      it 'denies' do
+        expect(policy).to_not permit(john, Tag)
+      end
+    end
+  end
+end
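Review bot: Both expectations pass `Tag` as the record (`permit(admin, Tag)`, `permit(john, Tag)`) although the policy under test is AccountWarningPresetPolicy, so the spec only passes as long as the policy never looks at its record. The existing specs touched by this commit pass the matching class (`permit(admin, EmailDomainBlock)`, `permit(admin, Settings)`); here that would be `expect(policy).to permit(admin, AccountWarningPreset)` and `expect(policy).to_not permit(john, AccountWarningPreset)`, assuming the model is named after the policy. The same placeholder is used in the new admin/status, announcement, appeal (`index?`), canonical_email_block, delivery, follow_recommendation, ip_block, preview_card, preview_card_provider, rule and webhook policy specs.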
diff --git a/spec/policies/admin/status_policy_spec.rb b/spec/policies/admin/status_policy_spec.rb
new file mode 100644
index 000000000..9e81a4f5f
--- /dev/null
+++ b/spec/policies/admin/status_policy_spec.rb
@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+require 'pundit/rspec'
+
+describe Admin::StatusPolicy do
+  let(:policy) { described_class }
+  let(:admin)   { Fabricate(:user, role: UserRole.find_by(name: 'Admin')).account }
+  let(:john)    { Fabricate(:account) }
+  let(:status) { Fabricate(:status) }
+
+  permissions :index?, :update?, :review?, :destroy? do
+    context 'with an admin' do
+      it 'permits' do
+        expect(policy).to permit(admin, Tag)
+      end
+    end
+
+    context 'with a non-admin' do
+      it 'denies' do
+        expect(policy).to_not permit(john, Tag)
+      end
+    end
+  end
+
+  permissions :show? do
+    context 'with an admin' do
+      context 'with a public visible status' do
+        before { allow(status).to receive(:public_visibility?).and_return(true) }
+
+        it 'permits' do
+          expect(policy).to permit(admin, status)
+        end
+      end
+
+      context 'with a not public visible status' do
+        before { allow(status).to receive(:public_visibility?).and_return(false) }
+
+        it 'denies' do
+          expect(policy).to_not permit(admin, status)
+        end
+      end
+    end
+
+    context 'with a non admin' do
+      it 'denies' do
+        expect(policy).to_not permit(john, status)
+      end
+    end
+  end
+end
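Review bot: The `show?` contexts stub `public_visibility?` on the fabricated status instead of giving it a real visibility, so the spec never shows which concrete visibilities an admin is denied. Setting the attribute the way status_policy_spec.rb does, e.g. `before { status.visibility = :direct }` for the deny case, would pin that this policy refuses a non-public status without depending on the predicate's name; this assumes `public_visibility?` is derived from `visibility`, which is not visible here. If the stub is kept, a comment such as `# stubbed: show? is expected to depend only on public_visibility?` would record that assumption.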
diff --git a/spec/policies/announcement_policy_spec.rb b/spec/policies/announcement_policy_spec.rb
new file mode 100644
index 000000000..3d230b3cb
--- /dev/null
+++ b/spec/policies/announcement_policy_spec.rb
@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+require 'pundit/rspec'
+
+describe AnnouncementPolicy do
+  let(:policy) { described_class }
+  let(:admin)   { Fabricate(:user, role: UserRole.find_by(name: 'Admin')).account }
+  let(:john)    { Fabricate(:account) }
+
+  permissions :index?, :create?, :update?, :destroy? do
+    context 'with an admin' do
+      it 'permits' do
+        expect(policy).to permit(admin, Tag)
+      end
+    end
+
+    context 'with a non-admin' do
+      it 'denies' do
+        expect(policy).to_not permit(john, Tag)
+      end
+    end
+  end
+end
diff --git a/spec/policies/appeal_policy_spec.rb b/spec/policies/appeal_policy_spec.rb
new file mode 100644
index 000000000..d7498eb9f
--- /dev/null
+++ b/spec/policies/appeal_policy_spec.rb
@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+require 'pundit/rspec'
+
+describe AppealPolicy do
+  let(:policy) { described_class }
+  let(:admin)   { Fabricate(:user, role: UserRole.find_by(name: 'Admin')).account }
+  let(:john)    { Fabricate(:account) }
+  let(:appeal) { Fabricate(:appeal) }
+
+  permissions :index? do
+    context 'with an admin' do
+      it 'permits' do
+        expect(policy).to permit(admin, Tag)
+      end
+    end
+
+    context 'with a non-admin' do
+      it 'denies' do
+        expect(policy).to_not permit(john, Tag)
+      end
+    end
+  end
+
+  permissions :reject? do
+    context 'with an admin' do
+      context 'with a pending appeal' do
+        before { allow(appeal).to receive(:pending?).and_return(true) }
+
+        it 'permits' do
+          expect(policy).to permit(admin, appeal)
+        end
+      end
+
+      context 'with a not pending appeal' do
+        before { allow(appeal).to receive(:pending?).and_return(false) }
+
+        it 'denies' do
+          expect(policy).to_not permit(admin, appeal)
+        end
+      end
+    end
+
+    context 'with a non admin' do
+      it 'denies' do
+        expect(policy).to_not permit(john, appeal)
+      end
+    end
+  end
+end
diff --git a/spec/policies/canonical_email_block_policy_spec.rb b/spec/policies/canonical_email_block_policy_spec.rb
new file mode 100644
index 000000000..0e55febfa
--- /dev/null
+++ b/spec/policies/canonical_email_block_policy_spec.rb
@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+require 'pundit/rspec'
+
+describe CanonicalEmailBlockPolicy do
+  let(:policy) { described_class }
+  let(:admin)   { Fabricate(:user, role: UserRole.find_by(name: 'Admin')).account }
+  let(:john)    { Fabricate(:account) }
+
+  permissions :index?, :show?, :test?, :create?, :destroy? do
+    context 'with an admin' do
+      it 'permits' do
+        expect(policy).to permit(admin, Tag)
+      end
+    end
+
+    context 'with a non-admin' do
+      it 'denies' do
+        expect(policy).to_not permit(john, Tag)
+      end
+    end
+  end
+end
diff --git a/spec/policies/delivery_policy_spec.rb b/spec/policies/delivery_policy_spec.rb
new file mode 100644
index 000000000..fbcbf390d
--- /dev/null
+++ b/spec/policies/delivery_policy_spec.rb
@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+require 'pundit/rspec'
+
+describe DeliveryPolicy do
+  let(:policy) { described_class }
+  let(:admin)   { Fabricate(:user, role: UserRole.find_by(name: 'Admin')).account }
+  let(:john)    { Fabricate(:account) }
+
+  permissions :clear_delivery_errors?, :restart_delivery?, :stop_delivery? do
+    context 'with an admin' do
+      it 'permits' do
+        expect(policy).to permit(admin, Tag)
+      end
+    end
+
+    context 'with a non-admin' do
+      it 'denies' do
+        expect(policy).to_not permit(john, Tag)
+      end
+    end
+  end
+end
diff --git a/spec/policies/email_domain_block_policy_spec.rb b/spec/policies/email_domain_block_policy_spec.rb
index 913075c3d..e7c455907 100644
--- a/spec/policies/email_domain_block_policy_spec.rb
+++ b/spec/policies/email_domain_block_policy_spec.rb
@@ -8,7 +8,7 @@ RSpec.describe EmailDomainBlockPolicy do
   let(:admin)   { Fabricate(:user, role: UserRole.find_by(name: 'Admin')).account }
   let(:john)    { Fabricate(:account) }
 
-  permissions :index?, :create?, :destroy? do
+  permissions :index?, :show?, :create?, :destroy? do
     context 'admin' do
       it 'permits' do
         expect(subject).to permit(admin, EmailDomainBlock)
diff --git a/spec/policies/follow_recommendation_policy_spec.rb b/spec/policies/follow_recommendation_policy_spec.rb
new file mode 100644
index 000000000..01f4da0be
--- /dev/null
+++ b/spec/policies/follow_recommendation_policy_spec.rb
@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+require 'pundit/rspec'
+
+describe FollowRecommendationPolicy do
+  let(:policy) { described_class }
+  let(:admin)   { Fabricate(:user, role: UserRole.find_by(name: 'Admin')).account }
+  let(:john)    { Fabricate(:account) }
+
+  permissions :show?, :suppress?, :unsuppress? do
+    context 'with an admin' do
+      it 'permits' do
+        expect(policy).to permit(admin, Tag)
+      end
+    end
+
+    context 'with a non-admin' do
+      it 'denies' do
+        expect(policy).to_not permit(john, Tag)
+      end
+    end
+  end
+end
diff --git a/spec/policies/ip_block_policy_spec.rb b/spec/policies/ip_block_policy_spec.rb
new file mode 100644
index 000000000..3cfa85863
--- /dev/null
+++ b/spec/policies/ip_block_policy_spec.rb
@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+require 'pundit/rspec'
+
+describe IpBlockPolicy do
+  let(:policy) { described_class }
+  let(:admin)   { Fabricate(:user, role: UserRole.find_by(name: 'Admin')).account }
+  let(:john)    { Fabricate(:account) }
+
+  permissions :index?, :show?, :create?, :update?, :destroy? do
+    context 'with an admin' do
+      it 'permits' do
+        expect(policy).to permit(admin, Tag)
+      end
+    end
+
+    context 'with a non-admin' do
+      it 'denies' do
+        expect(policy).to_not permit(john, Tag)
+      end
+    end
+  end
+end
diff --git a/spec/policies/preview_card_policy_spec.rb b/spec/policies/preview_card_policy_spec.rb
new file mode 100644
index 000000000..d6675c5b3
--- /dev/null
+++ b/spec/policies/preview_card_policy_spec.rb
@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+require 'pundit/rspec'
+
+describe PreviewCardPolicy do
+  let(:policy) { described_class }
+  let(:admin)   { Fabricate(:user, role: UserRole.find_by(name: 'Admin')).account }
+  let(:john)    { Fabricate(:account) }
+
+  permissions :index?, :review? do
+    context 'with an admin' do
+      it 'permits' do
+        expect(policy).to permit(admin, Tag)
+      end
+    end
+
+    context 'with a non-admin' do
+      it 'denies' do
+        expect(policy).to_not permit(john, Tag)
+      end
+    end
+  end
+end
diff --git a/spec/policies/preview_card_provider_policy_spec.rb b/spec/policies/preview_card_provider_policy_spec.rb
new file mode 100644
index 000000000..8d3715de9
--- /dev/null
+++ b/spec/policies/preview_card_provider_policy_spec.rb
@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+require 'pundit/rspec'
+
+describe PreviewCardProviderPolicy do
+  let(:policy) { described_class }
+  let(:admin)   { Fabricate(:user, role: UserRole.find_by(name: 'Admin')).account }
+  let(:john)    { Fabricate(:account) }
+
+  permissions :index?, :review? do
+    context 'with an admin' do
+      it 'permits' do
+        expect(policy).to permit(admin, Tag)
+      end
+    end
+
+    context 'with a non-admin' do
+      it 'denies' do
+        expect(policy).to_not permit(john, Tag)
+      end
+    end
+  end
+end
diff --git a/spec/policies/rule_policy_spec.rb b/spec/policies/rule_policy_spec.rb
new file mode 100644
index 000000000..0e45f6df0
--- /dev/null
+++ b/spec/policies/rule_policy_spec.rb
@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+require 'pundit/rspec'
+
+describe RulePolicy do
+  let(:policy) { described_class }
+  let(:admin)   { Fabricate(:user, role: UserRole.find_by(name: 'Admin')).account }
+  let(:john)    { Fabricate(:account) }
+
+  permissions :index?, :create?, :update?, :destroy? do
+    context 'with an admin' do
+      it 'permits' do
+        expect(policy).to permit(admin, Tag)
+      end
+    end
+
+    context 'with a non-admin' do
+      it 'denies' do
+        expect(policy).to_not permit(john, Tag)
+      end
+    end
+  end
+end
diff --git a/spec/policies/settings_policy_spec.rb b/spec/policies/settings_policy_spec.rb
index e16ee51a4..3268c1622 100644
--- a/spec/policies/settings_policy_spec.rb
+++ b/spec/policies/settings_policy_spec.rb
@@ -8,7 +8,7 @@ RSpec.describe SettingsPolicy do
   let(:admin)   { Fabricate(:user, role: UserRole.find_by(name: 'Admin')).account }
   let(:john)    { Fabricate(:account) }
 
-  permissions :update?, :show? do
+  permissions :update?, :show?, :destroy? do
     context 'admin?' do
       it 'permits' do
         expect(subject).to permit(admin, Settings)
diff --git a/spec/policies/status_policy_spec.rb b/spec/policies/status_policy_spec.rb
index b88521708..9ae54780e 100644
--- a/spec/policies/status_policy_spec.rb
+++ b/spec/policies/status_policy_spec.rb
@@ -39,6 +39,14 @@ RSpec.describe StatusPolicy, type: :model do
       expect(subject).to permit(alice, status)
     end
 
+    it 'grants access when direct and non-owner viewer is mentioned and mentions are loaded' do
+      status.visibility = :direct
+      status.mentions = [Fabricate(:mention, account: bob)]
+      status.mentions.load
+
+      expect(subject).to permit(bob, status)
+    end
+
     it 'denies access when direct and viewer is not mentioned' do
       viewer = Fabricate(:account)
       status.visibility = :direct
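Review bot: The new example covers only the permit path with `status.mentions.load`; there is no matching denial for a direct status whose mentions are already loaded, and the `denies access when direct and viewer is not mentioned` example that follows does not appear to load them (it continues past the end of this hunk). If the policy takes a different branch when the association is loaded, as the example name suggests, an unmentioned viewer on that branch is untested, and that is the case where a mistake would expose a direct message. A companion example next to the new one would close this.

```ruby
    it 'denies access when direct and viewer is not mentioned and mentions are loaded' do
      viewer = Fabricate(:account)
      status.visibility = :direct
      status.mentions = [Fabricate(:mention, account: bob)]
      status.mentions.load

      expect(subject).to_not permit(viewer, status)
    end
```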
diff --git a/spec/policies/tag_policy_spec.rb b/spec/policies/tag_policy_spec.rb
index 9be7140fc..fb09fdd3b 100644
--- a/spec/policies/tag_policy_spec.rb
+++ b/spec/policies/tag_policy_spec.rb
@@ -8,7 +8,7 @@ RSpec.describe TagPolicy do
   let(:admin)   { Fabricate(:user, role: UserRole.find_by(name: 'Admin')).account }
   let(:john)    { Fabricate(:account) }
 
-  permissions :index?, :show?, :update? do
+  permissions :index?, :show?, :update?, :review? do
     context 'staff?' do
       it 'permits' do
         expect(subject).to permit(admin, Tag)
diff --git a/spec/policies/webhook_policy_spec.rb b/spec/policies/webhook_policy_spec.rb
new file mode 100644
index 000000000..1eac8932d
--- /dev/null
+++ b/spec/policies/webhook_policy_spec.rb
@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+require 'pundit/rspec'
+
+describe WebhookPolicy do
+  let(:policy) { described_class }
+  let(:admin)   { Fabricate(:user, role: UserRole.find_by(name: 'Admin')).account }
+  let(:john)    { Fabricate(:account) }
+
+  permissions :index?, :create?, :show?, :update?, :enable?, :disable?, :rotate_secret?, :destroy? do
+    context 'with an admin' do
+      it 'permits' do
+        expect(policy).to permit(admin, Tag)
+      end
+    end
+
+    context 'with a non-admin' do
+      it 'denies' do
+        expect(policy).to_not permit(john, Tag)
+      end
+    end
+  end
+end
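Review bot: The denial case uses `john`, which as far as this file shows is `Fabricate(:account)` with no user or role attached, so the spec distinguishes only the Admin role from an account with no role at all. For actions such as `rotate_secret?` and `destroy?` the interesting denial is a user whose role carries other staff permissions but not the one this policy requires; a policy that accepted any staff role would still pass here. A third context with such a user, fabricated the same way as `admin` but with a role that lacks the webhook permission, would pin that boundary. The other admin-only specs added in this commit have the same two-point coverage.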