Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Apply authorisation changes to actors controller #76

Merged
merged 2 commits into from
Jan 18, 2024
Merged

Apply authorisation changes to actors controller #76

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
dbc984e
also apply change to actors controller
tmfrnz Jan 4, 2024
5642c14
Add destroy specs and make the actor not draft
parndt Jan 18, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 6 additions & 6 deletions app/controllers/actors_controller.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,8 +1,6 @@
# frozen_string_literal: true

class ActorsController < ApplicationController
before_action :set_and_authorize_actor, only: [:show, :update, :destroy]

# GET /actors
def index
@actors = policy_scope(base_object).order(created_at: :desc).page(params[:page])
Expand Down Expand Up @@ -35,7 +33,7 @@ def update
return render json: '{"error":"Record outdated"}', status: :unprocessable_entity
end
if @actor.update!(permitted_attributes(@actor))
set_and_authorize_actor

render json: serialize(@actor)
end
end
Expand All @@ -52,11 +50,13 @@ def base_object
end

# Use callbacks to share common setup or constraints between actions.
def set_and_authorize_actor
@actor = policy_scope(base_object).find(params[:id])
authorize @actor
def authorize!
@actor = policy_scope(base_object)&.find(params[:id]) if params[:id]

authorize @actor || base_object
end


def serialize(target, serializer: ActorSerializer)
super
end
Expand Down
95 changes: 76 additions & 19 deletions spec/controllers/actors_controller_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -231,7 +231,7 @@
end

describe "PUT update" do
let(:actor) { FactoryBot.create(:actor) }
let(:actor) { FactoryBot.create(:actor, :not_draft) }
subject do
put :update,
format: :json,
Expand Down Expand Up @@ -327,34 +327,91 @@
end
end

describe "Delete destroy" do
describe "DELETE destroy" do
let(:actor) { FactoryBot.create(:actor) }
subject { delete :destroy, format: :json, params: {id: actor} }

context "when not signed in" do
it "not allow deleting an actor" do
expect(subject).to be_unauthorized
context "when signed in" do
before { sign_in user }

context "as a guest" do
let(:user) { FactoryBot.create(:user) }

context "with an actor not belonging to the signed in user" do
let(:actor) { FactoryBot.create(:actor) }

it "will not allow you to delete an actor" do
expect(subject).to be_forbidden
end
end

context "with an actor belonging to the signed in user" do
let(:actor) { FactoryBot.create(:actor, created_by: user) }

it "will not allow you to delete an actor" do
expect(subject).to be_forbidden
end
end
end
end

context "when user signed in" do
let(:admin) { FactoryBot.create(:user, :admin) }
let(:guest) { FactoryBot.create(:user) }
let(:user) { FactoryBot.create(:user, :manager) }
context "as a manager" do
let(:user) { FactoryBot.create(:user, :manager) }

it "will not allow a guest to delete an actor" do
sign_in guest
expect(subject).to be_forbidden
context "with an actor not belonging to the signed in user" do
let(:actor) { FactoryBot.create(:actor) }

it "will not allow you to delete an actor" do
expect(subject).to be_forbidden
end
end

context "with an actor belonging to the signed in user" do
let(:actor) { FactoryBot.create(:actor, created_by: user) }

it "will allow you to delete an actor" do
expect(subject).to be_no_content
end
end
end

it "will not allow a manager to delete an actor" do
sign_in manager
expect(subject).to be_forbidden
context "as a coordinator" do
let(:user) { FactoryBot.create(:user, :coordinator) }

context "with an actor not belonging to the signed in user" do
let(:actor) { FactoryBot.create(:actor) }

it "will not allow you to delete an actor" do
expect(subject).to be_forbidden
end
end

context "with an actor belonging to the signed in user" do
let(:actor) { FactoryBot.create(:actor, created_by: user) }

it "will allow you to delete an actor" do
expect(subject).to be_no_content
end
end
end

it "will allow an admin to delete an actor" do
sign_in admin
expect(subject).to be_no_content
context "as an admin" do
let(:user) { FactoryBot.create(:user, :admin) }

context "with an actor not belonging to the signed in user" do
let(:actor) { FactoryBot.create(:actor) }

it "will allow you to delete an actor" do
expect(subject).to be_no_content
end
end

context "with an actor belonging to the signed in user" do
let(:actor) { FactoryBot.create(:actor, created_by: user) }

it "will allow you to delete an actor" do
expect(subject).to be_no_content
end
end
end
end
end
Expand Down
Loading