| author | Robert | 2017-07-05 11:54:33 +0200 | 
|---|---|---|
| committer | Robert | 2017-07-05 11:59:06 +0200 | 
| commit | e53aa88c442bd0057c4e0ae66e2684d62d3193ed (patch) | |
| tree | 1ba7c8c082dde92ba215659fde9293e231e7c7df | |
| parent | 841bd65847066e92bf5a4d6de112fed1ada73c1c (diff) | |
| download | chouette-core-e53aa88c442bd0057c4e0ae66e2684d62d3193ed.tar.bz2 | |
Refs: #3478@1h;
   -  All permissions tied to `!archived?`
   -  Tests adapted
   -  Policies refactored
   ?  Is `create?` permission bound to `organisation_match?`
| -rw-r--r-- | app/helpers/table_builder_helper/custom_links.rb | 4 | ||||
| -rw-r--r-- | app/policies/acces_point_policy.rb | 25 | ||||
| -rw-r--r-- | app/policies/access_link_policy.rb | 6 | ||||
| -rw-r--r-- | app/policies/access_point_policy.rb | 6 | ||||
| -rw-r--r-- | app/policies/calendar_policy.rb | 6 | ||||
| -rw-r--r-- | app/policies/connection_link_policy.rb | 6 | ||||
| -rw-r--r-- | app/policies/journey_pattern_policy.rb | 7 | ||||
| -rw-r--r-- | app/policies/referential_policy.rb | 20 | ||||
| -rw-r--r-- | app/policies/routing_constraint_zone_policy.rb | 2 | ||||
| -rw-r--r-- | app/policies/time_table_policy.rb | 2 | ||||
| -rw-r--r-- | app/policies/vehicle_journey_policy.rb | 6 | ||||
| -rw-r--r-- | spec/helpers/table_builder_helper/custom_links_spec.rb | 1 | ||||
| -rw-r--r-- | spec/helpers/table_builder_helper_spec.rb | 5 | ||||
| -rw-r--r-- | spec/policies/routing_constraint_zone_policy_spec.rb | 4 | ||||
| -rw-r--r-- | spec/policies/time_table_policy_spec.rb | 11 | ||||
| -rw-r--r-- | spec/support/apartment_stubbing.rb | 14 | 
16 files changed, 81 insertions, 44 deletions
| diff --git a/app/helpers/table_builder_helper/custom_links.rb b/app/helpers/table_builder_helper/custom_links.rb index 68cb24c7a..e3ffb18ac 100644 --- a/app/helpers/table_builder_helper/custom_links.rb +++ b/app/helpers/table_builder_helper/custom_links.rb @@ -33,7 +33,7 @@ module TableBuilderHelper          polymorph_url << action        end -      polymorph_url += URL.polymorphic_url_parts(@object) +      polymorph_url += URL.polymorphic_url_parts(object)      end      def method_for_action(action) @@ -41,7 +41,7 @@ module TableBuilderHelper      end      def authorized_actions -      @actions.select(&policy.method(:authorizes_action?)) +      actions.select(&policy.method(:authorizes_action?))      end      private diff --git a/app/policies/acces_point_policy.rb b/app/policies/acces_point_policy.rb new file mode 100644 index 000000000..ce3a8a1ef --- /dev/null +++ b/app/policies/acces_point_policy.rb @@ -0,0 +1,25 @@ +class AccessPointPolicy < ApplicationPolicy +  class Scope < Scope +    def resolve +      scope +    end +  end + +  def create? +    !archived? && +      organisation_match? && +      user.has_permission?('access_points.create') +  end + +  def update? +    !archived? && +      organisation_match? && +      user.has_permission?('access_points.edit') +  end + +  def destroy? +    !archived? && +      organisation_match? +    && user.has_permission?('access_points.destroy') +  end +end diff --git a/app/policies/access_link_policy.rb b/app/policies/access_link_policy.rb index 4c6473f18..a4f0e40e8 100644 --- a/app/policies/access_link_policy.rb +++ b/app/policies/access_link_policy.rb 
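Review bot: `destroy?` in the new `app/policies/acces_point_policy.rb` splits its condition so that a line begins with `&& user.has_permission?('access_points.destroy')`, which Ruby versions of this period reject as a syntax error; the operator belongs at the end of the previous line, `organisation_match? &&`. The file name also looks like a misspelling of `access_point_policy.rb`, which this commit edits separately and which defines the same `AccessPointPolicy` class, so this file appears to be a stray copy. If it is ever loaded, for example by eager loading, it would either fail to parse or reopen the real policy class, so deleting it is probably the right fix.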
@@ -6,14 +6,14 @@ class AccessLinkPolicy < ApplicationPolicy    end    def create? -    user.has_permission?('access_links.create') # organisation match via referential is checked in the view +    !archived? && oragnisation_mathc? && user.has_permission?('access_links.create')    end    def update? -    organisation_match? && user.has_permission?('access_links.edit') +    !archived? && organisation_match? && user.has_permission?('access_links.edit')    end    def destroy? -    organisation_match? && user.has_permission?('access_links.destroy') +    !archived? && organisation_match? && user.has_permission?('access_links.destroy')    end  end diff --git a/app/policies/access_point_policy.rb b/app/policies/access_point_policy.rb index 4e017eae4..a1b57a3e5 100644 --- a/app/policies/access_point_policy.rb +++ b/app/policies/access_point_policy.rb @@ -6,14 +6,14 @@ class AccessPointPolicy < ApplicationPolicy    end    def create? -    user.has_permission?('access_points.create') # organisation match via referential is checked in the view +    !archived? && organisation_match? && user.has_permission?('access_points.create')    end    def update? -    organisation_match? && user.has_permission?('access_points.edit') +    !archived? && organisation_match? && user.has_permission?('access_points.edit')    end    def destroy? -    organisation_match? && user.has_permission?('access_points.destroy') +    !archived? && organisation_match? && user.has_permission?('access_points.destroy')    end  end diff --git a/app/policies/calendar_policy.rb b/app/policies/calendar_policy.rb index 927a985b3..3353988bd 100644 --- a/app/policies/calendar_policy.rb +++ b/app/policies/calendar_policy.rb 
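Review bot: `create?` in `AccessLinkPolicy` calls `oragnisation_mathc?`, a misspelling of `organisation_match?`, so for a non-archived record the authorization check raises `NoMethodError` instead of returning a boolean. The line should read `!archived? && organisation_match? && user.has_permission?('access_links.create')`. The error is hidden whenever `archived?` is true because `&&` short-circuits, and the diffstat shows no spec for this policy, so a spec that exercises `create?` on a non-archived record is needed to catch it.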
@@ -6,13 +6,13 @@ class CalendarPolicy < ApplicationPolicy    end    def create?  -    organisation_match? +    !archived? && organisation_match?    end    def destroy? -    organisation_match? +    !archived? && organisation_match?    end    def update? -    organisation_match? +    !archived? && organisation_match?    end    def share? diff --git a/app/policies/connection_link_policy.rb b/app/policies/connection_link_policy.rb index 7dccd30a9..acadc807d 100644 --- a/app/policies/connection_link_policy.rb +++ b/app/policies/connection_link_policy.rb @@ -6,14 +6,14 @@ class ConnectionLinkPolicy < ApplicationPolicy    end    def create? -    user.has_permission?('connection_links.create') # organisation match via referential is checked in the view +    !archived? && organisation_match? && user.has_permission?('connection_links.create')    end    def destroy? -    organisation_match? && user.has_permission?('connection_links.destroy') +    !archived? && organisation_match? && user.has_permission?('connection_links.destroy')    end    def update? -    organisation_match? && user.has_permission?('connection_links.edit') +    !archived? && organisation_match? && user.has_permission?('connection_links.edit')    end  end diff --git a/app/policies/journey_pattern_policy.rb b/app/policies/journey_pattern_policy.rb index 99e39eeff..810ead170 100644 --- a/app/policies/journey_pattern_policy.rb +++ b/app/policies/journey_pattern_policy.rb 
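Review bot: `create?`, `destroy?` and `update?` in `CalendarPolicy` grant on `!archived? && organisation_match?` alone, with no `user.has_permission?(...)` term, while every other policy touched by this commit also requires a named permission. If that is deliberate, a comment above `create?` such as `# any member of the owning organisation may write calendars; no per-user permission` would record the decision. If it is not, these three predicates need the same permission check as their siblings. The class body continues outside the hunk at `share?`, so the rest of the policy cannot be checked here.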
@@ -7,16 +7,15 @@ class JourneyPatternPolicy < ApplicationPolicy    end    def create? -    # organisation match via referential is checked in the view -    user.has_permission?('journey_patterns.create') +    !archived? && organisation_match? && user.has_permission?('journey_patterns.create')    end    def destroy? -    organisation_match? && user.has_permission?('journey_patterns.destroy') +    !archived? && organisation_match? && user.has_permission?('journey_patterns.destroy')    end    def update? -    organisation_match? && user.has_permission?('journey_patterns.edit') +    !archived? && organisation_match? && user.has_permission?('journey_patterns.edit')    end  end diff --git a/app/policies/referential_policy.rb b/app/policies/referential_policy.rb index 371cae218..7f8c9e939 100644 --- a/app/policies/referential_policy.rb +++ b/app/policies/referential_policy.rb @@ -10,20 +10,25 @@ class ReferentialPolicy < ApplicationPolicy    end    def destroy? -    organisation_match? && user.has_permission?('referentials.destroy') +    !archived? && organisation_match? && user.has_permission?('referentials.destroy')    end    def update? -    organisation_match? && user.has_permission?('referentials.edit') +    !archived? && organisation_match? && user.has_permission?('referentials.edit')    end + +  def clone? +    !archived? && organisation_match? && create? +  end +    def archive? -    edit? +    !archived? && update?    end -  def clone? -    organisation_match? && create? +  def unarchive? +    archived? && update?    end    def common_lines? @@ -31,11 +36,6 @@ class ReferentialPolicy < ApplicationPolicy      true    end -  def show? -    true -  end - -  def unarchive? ; archive? end  end diff --git a/app/policies/routing_constraint_zone_policy.rb b/app/policies/routing_constraint_zone_policy.rb index a10a2c909..3f2ad99a9 100644 --- a/app/policies/routing_constraint_zone_policy.rb +++ b/app/policies/routing_constraint_zone_policy.rb 
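Review bot: `unarchive?` in `ReferentialPolicy` can never return true: it is `archived? && update?`, and `update?` in the same hunk now begins with `!archived?`, so the two conditions contradict each other. An archived referential therefore cannot be unarchived through this policy. Spell the check out instead, `archived? && organisation_match? && user.has_permission?('referentials.edit')`. `archive?` and `clone?` repeat `!archived?` ahead of `update?` and `create?`; that is harmless for `archive?`, but `create?` is defined outside the hunk, so its conditions cannot be confirmed from here.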
@@ -6,7 +6,7 @@ class RoutingConstraintZonePolicy < ApplicationPolicy    end    def create? -    !archived? && user.has_permission?('routing_constraint_zones.create') # organisation match via referential is checked in the view +    !archived? && organisation_match? && user.has_permission?('routing_constraint_zones.create')    end    def destroy? diff --git a/app/policies/time_table_policy.rb b/app/policies/time_table_policy.rb index acd31e9b1..acdc2d13c 100644 --- a/app/policies/time_table_policy.rb +++ b/app/policies/time_table_policy.rb @@ -7,7 +7,7 @@ class TimeTablePolicy < ApplicationPolicy    end    def create? -    !archived? && user.has_permission?('time_tables.create') # organisation match via referential is checked in the view +    !archived? && organisation_match? && user.has_permission?('time_tables.create')    end    def destroy? diff --git a/app/policies/vehicle_journey_policy.rb b/app/policies/vehicle_journey_policy.rb index 7737f6d7e..27d96e43b 100644 --- a/app/policies/vehicle_journey_policy.rb +++ b/app/policies/vehicle_journey_policy.rb @@ -6,14 +6,14 @@ class VehicleJourneyPolicy < ApplicationPolicy    end    def create? -    user.has_permission?('vehicle_journeys.create') # organisation match via referential is checked in the view +    !archived? && organisation_match? && user.has_permission?('vehicle_journeys.create')    end    def destroy? -    organisation_match? && user.has_permission?('vehicle_journeys.destroy') +    !archived? && organisation_match? && user.has_permission?('vehicle_journeys.destroy')    end    def update? -    organisation_match? && user.has_permission?('vehicle_journeys.edit') +    !archived? && organisation_match? && user.has_permission?('vehicle_journeys.edit')    end  end diff --git a/spec/helpers/table_builder_helper/custom_links_spec.rb b/spec/helpers/table_builder_helper/custom_links_spec.rb index bd0bd4fcf..4b07922a7 100644 --- a/spec/helpers/table_builder_helper/custom_links_spec.rb 
+++ b/spec/helpers/table_builder_helper/custom_links_spec.rb @@ -10,6 +10,7 @@ describe TableBuilderHelper::CustomLinks do          referential: referential        ) +      stub_policy_scope(referential)        expect(          TableBuilderHelper::CustomLinks.new(            referential, diff --git a/spec/helpers/table_builder_helper_spec.rb b/spec/helpers/table_builder_helper_spec.rb index 6b505c940..4afd0774c 100644 --- a/spec/helpers/table_builder_helper_spec.rb +++ b/spec/helpers/table_builder_helper_spec.rb @@ -27,6 +27,7 @@ describe TableBuilderHelper, type: :helper do        referentials = [referential]        allow(referentials).to receive(:model).and_return(Referential) +      stub_policy_scope(referential)        allow(helper).to receive(:params).and_return({          controller: 'workbenches', @@ -193,7 +194,7 @@ describe TableBuilderHelper, type: :helper do          companies,          with: CompanyDecorator        ) -      allow(CompanyDecorator).to receive(:where).with(id: company.id).and_return double.as_null_object +      stub_policy_scope(company)        expected = <<-HTML  <table class="table has-search"> @@ -303,7 +304,7 @@ describe TableBuilderHelper, type: :helper do          with: CompanyDecorator,          context: {line_referential: line_referential}        ) -      allow(CompanyDecorator).to receive(:where).with(id: company.id).and_return double.as_null_object +      stub_policy_scope(company)        expected = <<-HTML  <table class="table has-search"> diff --git a/spec/policies/routing_constraint_zone_policy_spec.rb b/spec/policies/routing_constraint_zone_policy_spec.rb index 2508b49f9..f91313390 100644 --- a/spec/policies/routing_constraint_zone_policy_spec.rb +++ b/spec/policies/routing_constraint_zone_policy_spec.rb 
@@ -4,7 +4,7 @@ RSpec.describe RoutingConstraintZonePolicy, type: :policy do    permissions :create? do -    it_behaves_like 'permitted policy', 'routing_constraint_zones.create', archived: true +    it_behaves_like 'permitted policy and same organisation', 'routing_constraint_zones.create', archived: true    end    permissions :destroy? do @@ -16,7 +16,7 @@ RSpec.describe RoutingConstraintZonePolicy, type: :policy do    end    permissions :new? do -    it_behaves_like 'permitted policy', 'routing_constraint_zones.create', archived: true +    it_behaves_like 'permitted policy and same organisation', 'routing_constraint_zones.create', archived: true    end    permissions :update? do diff --git a/spec/policies/time_table_policy_spec.rb b/spec/policies/time_table_policy_spec.rb index 90e6600ea..6c19362d2 100644 --- a/spec/policies/time_table_policy_spec.rb +++ b/spec/policies/time_table_policy_spec.rb @@ -3,8 +3,10 @@ RSpec.describe TimeTablePolicy, type: :policy do    let( :record ){ build_stubbed :time_table } -  permissions :duplicate? do -    it_behaves_like 'permitted policy and same organisation', 'time_tables.create', archived: true +  %w{create duplicate}.each do | permission | +    permissions "#{permission}?".to_sym do +      it_behaves_like 'permitted policy and same organisation', 'time_tables.create', archived: true +    end    end    %w{destroy edit}.each do | permission | @@ -13,9 +15,4 @@ RSpec.describe TimeTablePolicy, type: :policy do      end    end -  permissions :create? do -    it_behaves_like 'permitted policy', 'time_tables.create', archived: true -  end - -  end diff --git a/spec/support/apartment_stubbing.rb b/spec/support/apartment_stubbing.rb new file mode 100644 index 000000000..408d3b878 --- /dev/null +++ b/spec/support/apartment_stubbing.rb 
@@ -0,0 +1,14 @@ +module Support +  # This is needed for referentials that are stubbed with `build_stubbed` +  # As one cannot switch to such referentials (obviously the schema does not exist) +  # we provide a stub for `scope.where(...` needed in ApplicationPolicy#show  +  module ApartmentStubbing +    def stub_policy_scope(model) +      allow(model.class).to receive(:where).with(id: model.id).and_return double("instance of #{model.class}").as_null_object +    end +  end +end + +RSpec.configure do | conf | +  conf.include Support::ApartmentStubbing +end | 
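Review bot: `stub_policy_scope` returns a double with `as_null_object`, which answers every message with itself, so whatever predicate the policy calls on the `where(id: ...)` result comes back truthy. Specs that use this helper therefore cannot fail on the scope check that the comment attributes to `ApplicationPolicy#show` (not visible in this diff). Returning a double that stubs only the message the policy actually sends, for instance `double(exists?: true)` if that is the call, would stop the stub from hiding a changed or broken scope lookup. The module comment should also say that the helper makes the scope check pass unconditionally.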
