Fix import policy to not authorize destroy and not be linked with referential state (archived) Refs #5093

3 files changed, 23 insertions, 11 deletions

diff --git a/app/policies/compliance_check_set_policy.rb b/app/policies/compliance_check_set_policy.rb
index 171a33347..85e7e8ddd 100644
--- a/app/policies/compliance_check_set_policy.rb
+++ b/app/policies/compliance_check_set_policy.rb
@@ -3,5 +3,17 @@ class ComplianceCheckSetPolicy < ApplicationPolicy
     def resolve
       scope
     end
+
+      def create?
+        false # ComplianceCheckSet can not be created from controller
+      end
+
+      def destroy?
+        false # Asynchronous operations must not be deleted
+      end
+
+      def update?
+        false # ComplianceCheckSet can not be updated from controller
+      end
   end
-end
\ No newline at end of file
+end
diff --git a/app/policies/import_policy.rb b/app/policies/import_policy.rb
index b12dcc167..b5e8c5b7e 100644
--- a/app/policies/import_policy.rb
+++ b/app/policies/import_policy.rb
@@ -6,14 +6,14 @@ class ImportPolicy < ApplicationPolicy
   end
 
   def create?
-    !archived? && user.has_permission?('imports.create')
+    user.has_permission?('imports.create')
   end
 
   def destroy?
-    !archived? && user.has_permission?('imports.destroy')
+    false # Asynchronous operations must not be deleted
   end
 
   def update?
-    !archived? && user.has_permission?('imports.update')
+    user.has_permission?('imports.update')
   end
 end
diff --git a/spec/policies/import_policy_spec.rb b/spec/policies/import_policy_spec.rb
index fd9f3172c..9c7fca8a5 100644
--- a/spec/policies/import_policy_spec.rb
+++ b/spec/policies/import_policy_spec.rb
@@ -9,10 +9,10 @@ RSpec.describe ImportPolicy, type: :policy do
 
   context 'Non Destructive actions →' do
     permissions :index? do
-      it_behaves_like 'always allowed', 'anything', archived: true
+      it_behaves_like 'always allowed', 'anything'
     end
     permissions :show? do
-      it_behaves_like 'always allowed', 'anything', archived: true
+      it_behaves_like 'always allowed', 'anything'
     end
   end
 
@@ -23,19 +23,19 @@ RSpec.describe ImportPolicy, type: :policy do
 
   context 'Destructive actions →' do
     permissions :create? do
-      it_behaves_like 'permitted policy', 'imports.create', archived: true
+      it_behaves_like 'permitted policy', 'imports.create'
     end
     permissions :destroy? do
-      it_behaves_like 'permitted policy', 'imports.destroy', archived: true
+      it_behaves_like 'always forbidden', 'imports.destroy'
     end
     permissions :edit? do
-      it_behaves_like 'permitted policy', 'imports.update', archived: true
+      it_behaves_like 'permitted policy', 'imports.update'
     end
     permissions :new? do
-      it_behaves_like 'permitted policy', 'imports.create', archived: true
+      it_behaves_like 'permitted policy', 'imports.create'
     end
     permissions :update? do
-      it_behaves_like 'permitted policy', 'imports.update', archived: true
+      it_behaves_like 'permitted policy', 'imports.update'
     end
   end
 end