authorZog2018-05-21 12:40:51 +0200
committerZog2018-05-21 12:40:51 +0200
commit408b9f70f2dda294d30d7f1e4c524cafe85af06a (patch)
tree7c369758b1b70c613223f50fb31a42548ce1180b
parentd3f131476c29e92dc3451ea6099d09149ab8658d (diff)
downloadchouette-core-408b9f70f2dda294d30d7f1e4c524cafe85af06a.tar.bz2
Refs #7101; Update policies
-rw-r--r--app/models/user.rb1
-rw-r--r--app/policies/compliance_control_set_policy.rb12
-rw-r--r--db/schema.rb4
-rw-r--r--spec/policies/compliance_control_set_policy_spec.rb38
-rw-r--r--spec/support/pundit/policies.rb3
5 files changed, 50 insertions, 8 deletions
diff --git a/app/models/user.rb b/app/models/user.rb
index ba166b06f..fac031a5b 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -16,6 +16,7 @@ class User < ApplicationModel
# attr_accessible :email, :password, :current_password, :password_confirmation, :remember_me, :name, :organisation_attributes
belongs_to :organisation
has_many :workbenches, through: :organisation
+ has_many :workgroups, through: :workbenches
accepts_nested_attributes_for :organisation
validates :organisation, :presence => true
diff --git a/app/policies/compliance_control_set_policy.rb b/app/policies/compliance_control_set_policy.rb
index 55507ffd9..0709e9323 100644
--- a/app/policies/compliance_control_set_policy.rb
+++ b/app/policies/compliance_control_set_policy.rb
@@ -18,10 +18,18 @@ class ComplianceControlSetPolicy < ApplicationPolicy
end
def update?
- user.has_permission?('compliance_control_sets.update')
+ own_cc_set? && user.has_permission?('compliance_control_sets.update')
end
def clone?
- create?
+ own_or_workgroup_cc_set? && create?
+ end
+
+ def own_cc_set?
+ @record.organisation == @user.organisation
+ end
+
+ def own_or_workgroup_cc_set?
+ own_cc_set? || @user.workgroups.pluck(:owner_id).include?(@record.organisation.id)
end
end
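Review bot: `own_or_workgroup_cc_set?` dereferences `@record.organisation.id` and so raises NoMethodError for a set with no organisation, and `pluck(:owner_id).include?` loads every owner id of the user's workgroups into Ruby to answer a yes/no question. Both go away by asking the database directly, `@user.workgroups.where(owner_id: @record.organisation_id).exists?`, which also yields a plain `false` when `organisation_id` is nil rather than an exception in the authorization path. The two new predicates use `@user`/`@record` while `update?` two lines above uses the `user` reader; picking one form (the reader is what ApplicationPolicy exposes, judging by `update?`) keeps the policy consistent. A one-line comment on each helper stating which ownership it encodes would help, e.g. `# The set belongs to the user's own organisation.` and `# ...or to the organisation owning a workgroup one of the user's workbenches belongs to.`; note that `destroy?` is outside this hunk, so whether it received the same ownership guard cannot be seen here.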
diff --git a/db/schema.rb b/db/schema.rb
index c5fe6e0d1..c87891152 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -92,9 +92,9 @@ ActiveRecord::Schema.define(version: 20180517190722) do
t.integer "organisation_id", limit: 8
t.datetime "created_at"
t.datetime "updated_at"
+ t.integer "workgroup_id", limit: 8
t.integer "int_day_types"
t.date "excluded_dates", array: true
- t.integer "workgroup_id", limit: 8
t.jsonb "metadata", default: {}
end
@@ -472,9 +472,9 @@ ActiveRecord::Schema.define(version: 20180517190722) do
t.string "type"
t.integer "parent_id", limit: 8
t.string "parent_type"
+ t.datetime "notified_parent_at"
t.integer "current_step", default: 0
t.integer "total_steps", default: 0
- t.datetime "notified_parent_at"
t.string "creator"
end
diff --git a/spec/policies/compliance_control_set_policy_spec.rb b/spec/policies/compliance_control_set_policy_spec.rb
index 9b89338d6..29a571364 100644
--- a/spec/policies/compliance_control_set_policy_spec.rb
+++ b/spec/policies/compliance_control_set_policy_spec.rb
@@ -1,7 +1,7 @@
require 'rails_helper'
RSpec.describe ComplianceControlSetPolicy do
-
+ let( :user ) { create :user, organisation: create(:organisation) }
let( :record ){ build_stubbed :compliance_control_set }
before { stub_policy_scope(record) }
@@ -10,11 +10,43 @@ RSpec.describe ComplianceControlSetPolicy do
end
permissions :update? do
- it_behaves_like 'permitted policy outside referential', 'compliance_control_sets.update'
+ it 'denies user' do
+ expect_it.to_not permit(user_context, record)
+ add_permissions('compliance_control_sets.update', to_user: user)
+ expect_it.to_not permit(user_context, record)
+ end
+
+ context "when owned by the user's organisation" do
+ before {
+ record.organisation = user.organisation
+ }
+ it_behaves_like 'permitted policy outside referential', 'compliance_control_sets.update'
+ end
end
permissions :clone? do
- it_behaves_like 'permitted policy outside referential', 'compliance_control_sets.create'
+ it 'denies user' do
+ expect_it.to_not permit(user_context, record)
+ add_permissions('compliance_control_sets.create', to_user: user)
+ expect_it.to_not permit(user_context, record)
+ end
+
+ context "when owned by the user's organisation" do
+ before {
+ record.organisation = user.organisation
+ }
+ it_behaves_like 'permitted policy outside referential', 'compliance_control_sets.create'
+ end
+
+ context "when owned by the user's workgroup owner" do
+ before {
+ owner = create(:organisation)
+ workgroup = create :workgroup, owner: owner
+ create :workbench, organisation: user.organisation, workgroup: workgroup
+ record.organisation = owner
+ }
+ it_behaves_like 'permitted policy outside referential', 'compliance_control_sets.create'
+ end
end
permissions :destroy? do
diff --git a/spec/support/pundit/policies.rb b/spec/support/pundit/policies.rb
index d8d12d735..bbe695fbc 100644
--- a/spec/support/pundit/policies.rb
+++ b/spec/support/pundit/policies.rb
@@ -6,6 +6,7 @@ module Support
def add_permissions(*permissions, to_user:)
to_user.permissions ||= []
to_user.permissions += permissions.flatten
+ # to_user.save if to_user.persisted?
end
def create_user_context(user:, referential:)
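Review bot: The added line in `add_permissions` is commented-out code, `# to_user.save if to_user.persisted?`, which leaves a reader unsure whether in-memory permissions are meant to be persisted or not. `remove_permissions` just below (its body is outside the hunk) already takes a `save: false` keyword for exactly this choice, so either give `add_permissions` the same `save: false` parameter and call `to_user.save if save`, or drop the commented line. If the intent is that policy specs deliberately never persist granted permissions, a comment saying so, `# Permissions are kept in memory only; policy specs never persist the user.`, is more useful than dead code.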
@@ -13,7 +14,7 @@ module Support
end
def finalise_referential
- referential.referential_suite_id = random_int
+ referential.referential_suite_id = random_int
end
def remove_permissions(*permissions, from_user:, save: false)