| author | Vlatka Pavisic | 2017-04-13 16:14:59 +0200 | 
|---|---|---|
| committer | Vlatka Pavisic | 2017-04-13 16:15:05 +0200 | 
| commit | 7dbafc403f96c6aad2ed6862f1234ce76d7d123a (patch) | |
| tree | c4d62f5ee46c86db1289c9a74735ce41e9a8db2a | |
| parent | bc09c8f16726f520c116e158ef3390dc84736bd2 (diff) | |
| download | chouette-core-7dbafc403f96c6aad2ed6862f1234ce76d7d123a.tar.bz2 | |
Refs #3128 : Modify ReferentialPolicy to check user permissions
| -rw-r--r-- | app/controllers/referentials_controller.rb | 2 | ||||
| -rw-r--r-- | app/models/user.rb | 2 | ||||
| -rw-r--r-- | app/policies/referential_policy.rb | 15 | ||||
| -rw-r--r-- | app/views/referentials/index.html.slim | 3 | ||||
| -rw-r--r-- | app/views/referentials/show.html.slim | 4 | ||||
| -rw-r--r-- | app/views/workbenches/show.html.slim | 1 | ||||
| -rw-r--r-- | spec/features/referentials_spec.rb | 53 | ||||
| -rw-r--r-- | spec/features/workbenches_spec.rb | 17 | ||||
| -rw-r--r-- | spec/support/devise.rb | 6 | 
9 files changed, 88 insertions, 15 deletions
| diff --git a/app/controllers/referentials_controller.rb b/app/controllers/referentials_controller.rb
index ce875b6ba..f46cd188d 100644
--- a/app/controllers/referentials_controller.rb
+++ b/app/controllers/referentials_controller.rb
@@ -1,7 +1,7 @@
 class ReferentialsController < BreadcrumbController
   defaults :resource_class => Referential
   include PolicyChecker
-  before_action :check_policy, :only => [:edit, :update, :archive, :unarchive] # overrides default
+  before_action :check_policy, :only => [:edit, :update, :destroy, :archive, :unarchive] # overrides default
   respond_to :html
   respond_to :json, :only => :show
diff --git a/app/models/user.rb b/app/models/user.rb
index 2633fdacb..d27007d43 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -32,7 +32,7 @@ class User < ActiveRecord::Base
   @@edit_offer_permissions = ['routes.create', 'routes.edit', 'routes.destroy', 'journey_patterns.create', 'journey_patterns.edit', 'journey_patterns.destroy',
     'vehicle_journeys.create', 'vehicle_journeys.edit', 'vehicle_journeys.destroy', 'time_tables.create', 'time_tables.edit', 'time_tables.destroy',
     'footnotes.edit', 'footnotes.create', 'footnotes.destroy', 'routing_constraint_zones.create', 'routing_constraint_zones.edit',
-    'routing_constraint_zones.destroy']
+    'routing_constraint_zones.destroy', 'referentials.create', 'referentials.edit', 'referentials.destroy']
   def cas_extra_attributes=(extra_attributes)
     extra             = extra_attributes.inject({}){|memo,(k,v)| memo[k.to_sym] = v; memo}
diff --git a/app/policies/referential_policy.rb b/app/policies/referential_policy.rb
index 1175ba5c6..fb55f006a 100644
--- a/app/policies/referential_policy.rb
+++ b/app/policies/referential_policy.rb
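Review bot: In app/controllers/referentials_controller.rb the `before_action :check_policy` list gains `:destroy` but still omits `:new` and `:create`, so the `create?` and `clone?` rules this commit tightens in ReferentialPolicy appear to be enforced only by hiding links in the views. Unless another filter authorizes those actions (the PolicyChecker default that this line overrides is not visible here), a signed-in user without `referentials.create` is not stopped at the controller. I would extend the list to `:only => [:new, :create, :edit, :update, :destroy, :archive, :unarchive]`, provided `check_policy` can authorize without a loaded record, or authorize explicitly inside those actions. The class body continues outside the hunk.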
@@ -6,15 +6,15 @@ class ReferentialPolicy < ApplicationPolicy
   end
   def create?
-    true
+    user.has_permission?('referentials.create')
   end
   def edit?
-    organisation_match?
+    user.has_permission?('referentials.edit')
   end
-  def update?
-    edit? && !record.archived?
+  def destroy?
+    user.has_permission?('referentials.destroy')
   end
   def archive?
@@ -22,8 +22,11 @@ class ReferentialPolicy < ApplicationPolicy
   end
   def unarchive? ; archive? end
-  def new?       ; create? end
-  def destroy?   ; edit? end
+  def update? ; edit? end
+  def new? ; create? end
+  def clone? ; create? end
 end
+
+
diff --git a/app/views/referentials/index.html.slim b/app/views/referentials/index.html.slim
index 8186f725f..8943d419c 100644
--- a/app/views/referentials/index.html.slim
+++ b/app/views/referentials/index.html.slim
@@ -13,7 +13,6 @@
   ul.actions
     li = link_to 'Données Reflex', stop_area_referential_path(1)
     li = link_to 'Données CodifLigne', line_referential_path(1)
-    li= link_to t('calendars.standard_calendars'), calendars_path
-    / FIXME #823
+    li = link_to t('calendars.standard_calendars'), calendars_path
     - if false
       li = link_to t('referentials.actions.new'), new_referential_path, class: 'add'
diff --git a/app/views/referentials/show.html.slim b/app/views/referentials/show.html.slim
index 04f93738e..617d5ad26 100644
--- a/app/views/referentials/show.html.slim
+++ b/app/views/referentials/show.html.slim
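Review bot: In app/policies/referential_policy.rb, `edit?` and `destroy?` no longer call `organisation_match?`, so as written a user holding `referentials.edit` or `referentials.destroy` is authorized for any referential, including one owned by another organisation, unless records are scoped elsewhere. The permission should be added to the ownership check rather than replace it: `organisation_match? && user.has_permission?('referentials.edit')`, and likewise for `destroy?` (assuming `organisation_match?` is still available to this class). The second hunk (`@@ -22,8 +22,11 @@`) reduces `update?` to `edit?` and drops the `!record.archived?` guard, leaving only the view to hide the edit link for archived referentials; I would keep `def update? ; edit? && !record.archived? end`. The body of `archive?` falls between the two hunks and is not visible, so whether it still checks the organisation cannot be confirmed here.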
@@ -5,10 +5,10 @@
              t('last_update', time: l(@referential.updated_at, format: :short)),
              ((@referential.archived? || !policy(@referential).edit?) ? '' : link_to(t('actions.edit'), edit_referential_path(@referential), class: 'btn btn-default')) do
-  / Below is secundary actions & optional contents (filters, ...)
+  / Below is secondary actions & optional contents (filters, ...)
   .row.mb-sm
     .col-lg-12.text-right
-      - if policy(@referential).new?
+      - if policy(@referential).clone?
         = link_to t('actions.clone'), new_referential_path(from: @referential.id), class: 'btn btn-primary'
       - if policy(@referential).edit?
diff --git a/app/views/workbenches/show.html.slim b/app/views/workbenches/show.html.slim
index 2d13501b7..f9a705c29 100644
--- a/app/views/workbenches/show.html.slim
+++ b/app/views/workbenches/show.html.slim
@@ -7,6 +7,7 @@
   / Below is secundary actions & optional contents (filters, ...)
   .row.mb-sm
     .col-lg-12.text-right
+      - if policy(Referential).create?
       = link_to t('referentials.actions.new'), new_referential_path(workbench_id: @workbench), class: 'btn btn-primary'
 / PageContent
diff --git a/spec/features/referentials_spec.rb b/spec/features/referentials_spec.rb
index ebaf70bca..3c2258a3a 100644
--- a/spec/features/referentials_spec.rb
+++ b/spec/features/referentials_spec.rb
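Review bot: In app/views/workbenches/show.html.slim the added `- if policy(Referential).create?` sits at the same indentation as the `= link_to t('referentials.actions.new'), …` line below it. If the indentation shown here is faithful, the condition has an empty body and the link is still rendered for every user. The `= link_to` line should be indented one level under the `- if`. Hiding the link is presentation only, so the new and create actions still need their own server-side authorization.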
@@ -55,6 +55,59 @@ describe "Referentials", :type => :feature do
         expect(page).to have_link(I18n.t('actions.edit'), href: edit_referential_path(referential))
       end
     end
+
+    context 'user has the permission to create referentials' do
+      it 'shows the clone link for referetnial' do
+        expect(page).to have_link(I18n.t('actions.clone'), href: new_referential_path(from: referential.id))
+      end
+    end
+
+    context 'user does not have the permission to create referentials' do
+      it 'does not show the clone link for referetnial' do
+        @user.update_attribute(:permissions, [])
+        visit referential_path(referential)
+        expect(page).not_to have_link(I18n.t('actions.clone'), href: new_referential_path(from: referential.id))
+      end
+    end
+
+    context 'user has the permission to edit referentials' do
+      it 'shows the link to edit the referential' do
+        expect(page).to have_link(I18n.t('actions.edit'), href: edit_referential_path(referential))
+      end
+
+      it 'shows the link to archive the referential' do
+        expect(page).to have_link(I18n.t('actions.archive'), href: archive_referential_path(referential))
+      end
+    end
+
+    context 'user does not have the permission to edit referentials' do
+      before(:each) do
+        @user.update_attribute(:permissions, [])
+        visit referential_path(referential)
+      end
+
+      it 'does not show the link to edit the referential' do
+        expect(page).not_to have_link(I18n.t('actions.edit'), href: edit_referential_path(referential))
+      end
+
+      it 'does not show the link to archive the referential' do
+        expect(page).not_to have_link(I18n.t('actions.archive'), href: archive_referential_path(referential))
+      end
+    end
+
+    context 'user has the permission to destroy referentials' do
+      it 'shows the link to destroy the referential' do
+        expect(page).to have_link(I18n.t('actions.destroy'), href: referential_path(referential))
+      end
+    end
+
+    context 'user does not have the permission to destroy referentials' do
+      it 'does not show the destroy link for referetnial' do
+        @user.update_attribute(:permissions, [])
+        visit referential_path(referential)
+        expect(page).not_to have_link(I18n.t('actions.destroy'), href: referential_path(referential))
+      end
+    end
   end
   describe "create" do
diff --git a/spec/features/workbenches_spec.rb b/spec/features/workbenches_spec.rb
index 608746e56..0a71a0b6b 100644
--- a/spec/features/workbenches_spec.rb
+++ b/spec/features/workbenches_spec.rb
@@ -18,11 +18,26 @@ describe 'Workbenches', type: :feature do
     let!(:ready_referential) { create :referential, workbench: workbench, metadatas: referential_metadatas, ready: true, organisation: @user.organisation }
     let!(:unready_referential) { create :referential, workbench: workbench }
+    before(:each) { visit workbench_path(workbench) }
+
     it 'shows ready referentials belonging to that workbench by default' do
-      visit workbench_path(workbench)
       expect(page).to have_content(ready_referential.name)
       expect(page).not_to have_content(unready_referential.name)
     end
+
+    context 'user has the permission to create referentials' do
+      it 'shows the link for a new referetnial' do
+        expect(page).to have_link(I18n.t('referentials.actions.new'), href: new_referential_path(workbench_id: workbenches.first))
+      end
+    end
+
+    context 'user does not have the permission to create referentials' do
+      it 'does not show the clone link for referetnial' do
+        @user.update_attribute(:permissions, [])
+        visit referential_path(referential)
+        expect(page).not_to have_link(I18n.t('referentials.actions.new'), href: new_referential_path(workbench_id: workbenches.first))
+      end
+    end
   end
   describe 'create new Referential' do
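Review bot: The examples added to spec/features/referentials_spec.rb assert only that links are shown or hidden; none checks that the server refuses an edit, update, destroy or clone request when the permission is missing, and none covers a referential owned by a different organisation. Every negative case also sets `permissions` to `[]`, so it cannot show that one permission (for example `referentials.edit`) does not grant another action such as destroy. I would add request- or controller-level examples that expect a refusal for a user without the permission and for a user from another organisation, removing one permission at a time. The description strings misspell "referential" as `referetnial`.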
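Review bot: In spec/features/workbenches_spec.rb the negative example visits `referential_path(referential)` and then asserts that the workbench's "new referential" link is absent, so it inspects the wrong page and passes whether or not the workbench view hides the link. It should reload the workbench after changing permissions: `visit workbench_path(workbench)`. `referential` and `workbenches` are not defined in the visible lines (the names shown are `workbench`, `ready_referential` and `unready_referential`), so `new_referential_path(workbench_id: workbench)` looks like the intended href in both examples. The description `'does not show the clone link for referetnial'` also reads as copied from the referentials spec.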
diff --git a/spec/support/devise.rb b/spec/support/devise.rb
index 0e3ceefac..14e316bea 100644
--- a/spec/support/devise.rb
+++ b/spec/support/devise.rb
@@ -8,7 +8,8 @@ module DeviseRequestHelper
         'vehicle_journeys.create', 'vehicle_journeys.edit', 'vehicle_journeys.destroy', 'time_tables.create', 'time_tables.edit', 'time_tables.destroy',
         'footnotes.edit', 'footnotes.create', 'footnotes.destroy', 'routing_constraint_zones.create', 'routing_constraint_zones.edit', 'routing_constraint_zones.destroy',
         'access_points.create', 'access_points.edit', 'access_points.destroy', 'access_links.create', 'access_links.edit', 'access_links.destroy',
-        'connection_links.create', 'connection_links.edit', 'connection_links.destroy', 'route_sections.create', 'route_sections.edit', 'route_sections.destroy'])
+        'connection_links.create', 'connection_links.edit', 'connection_links.destroy', 'route_sections.create', 'route_sections.edit', 'route_sections.destroy',
+        'referentials.create', 'referentials.edit', 'referentials.destroy'])
     login_as @user, :scope => :user
     # post_via_redirect user_session_path, 'user[email]' => @user.email, 'user[password]' => @user.password
   end
@@ -44,7 +45,8 @@ module DeviseControllerHelper
         'vehicle_journeys.create', 'vehicle_journeys.edit', 'vehicle_journeys.destroy', 'time_tables.create', 'time_tables.edit', 'time_tables.destroy',
         'footnotes.edit', 'footnotes.create', 'footnotes.destroy', 'routing_constraint_zones.create', 'routing_constraint_zones.edit', 'routing_constraint_zones.destroy',
         'access_points.create', 'access_points.edit', 'access_points.destroy', 'access_links.create', 'access_links.edit', 'access_links.destroy',
-        'connection_links.create', 'connection_links.edit', 'connection_links.destroy', 'route_sections.create', 'route_sections.edit', 'route_sections.destroy'])
+        'connection_links.create', 'connection_links.edit', 'connection_links.destroy', 'route_sections.create', 'route_sections.edit', 'route_sections.destroy',
+        'referentials.create', 'referentials.edit', 'referentials.destroy'])
       sign_in @user
     end
   end |
