Diffstat (limited to 'spec/support')
| -rw-r--r-- | spec/support/devise.rb | 43 | ||||
| -rw-r--r-- | spec/support/pundit/shared_examples.rb | 74 |
2 files changed, 100 insertions, 17 deletions
diff --git a/spec/support/devise.rb b/spec/support/devise.rb
index d4a279a41..28703c072 100644
--- a/spec/support/devise.rb
+++ b/spec/support/devise.rb
@@ -4,12 +4,12 @@ module DeviseRequestHelper
 def login_user
 organisation = Organisation.where(:code => "first").first_or_create(attributes_for(:organisation))
 @user ||= create(:user, :organisation => organisation,
- :permissions => ['routes.create', 'routes.edit', 'routes.destroy', 'journey_patterns.create', 'journey_patterns.edit', 'journey_patterns.destroy',
- 'vehicle_journeys.create', 'vehicle_journeys.edit', 'vehicle_journeys.destroy', 'time_tables.create', 'time_tables.edit', 'time_tables.destroy',
- 'footnotes.edit', 'footnotes.create', 'footnotes.destroy', 'routing_constraint_zones.create', 'routing_constraint_zones.edit', 'routing_constraint_zones.destroy',
- 'access_points.create', 'access_points.edit', 'access_points.destroy', 'access_links.create', 'access_links.edit', 'access_links.destroy',
- 'connection_links.create', 'connection_links.edit', 'connection_links.destroy', 'route_sections.create', 'route_sections.edit', 'route_sections.destroy',
- 'referentials.create', 'referentials.edit', 'referentials.destroy'])
+ :permissions => ['routes.create', 'routes.update', 'routes.destroy', 'journey_patterns.create', 'journey_patterns.update', 'journey_patterns.destroy',
+ 'vehicle_journeys.create', 'vehicle_journeys.update', 'vehicle_journeys.destroy', 'time_tables.create', 'time_tables.update', 'time_tables.destroy',
+ 'footnotes.update', 'footnotes.create', 'footnotes.destroy', 'routing_constraint_zones.create', 'routing_constraint_zones.update', 'routing_constraint_zones.destroy',
+ 'access_points.create', 'access_points.update', 'access_points.destroy', 'access_links.create', 'access_links.update', 'access_links.destroy',
+ 'connection_links.create', 'connection_links.update', 'connection_links.destroy', 'route_sections.create', 'route_sections.update', 'route_sections.destroy',
+ 'referentials.create', 'referentials.update', 'referentials.destroy'])
 login_as @user, :scope => :user
 # post_via_redirect user_session_path, 'user[email]' => @user.email, 
'user[password]' => @user.password end @@ -36,25 +36,42 @@ module DeviseRequestHelper end module DeviseControllerHelper + def setup_user + _all_actions = %w{create destroy update} + _all_resources = %w{ access_links + access_points + connection_links + footnotes + journey_patterns + referentials + route_sections + routes + routing_constraint_zones + time_tables + vehicle_journeys } + join_with = -> (separator) do + -> (ary) { ary.join(separator) } + end + before do @request.env["devise.mapping"] = Devise.mappings[:user] organisation = Organisation.where(:code => "first").first_or_create(attributes_for(:organisation)) - @user = create(:user, :organisation => organisation, - :permissions => ['routes.create', 'routes.edit', 'routes.destroy', 'journey_patterns.create', 'journey_patterns.edit', 'journey_patterns.destroy', - 'vehicle_journeys.create', 'vehicle_journeys.edit', 'vehicle_journeys.destroy', 'time_tables.create', 'time_tables.edit', 'time_tables.destroy', - 'footnotes.edit', 'footnotes.create', 'footnotes.destroy', 'routing_constraint_zones.create', 'routing_constraint_zones.edit', 'routing_constraint_zones.destroy', - 'access_points.create', 'access_points.edit', 'access_points.destroy', 'access_links.create', 'access_links.edit', 'access_links.destroy', - 'connection_links.create', 'connection_links.edit', 'connection_links.destroy', 'route_sections.create', 'route_sections.edit', 'route_sections.destroy', - 'referentials.create', 'referentials.edit', 'referentials.destroy']) + @user = create(:user, + organisation: organisation, + permissions: _all_resources.product( _all_actions ).map(&join_with.('.'))) end end + def login_user() setup_user before do sign_in @user end end + + private + end RSpec.configure do |config| diff --git a/spec/support/pundit/shared_examples.rb b/spec/support/pundit/shared_examples.rb index 33ed1ffae..357004f4e 100644 --- a/spec/support/pundit/shared_examples.rb +++ b/spec/support/pundit/shared_examples.rb 
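Review bot: The permission list in `DeviseControllerHelper` is now generated from `_all_resources.product( _all_actions )`, but `login_user` in `DeviseRequestHelper` (first hunk) still carries the hand-written list, so the two helpers can drift the next time a resource or action is renamed; a single shared constant or helper used by both would keep them aligned. Both helpers create a user holding every permission, so specs that rely on them presumably never exercise a denied request; letting the helper accept a permission list would allow the denied path to be covered as well. The curried `join_with` lambda can be replaced by `.map { |pair| pair.join('.') }`. The trailing `private` has no methods under it as far as the hunk shows and can be dropped.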
@@ -1,3 +1,69 @@
+
+RSpec.shared_examples 'always allowed' do
+ | permission, archived: false|
+ context 'same organisation →' do
+ before do
+ user.organisation_id = referential.organisation_id
+ end
+ it "allows a user with the same organisation" do
+ expect_it.to permit(user_context, record)
+ end
+ if archived
+ it 'does not remove permission for archived referentials' do
+ referential.archived_at = 42.seconds.ago
+ expect_it.to permit(user_context, record)
+ end
+ end
+ end
+
+ context 'different organisations →' do
+ before do
+ add_permissions(permission, for_user: user)
+ end
+ it "allows a user with a different organisation" do
+ expect_it.to permit(user_context, record)
+ end
+ if archived
+ it 'does not remove permission for archived referentials' do
+ referential.archived_at = 42.seconds.ago
+ expect_it.to permit(user_context, record)
+ end
+ end
+ end
+end
+
+RSpec.shared_examples 'always forbidden' do
+ | permission, archived: false|
+ context 'same organisation →' do
+ before do
+ user.organisation_id = referential.organisation_id
+ end
+ it "allows a user with the same organisation" do
+ expect_it.not_to permit(user_context, record)
+ end
+ if archived
+ it 'still no permission for archived referentials' do
+ referential.archived_at = 42.seconds.ago
+ expect_it.not_to permit(user_context, record)
+ end
+ end
+ end
+
+ context 'different organisations →' do
+ before do
+ add_permissions(permission, for_user: user)
+ end
+ it "denies a user with a different organisation" do
+ expect_it.not_to permit(user_context, record)
+ end
+ if archived
+ it 'still no permission for archived referentials' do
+ referential.archived_at = 42.seconds.ago
+ expect_it.not_to permit(user_context, record)
+ end
+ end
+ end
+end
 RSpec.shared_examples 'permitted policy and same organisation' do
 | permission, archived: false|
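Review bot: In the 'always forbidden' shared examples, the first example under 'same organisation →' is titled `"allows a user with the same organisation"` but asserts `expect_it.not_to permit(user_context, record)`; the title should read `"denies a user with the same organisation"` so a failure report states the intended rule. Neither context in 'always forbidden' combines the same organisation with `add_permissions(permission, for_user: user)`, which looks like the most privileged case and therefore the one most worth pinning for an action that must never be allowed (this assumes `add_permissions` grants the named permission; it is defined outside this hunk). Likewise 'always allowed' grants the permission in its 'different organisations →' context, so it does not show that a user lacking the permission is still allowed.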
@@ -6,11 +72,11 @@ RSpec.shared_examples 'permitted policy and same organisation' do
 expect_it.not_to permit(user_context, record)
 end
 it 'and also a user with the same organisation' do
- user.organisation = referential.organisation
+ user.organisation_id = referential.organisation_id
 expect_it.not_to permit(user_context, record)
 end
 end
-
+
 context 'permission present → ' do
 before do
 add_permissions(permission, for_user: user)
@@ -21,13 +87,13 @@ RSpec.shared_examples 'permitted policy and same organisation' do
 end
 it 'but allows it for a user with the same organisation' do
- user.organisation = referential.organisation
+ user.organisation_id = referential.organisation_id
 expect_it.to permit(user_context, record)
 end
 if archived
 it 'removes the permission for archived referentials' do
- user.organisation = referential.organisation
+ user.organisation_id = referential.organisation_id
 referential.archived_at = 42.seconds.ago
 expect_it.not_to permit(user_context, record)
 end |
