diff --git a/Gemfile b/Gemfile index bf5997af..497172e4 100644 --- a/Gemfile +++ b/Gemfile @@ -7,7 +7,6 @@ gem 'devise' gem 'redis' gem 'pg' gem 'pundit' -gem 'cancan' gem 'pundit_extra' gem 'formula' gem 'formtastic' diff --git a/Gemfile.lock b/Gemfile.lock index ff5c1317..86fea5e0 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -57,7 +57,6 @@ GEM debug_inspector (>= 0.0.1) builder (3.2.2) byebug (8.2.2) - cancan (1.6.10) cancancan (1.10.1) climate_control (0.0.3) activesupport (>= 3.0) @@ -265,7 +264,6 @@ DEPENDENCIES best_in_place better_errors binding_of_caller - cancan coffee-rails delayed_job (~> 4.0.2) delayed_job_active_record (~> 4.0.1) @@ -301,6 +299,3 @@ DEPENDENCIES tunemygc uglifier uservoice-ruby - -BUNDLED WITH - 1.11.2 diff --git a/app/assets/javascripts/src/Metamaps.JIT.js.erb b/app/assets/javascripts/src/Metamaps.JIT.js.erb index 74e6c64b..744a78c3 100644 --- a/app/assets/javascripts/src/Metamaps.JIT.js.erb +++ b/app/assets/javascripts/src/Metamaps.JIT.js.erb @@ -108,7 +108,7 @@ Metamaps.JIT = { _.each(results[1], function (synapse) { mapping = synapse.getMapping(); Metamaps.Synapses.remove(synapse); - Metamaps.Mappings.remove(mapping); + if (Metamaps.Mappings) Metamaps.Mappings.remove(mapping); }); if (self.vizData.length == 0) { diff --git a/app/assets/javascripts/src/Metamaps.js.erb b/app/assets/javascripts/src/Metamaps.js.erb index d9e1f04a..c0f2daef 100644 --- a/app/assets/javascripts/src/Metamaps.js.erb +++ b/app/assets/javascripts/src/Metamaps.js.erb @@ -4364,11 +4364,11 @@ Metamaps.Topic = { nodeOnViz.setPos(new $jit.Complex(mapping.get('xloc'), mapping.get('yloc')), "end"); } if (Metamaps.Create.newTopic.addSynapse && permitCreateSynapseAfter) { - Metamaps.Create.newSynapse.topic1id = tempNode.getData('topic').id; - + Metamaps.Create.newSynapse.topic1id = Metamaps.tempNode.getData('topic').id; + // position the form - midpoint.x = tempNode.pos.getc().x + (nodeOnViz.pos.getc().x - tempNode.pos.getc().x) / 2; - midpoint.y = tempNode.pos.getc().y + (nodeOnViz.pos.getc().y - tempNode.pos.getc().y) / 2; + midpoint.x = Metamaps.tempNode.pos.getc().x + (nodeOnViz.pos.getc().x - Metamaps.tempNode.pos.getc().x) / 2; + midpoint.y = Metamaps.tempNode.pos.getc().y + (nodeOnViz.pos.getc().y - Metamaps.tempNode.pos.getc().y) / 2; pixelPos = Metamaps.Util.coordsToPixels(midpoint); $('#new_synapse').css('left', pixelPos.x + "px"); $('#new_synapse').css('top', pixelPos.y + "px"); @@ -4378,9 +4378,9 @@ Metamaps.Topic = { modes: ["node-property:dim"], duration: 500, onComplete: function () { - tempNode = null; - tempNode2 = null; - tempInit = false; + Metamaps.tempNode = null; + Metamaps.tempNode2 = null; + Metamaps.tempInit = false; } }); } else { diff --git a/app/controllers/topics_controller.rb b/app/controllers/topics_controller.rb index 1b1e9b3c..9911a7fe 100644 --- a/app/controllers/topics_controller.rb +++ b/app/controllers/topics_controller.rb @@ -24,9 +24,10 @@ class TopicsController < ApplicationController respond_to do |format| format.html { - @alltopics = ([@topic] + policy_scope(Topic.relatives(@topic.id))) - @allsynapses = policy_scope(Synapse.for_topic(@topic.id)) - + @alltopics = [@topic].concat(policy_scope(Topic.relatives1(@topic.id)).to_a).concat(policy_scope(Topic.relatives2(@topic.id)).to_a) + @allsynapses = policy_scope(Synapse.for_topic(@topic.id)).to_a +puts @alltopics.length +puts @allsynapses.length @allcreators = @alltopics.map(&:user).uniq @allcreators += @allsynapses.map(&:user).uniq @@ -41,8 +42,8 @@ class TopicsController < ApplicationController @topic = Topic.find(params[:id]) authorize @topic - @alltopics = [@topic] + policy_scope(@topic.relatives) - @allsynapses = policy_scope(@topic.synapses) + @alltopics = [@topic].concat(policy_scope(Topic.relatives1(@topic.id)).to_a).concat(policy_scope(Topic.relatives2(@topic.id)).to_a) + @allsynapses = policy_scope(Synapse.for_topic(@topic.id)) @allcreators = @alltopics.map(&:user).uniq @allcreators += @allsynapses.map(&:user).uniq @@ -65,8 +66,8 @@ class TopicsController < ApplicationController topicsAlreadyHas = params[:network] ? params[:network].split(',').map(&:to_i) : [] - @alltopics = policy_scope(@topic.relatives).to_a.uniq - @alltopics.delete_if! do |topic| + @alltopics = policy_scope(Topic.relatives1(@topic.id)).to_a.concat(policy_scope(Topic.relatives2(@topic.id)).to_a).uniq + @alltopics.delete_if do |topic| topicsAlreadyHas.index(topic.id) != nil end @@ -87,14 +88,15 @@ class TopicsController < ApplicationController topicsAlreadyHas = params[:network] ? params[:network].split(',').map(&:to_i) : [] - alltopics = policy_scope(@topic.relatives).to_a.uniq.delete_if do |topic| + alltopics = policy_scope(Topic.relatives1(@topic.id)).to_a.concat(policy_scope(Topic.relatives2(@topic.id)).to_a).uniq + alltopics.delete_if do |topic| topicsAlreadyHas.index(topic.id.to_s) != nil end #find synapses between topics in alltopics array - allsynapses = policy_scope(@topic.synapses) - synapse_ids = (allsynapses.map(&:topic1_id) + allsynapses.map(&:topic2_id)).uniq - allsynapses.delete_if! do |synapse| + allsynapses = policy_scope(Synapse.for_topic(@topic.id)).to_a + synapse_ids = (allsynapses.map(&:node1_id) + allsynapses.map(&:node2_id)).uniq + allsynapses.delete_if do |synapse| synapse_ids.index(synapse.id) != nil end diff --git a/app/models/topic.rb b/app/models/topic.rb index b2e8635b..dfbe7014 100644 --- a/app/models/topic.rb +++ b/app/models/topic.rb @@ -5,8 +5,8 @@ class Topic < ActiveRecord::Base has_many :synapses1, :class_name => 'Synapse', :foreign_key => 'node1_id', dependent: :destroy has_many :synapses2, :class_name => 'Synapse', :foreign_key => 'node2_id', dependent: :destroy - has_many :topics1, :through => :synapses2, :source => :topic1 - has_many :topics2, :through => :synapses1, :source => :topic2 + has_many :topics1, :through => :synapses2, source: :topic1 + has_many :topics2, :through => :synapses1, source: :topic2 has_many :mappings, as: :mappable, dependent: :destroy has_many :maps, :through => :mappings @@ -41,10 +41,15 @@ class Topic < ActiveRecord::Base belongs_to :metacode - scope :relatives, ->(topic_id = nil) { - includes(:synapses1) - .includes(:synapses2) - .where('synapses.node1_id = ? OR synapses.node2_id = ?', topic_id, topic_id) + scope :relatives1, ->(topic_id = nil) { + includes(:topics1) + .where('synapses.node1_id = ?', topic_id) + .references(:synapses) + } + + scope :relatives2, ->(topic_id = nil) { + includes(:topics2) + .where('synapses.node2_id = ?', topic_id) .references(:synapses) } @@ -83,47 +88,4 @@ class Topic < ActiveRecord::Base def mk_permission Perm.short(permission) end - - # has no viewable synapses helper function - def has_viewable_synapses(current) - result = false - synapses.each do |synapse| - if synapse.authorize_to_show(current) - result = true - end - end - result - end - - # TODO move to a decorator? - def synapses_csv(output_format = 'array') - output = [] - synapses.each do |synapse| - if synapse.category == 'from-to' - if synapse.node1_id == id - output << synapse.node1_id.to_s + '->' + synapse.node2_id.to_s - elsif synapse.node2_id == id - output << synapse.node2_id.to_s + '<-' + synapse.node1_id.to_s - else - fail 'invalid synapse on topic in synapse_csv' - end - elsif synapse.category == 'both' - if synapse.node1_id == id - output << synapse.node1_id.to_s + '<->' + synapse.node2_id.to_s - elsif synapse.node2_id == id - output << synapse.node2_id.to_s + '<->' + synapse.node1_id.to_s - else - fail 'invalid synapse on topic in synapse_csv' - end - end - end - if output_format == 'array' - return output - elsif output_format == 'text' - return output.join('; ') - else - fail 'invalid argument to synapses_csv' - end - output - end end diff --git a/app/policies/mapping_policy.rb b/app/policies/mapping_policy.rb index ed93bc66..5826ccd4 100644 --- a/app/policies/mapping_policy.rb +++ b/app/policies/mapping_policy.rb @@ -16,20 +16,28 @@ class MappingPolicy < ApplicationPolicy end def show? - map = Pundit.policy(user, record.map) - mappable = Pundit.policy(user, record.mappable) - map.show? && mappable.show? + map_policy.show? && mappable_policy.show? end def create? - Pundit.policy(user, record.map).update? + record.map.present? && map_policy.update? end def update? - Pundit.policy(user, record.map).update? + record.mappable_type == 'Topic' && map_policy.update? end def destroy? - record.user == user || admin_override + map_policy.update? || admin_override + end + + # Helpers + + def map_policy + @map_policy ||= Pundit.policy(user, record.map) + end + + def mappable_policy + @mappable_policy ||= Pundit.policy(user, record.mappable) end end diff --git a/spec/controllers/maps_controller_spec.rb b/spec/controllers/maps_controller_spec.rb index 67950d75..35c3ddcc 100644 --- a/spec/controllers/maps_controller_spec.rb +++ b/spec/controllers/maps_controller_spec.rb @@ -89,7 +89,8 @@ RSpec.describe MapsController, type: :controller do expect do delete :destroy, { id: unowned_map.to_param, format: :json } end.to change(Map, :count).by(0) - expect(response.body).to eq("unauthorized") + expect(response.body).to eq '' + expect(response.status).to eq 403 end it 'deletes owned map' do @@ -97,7 +98,8 @@ RSpec.describe MapsController, type: :controller do expect do delete :destroy, { id: owned_map.to_param, format: :json } end.to change(Map, :count).by(-1) - expect(response.body).to eq("success") + expect(response.body).to eq '' + expect(response.status).to eq 204 end end end diff --git a/spec/controllers/topics_controller_spec.rb b/spec/controllers/topics_controller_spec.rb index 2dd999a1..2fc99b22 100644 --- a/spec/controllers/topics_controller_spec.rb +++ b/spec/controllers/topics_controller_spec.rb @@ -92,10 +92,7 @@ RSpec.describe TopicsController, type: :controller do expect do delete :destroy, { id: owned_topic.to_param, format: :json } end.to change(Topic, :count).by(-1) - end - - it 'return 204 NO CONTENT' do - delete :destroy, { id: topic.to_param, format: :json } + expect(response.body).to eq '' expect(response.status).to eq 204 end end diff --git a/spec/models/map_spec.rb b/spec/models/map_spec.rb index d1486192..27227188 100644 --- a/spec/models/map_spec.rb +++ b/spec/models/map_spec.rb @@ -5,34 +5,5 @@ RSpec.describe Map, type: :model do it { is_expected.to validate_presence_of :name } it { is_expected.to validate_presence_of :permission } it { is_expected.to validate_inclusion_of(:permission).in_array Perm::ISSIONS.map(&:to_s) } - - context 'permissions' do - let(:owner) { create :user } - let(:other_user) { create :user } - let(:map) { create :map, user: owner, permission: :commons } - let(:private_map) { create :map, user: owner, permission: :private } - let(:public_map) { create :map, user: owner, permission: :public } - - it 'prevents deletion by non-owner' do - expect(map.authorize_to_delete(other_user)).to eq false - expect(map.authorize_to_delete(owner)).to eq map - end - - it 'prevents visibility if private' do - expect(map.authorize_to_show(other_user)).to eq map - expect(map.authorize_to_show(owner)).to eq map - expect(private_map.authorize_to_show(owner)).to eq private_map - expect(private_map.authorize_to_show(other_user)).to eq false - end - - it 'only allows editing if commons or owned' do - expect(map.authorize_to_edit(other_user)).to eq map - expect(map.authorize_to_edit(owner)).to eq map - expect(private_map.authorize_to_edit(other_user)).to eq false - expect(private_map.authorize_to_edit(owner)).to eq private_map - expect(public_map.authorize_to_edit(other_user)).to eq false - expect(public_map.authorize_to_edit(owner)).to eq public_map - end - end end diff --git a/spec/models/synapse_spec.rb b/spec/models/synapse_spec.rb index dcf85358..6ba5ff22 100644 --- a/spec/models/synapse_spec.rb +++ b/spec/models/synapse_spec.rb @@ -10,33 +10,4 @@ RSpec.describe Synapse, type: :model do it { is_expected.to validate_inclusion_of(:permission).in_array Perm::ISSIONS.map(&:to_s) } it { is_expected.to validate_inclusion_of(:category).in_array ['from-to', 'both'] } it { is_expected.to validate_length_of(:desc).is_at_least(0) } # TODO don't allow nil - - context 'permissions' do - let(:owner) { create :user } - let(:other_user) { create :user } - let(:synapse) { create :synapse, user: owner, permission: :commons } - let(:private_synapse) { create :synapse, user: owner, permission: :private } - let(:public_synapse) { create :synapse, user: owner, permission: :public } - - it 'prevents deletion by non-owner' do - expect(synapse.authorize_to_delete(other_user)).to eq false - expect(synapse.authorize_to_delete(owner)).to eq synapse - end - - it 'prevents visibility if private' do - expect(synapse.authorize_to_show(other_user)).to eq synapse - expect(synapse.authorize_to_show(owner)).to eq synapse - expect(private_synapse.authorize_to_show(owner)).to eq private_synapse - expect(private_synapse.authorize_to_show(other_user)).to eq false - end - - it 'only allows editing if commons or owned' do - expect(synapse.authorize_to_edit(other_user)).to eq synapse - expect(synapse.authorize_to_edit(owner)).to eq synapse - expect(private_synapse.authorize_to_edit(other_user)).to eq false - expect(private_synapse.authorize_to_edit(owner)).to eq private_synapse - expect(public_synapse.authorize_to_edit(other_user)).to eq false - expect(public_synapse.authorize_to_edit(owner)).to eq public_synapse - end - end end diff --git a/spec/models/topic_spec.rb b/spec/models/topic_spec.rb index b499daac..dbaac86d 100644 --- a/spec/models/topic_spec.rb +++ b/spec/models/topic_spec.rb @@ -7,75 +7,4 @@ RSpec.describe Topic, type: :model do it { is_expected.to have_many :mappings } it { is_expected.to validate_presence_of :permission } it { is_expected.to validate_inclusion_of(:permission).in_array Perm::ISSIONS.map(&:to_s) } - - context 'has_viewable_synapses function' do - let (:user) { create(:user) } - let (:other_user) { create(:user) } - - context 'topic with no synapses' do - let (:topic) { create(:topic) } - - it 'returns false' do - expect(topic.has_viewable_synapses(user)).to eq false - end - end - - context 'topic with one unpermitted synapse' do - let (:synapse) { create(:synapse, permission: :private, user: other_user) } - let (:topic) { create(:topic, synapses1: [synapse]) } - - it 'returns false' do - expect(topic.has_viewable_synapses(user)).to eq false - end - end - - context 'topic with one permitted synapse' do - let (:synapse) { create(:synapse, permission: :private, user: user) } - let(:topic) { create(:topic, synapses1: [synapse]) } - - it 'returns true' do - expect(topic.has_viewable_synapses(user)).to eq true - end - end - - context 'topic with one unpermitted, one permitted synapse' do - let (:synapse1) { create(:synapse, permission: :private, user: other_user) } - let (:synapse2) { create(:synapse, permission: :private, user: user) } - let (:topic) { create(:topic, synapses1: [synapse1, synapse2]) } - - it 'returns true' do - expect(topic.synapses.count).to eq 2 - expect(topic.has_viewable_synapses(user)).to eq true - end - end - end - - context 'permssions' do - let(:owner) { create :user } - let(:other_user) { create :user } - let(:topic) { create :topic, user: owner, permission: :commons } - let(:private_topic) { create :topic, user: owner, permission: :private } - let(:public_topic) { create :topic, user: owner, permission: :public } - - it 'prevents deletion by non-owner' do - expect(topic.authorize_to_delete(other_user)).to eq false - expect(topic.authorize_to_delete(owner)).to eq topic - end - - it 'prevents visibility if private' do - expect(topic.authorize_to_show(other_user)).to eq topic - expect(topic.authorize_to_show(owner)).to eq topic - expect(private_topic.authorize_to_show(owner)).to eq private_topic - expect(private_topic.authorize_to_show(other_user)).to eq false - end - - it 'only allows editing if commons or owned' do - expect(topic.authorize_to_edit(other_user)).to eq topic - expect(topic.authorize_to_edit(owner)).to eq topic - expect(private_topic.authorize_to_edit(other_user)).to eq false - expect(private_topic.authorize_to_edit(owner)).to eq private_topic - expect(public_topic.authorize_to_edit(other_user)).to eq false - expect(public_topic.authorize_to_edit(owner)).to eq public_topic - end - end end diff --git a/spec/policies/map_policy_spec.rb b/spec/policies/map_policy_spec.rb index b160fead..7dd33707 100644 --- a/spec/policies/map_policy_spec.rb +++ b/spec/policies/map_policy_spec.rb @@ -7,12 +7,12 @@ RSpec.describe MapPolicy, type: :policy do context 'commons' do let(:map) { create(:map, permission: :commons) } permissions :show? do - it 'can view' do + it 'permits access' do expect(subject).to permit(nil, map) end end permissions :create?, :update?, :destroy? do - it 'can not modify' do + it 'denies access' do expect(subject).to_not permit(nil, map) end end @@ -21,7 +21,7 @@ RSpec.describe MapPolicy, type: :policy do context 'private' do let(:map) { create(:map, permission: :private) } permissions :show?, :create?, :update?, :destroy? do - it 'can not view or modify' do + it 'permits access' do expect(subject).to_not permit(nil, map) end end @@ -39,15 +39,15 @@ RSpec.describe MapPolicy, type: :policy do let(:owner) { create(:user) } let(:map) { create(:map, permission: :commons, user: owner) } permissions :show?, :create?, :update? do - it 'can view and modify' do + it 'permits access' do expect(subject).to permit(user, map) end end permissions :destroy? do - it 'can not destroy' do + it 'denies access' do expect(subject).to_not permit(user, map) end - it 'owner can destroy' do + it 'permits access to owner' do expect(subject).to permit(owner, map) end end @@ -56,21 +56,16 @@ RSpec.describe MapPolicy, type: :policy do context 'public' do let(:owner) { create(:user) } let(:map) { create(:map, permission: :public, user: owner) } - permissions :show? do - it 'can view' do - expect(subject).to permit(user, map) - end - end - permissions :create? do - it 'can create' do + permissions :show?, :create? do + it 'permits access' do expect(subject).to permit(user, map) end end permissions :update?, :destroy? do - it 'can not update/destroy' do + it 'denies access' do expect(subject).to_not permit(user, map) end - it 'owner can update/destroy' do + it 'permits access to owner' do expect(subject).to permit(owner, map) end end @@ -80,15 +75,15 @@ RSpec.describe MapPolicy, type: :policy do let(:owner) { create(:user) } let(:map) { create(:map, permission: :private, user: owner) } permissions :create? do - it 'can create' do + it 'permits access' do expect(subject).to permit(user, map) end end permissions :show?, :update?, :destroy? do - it 'can not view or modify' do + it 'denies access' do expect(subject).to_not permit(user, map) end - it 'owner can view and modify' do + it 'permits access to owner' do expect(subject).to permit(owner, map) end end diff --git a/spec/policies/mapping_policy_spec.rb b/spec/policies/mapping_policy_spec.rb new file mode 100644 index 00000000..291a9c17 --- /dev/null +++ b/spec/policies/mapping_policy_spec.rb @@ -0,0 +1,7 @@ +require 'rails_helper' + +RSpec.describe MappingPolicy, type: :policy do + subject { described_class } + + pending 'Implement some mapping tests!' +end diff --git a/spec/policies/synapse_policy.rb b/spec/policies/synapse_policy.rb new file mode 100644 index 00000000..4c725e37 --- /dev/null +++ b/spec/policies/synapse_policy.rb @@ -0,0 +1,92 @@ +require 'rails_helper' + +RSpec.describe SynapsePolicy, type: :policy do + subject { described_class } + + context 'unauthenticated' do + context 'commons' do + let(:synapse) { create(:synapse, permission: :commons) } + permissions :show? do + it 'permits access' do + expect(subject).to permit(nil, synapse) + end + end + permissions :create?, :update?, :destroy? do + it 'denies access' do + expect(subject).to_not permit(nil, synapse) + end + end + end + + context 'private' do + let(:synapse) { create(:synapse, permission: :private) } + permissions :show?, :create?, :update?, :destroy? do + it 'denies access' do + expect(subject).to_not permit(nil, synapse) + end + end + end + end + + # + # Now begin the logged-in tests + # + + context 'logged in' do + let(:user) { create(:user) } + + context 'commons' do + let(:owner) { create(:user) } + let(:synapse) { create(:synapse, permission: :commons, user: owner) } + permissions :show?, :create?, :update? do + it 'permits access' do + expect(subject).to permit(user, synapse) + end + end + permissions :destroy? do + it 'denies access' do + expect(subject).to_not permit(user, synapse) + end + it 'permits access to owner' do + expect(subject).to permit(owner, synapse) + end + end + end + + context 'public' do + let(:owner) { create(:user) } + let(:synapse) { create(:synapse, permission: :public, user: owner) } + permissions :show?, :create? do + it 'permits access' do + expect(subject).to permit(user, synapse) + end + end + permissions :update?, :destroy? do + it 'denies access' do + expect(subject).to_not permit(user, synapse) + end + it 'permits access to owner' do + expect(subject).to permit(owner, synapse) + end + end + end + + context 'private' do + let(:owner) { create(:user) } + let(:synapse) { create(:synapse, permission: :private, user: owner) } + permissions :create? do + it 'permits access' do + expect(subject).to permit(user, synapse) + end + end + permissions :show?, :update?, :destroy? do + it 'denies access' do + expect(subject).to_not permit(user, synapse) + end + it 'permits access to owner' do + expect(subject).to permit(owner, synapse) + end + end + end + end +end diff --git a/spec/policies/topic_policy_spec.rb b/spec/policies/topic_policy_spec.rb new file mode 100644 index 00000000..7078496c --- /dev/null +++ b/spec/policies/topic_policy_spec.rb @@ -0,0 +1,92 @@ +require 'rails_helper' + +RSpec.describe TopicPolicy, type: :policy do + subject { described_class } + + context 'unauthenticated' do + context 'commons' do + let(:topic) { create(:topic, permission: :commons) } + permissions :show? do + it 'permits access' do + expect(subject).to permit(nil, topic) + end + end + permissions :create?, :update?, :destroy? do + it 'denies access' do + expect(subject).to_not permit(nil, topic) + end + end + end + + context 'private' do + let(:topic) { create(:topic, permission: :private) } + permissions :show?, :create?, :update?, :destroy? do + it 'denies access' do + expect(subject).to_not permit(nil, topic) + end + end + end + end + + # + # Now begin the logged-in tests + # + + context 'logged in' do + let(:user) { create(:user) } + + context 'commons' do + let(:owner) { create(:user) } + let(:topic) { create(:topic, permission: :commons, user: owner) } + permissions :show?, :create?, :update? do + it 'permits access' do + expect(subject).to permit(user, topic) + end + end + permissions :destroy? do + it 'denies access' do + expect(subject).to_not permit(user, topic) + end + it 'permits access to owner' do + expect(subject).to permit(owner, topic) + end + end + end + + context 'public' do + let(:owner) { create(:user) } + let(:topic) { create(:topic, permission: :public, user: owner) } + permissions :show?, :create? do + it 'permits access' do + expect(subject).to permit(user, topic) + end + end + permissions :update?, :destroy? do + it 'denies access' do + expect(subject).to_not permit(user, topic) + end + it 'permits access to owner' do + expect(subject).to permit(owner, topic) + end + end + end + + context 'private' do + let(:owner) { create(:user) } + let(:topic) { create(:topic, permission: :private, user: owner) } + permissions :create? do + it 'permits access' do + expect(subject).to permit(user, topic) + end + end + permissions :show?, :update?, :destroy? do + it 'denies access' do + expect(subject).to_not permit(user, topic) + end + it 'permits access to owner' do + expect(subject).to permit(owner, topic) + end + end + end + end +end