Merge branch 'develop' of github.com:metamaps/metamaps_gen002 into develop

This commit is contained in:
Connor Turland 2016-03-14 21:36:57 +11:00
commit 3e24a088da
13 changed files with 223 additions and 176 deletions

View file

@ -7,7 +7,6 @@ gem 'devise'
gem 'redis' gem 'redis'
gem 'pg' gem 'pg'
gem 'pundit' gem 'pundit'
gem 'cancan'
gem 'pundit_extra' gem 'pundit_extra'
gem 'formula' gem 'formula'
gem 'formtastic' gem 'formtastic'

View file

@ -57,7 +57,6 @@ GEM
debug_inspector (>= 0.0.1) debug_inspector (>= 0.0.1)
builder (3.2.2) builder (3.2.2)
byebug (8.2.2) byebug (8.2.2)
cancan (1.6.10)
cancancan (1.10.1) cancancan (1.10.1)
climate_control (0.0.3) climate_control (0.0.3)
activesupport (>= 3.0) activesupport (>= 3.0)
@ -265,7 +264,6 @@ DEPENDENCIES
best_in_place best_in_place
better_errors better_errors
binding_of_caller binding_of_caller
cancan
coffee-rails coffee-rails
delayed_job (~> 4.0.2) delayed_job (~> 4.0.2)
delayed_job_active_record (~> 4.0.1) delayed_job_active_record (~> 4.0.1)
@ -301,6 +299,3 @@ DEPENDENCIES
tunemygc tunemygc
uglifier uglifier
uservoice-ruby uservoice-ruby
BUNDLED WITH
1.11.2

View file

@ -88,15 +88,4 @@ class Topic < ActiveRecord::Base
def mk_permission def mk_permission
Perm.short(permission) Perm.short(permission)
end end
# has no viewable synapses helper function
def has_viewable_synapses(current)
result = false
synapses.each do |synapse|
if synapse.authorize_to_show(current)
result = true
end
end
result
end
end end

View file

@ -16,20 +16,28 @@ class MappingPolicy < ApplicationPolicy
end end
def show? def show?
map = Pundit.policy(user, record.map) map_policy.show? && mappable_policy.show?
mappable = Pundit.policy(user, record.mappable)
map.show? && mappable.show?
end end
def create? def create?
Pundit.policy(user, record.map).update? record.map.present? && map_policy.update?
end end
def update? def update?
Pundit.policy(user, record.map).update? record.mappable_type == 'Topic' && map_policy.update?
end end
def destroy? def destroy?
record.user == user || admin_override map_policy.update? || admin_override
end
# Helpers
def map_policy
@map_policy ||= Pundit.policy(user, record.map)
end
def mappable_policy
@mappable_policy ||= Pundit.policy(user, record.mappable)
end end
end end

View file

@ -89,7 +89,8 @@ RSpec.describe MapsController, type: :controller do
expect do expect do
delete :destroy, { id: unowned_map.to_param, format: :json } delete :destroy, { id: unowned_map.to_param, format: :json }
end.to change(Map, :count).by(0) end.to change(Map, :count).by(0)
expect(response.body).to eq("unauthorized") expect(response.body).to eq ''
expect(response.status).to eq 403
end end
it 'deletes owned map' do it 'deletes owned map' do
@ -97,7 +98,8 @@ RSpec.describe MapsController, type: :controller do
expect do expect do
delete :destroy, { id: owned_map.to_param, format: :json } delete :destroy, { id: owned_map.to_param, format: :json }
end.to change(Map, :count).by(-1) end.to change(Map, :count).by(-1)
expect(response.body).to eq("success") expect(response.body).to eq ''
expect(response.status).to eq 204
end end
end end
end end

View file

@ -92,10 +92,7 @@ RSpec.describe TopicsController, type: :controller do
expect do expect do
delete :destroy, { id: owned_topic.to_param, format: :json } delete :destroy, { id: owned_topic.to_param, format: :json }
end.to change(Topic, :count).by(-1) end.to change(Topic, :count).by(-1)
end expect(response.body).to eq ''
it 'return 204 NO CONTENT' do
delete :destroy, { id: topic.to_param, format: :json }
expect(response.status).to eq 204 expect(response.status).to eq 204
end end
end end

View file

@ -5,34 +5,5 @@ RSpec.describe Map, type: :model do
it { is_expected.to validate_presence_of :name } it { is_expected.to validate_presence_of :name }
it { is_expected.to validate_presence_of :permission } it { is_expected.to validate_presence_of :permission }
it { is_expected.to validate_inclusion_of(:permission).in_array Perm::ISSIONS.map(&:to_s) } it { is_expected.to validate_inclusion_of(:permission).in_array Perm::ISSIONS.map(&:to_s) }
context 'permissions' do
let(:owner) { create :user }
let(:other_user) { create :user }
let(:map) { create :map, user: owner, permission: :commons }
let(:private_map) { create :map, user: owner, permission: :private }
let(:public_map) { create :map, user: owner, permission: :public }
it 'prevents deletion by non-owner' do
expect(map.authorize_to_delete(other_user)).to eq false
expect(map.authorize_to_delete(owner)).to eq map
end
it 'prevents visibility if private' do
expect(map.authorize_to_show(other_user)).to eq map
expect(map.authorize_to_show(owner)).to eq map
expect(private_map.authorize_to_show(owner)).to eq private_map
expect(private_map.authorize_to_show(other_user)).to eq false
end
it 'only allows editing if commons or owned' do
expect(map.authorize_to_edit(other_user)).to eq map
expect(map.authorize_to_edit(owner)).to eq map
expect(private_map.authorize_to_edit(other_user)).to eq false
expect(private_map.authorize_to_edit(owner)).to eq private_map
expect(public_map.authorize_to_edit(other_user)).to eq false
expect(public_map.authorize_to_edit(owner)).to eq public_map
end
end
end end

View file

@ -10,33 +10,4 @@ RSpec.describe Synapse, type: :model do
it { is_expected.to validate_inclusion_of(:permission).in_array Perm::ISSIONS.map(&:to_s) } it { is_expected.to validate_inclusion_of(:permission).in_array Perm::ISSIONS.map(&:to_s) }
it { is_expected.to validate_inclusion_of(:category).in_array ['from-to', 'both'] } it { is_expected.to validate_inclusion_of(:category).in_array ['from-to', 'both'] }
it { is_expected.to validate_length_of(:desc).is_at_least(0) } # TODO don't allow nil it { is_expected.to validate_length_of(:desc).is_at_least(0) } # TODO don't allow nil
context 'permissions' do
let(:owner) { create :user }
let(:other_user) { create :user }
let(:synapse) { create :synapse, user: owner, permission: :commons }
let(:private_synapse) { create :synapse, user: owner, permission: :private }
let(:public_synapse) { create :synapse, user: owner, permission: :public }
it 'prevents deletion by non-owner' do
expect(synapse.authorize_to_delete(other_user)).to eq false
expect(synapse.authorize_to_delete(owner)).to eq synapse
end
it 'prevents visibility if private' do
expect(synapse.authorize_to_show(other_user)).to eq synapse
expect(synapse.authorize_to_show(owner)).to eq synapse
expect(private_synapse.authorize_to_show(owner)).to eq private_synapse
expect(private_synapse.authorize_to_show(other_user)).to eq false
end
it 'only allows editing if commons or owned' do
expect(synapse.authorize_to_edit(other_user)).to eq synapse
expect(synapse.authorize_to_edit(owner)).to eq synapse
expect(private_synapse.authorize_to_edit(other_user)).to eq false
expect(private_synapse.authorize_to_edit(owner)).to eq private_synapse
expect(public_synapse.authorize_to_edit(other_user)).to eq false
expect(public_synapse.authorize_to_edit(owner)).to eq public_synapse
end
end
end end

View file

@ -7,75 +7,4 @@ RSpec.describe Topic, type: :model do
it { is_expected.to have_many :mappings } it { is_expected.to have_many :mappings }
it { is_expected.to validate_presence_of :permission } it { is_expected.to validate_presence_of :permission }
it { is_expected.to validate_inclusion_of(:permission).in_array Perm::ISSIONS.map(&:to_s) } it { is_expected.to validate_inclusion_of(:permission).in_array Perm::ISSIONS.map(&:to_s) }
context 'has_viewable_synapses function' do
let (:user) { create(:user) }
let (:other_user) { create(:user) }
context 'topic with no synapses' do
let (:topic) { create(:topic) }
it 'returns false' do
expect(topic.has_viewable_synapses(user)).to eq false
end
end
context 'topic with one unpermitted synapse' do
let (:synapse) { create(:synapse, permission: :private, user: other_user) }
let (:topic) { create(:topic, synapses1: [synapse]) }
it 'returns false' do
expect(topic.has_viewable_synapses(user)).to eq false
end
end
context 'topic with one permitted synapse' do
let (:synapse) { create(:synapse, permission: :private, user: user) }
let(:topic) { create(:topic, synapses1: [synapse]) }
it 'returns true' do
expect(topic.has_viewable_synapses(user)).to eq true
end
end
context 'topic with one unpermitted, one permitted synapse' do
let (:synapse1) { create(:synapse, permission: :private, user: other_user) }
let (:synapse2) { create(:synapse, permission: :private, user: user) }
let (:topic) { create(:topic, synapses1: [synapse1, synapse2]) }
it 'returns true' do
expect(topic.synapses.count).to eq 2
expect(topic.has_viewable_synapses(user)).to eq true
end
end
end
context 'permssions' do
let(:owner) { create :user }
let(:other_user) { create :user }
let(:topic) { create :topic, user: owner, permission: :commons }
let(:private_topic) { create :topic, user: owner, permission: :private }
let(:public_topic) { create :topic, user: owner, permission: :public }
it 'prevents deletion by non-owner' do
expect(topic.authorize_to_delete(other_user)).to eq false
expect(topic.authorize_to_delete(owner)).to eq topic
end
it 'prevents visibility if private' do
expect(topic.authorize_to_show(other_user)).to eq topic
expect(topic.authorize_to_show(owner)).to eq topic
expect(private_topic.authorize_to_show(owner)).to eq private_topic
expect(private_topic.authorize_to_show(other_user)).to eq false
end
it 'only allows editing if commons or owned' do
expect(topic.authorize_to_edit(other_user)).to eq topic
expect(topic.authorize_to_edit(owner)).to eq topic
expect(private_topic.authorize_to_edit(other_user)).to eq false
expect(private_topic.authorize_to_edit(owner)).to eq private_topic
expect(public_topic.authorize_to_edit(other_user)).to eq false
expect(public_topic.authorize_to_edit(owner)).to eq public_topic
end
end
end end

View file

@ -7,12 +7,12 @@ RSpec.describe MapPolicy, type: :policy do
context 'commons' do context 'commons' do
let(:map) { create(:map, permission: :commons) } let(:map) { create(:map, permission: :commons) }
permissions :show? do permissions :show? do
it 'can view' do it 'permits access' do
expect(subject).to permit(nil, map) expect(subject).to permit(nil, map)
end end
end end
permissions :create?, :update?, :destroy? do permissions :create?, :update?, :destroy? do
it 'can not modify' do it 'denies access' do
expect(subject).to_not permit(nil, map) expect(subject).to_not permit(nil, map)
end end
end end
@ -21,7 +21,7 @@ RSpec.describe MapPolicy, type: :policy do
context 'private' do context 'private' do
let(:map) { create(:map, permission: :private) } let(:map) { create(:map, permission: :private) }
permissions :show?, :create?, :update?, :destroy? do permissions :show?, :create?, :update?, :destroy? do
it 'can not view or modify' do it 'permits access' do
expect(subject).to_not permit(nil, map) expect(subject).to_not permit(nil, map)
end end
end end
@ -39,15 +39,15 @@ RSpec.describe MapPolicy, type: :policy do
let(:owner) { create(:user) } let(:owner) { create(:user) }
let(:map) { create(:map, permission: :commons, user: owner) } let(:map) { create(:map, permission: :commons, user: owner) }
permissions :show?, :create?, :update? do permissions :show?, :create?, :update? do
it 'can view and modify' do it 'permits access' do
expect(subject).to permit(user, map) expect(subject).to permit(user, map)
end end
end end
permissions :destroy? do permissions :destroy? do
it 'can not destroy' do it 'denies access' do
expect(subject).to_not permit(user, map) expect(subject).to_not permit(user, map)
end end
it 'owner can destroy' do it 'permits access to owner' do
expect(subject).to permit(owner, map) expect(subject).to permit(owner, map)
end end
end end
@ -56,21 +56,16 @@ RSpec.describe MapPolicy, type: :policy do
context 'public' do context 'public' do
let(:owner) { create(:user) } let(:owner) { create(:user) }
let(:map) { create(:map, permission: :public, user: owner) } let(:map) { create(:map, permission: :public, user: owner) }
permissions :show? do permissions :show?, :create? do
it 'can view' do it 'permits access' do
expect(subject).to permit(user, map)
end
end
permissions :create? do
it 'can create' do
expect(subject).to permit(user, map) expect(subject).to permit(user, map)
end end
end end
permissions :update?, :destroy? do permissions :update?, :destroy? do
it 'can not update/destroy' do it 'denies access' do
expect(subject).to_not permit(user, map) expect(subject).to_not permit(user, map)
end end
it 'owner can update/destroy' do it 'permits access to owner' do
expect(subject).to permit(owner, map) expect(subject).to permit(owner, map)
end end
end end
@ -80,15 +75,15 @@ RSpec.describe MapPolicy, type: :policy do
let(:owner) { create(:user) } let(:owner) { create(:user) }
let(:map) { create(:map, permission: :private, user: owner) } let(:map) { create(:map, permission: :private, user: owner) }
permissions :create? do permissions :create? do
it 'can create' do it 'permits access' do
expect(subject).to permit(user, map) expect(subject).to permit(user, map)
end end
end end
permissions :show?, :update?, :destroy? do permissions :show?, :update?, :destroy? do
it 'can not view or modify' do it 'denies access' do
expect(subject).to_not permit(user, map) expect(subject).to_not permit(user, map)
end end
it 'owner can view and modify' do it 'permits access to owner' do
expect(subject).to permit(owner, map) expect(subject).to permit(owner, map)
end end
end end

View file

@ -0,0 +1,7 @@
require 'rails_helper'
RSpec.describe MappingPolicy, type: :policy do
subject { described_class }
pending 'Implement some mapping tests!'
end

View file

@ -0,0 +1,92 @@
require 'rails_helper'
RSpec.describe SynapsePolicy, type: :policy do
subject { described_class }
context 'unauthenticated' do
context 'commons' do
let(:synapse) { create(:synapse, permission: :commons) }
permissions :show? do
it 'permits access' do
expect(subject).to permit(nil, synapse)
end
end
permissions :create?, :update?, :destroy? do
it 'denies access' do
expect(subject).to_not permit(nil, synapse)
end
end
end
context 'private' do
let(:synapse) { create(:synapse, permission: :private) }
permissions :show?, :create?, :update?, :destroy? do
it 'denies access' do
expect(subject).to_not permit(nil, synapse)
end
end
end
end
#
# Now begin the logged-in tests
#
context 'logged in' do
let(:user) { create(:user) }
context 'commons' do
let(:owner) { create(:user) }
let(:synapse) { create(:synapse, permission: :commons, user: owner) }
permissions :show?, :create?, :update? do
it 'permits access' do
expect(subject).to permit(user, synapse)
end
end
permissions :destroy? do
it 'denies access' do
expect(subject).to_not permit(user, synapse)
end
it 'permits access to owner' do
expect(subject).to permit(owner, synapse)
end
end
end
context 'public' do
let(:owner) { create(:user) }
let(:synapse) { create(:synapse, permission: :public, user: owner) }
permissions :show?, :create? do
it 'permits access' do
expect(subject).to permit(user, synapse)
end
end
permissions :update?, :destroy? do
it 'denies access' do
expect(subject).to_not permit(user, synapse)
end
it 'permits access to owner' do
expect(subject).to permit(owner, synapse)
end
end
end
context 'private' do
let(:owner) { create(:user) }
let(:synapse) { create(:synapse, permission: :private, user: owner) }
permissions :create? do
it 'permits access' do
expect(subject).to permit(user, synapse)
end
end
permissions :show?, :update?, :destroy? do
it 'denies access' do
expect(subject).to_not permit(user, synapse)
end
it 'permits access to owner' do
expect(subject).to permit(owner, synapse)
end
end
end
end
end

View file

@ -0,0 +1,92 @@
require 'rails_helper'
RSpec.describe TopicPolicy, type: :policy do
subject { described_class }
context 'unauthenticated' do
context 'commons' do
let(:topic) { create(:topic, permission: :commons) }
permissions :show? do
it 'permits access' do
expect(subject).to permit(nil, topic)
end
end
permissions :create?, :update?, :destroy? do
it 'denies access' do
expect(subject).to_not permit(nil, topic)
end
end
end
context 'private' do
let(:topic) { create(:topic, permission: :private) }
permissions :show?, :create?, :update?, :destroy? do
it 'denies access' do
expect(subject).to_not permit(nil, topic)
end
end
end
end
#
# Now begin the logged-in tests
#
context 'logged in' do
let(:user) { create(:user) }
context 'commons' do
let(:owner) { create(:user) }
let(:topic) { create(:topic, permission: :commons, user: owner) }
permissions :show?, :create?, :update? do
it 'permits access' do
expect(subject).to permit(user, topic)
end
end
permissions :destroy? do
it 'denies access' do
expect(subject).to_not permit(user, topic)
end
it 'permits access to owner' do
expect(subject).to permit(owner, topic)
end
end
end
context 'public' do
let(:owner) { create(:user) }
let(:topic) { create(:topic, permission: :public, user: owner) }
permissions :show?, :create? do
it 'permits access' do
expect(subject).to permit(user, topic)
end
end
permissions :update?, :destroy? do
it 'denies access' do
expect(subject).to_not permit(user, topic)
end
it 'permits access to owner' do
expect(subject).to permit(owner, topic)
end
end
end
context 'private' do
let(:owner) { create(:user) }
let(:topic) { create(:topic, permission: :private, user: owner) }
permissions :create? do
it 'permits access' do
expect(subject).to permit(user, topic)
end
end
permissions :show?, :update?, :destroy? do
it 'denies access' do
expect(subject).to_not permit(user, topic)
end
it 'permits access to owner' do
expect(subject).to permit(owner, topic)
end
end
end
end
end