micro-blogger/test/policies/user_policy_test.rb

95 lines
2.4 KiB
Ruby
Raw Permalink Normal View History

2018-11-10 18:46:47 -06:00
# frozen_string_literal: true
require 'test_helper'
class UserPolicyTest < PolicyAssertions::Test
test 'must authenticate for actions' do
assert_raise Pundit::NotAuthorizedError do
%w[create show update destroy].each do |action|
UserPolicy.new(nil, User.new).send("#{action}?")
end
end
end
test 'should allow admin to scope' do
scope = UserPolicy::Scope.new(users(:admin), User).resolve
assert_equal User.count, scope.count
end
test 'non admins can only scope themselves' do
%i[author].each do |user|
scope = UserPolicy::Scope.new(users(user), User).resolve
assert_equal 1, scope.count, "Scope did not have 1 result for #{user}"
assert_equal users(user), scope.first, "Scope did not contain self for #{user}"
end
end
test 'admins have role in permitted params' do
policy = UserPolicy.new users(:admin), nil
assert policy.permitted_attributes.include?(:role)
end
test 'non-admins can not edit roles' do
%i[author].each do |user|
policy = UserPolicy.new users(user), nil
assert_not policy.permitted_attributes.include?(:role)
end
end
# create
test 'only admins can create' do
assert_permit users(:admin), User, :create?
%i[author].each do |user|
assert_not_permitted users(user), User, :create?
end
end
# delete
test 'only admins can destroy' do
assert_permit users(:admin), User, :destroy?
%i[author].each do |user|
assert_not_permitted users(user), User, :destroy?
end
end
# show
test 'admin can view any role' do
%i[admin author].each do |user|
assert_permit users(:admin), users(user), :show?
end
end
test 'non-admins can view themselves' do
%i[author].each do |user|
assert_permit users(user), users(user), :show?
end
end
test 'author roles can only view themselves' do
%i[admin sally michelle].each do |user|
assert_not_permitted users(:author), users(user), :show?
end
end
# updates
test 'admin can update any role' do
%i[admin author].each do |user|
assert_permit users(:admin), users(user), :update?
end
end
test 'non-admins can update themselves' do
%i[author].each do |user|
assert_permit users(user), users(user), :update?
end
end
test 'authors can not update other roles' do
%i[admin sally michelle].each do |user|
assert_not_permitted users(:author), users(user), :update?
end
end
end