Users & Auth

test/policies/application_policy_test.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+
+class ApplicationPolicyTest < PolicyAssertions::Test
+  # Verify default policies are most restrictive
+
+  test 'should not permit by default' do
+    admin = users(:admin)
+    assert_not ApplicationPolicy.new(admin, nil).show?
+    assert_not ApplicationPolicy.new(admin, nil).index?
+    assert_not ApplicationPolicy.new(admin, nil).create?
+    assert_not ApplicationPolicy.new(admin, nil).new?
+    assert_not ApplicationPolicy.new(admin, nil).update?
+    assert_not ApplicationPolicy.new(admin, nil).edit?
+    assert_not ApplicationPolicy.new(admin, nil).destroy?
+  end
+end

test/policies/user_policy_test.rb

@@ -0,0 +1,94 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+
+class UserPolicyTest < PolicyAssertions::Test
+  test 'must authenticate for actions' do
+    assert_raise Pundit::NotAuthorizedError do
+      %w[create show update destroy].each do |action|
+        UserPolicy.new(nil, User.new).send("#{action}?")
+      end
+    end
+  end
+
+  test 'should allow admin to scope' do
+    scope = UserPolicy::Scope.new(users(:admin), User).resolve
+    assert_equal User.count, scope.count
+  end
+
+  test 'non admins can only scope themselves' do
+    %i[author].each do |user|
+      scope = UserPolicy::Scope.new(users(user), User).resolve
+      assert_equal 1, scope.count, "Scope did not have 1 result for #{user}"
+      assert_equal users(user), scope.first, "Scope did not contain self for #{user}"
+    end
+  end
+
+  test 'admins have role in permitted params' do
+    policy = UserPolicy.new users(:admin), nil
+    assert policy.permitted_attributes.include?(:role)
+  end
+
+  test 'non-admins can not edit roles' do
+    %i[author].each do |user|
+      policy = UserPolicy.new users(user), nil
+      assert_not policy.permitted_attributes.include?(:role)
+    end
+  end
+
+  # create
+  test 'only admins can create' do
+    assert_permit users(:admin), User, :create?
+
+    %i[author].each do |user|
+      assert_not_permitted users(user), User, :create?
+    end
+  end
+
+  # delete
+  test 'only admins can destroy' do
+    assert_permit users(:admin), User, :destroy?
+
+    %i[author].each do |user|
+      assert_not_permitted users(user), User, :destroy?
+    end
+  end
+
+  # show
+  test 'admin can view any role' do
+    %i[admin author].each do |user|
+      assert_permit users(:admin), users(user), :show?
+    end
+  end
+
+  test 'non-admins can view themselves' do
+    %i[author].each do |user|
+      assert_permit users(user), users(user), :show?
+    end
+  end
+
+  test 'author roles can only view themselves' do
+    %i[admin sally michelle].each do |user|
+      assert_not_permitted users(:author), users(user), :show?
+    end
+  end
+
+  # updates
+  test 'admin can update any role' do
+    %i[admin author].each do |user|
+      assert_permit users(:admin), users(user), :update?
+    end
+  end
+
+  test 'non-admins can update themselves' do
+    %i[author].each do |user|
+      assert_permit users(user), users(user), :update?
+    end
+  end
+
+  test 'authors can not update other roles' do
+    %i[admin sally michelle].each do |user|
+      assert_not_permitted users(:author), users(user), :update?
+    end
+  end
+end