user policies

test/policies/application_policy_test.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+require 'test_helper'
+
+class ApplicationPolicyTest < PolicyAssertions::Test
+  # Verify default policies are most restrictive
+
+  test 'should require a user' do
+    assert_raise Pundit::NotAuthorizedError do
+      ApplicationPolicy.new(nil, User.new)
+    end
+  end
+
+  test 'should not allow collections' do
+    assert_raise Pundit::NotAuthorizedError do
+      ApplicationPolicy::Scope.new(users(:admin), User).resolve
+    end
+  end
+
+  test 'should not permit by default' do
+    admin = users(:admin)
+    refute ApplicationPolicy.new(admin, User.new).view?
+    refute ApplicationPolicy.new(admin, User.new).show?
+    refute ApplicationPolicy.new(admin, nil).index?
+    refute ApplicationPolicy.new(admin, nil).create?
+    refute ApplicationPolicy.new(admin, nil).new?
+    refute ApplicationPolicy.new(admin, nil).update?
+    refute ApplicationPolicy.new(admin, nil).edit?
+    refute ApplicationPolicy.new(admin, nil).destroy?
+  end
+end

test/policies/user_policy_test.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+require 'test_helper'
+
+class UserPolicyTest < PolicyAssertions::Test
+  test 'should allow admin to scope' do
+    scope = UserPolicy::Scope.new(users(:admin), User).resolve
+    assert_equal User.count, scope.count
+  end
+
+  test 'should not allow non_admin' do
+    assert_raise Pundit::NotAuthorizedError do
+      UserPolicy::Scope.new(users(:manager), User).resolve
+    end
+  end
+
+  test 'should require current_user' do
+    assert_raise Pundit::NotAuthorizedError do
+      UserPolicy.new(nil, User.first).view?
+    end
+  end
+
+  def test_view
+    refute_permit users(:manager), User.first
+    assert_permit users(:admin), User.first
+  end
+
+  def test_create_and_update
+    refute_permit users(:manager), User
+    assert_permit users(:admin), User
+  end
+end