# frozen_string_literal: true

require 'spec_helper'

# Authorization matrix for PersonalAccessTokenPolicy.
#
# Every context checks the same two abilities, :read_token and :revoke_token,
# for one combination of actor (administrator, regular user, blocked
# administrator) and token (own token, another user's token, impersonation
# token). The policy implementation itself is not part of this file.
RSpec.describe PersonalAccessTokenPolicy do
  include AdminModeHelper

  subject { described_class.new(current_user, token) }

  # The two abilities are always asserted as a pair, so each context pulls in
  # exactly one of these groups.
  shared_examples 'read_token and revoke_token are allowed' do
    it { is_expected.to be_allowed(:read_token) }
    it { is_expected.to be_allowed(:revoke_token) }
  end

  shared_examples 'read_token and revoke_token are disallowed' do
    it { is_expected.to be_disallowed(:read_token) }
    it { is_expected.to be_disallowed(:revoke_token) }
  end

  # NOTE(review): every administrator context in this file carries the
  # :enable_admin_mode tag (presumably it switches admin mode on for the
  # examples; the tag's implementation is not shown here). Nothing pins what an
  # administrator may do with another user's token when the tag is absent.
  # Confirm the intended behaviour and consider adding that context.
  context 'current_user is an administrator', :enable_admin_mode do
    let_it_be(:current_user) { build_stubbed(:admin) }

    # Token built without an explicit user, i.e. not tied to current_user.
    context 'not the owner of the token' do
      let_it_be(:token) { build_stubbed(:personal_access_token) }

      include_examples 'read_token and revoke_token are allowed'
    end

    context 'owner of the token' do
      let_it_be(:token) { build_stubbed(:personal_access_token, user: current_user) }

      include_examples 'read_token and revoke_token are allowed'
    end
  end

  context 'current_user is not an administrator' do
    let_it_be(:current_user) { build_stubbed(:user) }

    # A regular user must not see or revoke somebody else's token.
    context 'not the owner of the token' do
      let_it_be(:token) { build_stubbed(:personal_access_token) }

      include_examples 'read_token and revoke_token are disallowed'
    end

    context 'owner of the token' do
      let_it_be(:token) { build_stubbed(:personal_access_token, user: current_user) }

      include_examples 'read_token and revoke_token are allowed'
    end

    # The token's user is current_user, but it is flagged as an impersonation
    # token: the impersonated user gets neither ability on it.
    context 'subject of the impersonated token' do
      let_it_be(:token) { build_stubbed(:personal_access_token, user: current_user, impersonation: true) }

      include_examples 'read_token and revoke_token are disallowed'
    end
  end

  # Being blocked is expected to override both ownership and the administrator
  # role, even with the :enable_admin_mode tag present.
  context 'current_user is a blocked administrator', :enable_admin_mode do
    # Uses create rather than build_stubbed, unlike the other contexts.
    # Presumably the :blocked trait needs a persisted record (TODO confirm).
    let_it_be(:current_user) { create(:admin, :blocked) }

    context 'owner of the token' do
      let_it_be(:token) { build_stubbed(:personal_access_token, user: current_user) }

      include_examples 'read_token and revoke_token are disallowed'
    end

    context 'not the owner of the token' do
      let_it_be(:token) { build_stubbed(:personal_access_token) }

      include_examples 'read_token and revoke_token are disallowed'
    end
  end
end