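# frozen_string_literal: true

require 'spec_helper'

# Authorization examples for UserPolicy: which abilities `current_user` holds
# over `user`. Each example builds the policy from a pair of users and asserts
# one ability, so every `context` varies a single dimension: who is acting,
# whether admin mode is active, and whether the account involved is blocked,
# ghost, or unconfirmed.
RSpec.describe UserPolicy do
  let_it_be(:admin) { create(:user, :admin) }
  let_it_be(:regular_user) { create(:user) }
  let_it_be(:subject_user) { create(:user) }

  # The acting user and the user being acted upon; contexts below override
  # these to change the actor or the target.
  let(:current_user) { regular_user }
  let(:user) { subject_user }

  subject { described_class.new(current_user, user) }

  describe "reading a user's information" do
    it { is_expected.to be_allowed(:read_user) }
  end

  describe "reading a different user's Personal Access Tokens" do
    context 'when user is admin' do
      let(:current_user) { admin }

      # Admin privileges apply only while admin mode is active; an admin
      # outside admin mode is treated like a regular user here.
      context 'when admin mode is enabled', :enable_admin_mode do
        it { is_expected.to be_allowed(:read_user_personal_access_tokens) }
      end

      context 'when admin mode is disabled' do
        it { is_expected.not_to be_allowed(:read_user_personal_access_tokens) }
      end
    end

    context 'when user is not an admin' do
      context 'requesting their own personal access tokens' do
        subject { described_class.new(current_user, current_user) }

        it { is_expected.to be_allowed(:read_user_personal_access_tokens) }
      end

      context "requesting a different user's personal access tokens" do
        it { is_expected.not_to be_allowed(:read_user_personal_access_tokens) }
      end
    end
  end

  describe "creating a different user's Personal Access Tokens" do
    context 'when current_user is admin' do
      let(:current_user) { admin }

      context 'when admin mode is enabled and current_user is not blocked', :enable_admin_mode do
        it { is_expected.to be_allowed(:create_user_personal_access_token) }
      end

      # A blocked account must not be able to mint credentials even with
      # admin mode on.
      context 'when admin mode is enabled and current_user is blocked', :enable_admin_mode do
        let(:current_user) { create(:admin, :blocked) }

        it { is_expected.not_to be_allowed(:create_user_personal_access_token) }
      end

      context 'when admin mode is disabled' do
        it { is_expected.not_to be_allowed(:create_user_personal_access_token) }
      end
    end

    context 'when current_user is not an admin' do
      context 'creating their own personal access tokens' do
        subject { described_class.new(current_user, current_user) }

        context 'when current_user is not blocked' do
          it { is_expected.to be_allowed(:create_user_personal_access_token) }
        end

        context 'when current_user is blocked' do
          let(:current_user) { create(:user, :blocked) }

          it { is_expected.not_to be_allowed(:create_user_personal_access_token) }
        end
      end

      context "creating a different user's personal access tokens" do
        it { is_expected.not_to be_allowed(:create_user_personal_access_token) }
      end
    end
  end

  # Abilities that mutate another user's record share one rule set: the user
  # themselves, or an admin in admin mode, may perform them, and a ghost user
  # is never a valid target. The context wording is kept ability-neutral
  # because these examples are reused for status updates, destruction and
  # profile updates alike.
  shared_examples 'changing a user' do |ability|
    context 'when a regular user targets another regular user' do
      it { is_expected.not_to be_allowed(ability) }
    end

    context 'when a regular user targets themselves' do
      let(:current_user) { user }

      it { is_expected.to be_allowed(ability) }
    end

    context 'when an admin user targets a regular user' do
      let(:current_user) { admin }

      context 'when admin mode is enabled', :enable_admin_mode do
        it { is_expected.to be_allowed(ability) }
      end

      context 'when admin mode is disabled' do
        it { is_expected.not_to be_allowed(ability) }
      end
    end

    context 'when an admin user targets a ghost user' do
      let(:current_user) { admin }
      let(:user) { create(:user, :ghost) }

      it { is_expected.not_to be_allowed(ability) }
    end
  end

  describe "updating a user's status" do
    it_behaves_like 'changing a user', :update_user_status
  end

  describe "destroying a user" do
    it_behaves_like 'changing a user', :destroy_user
  end

  describe "updating a user" do
    it_behaves_like 'changing a user', :update_user
  end

  describe 'disabling two-factor authentication' do
    context 'disabling their own two-factor authentication' do
      let(:user) { current_user }

      it { is_expected.to be_allowed(:disable_two_factor) }
    end

    context 'disabling the two-factor authentication of another user' do
      # NOTE(review): unlike the other admin-gated abilities in this file,
      # there is no 'when admin mode is disabled' example for this ability;
      # confirm the policy denies it outside admin mode and add that case.
      context 'when the executor is an admin', :enable_admin_mode do
        let(:current_user) { admin }

        it { is_expected.to be_allowed(:disable_two_factor) }
      end

      context 'when the executor is not an admin' do
        it { is_expected.not_to be_allowed(:disable_two_factor) }
      end
    end
  end

  describe "reading a user's group count" do
    # NOTE(review): only the admin-mode-enabled branch is covered for admins;
    # the admin-mode-disabled outcome is not asserted here.
    context "when current_user is an admin", :enable_admin_mode do
      let(:current_user) { admin }

      it { is_expected.to be_allowed(:read_group_count) }
    end

    context "for self users" do
      let(:user) { current_user }

      it { is_expected.to be_allowed(:read_group_count) }
    end

    context "when accessing a different user's group count" do
      it { is_expected.not_to be_allowed(:read_group_count) }
    end
  end

  describe ':read_user_profile' do
    # Visibility of a profile depends on the target's confirmation state,
    # not on who is asking.
    context 'when the user is unconfirmed' do
      let(:user) { create(:user, :unconfirmed) }

      it { is_expected.not_to be_allowed(:read_user_profile) }
    end

    context 'when the user is confirmed' do
      it { is_expected.to be_allowed(:read_user_profile) }
    end
  end

  describe ':read_user_groups' do
    context 'when user is admin' do
      let(:current_user) { admin }

      context 'when admin mode is enabled', :enable_admin_mode do
        it { is_expected.to be_allowed(:read_user_groups) }
      end

      context 'when admin mode is disabled' do
        it { is_expected.not_to be_allowed(:read_user_groups) }
      end
    end

    context 'when user is not an admin' do
      context 'requesting their own manageable groups' do
        subject { described_class.new(current_user, current_user) }

        it { is_expected.to be_allowed(:read_user_groups) }
      end

      context "requesting a different user's manageable groups" do
        it { is_expected.not_to be_allowed(:read_user_groups) }
      end
    end
  end
end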