permitter 0.0.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +7 -0
- data/MIT-LICENSE +20 -0
- data/README.rdoc +302 -0
- data/Rakefile +32 -0
- data/lib/generators/permitter/permission/USAGE +5 -0
- data/lib/generators/permitter/permission/permission_generator.rb +16 -0
- data/lib/generators/permitter/permission/templates/permission.rb +22 -0
- data/lib/generators/permitter/permission/templates/permission_spec.rb +17 -0
- data/lib/permitter.rb +4 -0
- data/lib/permitter/controller_additions.rb +43 -0
- data/lib/permitter/exceptions.rb +17 -0
- data/lib/permitter/matchers.rb +11 -0
- data/lib/permitter/model_additions.rb +30 -0
- data/lib/permitter/permission.rb +72 -0
- data/lib/permitter/version.rb +3 -0
- data/spec/README.rdoc +21 -0
- data/spec/controllers/projects_controller_spec.rb +243 -0
- data/spec/controllers/users_controller_spec.rb +77 -0
- data/spec/dummy/Rakefile +6 -0
- data/spec/dummy/app/assets/javascripts/application.js +13 -0
- data/spec/dummy/app/assets/stylesheets/application.css +13 -0
- data/spec/dummy/app/controllers/application_controller.rb +19 -0
- data/spec/dummy/app/controllers/projects_controller.rb +49 -0
- data/spec/dummy/app/controllers/users_controller.rb +17 -0
- data/spec/dummy/app/helpers/application_helper.rb +2 -0
- data/spec/dummy/app/models/permission.rb +26 -0
- data/spec/dummy/app/models/project.rb +3 -0
- data/spec/dummy/app/models/user.rb +3 -0
- data/spec/dummy/app/views/layouts/application.html.erb +14 -0
- data/spec/dummy/app/views/projects/edit.html.erb +0 -0
- data/spec/dummy/app/views/projects/index.html.erb +0 -0
- data/spec/dummy/app/views/projects/new.html.erb +0 -0
- data/spec/dummy/app/views/projects/show.html.erb +0 -0
- data/spec/dummy/app/views/users/index.html.erb +0 -0
- data/spec/dummy/app/views/users/show.html.erb +0 -0
- data/spec/dummy/bin/bundle +3 -0
- data/spec/dummy/bin/rails +4 -0
- data/spec/dummy/bin/rake +4 -0
- data/spec/dummy/config.ru +4 -0
- data/spec/dummy/config/application.rb +23 -0
- data/spec/dummy/config/boot.rb +5 -0
- data/spec/dummy/config/database.yml +25 -0
- data/spec/dummy/config/environment.rb +5 -0
- data/spec/dummy/config/environments/development.rb +29 -0
- data/spec/dummy/config/environments/production.rb +80 -0
- data/spec/dummy/config/environments/test.rb +36 -0
- data/spec/dummy/config/initializers/backtrace_silencers.rb +7 -0
- data/spec/dummy/config/initializers/filter_parameter_logging.rb +4 -0
- data/spec/dummy/config/initializers/inflections.rb +16 -0
- data/spec/dummy/config/initializers/mime_types.rb +5 -0
- data/spec/dummy/config/initializers/secret_token.rb +12 -0
- data/spec/dummy/config/initializers/session_store.rb +3 -0
- data/spec/dummy/config/initializers/wrap_parameters.rb +14 -0
- data/spec/dummy/config/locales/en.yml +23 -0
- data/spec/dummy/config/routes.rb +59 -0
- data/spec/dummy/db/development.sqlite3 +0 -0
- data/spec/dummy/db/migrate/20131205175023_create_projects.rb +10 -0
- data/spec/dummy/db/migrate/20131205175100_create_users.rb +10 -0
- data/spec/dummy/db/migrate/20131210152022_add_columns_to_projects.rb +5 -0
- data/spec/dummy/db/schema.rb +31 -0
- data/spec/dummy/db/test.sqlite3 +0 -0
- data/spec/dummy/log/development.log +825 -0
- data/spec/dummy/log/test.log +44662 -0
- data/spec/dummy/public/404.html +58 -0
- data/spec/dummy/public/422.html +58 -0
- data/spec/dummy/public/500.html +57 -0
- data/spec/dummy/public/favicon.ico +0 -0
- data/spec/factories/project.rb +6 -0
- data/spec/factories/user.rb +10 -0
- data/spec/models/permission_spec.rb +72 -0
- data/spec/permitter/controller_additions_spec.rb +44 -0
- data/spec/permitter/exceptions_spec.rb +36 -0
- data/spec/permitter/matchers_spec.rb +9 -0
- data/spec/permitter/model_additions_spec.rb +138 -0
- data/spec/permitter/permission_spec.rb +84 -0
- data/spec/spec_helper.rb +32 -0
- metadata +278 -0
@@ -0,0 +1,58 @@
|
|
1
|
+
<!DOCTYPE html>
|
2
|
+
<html>
|
3
|
+
<head>
|
4
|
+
<title>The page you were looking for doesn't exist (404)</title>
|
5
|
+
<style>
|
6
|
+
body {
|
7
|
+
background-color: #EFEFEF;
|
8
|
+
color: #2E2F30;
|
9
|
+
text-align: center;
|
10
|
+
font-family: arial, sans-serif;
|
11
|
+
}
|
12
|
+
|
13
|
+
div.dialog {
|
14
|
+
width: 25em;
|
15
|
+
margin: 4em auto 0 auto;
|
16
|
+
border: 1px solid #CCC;
|
17
|
+
border-right-color: #999;
|
18
|
+
border-left-color: #999;
|
19
|
+
border-bottom-color: #BBB;
|
20
|
+
border-top: #B00100 solid 4px;
|
21
|
+
border-top-left-radius: 9px;
|
22
|
+
border-top-right-radius: 9px;
|
23
|
+
background-color: white;
|
24
|
+
padding: 7px 4em 0 4em;
|
25
|
+
}
|
26
|
+
|
27
|
+
h1 {
|
28
|
+
font-size: 100%;
|
29
|
+
color: #730E15;
|
30
|
+
line-height: 1.5em;
|
31
|
+
}
|
32
|
+
|
33
|
+
body > p {
|
34
|
+
width: 33em;
|
35
|
+
margin: 0 auto 1em;
|
36
|
+
padding: 1em 0;
|
37
|
+
background-color: #F7F7F7;
|
38
|
+
border: 1px solid #CCC;
|
39
|
+
border-right-color: #999;
|
40
|
+
border-bottom-color: #999;
|
41
|
+
border-bottom-left-radius: 4px;
|
42
|
+
border-bottom-right-radius: 4px;
|
43
|
+
border-top-color: #DADADA;
|
44
|
+
color: #666;
|
45
|
+
box-shadow:0 3px 8px rgba(50, 50, 50, 0.17);
|
46
|
+
}
|
47
|
+
</style>
|
48
|
+
</head>
|
49
|
+
|
50
|
+
<body>
|
51
|
+
<!-- This file lives in public/404.html -->
|
52
|
+
<div class="dialog">
|
53
|
+
<h1>The page you were looking for doesn't exist.</h1>
|
54
|
+
<p>You may have mistyped the address or the page may have moved.</p>
|
55
|
+
</div>
|
56
|
+
<p>If you are the application owner check the logs for more information.</p>
|
57
|
+
</body>
|
58
|
+
</html>
|
@@ -0,0 +1,58 @@
|
|
1
|
+
<!DOCTYPE html>
|
2
|
+
<html>
|
3
|
+
<head>
|
4
|
+
<title>The change you wanted was rejected (422)</title>
|
5
|
+
<style>
|
6
|
+
body {
|
7
|
+
background-color: #EFEFEF;
|
8
|
+
color: #2E2F30;
|
9
|
+
text-align: center;
|
10
|
+
font-family: arial, sans-serif;
|
11
|
+
}
|
12
|
+
|
13
|
+
div.dialog {
|
14
|
+
width: 25em;
|
15
|
+
margin: 4em auto 0 auto;
|
16
|
+
border: 1px solid #CCC;
|
17
|
+
border-right-color: #999;
|
18
|
+
border-left-color: #999;
|
19
|
+
border-bottom-color: #BBB;
|
20
|
+
border-top: #B00100 solid 4px;
|
21
|
+
border-top-left-radius: 9px;
|
22
|
+
border-top-right-radius: 9px;
|
23
|
+
background-color: white;
|
24
|
+
padding: 7px 4em 0 4em;
|
25
|
+
}
|
26
|
+
|
27
|
+
h1 {
|
28
|
+
font-size: 100%;
|
29
|
+
color: #730E15;
|
30
|
+
line-height: 1.5em;
|
31
|
+
}
|
32
|
+
|
33
|
+
body > p {
|
34
|
+
width: 33em;
|
35
|
+
margin: 0 auto 1em;
|
36
|
+
padding: 1em 0;
|
37
|
+
background-color: #F7F7F7;
|
38
|
+
border: 1px solid #CCC;
|
39
|
+
border-right-color: #999;
|
40
|
+
border-bottom-color: #999;
|
41
|
+
border-bottom-left-radius: 4px;
|
42
|
+
border-bottom-right-radius: 4px;
|
43
|
+
border-top-color: #DADADA;
|
44
|
+
color: #666;
|
45
|
+
box-shadow:0 3px 8px rgba(50, 50, 50, 0.17);
|
46
|
+
}
|
47
|
+
</style>
|
48
|
+
</head>
|
49
|
+
|
50
|
+
<body>
|
51
|
+
<!-- This file lives in public/422.html -->
|
52
|
+
<div class="dialog">
|
53
|
+
<h1>The change you wanted was rejected.</h1>
|
54
|
+
<p>Maybe you tried to change something you didn't have access to.</p>
|
55
|
+
</div>
|
56
|
+
<p>If you are the application owner check the logs for more information.</p>
|
57
|
+
</body>
|
58
|
+
</html>
|
@@ -0,0 +1,57 @@
|
|
1
|
+
<!DOCTYPE html>
|
2
|
+
<html>
|
3
|
+
<head>
|
4
|
+
<title>We're sorry, but something went wrong (500)</title>
|
5
|
+
<style>
|
6
|
+
body {
|
7
|
+
background-color: #EFEFEF;
|
8
|
+
color: #2E2F30;
|
9
|
+
text-align: center;
|
10
|
+
font-family: arial, sans-serif;
|
11
|
+
}
|
12
|
+
|
13
|
+
div.dialog {
|
14
|
+
width: 25em;
|
15
|
+
margin: 4em auto 0 auto;
|
16
|
+
border: 1px solid #CCC;
|
17
|
+
border-right-color: #999;
|
18
|
+
border-left-color: #999;
|
19
|
+
border-bottom-color: #BBB;
|
20
|
+
border-top: #B00100 solid 4px;
|
21
|
+
border-top-left-radius: 9px;
|
22
|
+
border-top-right-radius: 9px;
|
23
|
+
background-color: white;
|
24
|
+
padding: 7px 4em 0 4em;
|
25
|
+
}
|
26
|
+
|
27
|
+
h1 {
|
28
|
+
font-size: 100%;
|
29
|
+
color: #730E15;
|
30
|
+
line-height: 1.5em;
|
31
|
+
}
|
32
|
+
|
33
|
+
body > p {
|
34
|
+
width: 33em;
|
35
|
+
margin: 0 auto 1em;
|
36
|
+
padding: 1em 0;
|
37
|
+
background-color: #F7F7F7;
|
38
|
+
border: 1px solid #CCC;
|
39
|
+
border-right-color: #999;
|
40
|
+
border-bottom-color: #999;
|
41
|
+
border-bottom-left-radius: 4px;
|
42
|
+
border-bottom-right-radius: 4px;
|
43
|
+
border-top-color: #DADADA;
|
44
|
+
color: #666;
|
45
|
+
box-shadow:0 3px 8px rgba(50, 50, 50, 0.17);
|
46
|
+
}
|
47
|
+
</style>
|
48
|
+
</head>
|
49
|
+
|
50
|
+
<body>
|
51
|
+
<!-- This file lives in public/500.html -->
|
52
|
+
<div class="dialog">
|
53
|
+
<h1>We're sorry, but something went wrong.</h1>
|
54
|
+
</div>
|
55
|
+
<p>If you are the application owner check the logs for more information.</p>
|
56
|
+
</body>
|
57
|
+
</html>
|
File without changes
|
@@ -0,0 +1,72 @@
|
|
1
|
+
require "spec_helper"
|
2
|
+
|
3
|
+
describe Permission do
|
4
|
+
let(:admin) { build(:admin) }
|
5
|
+
let(:user1) { create(:user) }
|
6
|
+
let(:user2) { create(:user) }
|
7
|
+
let(:project1) { build(:project, user: user1) }
|
8
|
+
let(:project2) { build(:project, user: user2) }
|
9
|
+
|
10
|
+
|
11
|
+
describe "as admin" do
|
12
|
+
subject { Permission.new(admin) }
|
13
|
+
|
14
|
+
it "allows anything" do
|
15
|
+
should allow_action(:anything, :here)
|
16
|
+
should allow_param(:anything, :here)
|
17
|
+
end
|
18
|
+
end
|
19
|
+
|
20
|
+
|
21
|
+
describe "for user" do
|
22
|
+
subject { Permission.new(user1) }
|
23
|
+
|
24
|
+
it "projects" do
|
25
|
+
should allow_action(:projects, :index)
|
26
|
+
should allow_action(:projects, :new)
|
27
|
+
should allow_action(:projects, :create)
|
28
|
+
should allow_action(:projects, :show)
|
29
|
+
should_not allow_action(:projects, :edit)
|
30
|
+
should_not allow_action(:projects, :update)
|
31
|
+
should_not allow_action(:projects, :edit, project2)
|
32
|
+
should_not allow_action(:projects, :update, project2)
|
33
|
+
should allow_action(:projects, :edit, project1)
|
34
|
+
should allow_action(:projects, :update, project1)
|
35
|
+
should_not allow_action(:projects, :destroy)
|
36
|
+
should_not allow_action(:projects, :destroy, project1)
|
37
|
+
should_not allow_action(:projects, :destroy, project2)
|
38
|
+
should allow_param(:project, :title)
|
39
|
+
should_not allow_param(:project, :sticky)
|
40
|
+
end
|
41
|
+
|
42
|
+
it 'users' do
|
43
|
+
should allow_action(:users, :index)
|
44
|
+
should_not allow_action(:users, :show)
|
45
|
+
should_not allow_action(:users, :show, user2)
|
46
|
+
should allow_action(:users, :show, user1)
|
47
|
+
end
|
48
|
+
end
|
49
|
+
|
50
|
+
|
51
|
+
describe "for visitor" do
|
52
|
+
subject { Permission.new(nil) }
|
53
|
+
|
54
|
+
it "projects" do
|
55
|
+
should allow_action(:projects, :index)
|
56
|
+
should_not allow_action(:projects, :new)
|
57
|
+
should_not allow_action(:projects, :create)
|
58
|
+
should_not allow_action(:projects, :show)
|
59
|
+
should_not allow_action(:projects, :edit)
|
60
|
+
should_not allow_action(:projects, :update)
|
61
|
+
should_not allow_action(:projects, :destroy)
|
62
|
+
should_not allow_action(:projects, :show, project1)
|
63
|
+
should_not allow_action(:projects, :edit, project1)
|
64
|
+
should_not allow_action(:projects, :update, project1)
|
65
|
+
should_not allow_action(:projects, :destroy, project1)
|
66
|
+
should_not allow_action(:projects, :show, project2)
|
67
|
+
should_not allow_action(:projects, :edit, project2)
|
68
|
+
should_not allow_action(:projects, :update, project2)
|
69
|
+
should_not allow_action(:projects, :destroy, project2)
|
70
|
+
end
|
71
|
+
end
|
72
|
+
end
|
@@ -0,0 +1,44 @@
|
|
1
|
+
require "spec_helper"
|
2
|
+
|
3
|
+
class StubbedPermission
|
4
|
+
include Permitter::Permission
|
5
|
+
|
6
|
+
def initialize(user)
|
7
|
+
allow_action :foo, :bar
|
8
|
+
end
|
9
|
+
|
10
|
+
end
|
11
|
+
|
12
|
+
|
13
|
+
describe Permitter::ControllerAdditions do
|
14
|
+
before(:each) do
|
15
|
+
@params = HashWithIndifferentAccess.new
|
16
|
+
@current_user = nil
|
17
|
+
|
18
|
+
@controller_class = Class.new
|
19
|
+
@controller = @controller_class.new
|
20
|
+
|
21
|
+
@controller.stub(:params) { @params }
|
22
|
+
@controller_class.stub(:helper_method) { :helper_method }
|
23
|
+
@controller.stub(:current_permissions) { StubbedPermission.new(@current_user) }
|
24
|
+
|
25
|
+
@controller_class.send(:include, Permitter::ControllerAdditions)
|
26
|
+
end
|
27
|
+
|
28
|
+
it "provides an allowed_action? method which goes through the current permissions" do
|
29
|
+
expect(@controller.allowed_action?(:foo, :bar)).to be true
|
30
|
+
expect(@controller.allowed_action?(:foo, :baz)).to be false
|
31
|
+
end
|
32
|
+
|
33
|
+
it "authorize_user! should raise Unauthorized when user not authoried" do
|
34
|
+
authorization = ->(action) do
|
35
|
+
@params.merge!(controller: "foo", action: action)
|
36
|
+
@controller.instance_eval{ authorize_user! }
|
37
|
+
end
|
38
|
+
|
39
|
+
expect(-> {authorization.call('bar')}).to_not raise_error
|
40
|
+
expect(-> {authorization.call('baz')}).to raise_error Permitter::Unauthorized
|
41
|
+
end
|
42
|
+
|
43
|
+
|
44
|
+
end
|
@@ -0,0 +1,36 @@
|
|
1
|
+
require "spec_helper"
|
2
|
+
|
3
|
+
describe Permitter::Unauthorized do
|
4
|
+
describe "with action and subject" do
|
5
|
+
before(:each) do
|
6
|
+
@exception = Permitter::Unauthorized.new(nil, :some_action, :some_subject)
|
7
|
+
end
|
8
|
+
|
9
|
+
it "has action and subject accessors" do
|
10
|
+
expect(@exception.action).to eq :some_action
|
11
|
+
expect(@exception.subject).to eq :some_subject
|
12
|
+
end
|
13
|
+
|
14
|
+
it "has a changable default message" do
|
15
|
+
expect(@exception.message).to eq "You are not authorized to access this page."
|
16
|
+
@exception.default_message = "Unauthorized!"
|
17
|
+
expect(@exception.message).to eq "Unauthorized!"
|
18
|
+
end
|
19
|
+
end
|
20
|
+
|
21
|
+
describe "with only a message" do
|
22
|
+
before(:each) do
|
23
|
+
@exception = Permitter::Unauthorized.new("Access denied!")
|
24
|
+
end
|
25
|
+
|
26
|
+
it "has nil action and subject" do
|
27
|
+
expect(@exception.action).to be nil
|
28
|
+
expect(@exception.subject).to be nil
|
29
|
+
end
|
30
|
+
|
31
|
+
it "has passed message" do
|
32
|
+
expect(@exception.message).to eq "Access denied!"
|
33
|
+
end
|
34
|
+
end
|
35
|
+
|
36
|
+
end
|
@@ -0,0 +1,138 @@
|
|
1
|
+
require "spec_helper"
|
2
|
+
|
3
|
+
class Category < ActiveRecord::Base
|
4
|
+
unless connection.tables.include?(table_name)
|
5
|
+
connection.create_table(table_name) do |t|
|
6
|
+
t.boolean :visible
|
7
|
+
end
|
8
|
+
end
|
9
|
+
has_many :articles
|
10
|
+
end
|
11
|
+
|
12
|
+
class Article < ActiveRecord::Base
|
13
|
+
unless connection.tables.include?(table_name)
|
14
|
+
connection.create_table(table_name) do |t|
|
15
|
+
t.integer :category_id
|
16
|
+
t.string :name
|
17
|
+
t.boolean :published
|
18
|
+
t.boolean :secret
|
19
|
+
t.integer :priority
|
20
|
+
end
|
21
|
+
end
|
22
|
+
belongs_to :category
|
23
|
+
has_many :comments
|
24
|
+
end
|
25
|
+
|
26
|
+
class Comment < ActiveRecord::Base
|
27
|
+
unless connection.tables.include?(table_name)
|
28
|
+
connection.create_table(table_name) do |t|
|
29
|
+
t.integer :article_id
|
30
|
+
t.boolean :spam
|
31
|
+
end
|
32
|
+
end
|
33
|
+
belongs_to :article
|
34
|
+
end
|
35
|
+
|
36
|
+
describe Permitter::ModelAdditions do
|
37
|
+
before do
|
38
|
+
Article.delete_all
|
39
|
+
Comment.delete_all
|
40
|
+
|
41
|
+
@permissions = Object.new
|
42
|
+
@permissions.extend(Permitter::Permission)
|
43
|
+
|
44
|
+
@article_table = Article.table_name
|
45
|
+
@comment_table = Comment.table_name
|
46
|
+
end
|
47
|
+
|
48
|
+
it "does not fetch any records when no permissions are defined" do
|
49
|
+
Article.create!
|
50
|
+
|
51
|
+
expect(Article.permitted_by(@permissions)).to be_empty
|
52
|
+
end
|
53
|
+
|
54
|
+
it "fetches all articles when one can read all" do
|
55
|
+
@permissions.allow_action(:articles, :show)
|
56
|
+
|
57
|
+
article1 = Article.create!
|
58
|
+
article2 = Article.create!
|
59
|
+
|
60
|
+
expect(@permissions).to allow_action(:articles, :show)
|
61
|
+
expect(Article.permitted_by(@permissions)).to eq([article1, article2])
|
62
|
+
end
|
63
|
+
|
64
|
+
it "fetches only the articles that are published" do
|
65
|
+
block = Proc.new { |article| article.published == true }
|
66
|
+
|
67
|
+
@permissions.allow_action(:articles, :show, &block)
|
68
|
+
|
69
|
+
article1 = Article.create!(published: true)
|
70
|
+
article2 = Article.create!(published: false)
|
71
|
+
|
72
|
+
expect(@permissions).to allow_action(:articles, :show, article1)
|
73
|
+
expect(@permissions).to_not allow_action(:articles, :show, article2)
|
74
|
+
expect(Article.permitted_by(@permissions)).to eq([article1])
|
75
|
+
end
|
76
|
+
|
77
|
+
it "fetches any articles which are published or secret" do
|
78
|
+
block = Proc.new { |article| (article.published == true) | (article.secret == true) }
|
79
|
+
|
80
|
+
@permissions.allow_action(:articles, :show, &block)
|
81
|
+
|
82
|
+
article1 = Article.create!(published: true, secret: false)
|
83
|
+
article2 = Article.create!(published: true, secret: true)
|
84
|
+
article3 = Article.create!(published: false, secret: true)
|
85
|
+
article4 = Article.create!(published: false, secret: false)
|
86
|
+
|
87
|
+
expect(@permissions).to allow_action(:articles, :show, article1)
|
88
|
+
expect(@permissions).to allow_action(:articles, :show, article2)
|
89
|
+
expect(@permissions).to allow_action(:articles, :show, article3)
|
90
|
+
expect(@permissions).to_not allow_action(:articles, :show, article4)
|
91
|
+
expect(Article.permitted_by(@permissions)).to eq([article1, article2, article3])
|
92
|
+
end
|
93
|
+
|
94
|
+
it "fetches only the articles that are published and not secret" do
|
95
|
+
block = Proc.new { |article| (article.published == true) & (article.secret == false) }
|
96
|
+
|
97
|
+
@permissions.allow_action(:articles, :show, &block)
|
98
|
+
|
99
|
+
article1 = Article.create!(published: true, secret: false)
|
100
|
+
article2 = Article.create!(published: true, secret: true)
|
101
|
+
article3 = Article.create!(published: false, secret: true)
|
102
|
+
article4 = Article.create!(published: false, secret: false)
|
103
|
+
|
104
|
+
expect(@permissions).to allow_action(:articles, :show, article1)
|
105
|
+
expect(@permissions).to_not allow_action(:articles, :show, article2)
|
106
|
+
expect(@permissions).to_not allow_action(:articles, :show, article3)
|
107
|
+
expect(@permissions).to_not allow_action(:articles, :show, article4)
|
108
|
+
expect(Article.permitted_by(@permissions)).to eq([article1])
|
109
|
+
end
|
110
|
+
|
111
|
+
it "only reads comments for articles which are published" do
|
112
|
+
block = Proc.new { article.published == true }
|
113
|
+
|
114
|
+
@permissions.allow_action(:comments, :permitted, &block)
|
115
|
+
|
116
|
+
comment1 = Comment.create!(article: Article.create!(published: true))
|
117
|
+
comment2 = Comment.create!(article: Article.create!(published: false))
|
118
|
+
|
119
|
+
@comments = Comment.joins(:article).permitted_by(@permissions, :permitted)
|
120
|
+
expect(@comments).to eq([comment1])
|
121
|
+
|
122
|
+
@comments = Comment.joins{article}.permitted_by(@permissions, :permitted)
|
123
|
+
expect(@comments).to eq([comment1])
|
124
|
+
end
|
125
|
+
|
126
|
+
it "only reads comments for visible categories through articles" do
|
127
|
+
block = Proc.new { article.category.visible == true }
|
128
|
+
|
129
|
+
@permissions.allow_action(:comments, :permitted, &block)
|
130
|
+
|
131
|
+
comment1 = Comment.create!(article: Article.create!(category: Category.create!(visible: true)))
|
132
|
+
comment2 = Comment.create!(article: Article.create!(category: Category.create!(visible: false)))
|
133
|
+
|
134
|
+
@comments = Comment.joins{article.category}.permitted_by(@permissions, :permitted)
|
135
|
+
expect(@comments).to eq([comment1])
|
136
|
+
end
|
137
|
+
|
138
|
+
end
|