pundit 2.0.1 → 2.3.0

data/spec/authorization_spec.rb

@@ -0,0 +1,258 @@
+# frozen_string_literal: true
+
+require "spec_helper"
+
+describe Pundit::Authorization do
+  let(:controller) { Controller.new(user, "update", {}) }
+  let(:user) { double }
+  let(:post) { Post.new(user) }
+  let(:customer_post) { Customer::Post.new(user) }
+  let(:comment) { Comment.new }
+  let(:article) { Article.new }
+  let(:article_tag) { ArticleTag.new }
+  let(:wiki) { Wiki.new }
+
+  describe "#verify_authorized" do
+    it "does nothing when authorized" do
+      controller.authorize(post)
+      controller.verify_authorized
+    end
+
+    it "raises an exception when not authorized" do
+      expect { controller.verify_authorized }.to raise_error(Pundit::AuthorizationNotPerformedError)
+    end
+  end
+
+  describe "#verify_policy_scoped" do
+    it "does nothing when policy_scope is used" do
+      controller.policy_scope(Post)
+      controller.verify_policy_scoped
+    end
+
+    it "raises an exception when policy_scope is not used" do
+      expect { controller.verify_policy_scoped }.to raise_error(Pundit::PolicyScopingNotPerformedError)
+    end
+  end
+
+  describe "#pundit_policy_authorized?" do
+    it "is true when authorized" do
+      controller.authorize(post)
+      expect(controller.pundit_policy_authorized?).to be true
+    end
+
+    it "is false when not authorized" do
+      expect(controller.pundit_policy_authorized?).to be false
+    end
+  end
+
+  describe "#pundit_policy_scoped?" do
+    it "is true when policy_scope is used" do
+      controller.policy_scope(Post)
+      expect(controller.pundit_policy_scoped?).to be true
+    end
+
+    it "is false when policy scope is not used" do
+      expect(controller.pundit_policy_scoped?).to be false
+    end
+  end
+
+  describe "#authorize" do
+    it "infers the policy name and authorizes based on it" do
+      expect(controller.authorize(post)).to be_truthy
+    end
+
+    it "returns the record on successful authorization" do
+      expect(controller.authorize(post)).to eq(post)
+    end
+
+    it "returns the record when passed record with namespace " do
+      expect(controller.authorize([:project, comment], :update?)).to eq(comment)
+    end
+
+    it "returns the record when passed record with nested namespace " do
+      expect(controller.authorize([:project, :admin, comment], :update?)).to eq(comment)
+    end
+
+    it "returns the policy name symbol when passed record with headless policy" do
+      expect(controller.authorize(:publication, :create?)).to eq(:publication)
+    end
+
+    it "returns the class when passed record not a particular instance" do
+      expect(controller.authorize(Post, :show?)).to eq(Post)
+    end
+
+    it "can be given a different permission to check" do
+      expect(controller.authorize(post, :show?)).to be_truthy
+      expect { controller.authorize(post, :destroy?) }.to raise_error(Pundit::NotAuthorizedError)
+    end
+
+    it "can be given a different policy class" do
+      expect(controller.authorize(post, :create?, policy_class: PublicationPolicy)).to be_truthy
+    end
+
+    it "works with anonymous class policies" do
+      expect(controller.authorize(article_tag, :show?)).to be_truthy
+      expect { controller.authorize(article_tag, :destroy?) }.to raise_error(Pundit::NotAuthorizedError)
+    end
+
+    it "throws an exception when the permission check fails" do
+      expect { controller.authorize(Post.new) }.to raise_error(Pundit::NotAuthorizedError)
+    end
+
+    it "throws an exception when a policy cannot be found" do
+      expect { controller.authorize(Article) }.to raise_error(Pundit::NotDefinedError)
+    end
+
+    it "caches the policy" do
+      expect(controller.policies[post]).to be_nil
+      controller.authorize(post)
+      expect(controller.policies[post]).not_to be_nil
+    end
+
+    it "raises an error when the given record is nil" do
+      expect { controller.authorize(nil, :destroy?) }.to raise_error(Pundit::NotAuthorizedError)
+    end
+
+    it "raises an error with a invalid policy constructor" do
+      expect { controller.authorize(wiki, :destroy?) }.to raise_error(Pundit::InvalidConstructorError)
+    end
+  end
+
+  describe "#skip_authorization" do
+    it "disables authorization verification" do
+      controller.skip_authorization
+      expect { controller.verify_authorized }.not_to raise_error
+    end
+  end
+
+  describe "#skip_policy_scope" do
+    it "disables policy scope verification" do
+      controller.skip_policy_scope
+      expect { controller.verify_policy_scoped }.not_to raise_error
+    end
+  end
+
+  describe "#pundit_user" do
+    it "returns the same thing as current_user" do
+      expect(controller.pundit_user).to eq controller.current_user
+    end
+  end
+
+  describe "#policy" do
+    it "returns an instantiated policy" do
+      policy = controller.policy(post)
+      expect(policy.user).to eq user
+      expect(policy.post).to eq post
+    end
+
+    it "throws an exception if the given policy can't be found" do
+      expect { controller.policy(article) }.to raise_error(Pundit::NotDefinedError)
+    end
+
+    it "raises an error with a invalid policy constructor" do
+      expect { controller.policy(wiki) }.to raise_error(Pundit::InvalidConstructorError)
+    end
+
+    it "allows policy to be injected" do
+      new_policy = OpenStruct.new
+      controller.policies[post] = new_policy
+
+      expect(controller.policy(post)).to eq new_policy
+    end
+  end
+
+  describe "#policy_scope" do
+    it "returns an instantiated policy scope" do
+      expect(controller.policy_scope(Post)).to eq :published
+    end
+
+    it "allows policy scope class to be overriden" do
+      expect(controller.policy_scope(Post, policy_scope_class: PublicationPolicy::Scope)).to eq :published
+    end
+
+    it "throws an exception if the given policy can't be found" do
+      expect { controller.policy_scope(Article) }.to raise_error(Pundit::NotDefinedError)
+    end
+
+    it "raises an error with a invalid policy scope constructor" do
+      expect { controller.policy_scope(Wiki) }.to raise_error(Pundit::InvalidConstructorError)
+    end
+
+    it "allows policy_scope to be injected" do
+      new_scope = OpenStruct.new
+      controller.policy_scopes[Post] = new_scope
+
+      expect(controller.policy_scope(Post)).to eq new_scope
+    end
+  end
+
+  describe "#permitted_attributes" do
+    it "checks policy for permitted attributes" do
+      params = ActionController::Parameters.new(
+        post: {
+          title: "Hello",
+          votes: 5,
+          admin: true
+        }
+      )
+
+      action = "update"
+
+      expect(Controller.new(user, action, params).permitted_attributes(post).to_h).to eq(
+        "title" => "Hello",
+        "votes" => 5
+      )
+      expect(Controller.new(double, action, params).permitted_attributes(post).to_h).to eq("votes" => 5)
+    end
+
+    it "checks policy for permitted attributes for record of a ActiveModel type" do
+      params = ActionController::Parameters.new(
+        customer_post: {
+          title: "Hello",
+          votes: 5,
+          admin: true
+        }
+      )
+
+      action = "update"
+
+      expect(Controller.new(user, action, params).permitted_attributes(customer_post).to_h).to eq(
+        "title" => "Hello",
+        "votes" => 5
+      )
+      expect(Controller.new(double, action, params).permitted_attributes(customer_post).to_h).to eq(
+        "votes" => 5
+      )
+    end
+  end
+
+  describe "#permitted_attributes_for_action" do
+    it "is checked if it is defined in the policy" do
+      params = ActionController::Parameters.new(
+        post: {
+          title: "Hello",
+          body: "blah",
+          votes: 5,
+          admin: true
+        }
+      )
+
+      action = "revise"
+      expect(Controller.new(user, action, params).permitted_attributes(post).to_h).to eq("body" => "blah")
+    end
+
+    it "can be explicitly set" do
+      params = ActionController::Parameters.new(
+        post: {
+          title: "Hello",
+          body: "blah",
+          votes: 5,
+          admin: true
+        }
+      )
+
+      action = "update"
+      expect(Controller.new(user, action, params).permitted_attributes(post, :revise).to_h).to eq("body" => "blah")
+    end
+  end
+end

data/spec/generators_spec.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+require "spec_helper"
+require "tmpdir"
+
+require "rails/generators"
+require "generators/pundit/install/install_generator"
+require "generators/pundit/policy/policy_generator"
+
+RSpec.describe "generators" do
+  before(:all) do
+    @tmpdir = Dir.mktmpdir
+
+    Dir.chdir(@tmpdir) do
+      Pundit::Generators::InstallGenerator.new([], { quiet: true }).invoke_all
+      Pundit::Generators::PolicyGenerator.new(%w[Widget], { quiet: true }).invoke_all
+
+      require "./app/policies/application_policy"
+      require "./app/policies/widget_policy"
+    end
+  end
+
+  after(:all) do
+    FileUtils.remove_entry(@tmpdir)
+  end
+
+  describe "WidgetPolicy", type: :policy do
+    permissions :index?, :show?, :create?, :new?, :update?, :edit?, :destroy? do
+      it "has safe defaults" do
+        expect(WidgetPolicy).not_to permit(double("User"), double("Widget"))
+      end
+    end
+
+    describe "WidgetPolicy::Scope" do
+      describe "#resolve" do
+        it "raises a descriptive error" do
+          scope = WidgetPolicy::Scope.new(double("User"), double("User.all"))
+          expect { scope.resolve }.to raise_error(NotImplementedError, /WidgetPolicy::Scope/)
+        end
+      end
+    end
+  end
+end

data/spec/policies/post_policy_spec.rb

@@ -1,6 +1,8 @@
+# frozen_string_literal: true
+
 require "spec_helper"
 
-describe PostPolicy do
+RSpec.describe PostPolicy do
   let(:user) { double }
   let(:own_post) { double(user: user) }
   let(:other_post) { double(user: double) }

data/spec/policy_finder_spec.rb

@@ -1,6 +1,9 @@
+# frozen_string_literal: true
+
 require "spec_helper"
 
-describe Pundit::PolicyFinder do
+class Foo; end
+RSpec.describe Pundit::PolicyFinder do
   let(:user) { double }
   let(:post) { Post.new(user) }
   let(:comment) { CommentFourFiveSix.new }
@@ -22,37 +25,99 @@ describe Pundit::PolicyFinder do
   end
 
   describe "#policy" do
-    subject { described_class.new(post) }
+    context "with an instance" do
+      it "returns the associated policy" do
+        object = described_class.new(post)
+
+        expect(object.policy).to eq PostPolicy
+      end
+    end
+
+    context "with an array of symbols" do
+      it "returns the associated namespaced policy" do
+        object = described_class.new(%i[project post])
+
+        expect(object.policy).to eq Project::PostPolicy
+      end
+    end
 
-    it "returns a policy" do
-      expect(subject.policy).to eq PostPolicy
+    context "with an array of a symbol and an instance" do
+      it "returns the associated namespaced policy" do
+        object = described_class.new([:project, post])
+
+        expect(object.policy).to eq Project::PostPolicy
+      end
     end
 
-    context "with a string" do
-      it "returns a policy" do
-        allow(subject).to receive(:find).and_return "PostPolicy"
-        expect(subject.policy).to eq PostPolicy
+    context "with an array of a symbol and a class with a specified policy class" do
+      it "returns the associated namespaced policy" do
+        object = described_class.new([:project, Customer::Post])
+
+        expect(object.policy).to eq Project::PostPolicy
+      end
+    end
+
+    context "with an array of a symbol and a class with a specified model name" do
+      it "returns the associated namespaced policy" do
+        object = described_class.new([:project, CommentsRelation])
+
+        expect(object.policy).to eq Project::CommentPolicy
       end
     end
 
     context "with a class" do
-      it "returns a policy" do
-        allow(subject).to receive(:find).and_return PostPolicy
-        expect(subject.policy).to eq PostPolicy
+      it "returns the associated policy" do
+        object = described_class.new(Post)
+
+        expect(object.policy).to eq PostPolicy
+      end
+    end
+
+    context "with a class which has a specified policy class" do
+      it "returns the associated policy" do
+        object = described_class.new(Customer::Post)
+
+        expect(object.policy).to eq PostPolicy
+      end
+    end
+
+    context "with an instance which has a specified policy class" do
+      it "returns the associated policy" do
+        object = described_class.new(Customer::Post.new(user))
+
+        expect(object.policy).to eq PostPolicy
+      end
+    end
+
+    context "with a class which has a specified model name" do
+      it "returns the associated policy" do
+        object = described_class.new(CommentsRelation)
+
+        expect(object.policy).to eq CommentPolicy
+      end
+    end
+
+    context "with an instance which has a specified policy class" do
+      it "returns the associated policy" do
+        object = described_class.new(CommentsRelation.new)
+
+        expect(object.policy).to eq CommentPolicy
       end
     end
 
     context "with nil" do
-      it "returns nil" do
-        allow(subject).to receive(:find).and_return nil
-        expect(subject.policy).to eq nil
+      it "returns a NilClassPolicy" do
+        object = described_class.new(nil)
+
+        expect(object.policy).to eq NilClassPolicy
       end
     end
 
-    context "with a string that can't be constantized" do
+    context "with a class that doesn't have an associated policy" do
       it "returns nil" do
-        allow(subject).to receive(:find).and_return "FooPolicy"
-        expect(subject.policy).to eq nil
+        object = described_class.new(Foo)
+
+        expect(object.policy).to eq nil
       end
     end
   end