mastodon/spec/policies/status_policy_spec.rb

require 'rails_helper'
require 'pundit/rspec'

RSpec.describe StatusPolicy, type: :model do
  subject { described_class }

  let(:admin) { Fabricate(:user, admin: true) }
  let(:alice) { Fabricate(:account, username: 'alice') }
  let(:bob) { Fabricate(:account, username: 'bob') }
  let(:status) { Fabricate(:status, account: alice) }

  permissions :show?, :reblog? do
    it 'grants access when no viewer' do
      expect(subject).to permit(nil, status)
    end

    it 'denies access when viewer is blocked' do
      block = Fabricate(:block)
      status.visibility = :private
      status.account = block.target_account

      expect(subject).to_not permit(block.account, status)
    end
  end

  permissions :show? do
    it 'grants access when direct and account is viewer' do
      status.visibility = :direct

      expect(subject).to permit(status.account, status)
    end

    it 'grants access when direct and viewer is mentioned' do
      status.visibility = :direct
      status.mentions = [Fabricate(:mention, account: alice)]

      expect(subject).to permit(alice, status)
    end

    it 'denies access when direct and viewer is not mentioned' do
      viewer = Fabricate(:account)
      status.visibility = :direct

      expect(subject).to_not permit(viewer, status)
    end

    it 'grants access when private and account is viewer' do
      status.visibility = :private

      expect(subject).to permit(status.account, status)
    end

    it 'grants access when private and account is following viewer' do
      follow = Fabricate(:follow)
      status.visibility = :private
      status.account = follow.target_account

      expect(subject).to permit(follow.account, status)
    end

    it 'grants access when private and viewer is mentioned' do
      status.visibility = :private
      status.mentions = [Fabricate(:mention, account: alice)]

      expect(subject).to permit(alice, status)
    end

    it 'denies access when private and viewer is not mentioned or followed' do
      viewer = Fabricate(:account)
      status.visibility = :private

      expect(subject).to_not permit(viewer, status)
    end
  end

  permissions :reblog? do
    it 'denies access when private' do
      viewer = Fabricate(:account)
      status.visibility = :private

      expect(subject).to_not permit(viewer, status)
    end

    it 'denies access when direct' do
      viewer = Fabricate(:account)
      status.visibility = :direct

      expect(subject).to_not permit(viewer, status)
    end
  end

  permissions :destroy?, :unreblog? do
    it 'grants access when account is deleter' do
      expect(subject).to permit(status.account, status)
    end

    it 'grants access when account is admin' do
      expect(subject).to permit(admin.account, status)
    end

    it 'denies access when account is not deleter' do
      expect(subject).to_not permit(bob, status)
    end

    it 'denies access when no deleter' do
      expect(subject).to_not permit(nil, status)
    end
  end
end
Extract authorization policy for viewing statuses (#3150) 2017-05-29 09:22:22 -07:00			`require 'rails_helper'`
			`require 'pundit/rspec'`

			`RSpec.describe StatusPolicy, type: :model do`
			`subject { described_class }`

Add status destroy authorization to policy (#3453) * Add status destroy authorization to policy * Create explicit unreblog status authorization 2017-05-30 13:56:31 -07:00			`let(:admin) { Fabricate(:user, admin: true) }`
Extract authorization policy for viewing statuses (#3150) 2017-05-29 09:22:22 -07:00			`let(:alice) { Fabricate(:account, username: 'alice') }`
Add status destroy authorization to policy (#3453) * Add status destroy authorization to policy * Create explicit unreblog status authorization 2017-05-30 13:56:31 -07:00			`let(:bob) { Fabricate(:account, username: 'bob') }`
Extract authorization policy for viewing statuses (#3150) 2017-05-29 09:22:22 -07:00			`let(:status) { Fabricate(:status, account: alice) }`

Move status reblog authorization into policy (#3425) 2017-05-30 06:16:14 -07:00			`permissions :show?, :reblog? do`
			`it 'grants access when no viewer' do`
			`expect(subject).to permit(nil, status)`
			`end`

			`it 'denies access when viewer is blocked' do`
			`block = Fabricate(:block)`
			`status.visibility = :private`
			`status.account = block.target_account`

			`expect(subject).to_not permit(block.account, status)`
			`end`
			`end`

Extract authorization policy for viewing statuses (#3150) 2017-05-29 09:22:22 -07:00			`permissions :show? do`
			`it 'grants access when direct and account is viewer' do`
			`status.visibility = :direct`
Fix incorrect visibility setter in StatusPolicySpec (#3456) 2017-05-30 13:14:32 -07:00
Extract authorization policy for viewing statuses (#3150) 2017-05-29 09:22:22 -07:00			`expect(subject).to permit(status.account, status)`
			`end`

			`it 'grants access when direct and viewer is mentioned' do`
			`status.visibility = :direct`
			`status.mentions = [Fabricate(:mention, account: alice)]`

			`expect(subject).to permit(alice, status)`
			`end`

			`it 'denies access when direct and viewer is not mentioned' do`
			`viewer = Fabricate(:account)`
			`status.visibility = :direct`

			`expect(subject).to_not permit(viewer, status)`
			`end`

			`it 'grants access when private and account is viewer' do`
Fix incorrect visibility setter in StatusPolicySpec (#3456) 2017-05-30 13:14:32 -07:00			`status.visibility = :private`
Extract authorization policy for viewing statuses (#3150) 2017-05-29 09:22:22 -07:00
			`expect(subject).to permit(status.account, status)`
			`end`

			`it 'grants access when private and account is following viewer' do`
			`follow = Fabricate(:follow)`
			`status.visibility = :private`
			`status.account = follow.target_account`

			`expect(subject).to permit(follow.account, status)`
			`end`

			`it 'grants access when private and viewer is mentioned' do`
			`status.visibility = :private`
			`status.mentions = [Fabricate(:mention, account: alice)]`

			`expect(subject).to permit(alice, status)`
			`end`

			`it 'denies access when private and viewer is not mentioned or followed' do`
			`viewer = Fabricate(:account)`
			`status.visibility = :private`

			`expect(subject).to_not permit(viewer, status)`
			`end`
Move status reblog authorization into policy (#3425) 2017-05-30 06:16:14 -07:00			`end`
Extract authorization policy for viewing statuses (#3150) 2017-05-29 09:22:22 -07:00
Move status reblog authorization into policy (#3425) 2017-05-30 06:16:14 -07:00			`permissions :reblog? do`
			`it 'denies access when private' do`
			`viewer = Fabricate(:account)`
			`status.visibility = :private`

			`expect(subject).to_not permit(viewer, status)`
Extract authorization policy for viewing statuses (#3150) 2017-05-29 09:22:22 -07:00			`end`

Move status reblog authorization into policy (#3425) 2017-05-30 06:16:14 -07:00			`it 'denies access when direct' do`
			`viewer = Fabricate(:account)`
			`status.visibility = :direct`
Extract authorization policy for viewing statuses (#3150) 2017-05-29 09:22:22 -07:00
Move status reblog authorization into policy (#3425) 2017-05-30 06:16:14 -07:00			`expect(subject).to_not permit(viewer, status)`
Extract authorization policy for viewing statuses (#3150) 2017-05-29 09:22:22 -07:00			`end`
			`end`
Add status destroy authorization to policy (#3453) * Add status destroy authorization to policy * Create explicit unreblog status authorization 2017-05-30 13:56:31 -07:00
			`permissions :destroy?, :unreblog? do`
			`it 'grants access when account is deleter' do`
			`expect(subject).to permit(status.account, status)`
			`end`

			`it 'grants access when account is admin' do`
			`expect(subject).to permit(admin.account, status)`
			`end`

			`it 'denies access when account is not deleter' do`
			`expect(subject).to_not permit(bob, status)`
			`end`

			`it 'denies access when no deleter' do`
			`expect(subject).to_not permit(nil, status)`
			`end`
			`end`
Extract authorization policy for viewing statuses (#3150) 2017-05-29 09:22:22 -07:00			`end`