require 'spec_helper' require 'synchromesh/integration/test_components' describe "regulate access allowed" do context "basic tests" do before(:each) do # spec_helper resets the policy system after each test so we have to setup # before each test stub_const 'TestApplication', Class.new stub_const 'C2', Class.new stub_const 'TestApplicationPolicy', Class.new TestApplicationPolicy.class_eval do regulate_class_connection { self } regulate_class_connection(C2) { self } regulate_instance_connections(TestModel) { self if self.is_a? TestModel } regulate_all_broadcasts(C2) { |policy| policy.send_all_but(:created_at) } regulate_broadcast(TestModel) do |policy| policy.send_all.to(TestApplication) unless test_attribute == "bogus" policy.send_all.to(self) end end end it "will allow access if the broadcast policy allows access" do m = FactoryGirl.create(:test_model, test_attribute: "hello") expect { m.check_permission_with_acting_user("user", :view_permitted?, :test_attribute) }. not_to raise_error expect { m.check_permission_with_acting_user("user", :view_permitted?, :created_at) }. not_to raise_error end it "will disallow access if acting_user is not allowed to connect" do m = FactoryGirl.create(:test_model, test_attribute: "hello") expect { m.check_permission_with_acting_user(nil, :view_permitted?, :test_attribute) }. to raise_error(ReactiveRecord::AccessViolation) expect { m.check_permission_with_acting_user(nil, :view_permitted?, :created_at) }. to raise_error(ReactiveRecord::AccessViolation) end it "will disallow access to attributes not broadcast by the model" do m = FactoryGirl.create(:test_model, test_attribute: "bogus") expect { m.check_permission_with_acting_user("user", :view_permitted?, :test_attribute) }. not_to raise_error expect { m.check_permission_with_acting_user("user", :view_permitted?, :created_at) }. to raise_error(ReactiveRecord::AccessViolation) end it "will allow access to attributes broadcast over an instance channel" do m = FactoryGirl.create(:test_model, test_attribute: "bogus") expect { m.check_permission_with_acting_user(m, :view_permitted?, :test_attribute) }. not_to raise_error expect { m.check_permission_with_acting_user(m, :view_permitted?, :created_at) }. not_to raise_error end end it "will include :id as read attribute as long as any other attribute is readable" do stub_const 'TestApplication', Class.new stub_const 'TestApplicationPolicy', Class.new TestApplicationPolicy.class_eval do always_allow_connection regulate_all_broadcasts { |policy| policy.send_only(:test_attribute) } end m = FactoryGirl.create(:test_model) expect { m.check_permission_with_acting_user(nil, :view_permitted?, :id) }. not_to raise_error end it "will not include :id as read attribute if no other attributes are readable" do stub_const 'TestApplication', Class.new stub_const 'TestApplicationPolicy', Class.new TestApplicationPolicy.class_eval do always_allow_connection end m = FactoryGirl.create(:test_model) expect { m.check_permission_with_acting_user(nil, :view_permitted?, :id) }. to raise_error(ReactiveRecord::AccessViolation) end it "will ignore auto_connect: false " do stub_const 'TestApplication', Class.new stub_const 'TestApplicationPolicy', Class.new TestApplicationPolicy.class_eval do regulate_class_connection(auto_connect: false) { true } regulate_instance_connections(TestModel, auto_connect: false) { self } regulate_all_broadcasts { |policy| policy.send_only(:test_attribute) } regulate_broadcast(TestModel) { |policy| policy.send_only(:created_at).to(self) } end m = FactoryGirl.create(:test_model) expect { m.check_permission_with_acting_user(m, :view_permitted?, :id) }. not_to raise_error expect { m.check_permission_with_acting_user(m, :view_permitted?, :test_attribute) }. not_to raise_error expect { m.check_permission_with_acting_user(m, :view_permitted?, :created_at) }. not_to raise_error end end