Extract authorization policy for viewing statuses (#3150)

2017-05-29 09:22:22 -07:00 · 2017-05-29 09:22:22 -07:00 · 3a2003ba86
commit 3a2003ba86
parent 9a81be0d37
16 changed files with 155 additions and 80 deletions
--- a/spec/controllers/media_controller_spec.rb
+++ b/spec/controllers/media_controller_spec.rb
@ -30,7 +30,7 @@ describe MediaController do
    it 'raises when not permitted to view' do
      status = Fabricate(:status)
      media_attachment = Fabricate(:media_attachment, status: status)
-      allow_any_instance_of(Status).to receive(:permitted?).and_return(false)
+      allow_any_instance_of(MediaController).to receive(:authorize).and_raise(ActiveRecord::RecordNotFound)
      get :show, params: { id: media_attachment.to_param }

      expect(response).to have_http_status(:missing)
--- a/spec/models/status_spec.rb
+++ b/spec/models/status_spec.rb
@ -119,66 +119,6 @@ RSpec.describe Status, type: :model do
    end
  end

-  describe '#permitted?' do
-    it 'returns true when direct and account is viewer' do
-      subject.visibility = :direct
-      expect(subject.permitted?(subject.account)).to be true
-    end
-
-    it 'returns true when direct and viewer is mentioned' do
-      subject.visibility = :direct
-      subject.mentions = [Fabricate(:mention, account: alice)]
-
-      expect(subject.permitted?(alice)).to be true
-    end
-
-    it 'returns false when direct and viewer is not mentioned' do
-      viewer = Fabricate(:account)
-      subject.visibility = :direct
-
-      expect(subject.permitted?(viewer)).to be false
-    end
-
-    it 'returns true when private and account is viewer' do
-      subject.visibility = :direct
-      expect(subject.permitted?(subject.account)).to be true
-    end
-
-    it 'returns true when private and account is following viewer' do
-      follow = Fabricate(:follow)
-      subject.visibility = :private
-      subject.account = follow.target_account
-
-      expect(subject.permitted?(follow.account)).to be true
-    end
-
-    it 'returns true when private and viewer is mentioned' do
-      subject.visibility = :private
-      subject.mentions = [Fabricate(:mention, account: alice)]
-
-      expect(subject.permitted?(alice)).to be true
-    end
-
-    it 'returns false when private and viewer is not mentioned or followed' do
-      viewer = Fabricate(:account)
-      subject.visibility = :private
-
-      expect(subject.permitted?(viewer)).to be false
-    end
-
-    it 'returns true when no viewer' do
-      expect(subject.permitted?).to be true
-    end
-
-    it 'returns false when viewer is blocked' do
-      block = Fabricate(:block)
-      subject.visibility = :private
-      subject.account = block.target_account
-
-      expect(subject.permitted?(block.account)).to be false
-    end
-  end
-
  describe '#ancestors' do
    let!(:alice)  { Fabricate(:account, username: 'alice') }
    let!(:bob)    { Fabricate(:account, username: 'bob', domain: 'example.com') }
--- a/spec/policies/status_policy_spec.rb
+++ b/spec/policies/status_policy_spec.rb
@ -0,0 +1,70 @@
+require 'rails_helper'
+require 'pundit/rspec'
+
+RSpec.describe StatusPolicy, type: :model do
+  subject { described_class }
+
+  let(:alice) { Fabricate(:account, username: 'alice') }
+  let(:status) { Fabricate(:status, account: alice) }
+
+  permissions :show? do
+    it 'grants access when direct and account is viewer' do
+      status.visibility = :direct
+      expect(subject).to permit(status.account, status)
+    end
+
+    it 'grants access when direct and viewer is mentioned' do
+      status.visibility = :direct
+      status.mentions = [Fabricate(:mention, account: alice)]
+
+      expect(subject).to permit(alice, status)
+    end
+
+    it 'denies access when direct and viewer is not mentioned' do
+      viewer = Fabricate(:account)
+      status.visibility = :direct
+
+      expect(subject).to_not permit(viewer, status)
+    end
+
+    it 'grants access when private and account is viewer' do
+      status.visibility = :direct
+
+      expect(subject).to permit(status.account, status)
+    end
+
+    it 'grants access when private and account is following viewer' do
+      follow = Fabricate(:follow)
+      status.visibility = :private
+      status.account = follow.target_account
+
+      expect(subject).to permit(follow.account, status)
+    end
+
+    it 'grants access when private and viewer is mentioned' do
+      status.visibility = :private
+      status.mentions = [Fabricate(:mention, account: alice)]
+
+      expect(subject).to permit(alice, status)
+    end
+
+    it 'denies access when private and viewer is not mentioned or followed' do
+      viewer = Fabricate(:account)
+      status.visibility = :private
+
+      expect(subject).to_not permit(viewer, status)
+    end
+
+    it 'grants access when no viewer' do
+      expect(subject).to permit(nil, status)
+    end
+
+    it 'denies access when viewer is blocked' do
+      block = Fabricate(:block)
+      status.visibility = :private
+      status.account = block.target_account
+
+      expect(subject).to_not permit(block.account, status)
+    end
+  end
+end