closed-social
/
mastodon
3
0
Fork 2
Code Issues 5 Pull Requests 0 Projects 0 Releases 3 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
8090 Commits
4 Branches
567 MiB
Tree: 4f59d1efd7
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '4f59d1efd7'
${ noResults }
mastodon/spec/policies/status_policy_spec.rb

121 lines
3.4 KiB
Raw Normal View History

Extract authorization policy for viewing statuses (#3150)
7 years ago
Add status destroy authorization to policy (#3453) * Add status destroy authorization to policy * Create explicit unreblog status authorization
7 years ago
Extract authorization policy for viewing statuses (#3150)
7 years ago
Add status destroy authorization to policy (#3453) * Add status destroy authorization to policy * Create explicit unreblog status authorization
7 years ago
Extract authorization policy for viewing statuses (#3150)
7 years ago
Move status reblog authorization into policy (#3425)
7 years ago
Extract authorization policy for viewing statuses (#3150)
7 years ago
Fix incorrect visibility setter in StatusPolicySpec (#3456)
7 years ago
Extract authorization policy for viewing statuses (#3150)
7 years ago
Fix incorrect visibility setter in StatusPolicySpec (#3456)
7 years ago
Extract authorization policy for viewing statuses (#3150)
7 years ago
Update StatusPolicy to check current_account for local_only? toots. StatusPolicy#account was renamed to StatusPolicy#current_account in upstream. This commit renames the local-only changes to match and augments the #show? policy spec with what we expect for local-only toots.
7 years ago
Add test to disallow remote users from fetching local-only toots
6 years ago
Move status reblog authorization into policy (#3425)
7 years ago
Extract authorization policy for viewing statuses (#3150)
7 years ago
Move status reblog authorization into policy (#3425)
7 years ago
Extract authorization policy for viewing statuses (#3150)
7 years ago
Move status reblog authorization into policy (#3425)
7 years ago
Extract authorization policy for viewing statuses (#3150)
7 years ago
Move status reblog authorization into policy (#3425)
7 years ago
Extract authorization policy for viewing statuses (#3150)
7 years ago
Add status destroy authorization to policy (#3453) * Add status destroy authorization to policy * Create explicit unreblog status authorization
7 years ago
Extract authorization policy for viewing statuses (#3150)
7 years ago
 
  1. require 'rails_helper'
  2. require 'pundit/rspec'
  3. 

  4. RSpec.describe StatusPolicy, type: :model do
  5.   subject { described_class }
  6. 

  7.   let(:admin) { Fabricate(:user, admin: true) }
  8.   let(:alice) { Fabricate(:account, username: 'alice') }
  9.   let(:bob) { Fabricate(:account, username: 'bob') }
  10.   let(:status) { Fabricate(:status, account: alice) }
  11. 

  12.   permissions :show?, :reblog? do
  13.     it 'grants access when no viewer' do
  14.       expect(subject).to permit(nil, status)
  15.     end
  16. 

  17.     it 'denies access when viewer is blocked' do
  18.       block = Fabricate(:block)
  19.       status.visibility = :private
  20.       status.account = block.target_account
  21. 

  22.       expect(subject).to_not permit(block.account, status)
  23.     end
  24.   end
  25. 

  26.   permissions :show? do
  27.     it 'grants access when direct and account is viewer' do
  28.       status.visibility = :direct
  29. 

  30.       expect(subject).to permit(status.account, status)
  31.     end
  32. 

  33.     it 'grants access when direct and viewer is mentioned' do
  34.       status.visibility = :direct
  35.       status.mentions = [Fabricate(:mention, account: alice)]
  36. 

  37.       expect(subject).to permit(alice, status)
  38.     end
  39. 

  40.     it 'denies access when direct and viewer is not mentioned' do
  41.       viewer = Fabricate(:account)
  42.       status.visibility = :direct
  43. 

  44.       expect(subject).to_not permit(viewer, status)
  45.     end
  46. 

  47.     it 'grants access when private and account is viewer' do
  48.       status.visibility = :private
  49. 

  50.       expect(subject).to permit(status.account, status)
  51.     end
  52. 

  53.     it 'grants access when private and account is following viewer' do
  54.       follow = Fabricate(:follow)
  55.       status.visibility = :private
  56.       status.account = follow.target_account
  57. 

  58.       expect(subject).to permit(follow.account, status)
  59.     end
  60. 

  61.     it 'grants access when private and viewer is mentioned' do
  62.       status.visibility = :private
  63.       status.mentions = [Fabricate(:mention, account: alice)]
  64. 

  65.       expect(subject).to permit(alice, status)
  66.     end
  67. 

  68.     it 'denies access when private and viewer is not mentioned or followed' do
  69.       viewer = Fabricate(:account)
  70.       status.visibility = :private
  71. 

  72.       expect(subject).to_not permit(viewer, status)
  73.     end
  74. 

  75.     it 'denies access when local-only and the viewer is not logged in' do
  76.       allow(status).to receive(:local_only?) { true }
  77. 

  78.       expect(subject).to_not permit(nil, status)
  79.     end
  80. 

  81.     it 'denies access when local-only and the viewer is from another domain' do
  82.       viewer = Fabricate(:account, domain: 'remote-domain')
  83.       allow(status).to receive(:local_only?) { true }
  84.       expect(subject).to_not permit(viewer, status)
  85.     end
  86.   end
  87. 

  88.   permissions :reblog? do
  89.     it 'denies access when private' do
  90.       viewer = Fabricate(:account)
  91.       status.visibility = :private
  92. 

  93.       expect(subject).to_not permit(viewer, status)
  94.     end
  95. 

  96.     it 'denies access when direct' do
  97.       viewer = Fabricate(:account)
  98.       status.visibility = :direct
  99. 

  100.       expect(subject).to_not permit(viewer, status)
  101.     end
  102.   end
  103. 

  104.   permissions :destroy?, :unreblog? do
  105.     it 'grants access when account is deleter' do
  106.       expect(subject).to permit(status.account, status)
  107.     end
  108. 

  109.     it 'grants access when account is admin' do
  110.       expect(subject).to permit(admin.account, status)
  111.     end
  112. 

  113.     it 'denies access when account is not deleter' do
  114.       expect(subject).to_not permit(bob, status)
  115.     end
  116. 

  117.     it 'denies access when no deleter' do
  118.       expect(subject).to_not permit(nil, status)
  119.     end
  120.   end
  121. end