closed-social
/
mastodon
3
0
Fork 2
Code Issues 5 Pull Requests 0 Projects 0 Releases 3 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7049 Commits
4 Branches
567 MiB
Tree: 82ab5aacb2
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '82ab5aacb2'
${ noResults }
mastodon/spec/policies/status_policy_spec.rb

115 lines
3.1 KiB
Raw Normal View History

Extract authorization policy for viewing statuses (#3150)
7 years ago
Add status destroy authorization to policy (#3453) * Add status destroy authorization to policy * Create explicit unreblog status authorization
7 years ago
Extract authorization policy for viewing statuses (#3150)
7 years ago
Add status destroy authorization to policy (#3453) * Add status destroy authorization to policy * Create explicit unreblog status authorization
7 years ago
Extract authorization policy for viewing statuses (#3150)
7 years ago
Move status reblog authorization into policy (#3425)
7 years ago
Extract authorization policy for viewing statuses (#3150)
7 years ago
Fix incorrect visibility setter in StatusPolicySpec (#3456)
7 years ago
Extract authorization policy for viewing statuses (#3150)
7 years ago
Fix incorrect visibility setter in StatusPolicySpec (#3456)
7 years ago
Extract authorization policy for viewing statuses (#3150)
7 years ago
Update StatusPolicy to check current_account for local_only? toots. StatusPolicy#account was renamed to StatusPolicy#current_account in upstream. This commit renames the local-only changes to match and augments the #show? policy spec with what we expect for local-only toots.
7 years ago
Move status reblog authorization into policy (#3425)
7 years ago
Extract authorization policy for viewing statuses (#3150)
7 years ago
Move status reblog authorization into policy (#3425)
7 years ago
Extract authorization policy for viewing statuses (#3150)
7 years ago
Move status reblog authorization into policy (#3425)
7 years ago
Extract authorization policy for viewing statuses (#3150)
7 years ago
Move status reblog authorization into policy (#3425)
7 years ago
Extract authorization policy for viewing statuses (#3150)
7 years ago
Add status destroy authorization to policy (#3453) * Add status destroy authorization to policy * Create explicit unreblog status authorization
7 years ago
Extract authorization policy for viewing statuses (#3150)
7 years ago
 
  1. require 'rails_helper'
  2. require 'pundit/rspec'
  3. 

  4. RSpec.describe StatusPolicy, type: :model do
  5.   subject { described_class }
  6. 

  7.   let(:admin) { Fabricate(:user, admin: true) }
  8.   let(:alice) { Fabricate(:account, username: 'alice') }
  9.   let(:bob) { Fabricate(:account, username: 'bob') }
  10.   let(:status) { Fabricate(:status, account: alice) }
  11. 

  12.   permissions :show?, :reblog? do
  13.     it 'grants access when no viewer' do
  14.       expect(subject).to permit(nil, status)
  15.     end
  16. 

  17.     it 'denies access when viewer is blocked' do
  18.       block = Fabricate(:block)
  19.       status.visibility = :private
  20.       status.account = block.target_account
  21. 

  22.       expect(subject).to_not permit(block.account, status)
  23.     end
  24.   end
  25. 

  26.   permissions :show? do
  27.     it 'grants access when direct and account is viewer' do
  28.       status.visibility = :direct
  29. 

  30.       expect(subject).to permit(status.account, status)
  31.     end
  32. 

  33.     it 'grants access when direct and viewer is mentioned' do
  34.       status.visibility = :direct
  35.       status.mentions = [Fabricate(:mention, account: alice)]
  36. 

  37.       expect(subject).to permit(alice, status)
  38.     end
  39. 

  40.     it 'denies access when direct and viewer is not mentioned' do
  41.       viewer = Fabricate(:account)
  42.       status.visibility = :direct
  43. 

  44.       expect(subject).to_not permit(viewer, status)
  45.     end
  46. 

  47.     it 'grants access when private and account is viewer' do
  48.       status.visibility = :private
  49. 

  50.       expect(subject).to permit(status.account, status)
  51.     end
  52. 

  53.     it 'grants access when private and account is following viewer' do
  54.       follow = Fabricate(:follow)
  55.       status.visibility = :private
  56.       status.account = follow.target_account
  57. 

  58.       expect(subject).to permit(follow.account, status)
  59.     end
  60. 

  61.     it 'grants access when private and viewer is mentioned' do
  62.       status.visibility = :private
  63.       status.mentions = [Fabricate(:mention, account: alice)]
  64. 

  65.       expect(subject).to permit(alice, status)
  66.     end
  67. 

  68.     it 'denies access when private and viewer is not mentioned or followed' do
  69.       viewer = Fabricate(:account)
  70.       status.visibility = :private
  71. 

  72.       expect(subject).to_not permit(viewer, status)
  73.     end
  74. 

  75.     it 'denies access when local-only and the viewer is not logged in' do
  76.       allow(status).to receive(:local_only?) { true }
  77. 

  78.       expect(subject).to_not permit(nil, status)
  79.     end
  80.   end
  81. 

  82.   permissions :reblog? do
  83.     it 'denies access when private' do
  84.       viewer = Fabricate(:account)
  85.       status.visibility = :private
  86. 

  87.       expect(subject).to_not permit(viewer, status)
  88.     end
  89. 

  90.     it 'denies access when direct' do
  91.       viewer = Fabricate(:account)
  92.       status.visibility = :direct
  93. 

  94.       expect(subject).to_not permit(viewer, status)
  95.     end
  96.   end
  97. 

  98.   permissions :destroy?, :unreblog? do
  99.     it 'grants access when account is deleter' do
  100.       expect(subject).to permit(status.account, status)
  101.     end
  102. 

  103.     it 'grants access when account is admin' do
  104.       expect(subject).to permit(admin.account, status)
  105.     end
  106. 

  107.     it 'denies access when account is not deleter' do
  108.       expect(subject).to_not permit(bob, status)
  109.     end
  110. 

  111.     it 'denies access when no deleter' do
  112.       expect(subject).to_not permit(nil, status)
  113.     end
  114.   end
  115. end