Use author_in_programming_group? policy for files & RfCs

* Allow all members of a programming group to list and solve RfCs * Also adjust policy specs to respect programming groups
2023-08-22 09:23:20 +02:00
parent 9d1be1eeff
commit 01accdae58
7 changed files with 101 additions and 19 deletions
--- a/spec/policies/code_ocean/file_policy_spec.rb
+++ b/spec/policies/code_ocean/file_policy_spec.rb
@ -30,31 +30,81 @@ describe CodeOcean::FilePolicy do
    context 'when being part of a submission' do
      let(:file) { submission.files.first }

-      context 'when file creation is allowed' do
+      shared_context 'when file creation is allowed' do
        before do
          submission.exercise.update(allow_file_creation: true)
        end
-
-        it 'grants access to authors' do
-          expect(policy).to permit(submission.author, file)
-        end
      end

-      context 'when file creation is not allowed' do
+      shared_context 'when file creation is not allowed' do
        before do
          submission.exercise.update(allow_file_creation: false)
        end
+      end

-        it 'grants access to authors' do
-          expect(policy).not_to permit(submission.author, file)
+      shared_examples 'no other user allowed to access' do
+        it 'does not grant access to all other users' do
+          %i[admin external_user teacher].each do |factory_name|
+            expect(policy).not_to permit(create(factory_name), file)
+          end
        end
      end

-      it 'does not grant access to all other users' do
-        %i[admin external_user teacher].each do |factory_name|
-          expect(policy).not_to permit(create(factory_name), file)
+      context 'when a single user authored' do
+        context 'when file creation is allowed' do
+          include_context 'when file creation is allowed'
+
+          it 'grants access to authors' do
+            expect(policy).to permit(submission.author, file)
+          end
+
+          it_behaves_like 'no other user allowed to access'
+        end
+
+        context 'when file creation is not allowed' do
+          include_context 'when file creation is not allowed'
+
+          it 'does not grant access to authors' do
+            expect(policy).not_to permit(submission.author, file)
+          end
+
+          it_behaves_like 'no other user allowed to access'
        end
      end
+
+      context 'when a programming group authored' do
+        let(:group_author) { create(:external_user) }
+        let(:other_group_author) { create(:external_user) }
+        let(:programming_group) { create(:programming_group, exercise: submission.exercise, users: [group_author, other_group_author]) }
+
+        before do
+          submission.update(contributor: programming_group)
+        end
+
+        context 'when file creation is allowed' do
+          include_context 'when file creation is allowed'
+
+          it 'grants access to authors' do
+            expect(policy).to permit(group_author, file)
+            expect(policy).to permit(other_group_author, file)
+          end
+
+          it_behaves_like 'no other user allowed to access'
+        end
+
+        context 'when file creation is not allowed' do
+          include_context 'when file creation is not allowed'
+
+          it 'does not grant access to authors' do
+            expect(policy).not_to permit(group_author, file)
+            expect(policy).not_to permit(other_group_author, file)
+          end
+
+          it_behaves_like 'no other user allowed to access'
+        end
+      end
+
+      it_behaves_like 'no other user allowed to access'
    end
  end

--- a/spec/policies/request_for_comment_policy_spec.rb
+++ b/spec/policies/request_for_comment_policy_spec.rb
@ -59,6 +59,12 @@ describe RequestForCommentPolicy do
      it 'grants access to authors' do
        expect(policy).to permit(rfc.author, rfc)
      end
+
+      it 'grant access to other authors of the programming group' do
+        rfc.submission.update(contributor: programming_group)
+        expect(policy).to permit(author_other_group_member, rfc)
+        expect(policy).to permit(viewer_other_group_member, rfc)
+      end
    end

    shared_examples 'grants access to admins and authors only' do
@ -70,6 +76,12 @@ describe RequestForCommentPolicy do
        expect(policy).to permit(rfc.author, rfc)
      end

+      it 'grant access to other authors of the programming group' do
+        rfc.submission.update(contributor: programming_group)
+        expect(policy).to permit(author_other_group_member, rfc)
+        expect(policy).to permit(viewer_other_group_member, rfc)
+      end
+
      it 'does not grant access to all other users' do
        %i[external_user teacher].each do |factory_name|
          expect(policy).not_to permit(create(factory_name, consumer: viewer_consumer, study_groups: viewer_study_groups), rfc)
@ -81,6 +93,10 @@ describe RequestForCommentPolicy do
    let(:author_study_groups) { create_list(:study_group, 1, consumer: author_consumer) }
    let(:rfc) { create(:rfc, user: rfc_author) }

+    let(:author_other_group_member) { create(:external_user, consumer: author_consumer) }
+    let(:viewer_other_group_member) { create(:external_user, consumer: viewer_consumer) }
+    let(:programming_group) { create(:programming_group, exercise: rfc.submission.exercise, users: [rfc.author, author_other_group_member, viewer_other_group_member]) }
+
    context "when the author's rfc_visibility is set to all" do
      let(:author_consumer) { create(:consumer, rfc_visibility: 'all') }