Refactor exercise_controller and move more checks to policy

* We introduce a custom handler for Pundit::NotAuthorizedError
2022-09-04 00:05:13 +02:00
parent 0de213b8c7
commit 49f4f0e6c5
4 changed files with 78 additions and 7 deletions
--- a/spec/policies/exercise_policy_spec.rb
+++ b/spec/policies/exercise_policy_spec.rb
@ -110,10 +110,54 @@ describe ExercisePolicy do
    end
  end

-  permissions :implement? do
-    it 'grants access to anyone' do
-      %i[admin external_user teacher].each do |factory_name|
-        expect(policy).to permit(build(factory_name), Exercise.new)
+  %i[implement? working_times? intervention? search? reload?].each do |action|
+    permissions(action) do
+      context 'when the exercise has no visible files' do
+        let(:exercise) { create(:dummy) }
+
+        it 'does not grant access to anyone' do
+          %i[admin external_user teacher].each do |factory_name|
+            expect(policy).not_to permit(build(factory_name), exercise)
+          end
+        end
+      end
+
+      context 'when the exercise has visible files' do
+        let(:exercise) { create(:fibonacci) }
+
+        it 'grants access to anyone' do
+          %i[admin external_user teacher].each do |factory_name|
+            expect(policy).to permit(build(factory_name), exercise)
+          end
+        end
+      end
+
+      context 'when the exercise is published' do
+        let(:exercise) { create(:fibonacci, unpublished: false) }
+
+        it 'grants access to anyone' do
+          %i[admin external_user teacher].each do |factory_name|
+            expect(policy).to permit(build(factory_name), exercise)
+          end
+        end
+      end
+
+      context 'when the exercise is unpublished' do
+        let(:exercise) { create(:fibonacci, unpublished: true) }
+
+        it 'grants access to admins' do
+          expect(policy).to permit(build(:admin), exercise)
+        end
+
+        it 'grants access to the author' do
+          expect(policy).to permit(exercise.author, exercise)
+        end
+
+        it 'does not grant access to everyone' do
+          %i[external_user teacher].each do |factory_name|
+            expect(policy).not_to permit(build(factory_name), exercise)
+          end
+        end
      end
    end
  end