user-permissions-test

## User Permissions Test

Let us now replace our trivial test with real tests.   Looking at
`user.rb` the function most in need of testing is probably
`update_permitted?`.

The Hobo permission system is not invoked when you simply change
attributes on a model.  For example, `@user.name = "Another Name"`
will always succeed even though `User#update_permitted?` sometimes
doesn't allow the name to change.  To invoke the Hobo permissions
system, we need to do two things: set the `acting_user` for the model,
and change the attributes through the Hobo API.  We can do both using
(`user_update_attributes`)[/manual/permissions#the_permissions_api].

Knowing that, let's create a test:

SHOW_PATCH

test/unit/user_test.rb

@@ -1,9 +1,23 @@
 require 'test_helper'
 
 class UserTest < ActiveSupport::TestCase
-  # Replace this with your real tests.
-  test "the truth" do
-    @user = create :user
-    assert_equal "Test User", @user.name
+  context "user permissions" do
+    setup do
+      @admin = create(:admin)
+      @user = create(:user)
+      @user2 = create(:user, :name => "User 2", :email_address => "user2@example.com")
+    end
+
+    should "only let the admin change the admin flag" do
+      assert_nothing_raised { @user.user_update_attributes(@admin, {:administrator => true}) }
+      assert_equal true, @user.administrator
+      assert_raise(Hobo::PermissionDeniedError) { @user.user_update_attributes(@user, {:administrator => false}) }
+    end
+
+    should "only let an admin or the user change their email address" do
+      assert_nothing_raised { @user.user_update_attributes(@admin, {:email_address => "foo@example.com"}) }
+      assert_nothing_raised { @user.user_update_attributes(@user, {:email_address => "bar@example.com"}) }
+      assert_raise(Hobo::PermissionDeniedError) { @user.user_update_attributes(@user2, {:email_address => "baz@example.com"}) }
+    end
   end
 end