Filling out Submission Read ability for work on #78.

concerto · May 3, 2012 · 4590cc1 · 4590cc1
1 parent 0c39f96
commit 4590cc1
Show file tree

Hide file tree

Showing 2 changed files with 65 additions and 9 deletions.
diff --git a/app/models/ability.rb b/app/models/ability.rb
@@ -17,7 +17,6 @@ def initialize(accessor)
     can :read, Feed, :is_viewable => true
     #TODO Content permissions per #78
     can :read, Content if true
-    can :read, Submission if true 
 
     ## Fields
     # Anything can read fields and positions.
@@ -102,12 +101,17 @@ def user_abilities(user)
     # the feed is submittable or they are a member of the group.
     can :create, Submission, :feed => {:is_submittable => true} if user.persisted?
     can :create, Submission, :feed => {:group => {:id => user.group_ids }}
-    # Users can delete and update their own submissions
-    can [:update, :delete], Submission, :content => {:user => {:id => user.id }}
-    # Submissions can be updated by moderators
-    can :update, Submission do |submission|
+    # Users can read, delete and update their own submissions.
+    can [:read, :update, :delete], Submission, :content => {:user => {:id => user.id }}
+    # Submissions can be read and updated by moderators.
+    can [:read, :update], Submission do |submission|
       submission.feed.group.leaders.include?(user)
     end
+    # Approved submissions can be read if their feed is public of the user is a member
+    # of the feeds group.
+    can :read, Submission do |s|
+      s.moderation_flag && (s.feed.is_viewable || s.feed.group.users.include?(user))
+    end
 
     ## Feeds
     # A feed can be read if it's viewable

diff --git a/test/unit/abilities/user/submission_test.rb b/test/unit/abilities/user/submission_test.rb
@@ -9,6 +9,56 @@ def setup
     @submission = Submission.new
   end
 
+  test "Approved submission can be read on public feed" do
+    users = [User.new, @katie, @kristen]
+    users.each do |user|
+      ability = Ability.new(user)
+      @submission.feed = @wtg
+      @submission.moderation_flag = true
+      assert ability.can?(:read, @submission), "Failing for #{user.name}"
+    end
+  end
+
+  test "Denied and pending submissions cannot be read on public feed" do
+    users = [User.new, @kristen]
+    users.each do |user|
+      ability = Ability.new(user)
+      @submission.feed = @wtg
+      [false, nil].each do |flag|
+        @submission.moderation_flag = flag
+        assert ability.cannot?(:read, @submission), "Failing for #{user.name}"
+      end
+    end
+  end
+
+  test "Denied and pending submission can be read by feed moderator" do
+    ability = Ability.new(@katie)
+    @submission.feed = @wtg
+    [false, nil].each do |flag|
+      @submission.moderation_flag = flag
+      assert ability.can?(:read, @submission)
+    end
+  end
+
+  test "Submission cannot be read on private feed" do
+    users = [User.new, @kristen]
+    users.each do |user|
+      [true, false, nil].each do |flag|
+        ability = Ability.new(user)
+        @submission.feed = @rpitv
+        @submission.moderation_flag = flag
+        assert ability.cannot?(:read, @submission), "Failing u:#{user.name}, f:#{flag}!"
+      end
+    end
+  end
+
+  test "Approved submission can be read on private feed by group member" do
+    ability = Ability.new(@katie)
+    @submission.feed = @rpitv
+    @submission.moderation_flag = true
+    assert ability.can?(:read, @submission)
+  end
+
   test "Submissions cannot be created by unsaved users" do
     ability = Ability.new(User.new)
     @submission.feed = @wtg
@@ -37,7 +87,7 @@ def setup
     ability = Ability.new(@katie)
     content = Content.new(:user => users(:admin))
     @submission.content = content
-    @submission.feed = @wtg
+    @submission.feed = feeds(:sleepy_announcements)
 
     assert ability.can?(:update, @submission)
   end
@@ -46,21 +96,23 @@ def setup
     ability = Ability.new(@katie)
     content = Content.new(:user => users(:admin))
     @submission.content = content
-    @submission.feed = @wtg
+    @submission.feed = feeds(:sleepy_announcements)
 
     assert ability.cannot?(:delete, @submission)
   end
 
-  test "Submission can be modified by content owner" do
-    ability = Ability.new(@kristen)
+  test "Submission can be read and modified by content owner" do
     content = Content.new(:user => @kristen)
     @submission.content = content
     @submission.feed = @rpitv
 
+    ability = Ability.new(@kristen)
+    assert ability.can?(:read, @submission)
     assert ability.can?(:update, @submission)
     assert ability.can?(:delete, @submission)
 
     ability = Ability.new(@katie)
+    assert ability.cannot?(:read, @submission)
     assert ability.cannot?(:update, @submission)
     assert ability.cannot?(:delete, @submission)
   end