A bunch of auth backend work.

I split the auth into sections, any section that exists right now is complete (safe a few nuaices).
concerto · Apr 13, 2012 · 73b7a17 · 73b7a17
1 parent 8983741
commit 73b7a17
Show file tree

Hide file tree

Showing 3 changed files with 80 additions and 41 deletions.
diff --git a/app/models/ability.rb b/app/models/ability.rb
@@ -29,43 +29,77 @@ def initialize(accessor)
   # Permissions we grant users
   def user_abilities(user)
 
-    # An admin can do anything
+    # An admin user can do anything
     if user.is_admin?
       can :manage, :all
     end
 
-    # A user can do anything to themselves.
+    ## Users
+    # A user can read and update themselves.
     can [:read, :update], User, :id => user.id
-
     # An unauthenticated user can create a new user
     can :create, User unless user.persisted?
 
-    # An authenticated user can create stuff
+    ## Content
+    # Authenticated users can create content
     can :create, Content if user.persisted?
+    # Users can update and delete their own content
+    can [:update, :delete], Content, :user_id => user.id
+
+    ## Screens
+    # Authenticated users can create screens
     can :create, Screen if user.persisted?
+    # Anyone can read public screens
+    can :read, Screen, :is_public => true
+    # Users can read, update and delete their own screens
+    can [:read, :update, :delete], Screen do |screen|
+      screen.owner.is_a?(User) && screen.owner == user
+    end
+    # Users can read group screens
+    can :read, Screen do |screen|
+      screen.owner.is_a?(Group) && screen.owner.include?(user)
+    end
+    # Group leaders can create / delete their group screens
+    can [:update, :delete], Screen do |screen|
+      screen.owner.is_a?(Group) && screen.owner.leaders.include?(user)
+    end
 
-    # An authenticated user can submit content
-    can :submit, Feed, :is_submittable => true if user.persisted?
+    ## Submissions
+    # An authenticated user can create a submission if
+    # the feed is submittable or they are a member of the group.
+    can :create, Submission, :feed => {:is_submittable => true} if user.persisted?
+    can :create, Submission, :feed => {:group => {:id => user.group_ids }}
+    # Users can delete and update their own submissions
+    can [:update, :delete], Submission, :content => {:user => {:id => user.id }}
+    # Submissions can be updated by moderators
+    can :update, Submission do |submission|
+      submission.feed.group.leaders.include?(user)
+    end
 
-    # If a user is part of the group, they can always
-    # read and submit content to the feed.
-    can [:read, :submit],  Feed do |feed|
-      feed.group.users.include?(user)
+    ## Feeds
+    # A feed can be read if it's viewable
+    can :read, Feed, :is_viewable => true
+    # Group members can read a feed they own
+    can :read, Feed, :group => {:id => user.group_ids }
+    # Group leaders can update / date a feed they own
+    can [:update, :delete], Feed do |feed|
+      feed.group.leaders.include?(user)
     end
 
+    ## Memberships
     # A group leader can manage all memberships
     # that belong to their group.
     can :manage, Membership do |membership|
       membership.group.leaders.include?(user)
     end
-
     # Regular users can only create pending memberships.
     can :create, Membership do |membership|
       user.persisted? && membership.level == Membership::LEVELS[:pending]
     end
-
     # Users can delete their own memberships.
     can :destroy, Membership, :user => user
+    # Group members can read all other memberships
+    can :read, Membership, :group => {:id => user.group_ids}
 
   end
 

diff --git a/test/unit/feed_test.rb b/test/unit/feed_test.rb
@@ -133,24 +133,6 @@ def setup
     assert ability.can?(:read, @hidden)
   end
 
-  # Users submitting to feeds
-  test "user can submit to submittable feeds" do
-    ability = Ability.new(users(:kristen))
-    assert ability.can?(:submit, @public)
-    assert ability.cannot?(:submit, @hidden)
-  end
-
-  test "new users can't submit to any feeds" do
-    ability = Ability.new(User.new)
-    assert ability.cannot?(:submit, @public)
-    assert ability.cannot?(:submit, @hidden)
-  end
-
-  test "user can submit hidden feed due to group" do
-    ability = Ability.new(users(:katie))
-    assert ability.can?(:submit, @hidden)
-  end
-
   # Screens reading feeds
   test "screens browse public viewable feeds" do
     ability = Ability.new(screens(:two))
@@ -173,15 +155,4 @@ def setup
     assert ability.can?(:read, @public)
     assert ability.cannot?(:read, @hidden)
   end
-
-  # Screens submitting (which they shouldn't do
-  test "screens cant submit anywhere" do
-    ability = Ability.new(screens(:one))
-    assert ability.cannot?(:submit, @public)
-    assert ability.cannot?(:submit, @hidden)
-
-    ability = Ability.new(Screen.new)
-    assert ability.cannot?(:submit, @public)
-    assert ability.cannot?(:submit, @hidden)
-  end
 end
diff --git a/test/unit/submission_test.rb b/test/unit/submission_test.rb
@@ -1,6 +1,11 @@
 require 'test_helper'
 
 class SubmissionTest < ActiveSupport::TestCase
+  def setup
+    @public_submission = Submission.new({:feed => feeds(:service)})
+    @hidden_submission = Submission.new({:feed => feeds(:secret_announcements)})
+  end
+
   # Attributes cannot be left empty/blank
   test "submission attributes must not be empty" do
     submission = Submission.new
@@ -129,4 +134,33 @@ class SubmissionTest < ActiveSupport::TestCase
     assert s.invalid?
   end
 
+  # Users submitting to feeds
+  test "user can submit to submittable feeds" do
+    ability = Ability.new(users(:kristen))
+    assert ability.can?(:create, @public_submission)
+    assert ability.cannot?(:create, @hidden_submission)
+  end
+
+  test "new users can't submit to any feeds" do
+    ability = Ability.new(User.new)
+    assert ability.cannot?(:create, @public_submission)
+    assert ability.cannot?(:create, @hidden_submission)
+  end
+
+  test "user can submit hidden feed due to group" do
+    ability = Ability.new(users(:katie))
+    assert ability.can?(:create, @hidden_submission)
+  end
+
+  # Screens submitting (which they shouldn't do
+  test "screens cant submit anywhere" do
+    ability = Ability.new(screens(:one))
+    assert ability.cannot?(:create, @public_submission)
+    assert ability.cannot?(:create, @hidden_submission)
+
+    ability = Ability.new(Screen.new)
+    assert ability.cannot?(:create, @public_submission)
+    assert ability.cannot?(:create, @hidden_submission)
+  end
+
 end