openHPI · arkirchner · Jul 17, 2025 · Jul 14, 2025 · Jul 17, 2025 · Jul 17, 2025
diff --git a/app/policies/comment_policy.rb b/app/policies/comment_policy.rb
@@ -9,7 +9,7 @@ def show?
     everyone
   end
 
-  %i[new? destroy? update? edit?].each do |action|
+  %i[destroy? update? edit?].each do |action|
     define_method(action) { admin? || author? || teacher_in_study_group? }
   end
 

diff --git a/spec/policies/comment_policy_spec.rb b/spec/policies/comment_policy_spec.rb
@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe CommentPolicy do
+  let(:user_types) { %i[learner teacher admin] }
+
+  permissions :create?, :show?, :index? do
+    let(:comment) { build_stubbed(:comment) }
+
+    it 'grants access to all user types' do
+      user_types.each do |user_type|
+        expect(described_class).to permit(build_stubbed(user_type), comment)
+      end
+    end
+  end
+
+  permissions :destroy?, :update?, :edit? do
+    let(:comment) { build_stubbed(:comment) }
+
+    it 'grants access to the author' do
+      expect(described_class).to permit(comment.user, comment)
+    end
+
+    it 'does not grant access to other learners' do
+      expect(described_class).not_to permit(build_stubbed(:learner), comment)
+    end
+
+    it 'does not grant access to teachers not in the same study group' do
+      expect(described_class).not_to permit(build_stubbed(:teacher), comment)
+    end
+
+    it 'grants access to teachers in the same study group' do
+      comment = create(:comment)
+      teacher = create(:teacher, study_groups: [comment.submission.study_group])
+
+      expect(described_class).to permit(teacher, comment)
+    end
+
+    it 'grants access to admins' do
+      expect(described_class).to permit(build_stubbed(:admin), comment)
+    end
+  end
+end