Add pundit policy for workflow_run show view

openSUSE · Jan 24, 2022 · d998aea · d998aea
1 parent f6670ee
commit d998aea
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 4 deletions.
diff --git a/src/api/app/policies/workflow_run_policy.rb b/src/api/app/policies/workflow_run_policy.rb
@@ -18,4 +18,8 @@ def resolve
 
     attr_reader :user, :scope, :opts
   end
+
+  def show?
+    record.token.user == user
+  end
 end
diff --git a/src/api/spec/policies/workflow_run_policy_spec.rb b/src/api/spec/policies/workflow_run_policy_spec.rb
@@ -1,13 +1,13 @@
 require 'rails_helper'
 
 RSpec.describe WorkflowRunPolicy do
+  let(:token_user) { create(:confirmed_user, login: 'foo') }
+  let(:workflow_token) { create(:workflow_token, user: token_user) }
+  let!(:workflow_run) { create(:workflow_run, token: workflow_token) }
+
   describe '#resolve' do
     subject { WorkflowRunPolicy::Scope }
 
-    let(:token_user) { create(:confirmed_user, login: 'foo') }
-    let(:workflow_token) { create(:workflow_token, user: token_user) }
-    let!(:workflow_run) { create(:workflow_run, token: workflow_token) }
-
     before do
       User.session = token_user
     end
@@ -36,4 +36,15 @@
       end
     end
   end
+
+  permissions :show? do
+    subject { WorkflowRunPolicy }
+
+    let(:anonymous_user) { create(:user_nobody) }
+    let(:user_without_permission) { create(:confirmed_user) }
+
+    it { is_expected.to permit(token_user, workflow_run) }
+    it { is_expected.not_to permit(anonymous_user, workflow_run) }
+    it { is_expected.not_to permit(user_without_permission, workflow_run) }
+  end
 end