Diffstat (limited to 'spec/policies/personal_access_token_policy_spec.rb')
-rw-r--r-- | spec/policies/personal_access_token_policy_spec.rb | 63 |
1 files changed, 63 insertions, 0 deletions
diff --git a/spec/policies/personal_access_token_policy_spec.rb b/spec/policies/personal_access_token_policy_spec.rb
new file mode 100644
index 00000000000..71795202e13
--- /dev/null
+++ b/spec/policies/personal_access_token_policy_spec.rb
@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe PersonalAccessTokenPolicy do
+ include AdminModeHelper
+
+ subject { described_class.new(current_user, token) }
+
+ context 'current_user is an administrator', :enable_admin_mode do
+ let_it_be(:current_user) { build(:admin) }
+
+ context 'not the owner of the token' do
+ let_it_be(:token) { build(:personal_access_token) }
+
+ it { is_expected.to be_allowed(:read_token) }
+ it { is_expected.to be_allowed(:revoke_token) }
+ end
+
+ context 'owner of the token' do
+ let_it_be(:token) { build(:personal_access_token, user: current_user) }
+
+ it { is_expected.to be_allowed(:read_token) }
+ it { is_expected.to be_allowed(:revoke_token) }
+ end
+ end
+
+ context 'current_user is not an administrator' do
+ let_it_be(:current_user) { build(:user) }
+
+ context 'not the owner of the token' do
+ let_it_be(:token) { build(:personal_access_token) }
+
+ it { is_expected.to be_disallowed(:read_token) }
+ it { is_expected.to be_disallowed(:revoke_token) }
+ end
+
+ context 'owner of the token' do
+ let_it_be(:token) { build(:personal_access_token, user: current_user) }
+
+ it { is_expected.to be_allowed(:read_token) }
+ it { is_expected.to be_allowed(:revoke_token) }
+ end
+ end
+
+ context 'current_user is a blocked administrator', :enable_admin_mode do
+ let_it_be(:current_user) { build(:admin, :blocked) }
+
+ context 'owner of the token' do
+ let_it_be(:token) { build(:personal_access_token, user: current_user) }
+
+ it { is_expected.to be_disallowed(:read_token) }
+ it { is_expected.to be_disallowed(:revoke_token) }
+ end
+
+ context 'not the owner of the token' do
+ let_it_be(:token) { build(:personal_access_token) }
+
+ it { is_expected.to be_disallowed(:read_token) }
+ it { is_expected.to be_disallowed(:revoke_token) }
+ end
+ end
+end
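Review bot: Both administrator contexts carry the `:enable_admin_mode` tag, so the spec never asserts what the policy does for an administrator whose admin mode is not enabled — if `:read_token`/`:revoke_token` were keyed on the admin flag alone rather than on an active admin mode, nothing in this file would fail. A context without the tag that expects the non-owner case to be disallowed would pin that down, assuming the policy is meant to honour admin mode (the policy itself is not visible here, so confirm the intended outcome against it). The blocked-administrator block also lists its `'owner of the token'` and `'not the owner of the token'` contexts in the opposite order to the other two blocks; aligning the order makes the three blocks easier to compare side by side.
```ruby
  # … unchanged: administrator (admin mode enabled) contexts …

  context 'current_user is an administrator without admin mode enabled' do
    let_it_be(:current_user) { build(:admin) }

    context 'not the owner of the token' do
      let_it_be(:token) { build(:personal_access_token) }

      it { is_expected.to be_disallowed(:read_token) }
      it { is_expected.to be_disallowed(:revoke_token) }
    end
  end

  # … unchanged: non-administrator and blocked-administrator contexts …
```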