require "rails_helper" # rubocop:disable RSpec/RepeatedExample RSpec.describe UserPolicy do subject(:policy) { described_class } let(:data_provider) { FactoryBot.create(:user, :data_provider) } let(:data_coordinator) { FactoryBot.create(:user, :data_coordinator) } let(:support) { FactoryBot.create(:user, :support) } permissions :edit_names? do it "allows changing their own name" do expect(policy).to permit(data_provider, data_provider) end it "as a coordinator it allows changing other user's name" do expect(policy).to permit(data_coordinator, data_provider) end it "as a support user it allows changing other user's name" do expect(policy).to permit(support, data_provider) end end permissions :edit_emails? do it "allows changing their own email" do expect(policy).to permit(data_provider, data_provider) end it "as a coordinator it allows changing other user's email" do expect(policy).to permit(data_coordinator, data_provider) end it "as a support user it allows changing other user's email" do expect(policy).to permit(support, data_provider) end end permissions :edit_password? do it "as a provider it allows changing their own password" do expect(policy).to permit(data_provider, data_provider) end it "as a coordinator it allows changing their own password" do expect(policy).to permit(data_coordinator, data_coordinator) end it "as a support user it allows changing their own password" do expect(policy).to permit(support, support) end it "as a coordinator it does not allow changing other user's password" do expect(policy).not_to permit(data_coordinator, data_provider) end it "as a support user it does not allow changing other user's password" do expect(policy).not_to permit(support, data_provider) end end permissions :edit_roles? do it "as a provider it does not allow changing roles" do expect(policy).not_to permit(data_provider, data_provider) end it "as a coordinator allows changing other user's roles" do expect(policy).to permit(data_coordinator, data_provider) end it "as a support user allows changing other user's roles" do expect(policy).to permit(support, data_provider) end end permissions :edit_dpo? do it "as a provider it does not allow changing dpo" do expect(policy).not_to permit(data_provider, data_provider) end it "as a coordinator allows changing other user's dpo" do expect(policy).to permit(data_coordinator, data_provider) end it "as a support user allows changing other user's dpo" do expect(policy).to permit(support, data_provider) end end permissions :edit_key_contact? do it "as a provider it does not allow changing key_contact" do expect(policy).not_to permit(data_provider, data_provider) end it "as a coordinator allows changing other user's key_contact" do expect(policy).to permit(data_coordinator, data_provider) end it "as a support user allows changing other user's key_contact" do expect(policy).to permit(support, data_provider) end end permissions :edit_organisation? do it "as a provider it does not allow changing organisation" do expect(policy).not_to permit(data_provider, data_provider) end it "as a coordinator it does not allow changing organisatio" do expect(policy).not_to permit(data_coordinator, data_provider) end it "as a support user allows changing other user's organisation" do expect(policy).to permit(support, data_provider) end end permissions :delete? do context "with active user" do let(:user) { create(:user, last_sign_in_at: Time.zone.yesterday) } it "does not allow deleting a user as a provider" do expect(user.status).to eq(:active) expect(policy).not_to permit(data_provider, user) end it "does not allow allows deleting a user as a coordinator" do expect(policy).not_to permit(data_coordinator, user) end it "does not allow deleting a user as a support user" do expect(policy).not_to permit(support, user) end end context "with unconfirmed user" do let(:user) { create(:user) } before do user.confirmed_at = nil user.save!(validate: false) end it "does not allow deleting a user as a provider" do expect(user.status).to eq(:unconfirmed) expect(policy).not_to permit(data_provider, user) end it "does not allow allows deleting a user as a coordinator" do expect(policy).not_to permit(data_coordinator, user) end it "does not allow deleting a user as a support user" do expect(policy).not_to permit(support, user) end end context "with deactivated user" do let(:user) { create(:user, active: false) } before do log = build(:lettings_log, owning_organisation: user.organisation, assigned_to: user, startdate: Time.zone.today - 2.years) log.save!(validate: false) end context "and associated logs in editable collection period" do before do create(:lettings_log, :sh, owning_organisation: user.organisation, assigned_to: user, startdate: Time.zone.yesterday) end it "does not allow deleting a user as a provider" do expect(policy).not_to permit(data_provider, user) end it "does not allow allows deleting a user as a coordinator" do expect(policy).not_to permit(data_coordinator, user) end it "does not allow deleting a user as a support user" do expect(policy).not_to permit(support, user) end end context "and no associated logs in editable collection period" do it "does not allow deleting a user as a provider" do expect(policy).not_to permit(data_provider, user) end it "does not allow allows deleting a user as a coordinator" do expect(policy).not_to permit(data_coordinator, user) end it "allows deleting a user as a support user" do expect(policy).to permit(support, user) end end context "and user is the DPO that has signed the agreement" do let(:user) { create(:user, active: false, is_dpo: true) } before do user.organisation.data_protection_confirmation.update!(data_protection_officer: user) end it "does not allow deleting a user as a provider" do expect(policy).not_to permit(data_provider, user) end it "does not allow allows deleting a user as a coordinator" do expect(policy).not_to permit(data_coordinator, user) end it "does not allow deleting a user as a support user" do expect(policy).not_to permit(support, user) end end context "and user is the DPO that hasn't signed the agreement" do let(:user) { create(:user, active: false, is_dpo: true, with_dsa: false) } it "does not allow deleting a user as a provider" do expect(policy).not_to permit(data_provider, user) end it "does not allow allows deleting a user as a coordinator" do expect(policy).not_to permit(data_coordinator, user) end it "allows deleting a user as a support user" do expect(policy).to permit(support, user) end end end end end # rubocop:enable RSpec/RepeatedExample