Merge pull request #7311 from opf/fix/30231/allow-edit-work-packages-to-save-order
[30231] Allow users with edit_work_packages permission to save query
commit
7737dc66be
@ -0,0 +1,38 @@ |
||||
#-- encoding: UTF-8 |
||||
#-- copyright |
||||
# OpenProject is a project management system. |
||||
# Copyright (C) 2012-2018 the OpenProject Foundation (OPF) |
||||
# |
||||
# This program is free software; you can redistribute it and/or |
||||
# modify it under the terms of the GNU General Public License version 3. |
||||
# |
||||
# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows: |
||||
# Copyright (C) 2006-2017 Jean-Philippe Lang |
||||
# Copyright (C) 2010-2013 the ChiliProject Team |
||||
# |
||||
# This program is free software; you can redistribute it and/or |
||||
# modify it under the terms of the GNU General Public License |
||||
# as published by the Free Software Foundation; either version 2 |
||||
# of the License, or (at your option) any later version. |
||||
# |
||||
# This program is distributed in the hope that it will be useful, |
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of |
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
||||
# GNU General Public License for more details. |
||||
# |
||||
# You should have received a copy of the GNU General Public License |
||||
# along with this program; if not, write to the Free Software |
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. |
||||
# |
||||
# See docs/COPYRIGHT.rdoc for more details. |
||||
#++ |
||||
|
||||
require 'queries/base_contract' |
||||
|
||||
module Queries |
||||
class UpdateFormContract < BaseContract |
||||
# Maintains validations from the base contract |
||||
# to ensure users without saving permissions can still |
||||
# alter existing queries through the form |
||||
end |
||||
end |
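Review bot: The class comment on `UpdateFormContract` explains why the class exists but not what it gives up: judging by that comment, the save-permission validation is deliberately absent here, so the contract is only safe behind an endpoint that never persists the query. The base contract and the callers are not visible on this page, so this is inferred from the comment alone. I would spell out the constraint so that nobody later reuses the class on a write path, for example `# NOTE: performs no save-permission check; use only for the non-persisting form endpoint, never to authorize an update.`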
@ -0,0 +1,140 @@ |
||||
#-- encoding: UTF-8 |
||||
#-- copyright |
||||
# OpenProject is a project management system. |
||||
# Copyright (C) 2012-2018 the OpenProject Foundation (OPF) |
||||
# |
||||
# This program is free software; you can redistribute it and/or |
||||
# modify it under the terms of the GNU General Public License version 3. |
||||
# |
||||
# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows: |
||||
# Copyright (C) 2006-2017 Jean-Philippe Lang |
||||
# Copyright (C) 2010-2013 the ChiliProject Team |
||||
# |
||||
# This program is free software; you can redistribute it and/or |
||||
# modify it under the terms of the GNU General Public License |
||||
# as published by the Free Software Foundation; either version 2 |
||||
# of the License, or (at your option) any later version. |
||||
# |
||||
# This program is distributed in the hope that it will be useful, |
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of |
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
||||
# GNU General Public License for more details. |
||||
# |
||||
# You should have received a copy of the GNU General Public License |
||||
# along with this program; if not, write to the Free Software |
||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. |
||||
# |
||||
# See docs/COPYRIGHT.rdoc for more details. |
||||
#++ |
||||
|
||||
require 'spec_helper' |
||||
|
||||
describe Queries::UpdateContract do |
||||
let(:project) { FactoryBot.build_stubbed :project } |
||||
let(:query) do |
||||
FactoryBot.build_stubbed(:query, project: project, is_public: public, user: user) |
||||
end |
||||
|
||||
let(:current_user) do |
||||
FactoryBot.build_stubbed(:user) do |user| |
||||
allow(user) |
||||
.to receive(:allowed_to?) do |permission, permission_project| |
||||
permissions.include?(permission) && project == permission_project |
||||
end |
||||
end |
||||
end |
||||
subject(:contract) { described_class.new(query, current_user) } |
||||
|
||||
before do |
||||
# Assume project is always visible |
||||
allow(contract).to receive(:project_visible?).and_return true |
||||
end |
||||
|
||||
def expect_valid(valid, symbols = {}) |
||||
expect(contract.validate).to eq(valid) |
||||
|
||||
symbols.each do |key, arr| |
||||
expect(contract.errors.symbols_for(key)).to match_array arr |
||||
end |
||||
end |
||||
|
||||
describe 'private query' do |
||||
let(:public) { false } |
||||
|
||||
context 'when user is author' do |
||||
let(:user) { current_user } |
||||
|
||||
context 'user has no permission to save' do |
||||
let(:permissions) { %i(edit_work_packages) } |
||||
|
||||
it 'is invalid' do |
||||
expect_valid(false, base: %i(error_unauthorized)) |
||||
end |
||||
end |
||||
|
||||
context 'user has permission to save' do |
||||
let(:permissions) { %i(save_queries) } |
||||
|
||||
it 'is valid' do |
||||
expect_valid(true) |
||||
end |
||||
end |
||||
end |
||||
|
||||
context 'when user is someone else' do |
||||
let(:user) { FactoryBot.build_stubbed :user } |
||||
let(:permissions) { %i(save_queries) } |
||||
|
||||
it 'is invalid' do |
||||
expect_valid(false, base: %i(error_unauthorized)) |
||||
end |
||||
end |
||||
end |
||||
|
||||
describe 'public query' do |
||||
let(:public) { true } |
||||
let(:user) { nil } |
||||
|
||||
context 'user has no permission to save' do |
||||
let(:permissions) { %i(invalid_permission) } |
||||
|
||||
it 'is invalid' do |
||||
expect_valid(false, base: %i(error_unauthorized)) |
||||
end |
||||
end |
||||
|
||||
context 'user has permission to edit' do |
||||
let(:permissions) { %i(edit_work_packages) } |
||||
|
||||
it 'is invalid' do |
||||
expect_valid(false, base: %i(error_unauthorized)) |
||||
end |
||||
|
||||
context 'when assuming only order changed' do |
||||
before do |
||||
query.ordered_work_packages = [1, 2, 3] |
||||
end |
||||
|
||||
it 'is valid' do |
||||
expect_valid(true) |
||||
end |
||||
end |
||||
end |
||||
|
||||
context 'user has no permission to manage public' do |
||||
let(:permissions) { %i(manage_public_queries) } |
||||
|
||||
it 'is valid' do |
||||
expect_valid(true) |
||||
end |
||||
end |
||||
|
||||
context 'user has permission to save only own' do |
||||
let(:permissions) { %i(save_queries) } |
||||
|
||||
it 'is invalid' do |
||||
expect_valid(false, base: %i(error_unauthorized)) |
||||
end |
||||
end |
||||
end |
||||
end |
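Review bot: The 'when assuming only order changed' context shows that a user holding only `edit_work_packages` may save a reordered public query, but nothing pins the opposite case, where the order changes together with another attribute such as the name. Without that negative example the contract could accept any update that merely includes an order change and this spec would still pass; the contract itself is not visible on this page, so this is a gap in the test rather than a confirmed defect. The same exception is also untested for private queries, whether owned by the user or by someone else. Separately, the context titled 'user has no permission to manage public' grants `manage_public_queries` and expects a valid result, so its title should read `context 'user has permission to manage public' do`.

```ruby
# … unchanged: context 'when assuming only order changed' …

context 'when order and another attribute changed' do
  before do
    query.ordered_work_packages = [1, 2, 3]
    query.name = 'renamed' # constructed sample value
  end

  it 'is invalid' do
    expect_valid(false, base: %i(error_unauthorized))
  end
end
```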