Disentangle the api abilities from the web abilities

This will allow us to rename api actions without causing permissions headaches. The choice of abilities files is made by inheriting from either api_controller or application_controller. Also rename capabilities to api_capabilites, for consistency.
2019-03-27 18:00:57 +01:00 · 2019-03-27 18:00:57 +01:00 · 7b057545c0
commit 7b057545c0
parent 3af16f6337
8 changed files with 165 additions and 77 deletions
--- a/test/abilities/api_abilities_test.rb
+++ b/test/abilities/api_abilities_test.rb
@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+require "test_helper"
+
+class ApiAbilityTest < ActiveSupport::TestCase
+end
+
+class GuestApiAbilityTest < ApiAbilityTest
+  test "note permissions for a guest" do
+    ability = ApiAbility.new nil
+
+    [:index, :create, :comment, :feed, :show, :search].each do |action|
+      assert ability.can?(action, Note), "should be able to #{action} Notes"
+    end
+
+    [:close, :reopen, :destroy].each do |action|
+      assert ability.cannot?(action, Note), "should not be able to #{action} Notes"
+    end
+  end
+end
+
+class UserApiAbilityTest < ApiAbilityTest
+  test "Note permissions" do
+    ability = ApiAbility.new create(:user)
+
+    [:index, :create, :comment, :feed, :show, :search, :close, :reopen].each do |action|
+      assert ability.can?(action, Note), "should be able to #{action} Notes"
+    end
+
+    [:destroy].each do |action|
+      assert ability.cannot?(action, Note), "should not be able to #{action} Notes"
+    end
+  end
+end
+
+class ModeratorApiAbilityTest < ApiAbilityTest
+  test "Note permissions" do
+    ability = ApiAbility.new create(:moderator_user)
+
+    [:index, :create, :comment, :feed, :show, :search, :close, :reopen, :destroy].each do |action|
+      assert ability.can?(action, Note), "should be able to #{action} Notes"
+    end
+  end
+end