pundit: convert favorite groups to pundit.

2020-03-19 18:12:16 -05:00
parent 50fa674a3e
commit 2c4c29b81a
9 changed files with 80 additions and 54 deletions
--- a/test/functional/favorite_groups_controller_test.rb
+++ b/test/functional/favorite_groups_controller_test.rb
@@ -15,10 +15,22 @@ class FavoriteGroupsControllerTest < ActionDispatch::IntegrationTest
    end

    context "show action" do
-      should "render" do
+      should "show public favgroups to anonymous users" do
        get favorite_group_path(@favgroup)
        assert_response :success
      end
+
+      should "show private favgroups to the creator" do
+        @favgroup.update!(is_public: false)
+        get_auth favorite_group_path(@favgroup), @user
+        assert_response :success
+      end
+
+      should "not show private favgroups to other users" do
+        @favgroup = create(:favorite_group, is_public: false)
+        get_auth favorite_group_path(@favgroup), create(:user)
+        assert_response 403
+      end
    end

    context "new action" do
@@ -51,25 +63,46 @@ class FavoriteGroupsControllerTest < ActionDispatch::IntegrationTest
        assert_equal("foo", @favgroup.reload.name)
        assert_equal(@posts.map(&:id), @favgroup.post_ids)
      end
+
+      should "not allow users to update favgroups belonging to other users" do
+        put_auth favorite_group_path(@favgroup), create(:user), params: { favorite_group: { name: "foo" } }
+
+        assert_response 403
+        assert_not_equal("foo", @favgroup.reload.name)
+      end
    end

    context "destroy action" do
      should "render" do
        delete_auth favorite_group_path(@favgroup), @user
-        assert_redirected_to favorite_groups_path
+        assert_redirected_to favorite_groups_path(search: { creator_name: @user.name })
+      end
+
+      should "not destroy favgroups belonging to other users" do
+        delete_auth favorite_group_path(@favgroup), create(:user)
+        assert_response 403
      end
    end

    context "add_post action" do
      should "render" do
-        as_user do
-          @post = FactoryBot.create(:post)
-        end
-
+        @post = create(:post)
        put_auth add_post_favorite_group_path(@favgroup), @user, params: {post_id: @post.id, format: "js"}
        assert_response :success
-        @favgroup.reload
-        assert_equal([@post.id], @favgroup.post_ids)
+        assert_equal([@post.id], @favgroup.reload.post_ids)
+      end
+
+      should "not add posts to favgroups belonging to other users" do
+        @post = create(:post)
+        put_auth add_post_favorite_group_path(@favgroup), create(:user), params: {post_id: @post.id, format: "js"}
+        assert_response 403
+      end
+    end
+
+    context "edit order action" do
+      should "render" do
+        get_auth edit_favorite_group_order_path(@favgroup), @user
+        assert_response :success
      end
    end
  end