Add ProjectUserPolicy and tests

begedin · joshsmith · commit b66ab3bff670 · 2017-02-28T16:02:49.000-08:00
diff --git a/lib/code_corps/helpers/policy.ex b/lib/code_corps/helpers/policy.ex
@@ -8,7 +8,7 @@ defmodule CodeCorps.Helpers.Policy do
 
   alias CodeCorps.{
     Organization, OrganizationMembership,
-    Project, Repo, StripeConnectAccount,
+    Project, ProjectUser, Repo, StripeConnectAccount,
     TaskSkill, Task, User, UserTask
   }
   alias Ecto.Changeset
@@ -46,9 +46,10 @@ defmodule CodeCorps.Helpers.Policy do
 
   Returns `:string`
   """
-  @spec get_role(nil | OrganizationMembership.t | Changeset.t) :: String.t | nil
+  @spec get_role(nil | OrganizationMembership.t | ProjectUser.t | Changeset.t) :: String.t | nil
   def get_role(nil), do: nil
   def get_role(%OrganizationMembership{role: role}), do: role
+  def get_role(%ProjectUser{role: role}), do: role
   def get_role(%Changeset{} = changeset), do: changeset |> Changeset.get_field(:role)
 
   @doc """
diff --git a/test/policies/project_user_policy_test.exs b/test/policies/project_user_policy_test.exs
@@ -0,0 +1,168 @@
+defmodule CodeCorps.ProjectUserPolicyTest do
+  use CodeCorps.PolicyCase
+
+  import CodeCorps.ProjectUserPolicy, only: [create?: 2, update?: 2, delete?: 2]
+  import CodeCorps.ProjectUser, only: [create_pending_changeset: 2, update_changeset: 2]
+
+  alias CodeCorps.ProjectUser
+
+  describe "create?/2" do
+    test "returns true when user is creating their own membership" do
+      user = insert(:user)
+      changeset = %ProjectUser{} |> create_pending_changeset(%{user_id: user.id})
+
+      assert create?(user, changeset)
+    end
+
+    test "returns false for normal user, creating someone else's membership" do
+      user = insert(:user)
+      changeset = %ProjectUser{} |> create_pending_changeset(%{user_id: "someone_else"})
+
+      refute create?(user, changeset)
+    end
+  end
+
+  describe "update?/2" do
+    test "returns false when user is non-member" do
+      user = insert(:user)
+      project_user = insert(:project_user)
+
+      changeset = project_user |> update_changeset(%{})
+
+      refute update?(user, changeset)
+    end
+
+    test "returns false when user is pending" do
+      user = insert(:user)
+      project = insert(:project)
+      insert(:project_user, role: "pending", user: user, project: project)
+
+      project_user = insert(:project_user, project: project)
+
+      changeset = project_user |> update_changeset(%{})
+
+      refute update?(user, changeset)
+    end
+
+    test "returns false when user is contributor" do
+      user = insert(:user)
+      project = insert(:project)
+      insert(:project_user, role: "contributor", user: user, project: project)
+
+      project_user = insert(:project_user, project: project)
+
+      changeset = project_user |> update_changeset(%{})
+
+      refute update?(user, changeset)
+    end
+
+    test "returns true when user is admin, approving a pending membership" do
+      user = insert(:user)
+      project = insert(:project)
+      insert(:project_user, role: "admin", user: user, project: project)
+
+      project_user = insert(:project_user, project: project, role: "pending")
+
+      changeset = project_user |> update_changeset(%{role: "contributor"})
+
+      assert update?(user, changeset)
+    end
+
+    test "returns false when user is admin, doing something other than approving a pending membership" do
+      user = insert(:user)
+      project = insert(:project)
+      insert(:project_user, role: "admin", user: user, project: project)
+
+      project_user = insert(:project_user, project: project, role: "contributor")
+
+      changeset = project_user |> update_changeset(%{})
+
+      refute update?(user, changeset)
+    end
+
+    test "returns true when user is owner and is changing a role other than owner" do
+      user = insert(:user)
+      project = insert(:project)
+      insert(:project_user, role: "owner", user: user, project: project)
+
+      project_user = insert(:project_user, project: project, role: "admin")
+
+      changeset = project_user |> update_changeset(%{})
+
+      assert update?(user, changeset)
+    end
+
+    test "returns false when user is owner and is changing another owner" do
+      user = insert(:user)
+      project = insert(:project)
+      insert(:project_user, role: "owner", user: user, project: project)
+
+      project_user = insert(:project_user, project: project, role: "owner")
+
+      changeset = project_user |> update_changeset(%{})
+
+      refute update?(user, changeset)
+    end
+  end
+
+  describe "delete?/2" do
+    test "returns true when contributor is deleting their own membership" do
+      user = insert(:user)
+      project = insert(:project)
+
+      project_user = insert(:project_user, project: project, user: user, role: "contributor")
+
+      assert delete?(user, project_user)
+    end
+
+    test "returns true when admin is deleting a pending membership" do
+      user = insert(:user)
+      project = insert(:project)
+      insert(:project_user, role: "admin", user: user, project: project)
+
+      project_user = insert(:project_user, project: project, role: "pending")
+
+      assert delete?(user, project_user)
+    end
+
+    test "returns true when admin is deleting a contributor" do
+      user = insert(:user)
+      project = insert(:project)
+      insert(:project_user, role: "admin", user: user, project: project)
+
+      project_user = insert(:project_user, project: project, role: "contributor")
+
+      assert delete?(user, project_user)
+    end
+
+    test "returns false when admin is deleting another admin" do
+      user = insert(:user)
+      project = insert(:project)
+      insert(:project_user, role: "admin", user: user, project: project)
+
+      project_user = insert(:project_user, project: project, role: "admin")
+
+      refute delete?(user, project_user)
+    end
+
+    test "returns false when admin is deleting an owner" do
+      user = insert(:user)
+      project = insert(:project)
+      insert(:project_user, role: "admin", user: user, project: project)
+
+      project_user = insert(:project_user, project: project, role: "owner")
+
+      refute delete?(user, project_user)
+    end
+
+    test "returns true when owner is deleting an admin" do
+      user = insert(:user)
+      project = insert(:project)
+      insert(:project_user, role: "owner", user: user, project: project)
+
+      project_user = insert(:project_user, project: project, role: "admin")
+
+      assert delete?(user, project_user)
+    end
+  end
+end
diff --git a/web/policies/project_user_policy.ex b/web/policies/project_user_policy.ex
@@ -0,0 +1,53 @@
+defmodule CodeCorps.ProjectUserPolicy do
+  @moduledoc """
+  Handles `User` authorization of actions on `ProjectUser` records
+  """
+  import CodeCorps.Helpers.Policy, only: [get_role: 1]
+
+  alias CodeCorps.{ProjectUser, Repo, User}
+  alias Ecto.Changeset
+
+  @spec create?(User.t, Ecto.Changeset.t) :: boolean
+  def create?(%User{id: id}, %Changeset{changes: %{user_id: user_id}}), do:  id == user_id
+  def create?(%User{}, %Changeset{}), do: false
+
+  @spec update?(User.t, Ecto.Changeset.t) :: boolean
+  def update?(%User{} = user, %Changeset{data: %ProjectUser{} = record} = changeset) do
+    user_membership = record |> get_project_membership(user)
+
+    user_role = user_membership |> get_role
+    old_role = record |> get_role
+    new_role = changeset |> get_role
+
+    case [user_role, old_role, new_role] do
+      # Non-member, pending and contributors can't do anything
+      [nil, _, _] -> false
+      ["pending", _, _] -> false
+      ["contributor", _, _] -> false
+      # Admins can only approve pending memberships and nothing else
+      ["admin", "pending", "contributor"] -> true
+      ["admin", _, _] -> false
+      # Owners can do everything expect changing other owners
+      ["owner", "owner", _] -> false
+      ["owner", _, _] -> true
+      # No other role change is allowed
+      [_, _, _] -> false
+    end
+  end
+
+  @spec delete?(User.t, ProjectUser.t) :: boolean
+  def delete?(%User{} = user, %ProjectUser{} = record) do
+    record |> get_project_membership(user) |> do_delete?(record)
+  end
+
+  defp do_delete?(%ProjectUser{} = user_m, %ProjectUser{} = current_m) when user_m == current_m, do: true
+  defp do_delete?(%ProjectUser{role: "owner"}, %ProjectUser{}), do: true
+  defp do_delete?(%ProjectUser{role: "admin"}, %ProjectUser{role: role}) when role in ~w(pending contributor), do: true
+  defp do_delete?(_, _), do: false
+
+  defp get_project_membership(%ProjectUser{user_id: nil}, %User{id: nil}), do: nil
+  defp get_project_membership(%ProjectUser{user_id: m_id} = membership, %User{id: u_id}) when m_id == u_id, do: membership
+  defp get_project_membership(%ProjectUser{project_id: project_id}, %User{id: user_id}) do
+    ProjectUser |> Repo.get_by(project_id: project_id, user_id: user_id)
+  end
+end
