Site creation permission as an Ability

matiasgarciaisaia · matiasgarciaisaia · commit 60a23a0a8918 · 2017-05-31T20:18:07.000-03:00
Fixes #811
diff --git a/app/models/ability.rb b/app/models/ability.rb
@@ -96,6 +96,11 @@ def initialize(user, format = nil)
       user_membership.can_update?("location")
     end
 
+    can :create_site, Collection do |collection|
+      user_membership = user.membership_in(collection)
+      user_membership && user_membership.can_update?("name") && user_membership.can_update?("location")
+    end
+
     ### Reminders ###
 
     can [:create, :update, :read, :destroy, :set_status], Reminder, :collection => { :memberships => { :user_id => user.id } }
diff --git a/app/models/site.rb b/app/models/site.rb
@@ -121,6 +121,8 @@ def update_single_property!(es_code, value)
   def validate_and_process_parameters(site_params, user)
     user_membership = user.membership_in(collection)
 
+    user.authorize! :create_site, collection, message: "Not authorized to create site" if new_record?
+
     if site_params.has_key?("name")
       user.authorize! :update_name, user_membership, message: "Not authorized to update site name"
       self.name = site_params["name"]
diff --git a/spec/controllers/api/sites_controller_spec.rb b/spec/controllers/api/sites_controller_spec.rb
@@ -31,7 +31,7 @@
       site_params = {:name => "new site"}.to_json
       post :create, {:id => collection.id, :site => site_params }
       expect(response.status).to eq(403)
-      expect(response.body).to include('name')
+      expect(response.body).to include('create site')
     end
 
   end
diff --git a/spec/models/ability_spec.rb b/spec/models/ability_spec.rb
@@ -200,6 +200,36 @@
         it { expect(member_ability_with_write_permission).to be_able_to(:update_site_property, field, site) }
         it { expect(member_ability_with_write_permission).to be_able_to(:read_site_property, field, site) }
       end
+
+      context "Site creation" do
+        it "can't create sites if it doesn't have write permissions" do
+          membership.set_access({object: 'name', new_action: 'read'})
+          membership.set_access({object: 'location', new_action: 'read'})
+
+          expect(member_ability).not_to be_able_to(:create_site, collection)
+        end
+
+        it "can't create sites if it doesn't have both write permissions" do
+          membership.set_access({object: 'name', new_action: 'update'})
+          membership.set_access({object: 'location', new_action: 'read'})
+
+          expect(member_ability).not_to be_able_to(:create_site, collection)
+        end
+
+        it "can't create sites if it doesn't have both write permissions" do
+          membership.set_access({object: 'name', new_action: 'read'})
+          membership.set_access({object: 'location', new_action: 'update'})
+
+          expect(member_ability).not_to be_able_to(:create_site, collection)
+        end
+
+        it "can create sites if it has both write permissions" do
+          membership.set_access({object: 'name', new_action: 'update'})
+          membership.set_access({object: 'location', new_action: 'update'})
+
+          expect(member_ability).to be_able_to(:create_site, collection)
+        end
+      end
     end
 
     describe "guest user should not be able to update site property" do
