diff --git a/app/models/admin.rb b/app/models/admin.rb
index 42c16d8e64e..e57d07fb6b6 100644
--- a/app/models/admin.rb
+++ b/app/models/admin.rb
@@ -1,5 +1,5 @@
 class Admin < ApplicationRecord
- VALID_ROLES = %w[superadmin board communications development_and_membership elections translation tag_wrangling docs support policy_and_abuse open_doors].freeze
+ VALID_ROLES = %w[superadmin board board_assistants_team communications development_and_membership docs elections translation tag_wrangling support policy_and_abuse open_doors].freeze
 serialize :roles, Array
diff --git a/app/policies/admin_banner_policy.rb b/app/policies/admin_banner_policy.rb
index d0195c810b2..7f1ccffa36f 100644
--- a/app/policies/admin_banner_policy.rb
+++ b/app/policies/admin_banner_policy.rb
@@ -1,6 +1,6 @@
 class AdminBannerPolicy < ApplicationPolicy
- ACCESS_AND_EDIT_ROLES = %w[superadmin board communications development_and_membership support].freeze
- CREATE_AND_DESTROY_ROLES = %w[superadmin board communications support].freeze
+ ACCESS_AND_EDIT_ROLES = %w[superadmin board board_assistants_team communications development_and_membership support].freeze
+ CREATE_AND_DESTROY_ROLES = %w[superadmin board board_assistants_team communications support].freeze
 def index?
 user_has_roles?(ACCESS_AND_EDIT_ROLES)
diff --git a/app/policies/admin_post_policy.rb b/app/policies/admin_post_policy.rb
index 0269a0dd32f..957e1c46e53 100644
--- a/app/policies/admin_post_policy.rb
+++ b/app/policies/admin_post_policy.rb
@@ -1,5 +1,5 @@
 class AdminPostPolicy < ApplicationPolicy
- POSTING_ROLES = %w[superadmin board communications support translation].freeze
+ POSTING_ROLES = %w[superadmin board board_assistants_team communications support translation].freeze
 def can_post?
 user_has_roles?(POSTING_ROLES)
diff --git a/app/policies/comment_policy.rb b/app/policies/comment_policy.rb
index c6c1fdbb840..52745bc7ccc 100644
--- a/app/policies/comment_policy.rb
+++ b/app/policies/comment_policy.rb
@@ -1,11 +1,12 @@
 class CommentPolicy < ApplicationPolicy
 DESTROY_COMMENT_ROLES = %w[superadmin board policy_and_abuse support].freeze
- DESTROY_ADMIN_POST_COMMENT_ROLES = %w[superadmin board communications elections policy_and_abuse support].freeze
+ DESTROY_ADMIN_POST_COMMENT_ROLES = %w[superadmin board board_assistants_team communications elections policy_and_abuse support].freeze
 FREEZE_TAG_COMMENT_ROLES = %w[superadmin tag_wrangling].freeze
 FREEZE_WORK_COMMENT_ROLES = %w[superadmin policy_and_abuse].freeze
 HIDE_TAG_COMMENT_ROLES = %w[superadmin tag_wrangling].freeze
 HIDE_WORK_COMMENT_ROLES = %w[superadmin policy_and_abuse].freeze
- SPAM_ROLES = %w[superadmin board communications elections policy_and_abuse support].freeze
+ SPAM_ADMIN_POST_COMMENT_ROLES = %w[superadmin board board_assistants_team communications elections policy_and_abuse support].freeze
+ SPAM_COMMENT_ROLES = %w[superadmin board policy_and_abuse support].freeze
 def can_destroy_comment?
 case record.ultimate_parent
@@ -39,7 +40,12 @@ def can_hide_comment?
 end
 def can_mark_comment_spam?
- user_has_roles?(SPAM_ROLES)
+ case record.ultimate_parent
+ when AdminPost
+ user_has_roles?(SPAM_ADMIN_POST_COMMENT_ROLES)
+ else
+ user_has_roles?(SPAM_COMMENT_ROLES)
+ end
 end
 alias destroy? can_destroy_comment?
diff --git a/config/locales/models/en.yml b/config/locales/models/en.yml
index a031e19ef6e..61e3df5bb02 100644
--- a/config/locales/models/en.yml
+++ b/config/locales/models/en.yml
@@ -4,6 +4,7 @@ en:
 attributes:
 admin/role:
 board: Board
+ board_assistants_team: Board Assistants Team
 communications: Communications
 development_and_membership: Development & Membership
 docs: AO3 Docs
diff --git a/spec/controllers/admin/banners_controller_spec.rb b/spec/controllers/admin/banners_controller_spec.rb
index 702e73a4b2a..6d94356aade 100644
--- a/spec/controllers/admin/banners_controller_spec.rb
+++ b/spec/controllers/admin/banners_controller_spec.rb
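Review bot: `SPAM_COMMENT_ROLES` narrows who may mark a non-AdminPost comment as spam: the removed `SPAM_ROLES` included `communications` and `elections`, and the `else` branch of the rewritten `can_mark_comment_spam?` (second hunk of this file) no longer grants them. The specs in this commit assert exactly that split, so it reads as intentional, but a comment on the constant such as `# communications/elections may only mark spam on AdminPost comments` would stop the next reader from "restoring" those roles. Both new constants are also byte-for-byte copies of `DESTROY_COMMENT_ROLES` and `DESTROY_ADMIN_POST_COMMENT_ROLES`; if spam-marking is meant to track destroy permission, `SPAM_COMMENT_ROLES = DESTROY_COMMENT_ROLES` would make that coupling explicit rather than accidental. The aliases that expose `can_mark_comment_spam?` (presumably the approve/reject predicates the specs exercise) are outside the hunk.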
@@ -50,7 +50,7 @@
 end
 it_behaves_like "only authorized admins are allowed",
- authorized_roles: %w[superadmin board communications development_and_membership support]
+ authorized_roles: %w[superadmin board board_assistants_team communications development_and_membership support]
 end
 describe "GET #show" do
@@ -61,7 +61,7 @@
 end
 it_behaves_like "only authorized admins are allowed",
- authorized_roles: %w[superadmin board communications development_and_membership support]
+ authorized_roles: %w[superadmin board board_assistants_team communications development_and_membership support]
 end
 describe "GET #new" do
@@ -72,7 +72,7 @@
 end
 it_behaves_like "only authorized admins are allowed",
- authorized_roles: %w[superadmin board communications support]
+ authorized_roles: %w[superadmin board board_assistants_team communications support]
 end
 describe "POST #create" do
@@ -83,7 +83,7 @@
 end
 it_behaves_like "only authorized admins are allowed",
- authorized_roles: %w[superadmin board communications support]
+ authorized_roles: %w[superadmin board board_assistants_team communications support]
 end
 describe "GET #edit" do
@@ -94,7 +94,7 @@
 end
 it_behaves_like "only authorized admins are allowed",
- authorized_roles: %w[superadmin board communications development_and_membership support]
+ authorized_roles: %w[superadmin board board_assistants_team communications development_and_membership support]
 end
 describe "PUT #update" do
@@ -106,7 +106,7 @@
 end
 it_behaves_like "only authorized admins are allowed",
- authorized_roles: %w[superadmin board communications development_and_membership support]
+ authorized_roles: %w[superadmin board board_assistants_team communications development_and_membership support]
 end
 describe "GET #confirm_delete" do
@@ -117,7 +117,7 @@
 end
 it_behaves_like "only authorized admins are allowed",
- authorized_roles: %w[superadmin board communications support]
+ authorized_roles: %w[superadmin board board_assistants_team communications support]
 end
 describe "DELETE #destroy" do
@@ -129,6 +129,6 @@
 end
 it_behaves_like "only authorized admins are allowed",
- authorized_roles: %w[superadmin board communications support]
+ authorized_roles: %w[superadmin board board_assistants_team communications support]
 end
 end
diff --git a/spec/controllers/admin_posts_controller_spec.rb b/spec/controllers/admin_posts_controller_spec.rb
index 6287c888f25..6f750491e44 100644
--- a/spec/controllers/admin_posts_controller_spec.rb
+++ b/spec/controllers/admin_posts_controller_spec.rb
@@ -21,42 +21,77 @@ end describe "POST #create" do - before { fake_login_admin(create(:admin, roles: ["communications"])) } - let(:base_params) { { title: "AdminPost Title", content: "AdminPost content long enough to pass validation" } } - context "when admin post is valid" do - it "redirects to post with notice" do - post :create, params: { admin_post: base_params } - it_redirects_to_with_notice(admin_post_path(assigns[:admin_post]), "Admin Post was successfully created.") - end - end + authorized_roles = %w[superadmin board board_assistants_team communications support translation] + unauthorized_roles = Admin::VALID_ROLES - authorized_roles + + context "when admin does not have correct authorization" do + let(:admin) { create(:admin) } - context "when admin post is invalid" do - context "with invalid translated post id" do - it "renders the new template with error message" do - post :create, params: { admin_post: { translated_post_id: 0 } }.merge(base_params) + unauthorized_roles.each do |admin_role| + context "with #{admin_role}" do + it "redirects with error" do + admin.update!(roles: [admin_role]) + fake_login_admin(admin) + post :create, params: { admin_post: base_params } - expect(response).to render_template(:new) - expect(assigns[:admin_post].errors.full_messages).to include("Translated post does not exist") + it_redirects_to_with_error(root_url, "Sorry, only an authorized admin can access the page you were trying to reach.") + end end + end - it "doesn't create new tags" do - post :create, params: { admin_post: { translated_post_id: 0, tag_list: "badtag" } }.merge(base_params) - expect(AdminPostTag.find_by(name: "badtag")).to be_nil + context "with no role" do + it "redirects with error" do + admin.update!(roles: []) + fake_login_admin(admin) + post :create, params: { admin_post: base_params } + + it_redirects_to_with_error(root_url, "Sorry, only an authorized admin can access the page you were trying to reach.") end end end - context "when translated 
post has same language id" do - let(:admin_post) { create(:admin_post) } + context "when admin has correct authorization" do + authorized_roles.each do |admin_role| + context "with #{admin_role} role" do + before { fake_login_admin(create(:admin, roles: [admin_role])) } - it "renders the new template with error message" do - post :create, params: { admin_post: { translated_post_id: admin_post.id, language_id: admin_post.language_id } }.merge(base_params) + context "when admin post is valid" do + it "redirects to post with notice" do + post :create, params: { admin_post: base_params } + it_redirects_to_with_notice(admin_post_path(assigns[:admin_post]), "Admin Post was successfully created.") + end + end + + context "when admin post is invalid" do + context "with invalid translated post id" do + it "renders the new template with error message" do + post :create, params: { admin_post: { translated_post_id: 0 } }.merge(base_params) - expect(response).to render_template(:new) - expect(assigns[:admin_post].errors.full_messages).to include("Translated post cannot be same language as original post") + expect(response).to render_template(:new) + expect(assigns[:admin_post].errors.full_messages).to include("Translated post does not exist") + end + + it "doesn't create new tags" do + post :create, params: { admin_post: { translated_post_id: 0, tag_list: "badtag" } }.merge(base_params) + expect(AdminPostTag.find_by(name: "badtag")).to be_nil + end + end + end + + context "when translated post has same language id" do + let(:admin_post) { create(:admin_post) } + + it "renders the new template with error message" do + post :create, params: { admin_post: { translated_post_id: admin_post.id, language_id: admin_post.language_id } }.merge(base_params) + + expect(response).to render_template(:new) + expect(assigns[:admin_post].errors.full_messages).to include("Translated post cannot be same language as original post") + end + end + end end end end 
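Review bot: As far as this hunk shows, `let(:base_params) { { title: "AdminPost Title", content: "AdminPost content long enough to pass validation" } }` is removed from `describe "POST #create"` while every new example still sends `admin_post: base_params`; unless `base_params` is defined in an enclosing scope above line 21 (not visible here), the create examples will fail with NameError before reaching the authorization check. If the removal is real, keep the `let` next to the new `authorized_roles` assignment. The literal `authorized_roles = %w[superadmin board board_assistants_team communications support translation]` is repeated in the update, edit, new and destroy hunks below; one assignment at the outer `describe` (or a single top-of-file constant) would keep the five lists from drifting apart as roles change.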
@@ -65,22 +100,39 @@ let(:admin) { create(:admin) } let(:post) { create(:admin_post) } + authorized_roles = %w[superadmin board board_assistants_team communications support translation] + unauthorized_roles = Admin::VALID_ROLES - authorized_roles + context "when admin does not have correct authorization" do - it "redirects with error" do - admin.update(roles: []) - fake_login_admin(admin) - put :update, params: { id: post.id, admin_post: { admin_id: admin.id } } + unauthorized_roles.each do |admin_role| + context "with the role #{admin_role}" do + it "redirects with error" do + admin.update!(roles: [admin_role]) + fake_login_admin(admin) + put :update, params: { id: post.id, admin_post: { admin_id: admin.id } } - it_redirects_to_with_error(root_url, "Sorry, only an authorized admin can access the page you were trying to reach.") + it_redirects_to_with_error(root_url, "Sorry, only an authorized admin can access the page you were trying to reach.") + end + end + end + + context "with no role" do + it "redirects with error" do + admin.update!(roles: []) + fake_login_admin(admin) + put :update, params: { id: post.id, admin_post: { admin_id: admin.id } } + + it_redirects_to_with_error(root_url, "Sorry, only an authorized admin can access the page you were trying to reach.") + end end end context "when admin has correct authorization" do - %w[superadmin board communications support translation].each do |admin_role| + authorized_roles.each do |admin_role| context "with #{admin_role} role" do context "with valid title" do it "updates title and redirects with notice" do - admin.update(roles: [admin_role]) + admin.update!(roles: [admin_role]) fake_login_admin(admin) put :update, params: { id: post.id, admin_post: { admin_id: admin.id, title: "Modified Title of Post" } } 
@@ -91,7 +143,7 @@ context "with invalid translated_post_id" do it "renders the edit template with error message" do - admin.update(roles: [admin_role]) + admin.update!(roles: [admin_role]) fake_login_admin(admin) put :update, params: { id: post.id, admin_post: { admin_id: admin.id, translated_post_id: 0 } } @@ -105,7 +157,7 @@ context "with valid comment_permissions" do it "does not change comment_permissions and redirects with notice" do - admin.update(roles: [admin_role]) + admin.update!(roles: [admin_role]) fake_login_admin(admin) expect do put :update, params: { @@ -124,7 +176,7 @@ context "with invalid translated_post language" do it "renders the edit template with error message" do - admin.update(roles: [admin_role]) + admin.update!(roles: [admin_role]) fake_login_admin(admin) put :update, params: { id: translation.id, admin_post: { language_id:post.language_id } } expect(response).to render_template(:edit) 
@@ -140,22 +192,38 @@ describe "GET #edit" do let(:admin) { create(:admin) } let(:post) { create(:admin_post) } + authorized_roles = %w[superadmin board board_assistants_team communications support translation] + unauthorized_roles = Admin::VALID_ROLES - authorized_roles context "when admin does not have correct authorization" do - it "redirects with error" do - admin.update(roles: []) - fake_login_admin(admin) - get :edit, params: { id: post.id } + unauthorized_roles.each do |admin_role| + context "with the role #{admin_role}" do + it "redirects with error" do + admin.update!(roles: [admin_role]) + fake_login_admin(admin) + get :edit, params: { id: post.id } + + it_redirects_to_with_error(root_url, "Sorry, only an authorized admin can access the page you were trying to reach.") + end + end + end + + context "with no role" do + it "redirects with error" do + admin.update!(roles: []) + fake_login_admin(admin) + get :edit, params: { id: post.id } - it_redirects_to_with_error(root_url, "Sorry, only an authorized admin can access the page you were trying to reach.") + it_redirects_to_with_error(root_url, "Sorry, only an authorized admin can access the page you were trying to reach.") + end end end context "when admin has correct authorization" do - %w[superadmin board communications support translation].each do |admin_role| + authorized_roles.each do |admin_role| context "with #{admin_role} role" do it "renders edit template" do - admin.update(roles: [admin_role]) + admin.update!(roles: [admin_role]) fake_login_admin(admin) get :edit, params: { id: post.id } 
@@ -169,22 +237,38 @@ describe "GET #new" do let(:admin) { create(:admin) } let(:post) { create(:admin_post) } + authorized_roles = %w[superadmin board board_assistants_team communications support translation] + unauthorized_roles = Admin::VALID_ROLES - authorized_roles context "when admin does not have correct authorization" do - it "redirects with error" do - admin.update(roles: []) - fake_login_admin(admin) - get :edit, params: { id: post.id } + unauthorized_roles.each do |admin_role| + context "with the role #{admin_role}" do + it "redirects with error" do + admin.update!(roles: [admin_role]) + fake_login_admin(admin) + get :edit, params: { id: post.id } - it_redirects_to_with_error(root_url, "Sorry, only an authorized admin can access the page you were trying to reach.") + it_redirects_to_with_error(root_url, "Sorry, only an authorized admin can access the page you were trying to reach.") + end + end + end + + context "with no role" do + it "redirects with error" do + admin.update!(roles: []) + fake_login_admin(admin) + get :edit, params: { id: post.id } + + it_redirects_to_with_error(root_url, "Sorry, only an authorized admin can access the page you were trying to reach.") + end end end context "when admin has correct authorization" do - %w[superadmin board communications support translation].each do |admin_role| + authorized_roles.each do |admin_role| context "with #{admin_role} role" do it "renders new template" do - admin.update(roles: [admin_role]) + admin.update!(roles: [admin_role]) fake_login_admin(admin) get :new, params: { id: post.id } 
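Review bot: Inside `describe "GET #new"`, both new unauthorized contexts send `get :edit, params: { id: post.id }`, so the `new` action's authorization is never exercised for unauthorized or role-less admins — only the authorized branch calls `get :new`. The removed lines had the same mistake, but the rewrite copies it into two places instead of one. Change both to `get :new, params: { id: post.id }` to match the authorized branch.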
@@ -198,22 +282,38 @@ describe "DELETE #destroy" do let(:admin) { create(:admin) } let(:post) { create(:admin_post) } + authorized_roles = %w[superadmin board board_assistants_team communications support translation] + unauthorized_roles = Admin::VALID_ROLES - authorized_roles context "when admin does not have correct authorization" do - it "redirects with error" do - admin.update(roles: []) - fake_login_admin(admin) - delete :destroy, params: { id: post.id } + unauthorized_roles.each do |admin_role| + context "with the role #{admin_role}" do + it "redirects with error" do + admin.update!(roles: [admin_role]) + fake_login_admin(admin) + delete :destroy, params: { id: post.id } - it_redirects_to_with_error(root_url, "Sorry, only an authorized admin can access the page you were trying to reach.") + it_redirects_to_with_error(root_url, "Sorry, only an authorized admin can access the page you were trying to reach.") + end + end + end + + context "with no role" do + it "redirects with error" do + admin.update!(roles: []) + fake_login_admin(admin) + delete :destroy, params: { id: post.id } + + it_redirects_to_with_error(root_url, "Sorry, only an authorized admin can access the page you were trying to reach.") + end end end context "when admin has correct authorization" do - %w[superadmin board communications support translation].each do |admin_role| + authorized_roles.each do |admin_role| context "with #{admin_role} role" do it "deletes post and redirects without notice" do - admin.update(roles: [admin_role]) + admin.update!(roles: [admin_role]) fake_login_admin(admin) delete :destroy, params: { id: post.id } @@ -225,7 +325,7 @@ let!(:translation) { create(:admin_post, translated_post_id: post.id, language_id: create(:language).id) } it "deletes translations of post along with post" do - admin.update(roles: [admin_role]) + admin.update!(roles: [admin_role]) fake_login_admin(admin) delete :destroy, params: { id: post.id } 
diff --git a/spec/controllers/comments_controller_spec.rb b/spec/controllers/comments_controller_spec.rb
index 7fa5dccfc2e..86aad5df5b5 100644
--- a/spec/controllers/comments_controller_spec.rb
+++ b/spec/controllers/comments_controller_spec.rb
@@ -888,69 +888,102 @@ describe "PUT #approve" do before { comment.update_column(:approved, false) } - context "when logged-in as admin without a role" do - before { fake_login_admin(create(:admin)) } - + shared_examples "a comment that can only be approved by an authorized admin" do it "leaves the comment marked as spam and redirects with an error" do put :approve, params: { id: comment.id } expect(comment.reload.approved).to be_falsey - it_redirects_to_with_error( - root_path, - "Sorry, only an authorized admin can access the page you were trying to reach." - ) + it_redirects_to_with_error(root_path, "Sorry, only an authorized admin can access the page you were trying to reach.") end end - context "when logged-in as admin with authorized role" do - before { fake_login_admin(create(:superadmin)) } - - it "marks the comment as not spam" do + shared_examples "a comment the logged-in user can't approve" do + it "doesn't mark the comment as spam and redirects with an error" do put :approve, params: { id: comment.id } - expect(flash[:error]).to be_nil - expect(response).to redirect_to(work_path(comment.ultimate_parent, - show_comments: true, - anchor: "comments")) - expect(comment.reload.approved).to be_truthy + expect(comment.reload.approved).to be_falsey + it_redirects_to_with_error(root_path, "Sorry, you don't have permission to moderate that comment.") end end - context "when logged-in as the work's creator" do - before { fake_login_known_user(comment.ultimate_parent.users.first) } + context "when ultimate parent is an AdminPost" do + let(:admin) { create(:admin) } + let(:comment) { create(:comment, :on_admin_post) } + authorized_roles = %w[superadmin board board_assistants_team communications elections policy_and_abuse support] + unauthorized_roles = Admin::VALID_ROLES - authorized_roles + + authorized_roles.each do |role| + context "when logged-in as admin with the role #{role}" do + it "marks the comment as not spam" do + fake_login_admin(create(:admin, roles: 
[role])) + put :approve, params: { id: comment.id } + expect(flash[:error]).to be_nil + expect(response).to redirect_to(admin_post_path(comment.ultimate_parent, + show_comments: true, + anchor: "comments")) + expect(comment.reload.approved).to be_truthy + end + end + end - it "leaves the comment marked as spam and redirects with an error" do - put :approve, params: { id: comment.id } - expect(comment.reload.approved).to be_falsey - it_redirects_to_with_error( - root_path, - "Sorry, only an authorized admin can access the page you were trying to reach." - ) + unauthorized_roles.each do |role| + context "when logged-in as admin with the role #{role}" do + before { fake_login_admin(create(:admin, roles: [role])) } + + it_behaves_like "a comment that can only be approved by an authorized admin" + end + end + end + + context "when ultimate parent is a Work" do + let(:admin) { create(:admin) } + authorized_roles = %w[superadmin board policy_and_abuse support] + unauthorized_roles = Admin::VALID_ROLES - authorized_roles + + authorized_roles.each do |role| + context "when logged-in as admin with the role #{role}" do + before { fake_login_admin(create(:admin, roles: [role])) } + + it "marks the comment as not spam" do + put :approve, params: { id: comment.id } + expect(flash[:error]).to be_nil + expect(response).to redirect_to(work_path(comment.ultimate_parent, + show_comments: true, + anchor: "comments")) + expect(comment.reload.approved).to be_truthy + end + end + end + + unauthorized_roles.each do |role| + context "when logged-in as admin with the role #{role}" do + before { fake_login_admin(create(:admin, roles: [role])) } + + it_behaves_like "a comment that can only be approved by an authorized admin" + end + + context "when logged-in as admin with no role" do + before { fake_login_admin(create(:admin)) } + + it_behaves_like "a comment that can only be approved by an authorized admin" + end + end + + context "when logged-in as the work's creator" do + before { 
fake_login_known_user(comment.ultimate_parent.users.first) } + + it_behaves_like "a comment that can only be approved by an authorized admin" end end context "when logged-in as the comment writer" do before { fake_login_known_user(comment.pseud.user) } - it "leaves the comment marked as spam and redirects with an error" do - put :approve, params: { id: comment.id } - expect(comment.reload.approved).to be_falsey - it_redirects_to_with_error( - root_path, - "Sorry, you don't have permission to moderate that comment." - ) - end + it_behaves_like "a comment the logged-in user can't approve" end context "when logged-in as a random user" do before { fake_login } - it "leaves the comment marked as spam and redirects with an error" do - put :approve, params: { id: comment.id } - expect(comment.reload.approved).to be_falsey - it_redirects_to_with_error( - root_path, - "Sorry, you don't have permission to moderate that comment." - ) - end + it_behaves_like "a comment the logged-in user can't approve" end context "when not logged-in" do 
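Review bot: In the `Work` context the `"when logged-in as admin with no role"` context is nested inside `unauthorized_roles.each`, so it is generated once per unauthorized role with an identical description, while the `AdminPost` context has no role-less admin case at all; move it after the loop's `end` and add the same context to the `AdminPost` branch. `let(:admin) { create(:admin) }` is declared in both parent contexts but nothing in the hunk reads `admin` — every example builds its own `create(:admin, roles: [role])` — so both can be dropped. The example in `"a comment the logged-in user can't approve"` is described as `"doesn't mark the comment as spam and redirects with an error"` although the `before` at the top of the describe already set `approved` to false; the removed wording `"leaves the comment marked as spam and redirects with an error"` states what is actually asserted.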
@@ -968,66 +1001,124 @@ end describe "PUT #reject" do + shared_examples "a comment that can only be rejected by an authorized admin" do + it "doesn't mark the comment as spam and redirects with an error" do + put :reject, params: { id: comment.id } + expect(comment.reload.approved).to be_truthy + it_redirects_to_with_error(root_path, "Sorry, only an authorized admin can access the page you were trying to reach.") + end + end + + shared_examples "a comment the logged-in user can't reject" do + it "doesn't mark the comment as spam and redirects with an error" do + put :reject, params: { id: comment.id } + expect(comment.reload.approved).to be_truthy + it_redirects_to_with_error(root_path, "Sorry, you don't have permission to moderate that comment.") + end + end + shared_examples "marking a comment spam" do - context "when logged-in as admin" do - let(:admin) { create(:admin) } + context "when ultimate parent is an AdminPost" do + let(:admin_post) { create(:admin_post) } + authorized_roles = %w[superadmin board board_assistants_team communications elections policy_and_abuse support] + unauthorized_roles = Admin::VALID_ROLES - authorized_roles - it "fails to mark the comment as spam if admin does not have correct role" do - admin.update(roles: []) - fake_login_admin(admin) - put :reject, params: { id: comment.id } - it_redirects_to_with_error(root_url, "Sorry, only an authorized admin can access the page you were trying to reach.") + before do + comment.commentable = admin_post + comment.parent = admin_post + comment.save + comment.reload + end + + authorized_roles.each do |role| + context "when logged-in as admin with the role #{role}" do + before { fake_login_admin(create(:admin, roles: [role])) } + + it "marks the comment as spam" do + put :reject, params: { id: comment.id } + expect(flash[:error]).to be_nil + expect(response).to redirect_to(admin_post_path(comment.ultimate_parent, + show_comments: true, + anchor: "comments")) + expect(comment.reload.approved).to 
be_falsey + end + end end - it "marks the comment as spam when admin has correct role" do - admin.update(roles: ["policy_and_abuse"]) - fake_login_admin(admin) - put :reject, params: { id: comment.id } - expect(flash[:error]).to be_nil - expect(response).to redirect_to(work_path(comment.ultimate_parent, - show_comments: true, - anchor: "comments")) - expect(comment.reload.approved).to be_falsey + unauthorized_roles.each do |role| + context "when logged-in as admin with the role #{role}" do + before { fake_login_admin(create(:admin, roles: [role])) } + + it_behaves_like "a comment that can only be rejected by an authorized admin" + end + + context "when logged-in as admin with no role" do + before { fake_login_admin(create(:admin, roles: [role])) } + + it_behaves_like "a comment that can only be rejected by an authorized admin" + end end end - context "when logged-in as the work's creator" do - before { fake_login_known_user(comment.ultimate_parent.users.first) } + context "when ultimate parent is a Work" do + context "when logged-in as admin" do + authorized_roles = %w[superadmin board policy_and_abuse support] + unauthorized_roles = Admin::VALID_ROLES - authorized_roles + + authorized_roles.each do |role| + context "with the role #{role}" do + before { fake_login_admin(create(:admin, roles: [role])) } + + it "marks the comment as spam" do + put :reject, params: { id: comment.id } + expect(flash[:error]).to be_nil + expect(response).to redirect_to(work_path(comment.ultimate_parent, + show_comments: true, + anchor: "comments")) + expect(comment.reload.approved).to be_falsey + end + end + end - it "marks the comment as spam" do - put :reject, params: { id: comment.id } - expect(flash[:error]).to be_nil - expect(response).to redirect_to(work_path(comment.ultimate_parent, - show_comments: true, - anchor: "comments")) - expect(comment.reload.approved).to be_falsey + unauthorized_roles.each do |role| + context "with the role #{role}" do + before { 
fake_login_admin(create(:admin, roles: [role])) } + + it_behaves_like "a comment that can only be rejected by an authorized admin" + end + end + + context "with no role" do + before { fake_login_admin(create(:admin)) } + + it_behaves_like "a comment that can only be rejected by an authorized admin" + end + end + + context "when logged-in as the work's creator" do + before { fake_login_known_user(comment.ultimate_parent.users.first) } + + it "marks the comment as spam" do + put :reject, params: { id: comment.id } + expect(flash[:error]).to be_nil + expect(response).to redirect_to(work_path(comment.ultimate_parent, + show_comments: true, + anchor: "comments")) + expect(comment.reload.approved).to be_falsey + end end end context "when logged-in as the comment writer" do before { fake_login_known_user(comment.pseud.user) } - it "doesn't mark the comment as spam and redirects with an error" do - put :reject, params: { id: comment.id } - expect(comment.reload.approved).to be_truthy - it_redirects_to_with_error( - root_path, - "Sorry, you don't have permission to moderate that comment." - ) - end + it_behaves_like "a comment the logged-in user can't reject" end context "when logged-in as a random user" do before { fake_login } - it "doesn't mark the comment as spam and redirects with an error" do - put :reject, params: { id: comment.id } - expect(comment.reload.approved).to be_truthy - it_redirects_to_with_error( - root_path, - "Sorry, you don't have permission to moderate that comment." - ) - end + it_behaves_like "a comment the logged-in user can't reject" end context "when not logged-in" do @@ -1129,7 +1220,7 @@ context "with no role" do it "doesn't freeze comment and redirects with error" do - admin.update(roles: []) + admin.update!(roles: []) fake_login_admin(admin) put :freeze, params: { id: comment.id } 
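Review bot: In the `AdminPost` context, the `"when logged-in as admin with no role"` context sits inside `unauthorized_roles.each` and logs in with `create(:admin, roles: [role])`, so no example ever rejects a comment on an AdminPost as a role-less admin, and the mislabelled example runs once per unauthorized role. Move it after the loop's `end` and use `before { fake_login_admin(create(:admin)) }`, as the `Work` context already does. In the `before` that re-parents the comment, `comment.save` swallows a validation failure, in which case the later assertions would run against a comment still attached to the work; `comment.save!` matches the `update!` conversion this commit applies elsewhere.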
@@ -1141,7 +1232,7 @@ %w[superadmin tag_wrangling].each do |admin_role| context "with the #{admin_role} role" do it "freezes comment and redirects with success message" do - admin.update(roles: [admin_role]) + admin.update!(roles: [admin_role]) fake_login_admin(admin) put :freeze, params: { id: comment.id } @@ -1195,7 +1286,7 @@ context "with no role" do it "doesn't freeze comment and redirects with error" do - admin.update(roles: []) + admin.update!(roles: []) fake_login_admin(admin) put :freeze, params: { id: comment.id } @@ -1207,7 +1298,7 @@ %w[superadmin policy_and_abuse].each do |admin_role| context "with the #{admin_role} role" do it "freezes comment and redirects with success message" do - admin.update(roles: [admin_role]) + admin.update!(roles: [admin_role]) fake_login_admin(admin) put :freeze, params: { id: comment.id } @@ -1400,7 +1491,7 @@ context "with no role" do it "leaves comment frozen and redirects with error" do - admin.update(roles: []) + admin.update!(roles: []) fake_login_admin(admin) put :freeze, params: { id: comment.id } @@ -1412,7 +1503,7 @@ %w[superadmin tag_wrangling].each do |admin_role| context "with the #{admin_role} role" do it "leaves comment frozen and redirects with error" do - admin.update(roles: [admin_role]) + admin.update!(roles: [admin_role]) fake_login_admin(admin) put :freeze, params: { id: comment.id } @@ -1466,7 +1557,7 @@ context "with no role" do it "leaves comment frozen and redirects with error" do - admin.update(roles: []) + admin.update!(roles: []) fake_login_admin(admin) put :freeze, params: { id: comment.id } @@ -1478,7 +1569,7 @@ %w[superadmin policy_and_abuse].each do |admin_role| context "with the #{admin_role} role" do it "leaves comment frozen and redirects with error" do - admin.update(roles: [admin_role]) + admin.update!(roles: [admin_role]) fake_login_admin(admin) put :freeze, params: { id: comment.id } 
@@ -1653,7 +1744,7 @@ context "with no role" do it "leaces comment unfrozen and redirects with error" do - admin.update(roles: []) + admin.update!(roles: []) fake_login_admin(admin) put :unfreeze, params: { id: comment.id } @@ -1665,7 +1756,7 @@ %w[superadmin tag_wrangling].each do |admin_role| context "with the #{admin_role} role" do it "leaves comment unfrozen and redirects with error" do - admin.update(roles: [admin_role]) + admin.update!(roles: [admin_role]) fake_login_admin(admin) put :unfreeze, params: { id: comment.id } @@ -1719,7 +1810,7 @@ context "with no role" do it "leaves comment unfrozen and redirects with error" do - admin.update(roles: []) + admin.update!(roles: []) fake_login_admin(admin) put :unfreeze, params: { id: comment.id } @@ -1731,7 +1822,7 @@ %w[superadmin policy_and_abuse].each do |admin_role| context "with the #{admin_role} role" do it "leaves comment unfrozen and redirects with error" do - admin.update(roles: [admin_role]) + admin.update!(roles: [admin_role]) fake_login_admin(admin) put :unfreeze, params: { id: comment.id } @@ -1904,7 +1995,7 @@ context "with no role" do it "doesn't unfreeze comment and redirects with error" do - admin.update(roles: []) + admin.update!(roles: []) fake_login_admin(admin) put :unfreeze, params: { id: comment.id } @@ -1916,7 +2007,7 @@ %w[superadmin tag_wrangling].each do |admin_role| context "with the #{admin_role} role" do it "unfreezes comment and redirects with success message" do - admin.update(roles: [admin_role]) + admin.update!(roles: [admin_role]) fake_login_admin(admin) put :unfreeze, params: { id: comment.id } @@ -1970,7 +2061,7 @@ context "with no role" do it "doesn't unfreeze comment and redirects with error" do - admin.update(roles: []) + admin.update!(roles: []) fake_login_admin(admin) put :unfreeze, params: { id: comment.id } 
@@ -1982,7 +2073,7 @@
 %w[superadmin policy_and_abuse].each do |admin_role|
 context "with the #{admin_role} role" do
 it "unfreezes comment and redirects with success message" do
- admin.update(roles: [admin_role])
+ admin.update!(roles: [admin_role])
 fake_login_admin(admin)
 put :unfreeze, params: { id: comment.id }
@@ -2177,7 +2268,7 @@
 context "with no role" do
 it "doesn't hide comment and redirects with error" do
- admin.update(roles: [])
+ admin.update!(roles: [])
 fake_login_admin(admin)
 put :hide, params: { id: comment.id }
@@ -2189,7 +2280,7 @@
 %w[superadmin tag_wrangling].each do |admin_role|
 context "with the #{admin_role} role" do
 it "hides comment and redirects with success message" do
- admin.update(roles: [admin_role])
+ admin.update!(roles: [admin_role])
 fake_login_admin(admin)
 put :hide, params: { id: comment.id }
@@ -2243,7 +2334,7 @@
 context "with no role" do
 it "doesn't hide comment and redirects with error" do
- admin.update(roles: [])
+ admin.update!(roles: [])
 fake_login_admin(admin)
 put :hide, params: { id: comment.id }
@@ -2255,7 +2346,7 @@
 %w[superadmin policy_and_abuse].each do |admin_role|
 context "with the #{admin_role} role" do
 it "hides comment and redirects with success message" do
- admin.update(roles: [admin_role])
+ admin.update!(roles: [admin_role])
 fake_login_admin(admin)
 put :hide, params: { id: comment.id }
@@ -2347,7 +2438,7 @@
 context "with no role" do
 it "leaves comment hidden and redirects with error" do
- admin.update(roles: [])
+ admin.update!(roles: [])
 fake_login_admin(admin)
 put :hide, params: { id: comment.id }
@@ -2359,7 +2450,7 @@
 %w[superadmin tag_wrangling].each do |admin_role|
 context "with the #{admin_role} role" do
 it "leaves comment hidden and redirects with error" do
- admin.update(roles: [admin_role])
+ admin.update!(roles: [admin_role])
 fake_login_admin(admin)
 put :hide, params: { id: comment.id }
@@ -2413,7 +2504,7 @@
 context "with no role" do
 it "leaves comment hidden and redirects with error" do
- admin.update(roles: [])
+ admin.update!(roles: [])
 fake_login_admin(admin)
 put :hide, params: { id: comment.id }
@@ -2425,7 +2516,7 @@
 %w[superadmin policy_and_abuse].each do |admin_role|
 context "with the #{admin_role} role" do
 it "leaves comment hidden and redirects with error" do
- admin.update(roles: [admin_role])
+ admin.update!(roles: [admin_role])
 fake_login_admin(admin)
 put :hide, params: { id: comment.id }
@@ -2519,7 +2610,7 @@
 context "with no role" do
 it "doesn't unhide comment and redirects with error" do
- admin.update(roles: [])
+ admin.update!(roles: [])
 fake_login_admin(admin)
 put :unhide, params: { id: comment.id }
@@ -2531,7 +2622,7 @@
 %w[superadmin tag_wrangling].each do |admin_role|
 context "with the #{admin_role} role" do
 it "unhides comment and redirects with success message" do
- admin.update(roles: [admin_role])
+ admin.update!(roles: [admin_role])
 fake_login_admin(admin)
 put :unhide, params: { id: comment.id }
@@ -2585,7 +2676,7 @@
 context "with no role" do
 it "doesn't unhide comment and redirects with error" do
- admin.update(roles: [])
+ admin.update!(roles: [])
 fake_login_admin(admin)
 put :unhide, params: { id: comment.id }
@@ -2597,7 +2688,7 @@
 %w[superadmin policy_and_abuse].each do |admin_role|
 context "with the #{admin_role} role" do
 it "unhides comment and redirects with success message" do
- admin.update(roles: [admin_role])
+ admin.update!(roles: [admin_role])
 fake_login_admin(admin)
 put :unhide, params: { id: comment.id }
@@ -2689,7 +2780,7 @@
 context "with no role" do
 it "leaves comment unhidden and redirects with error" do
- admin.update(roles: [])
+ admin.update!(roles: [])
 fake_login_admin(admin)
 put :unhide, params: { id: comment.id }
@@ -2701,7 +2792,7 @@
 %w[superadmin tag_wrangling].each do |admin_role|
 context "with the #{admin_role} role" do
 it "leaves comment unhidden and redirects with error" do
- admin.update(roles: [admin_role])
+ admin.update!(roles: [admin_role])
 fake_login_admin(admin)
 put :unhide, params: { id: comment.id }
@@ -2755,7 +2846,7 @@
 context "with no role" do
 it "leaves comment unhidden and redirects with error" do
- admin.update(roles: [])
+ admin.update!(roles: [])
 fake_login_admin(admin)
 put :unhide, params: { id: comment.id }
@@ -2767,7 +2858,7 @@
 %w[superadmin policy_and_abuse].each do |admin_role|
 context "with the #{admin_role} role" do
 it "leaves comment unhidden and redirects with error" do
- admin.update(roles: [admin_role])
+ admin.update!(roles: [admin_role])
 fake_login_admin(admin)
 put :unhide, params: { id: comment.id }
@@ -2976,7 +3067,7 @@
 it "deletes the reply and redirects with success message" do
 admin = create(:admin)
- admin.update(roles: ["superadmin"])
+ admin.update!(roles: ["superadmin"])
 fake_login_admin(admin)
 delete :destroy, params: { id: reply.id }
@@ -3008,7 +3099,7 @@
 context "with no role" do
 it "doesn't destroy comment and redirects with error" do
- admin.update(roles: [])
+ admin.update!(roles: [])
 fake_login_admin(admin)
 delete :destroy, params: { id: comment.id }
@@ -3017,10 +3108,10 @@
 end
 end
- %w[superadmin board communications elections policy_and_abuse support].each do |admin_role|
+ %w[superadmin board board_assistants_team communications elections policy_and_abuse support].each do |admin_role|
 context "with role #{admin_role}" do
 it "destroys comment and redirects with success message" do
- admin.update(roles: [admin_role])
+ admin.update!(roles: [admin_role])
 fake_login_admin(admin)
 delete :destroy, params: { id: comment.id }
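Review bot: The rewritten allowed-role list in the last hunk, `%w[superadmin board board_assistants_team communications elections policy_and_abuse support].each do |admin_role|`, only proves the grant side of the admin-post comment destroy check; nothing visible in this hunk walks the remaining `Admin::VALID_ROLES` and asserts they are turned away, so a role added to the model later would pass this spec whether or not it was meant to get the right. The work-comment contexts later in this diff do exactly that with `(Admin::VALID_ROLES - %w[superadmin board policy_and_abuse support]).each`; the matching denial context here would be `(Admin::VALID_ROLES - %w[superadmin board board_assistants_team communications elections policy_and_abuse support]).each do |admin_role|` wrapping the same "doesn't destroy comment and redirects with error" example. Keeping the positive list literal is fine as a tripwire for policy edits, but the complement-driven denial is the one that catches privilege creep when a new role like `board_assistants_team` is introduced. That denial context may exist outside the hunk; if it does, disregard.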
@@ -3073,7 +3164,7 @@
 context "with no role" do
 it "doesn't destroy comment and redirects with error" do
- admin.update(roles: [])
+ admin.update!(roles: [])
 fake_login_admin(admin)
 delete :destroy, params: { id: comment.id }
@@ -3085,7 +3176,7 @@
 (Admin::VALID_ROLES - %w[superadmin board policy_and_abuse support]).each do |admin_role|
 context "with role #{admin_role}" do
 it "doesn't destroy comment and redirects with error" do
- admin.update(roles: [admin_role])
+ admin.update!(roles: [admin_role])
 fake_login_admin(admin)
 delete :destroy, params: { id: comment.id }
@@ -3098,7 +3189,7 @@
 %w[superadmin board policy_and_abuse support].each do |admin_role|
 context "with the #{admin_role} role" do
 it "destroys comment and redirects with success message" do
- admin.update(roles: [admin_role])
+ admin.update!(roles: [admin_role])
 fake_login_admin(admin)
 delete :destroy, params: { id: comment.id }
@@ -3191,7 +3282,7 @@
 context "with no role" do
 it "doesn't destroy comment and redirects with error" do
- admin.update(roles: [])
+ admin.update!(roles: [])
 fake_login_admin(admin)
 delete :destroy, params: { id: comment.id }
@@ -3203,7 +3294,7 @@
 (Admin::VALID_ROLES - %w[superadmin board policy_and_abuse support]).each do |admin_role|
 context "with role #{admin_role}" do
 it "doesn't destroy comment and redirects with error" do
- admin.update(roles: [admin_role])
+ admin.update!(roles: [admin_role])
 fake_login_admin(admin)
 delete :destroy, params: { id: comment.id }
@@ -3216,7 +3307,7 @@
 %w[superadmin board policy_and_abuse support].each do |admin_role|
 context "with the #{admin_role} role" do
 it "destroys comment and redirects with success message" do
- admin.update(roles: [admin_role])
+ admin.update!(roles: [admin_role])
 fake_login_admin(admin)
 delete :destroy, params: { id: comment.id }
@@ -3550,7 +3641,7 @@
 end
 it "PUT #unfreeze successfully unfreezes the comment" do
- comment.update(iced: true)
+ comment.update!(iced: true)
 put :unfreeze, params: { id: comment.id }
 it_redirects_to_with_comment_notice(
 work_path(comment.ultimate_parent, show_comments: true, anchor: :comments),
@@ -3567,7 +3658,7 @@
 context "DELETE #destroy" do
 it "does not permit deletion of the comment when admin has no role" do
- admin.update(roles: [])
+ admin.update!(roles: [])
 fake_login_admin(admin)
 delete :destroy, params: { id: comment.id }
 it_redirects_to_with_error(root_url, "Sorry, only an authorized admin can access the page you were trying to reach.")
@@ -3575,7 +3666,7 @@
 %w[superadmin board support policy_and_abuse].each do |admin_role|
 it "successfully deletes the comment when admin has #{admin_role} role" do
- admin.update(roles: [admin_role])
+ admin.update!(roles: [admin_role])
 fake_login_admin(admin)
 delete :destroy, params: { id: comment.id }
 expect(flash[:comment_notice]).to eq "Comment deleted."
@@ -3628,7 +3719,7 @@
 context "PUT #freeze" do
 it "does not permit freezing of the comment when admin has no role" do
- admin.update(roles: [])
+ admin.update!(roles: [])
 fake_login_admin(admin)
 put :freeze, params: { id: comment.id }
 it_redirects_to_with_error("/where_i_came_from", "Sorry, you don't have permission to freeze that comment thread.")
@@ -3636,7 +3727,7 @@
 %w[superadmin policy_and_abuse].each do |admin_role|
 it "successfully freezes the comment when admin has #{admin_role} role" do
- admin.update(roles: [admin_role])
+ admin.update!(roles: [admin_role])
 fake_login_admin(admin)
 put :freeze, params: { id: comment.id }
 it_redirects_to_with_comment_notice(
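Review bot: The no-role denial example in the `DELETE #destroy` hunk ends, as far as the hunk shows, at `it_redirects_to_with_error(root_url, ...)`; a redirect plus an error flash does not by itself prove the destroy was refused, since a controller that deleted first and redirected second would satisfy the same assertion. Pinning the state makes this an authorization test rather than a response-shape test: add `expect(Comment.exists?(comment.id)).to be true` after the request, or wrap the request as `expect { delete :destroy, params: { id: comment.id } }.not_to change(Comment, :count)`. The `it` block's closing lines fall outside the hunk, so an existence check may already follow; if it does, disregard.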
@@ -3650,8 +3741,8 @@
 context "PUT #unfreeze" do
 it "does not permit unfreezing of the comment when admin has no role" do
- comment.update(iced: true)
- admin.update(roles: [])
+ comment.update!(iced: true)
+ admin.update!(roles: [])
 fake_login_admin(admin)
 put :unfreeze, params: { id: comment.id }
 it_redirects_to_with_error("/where_i_came_from", "Sorry, you don't have permission to unfreeze that comment thread.")
@@ -3659,8 +3750,8 @@
 %w[superadmin policy_and_abuse].each do |admin_role|
 it "successfully unfreezes the comment when admin has #{admin_role} role" do
- comment.update!(iced: true)
- admin.update(roles: [admin_role])
+ comment.update!(iced: true)
+ admin.update!(roles: [admin_role])
 fake_login_admin(admin)
 put :unfreeze, params: { id: comment.id }
 it_redirects_to_with_comment_notice(
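Review bot: The no-role `PUT #unfreeze` example in the first hunk now sets up the thread with `comment.update!(iced: true)` but, within the visible lines, only checks the error redirect afterwards; it never reloads the comment to confirm the thread is still frozen, so the denial is asserted on the flash rather than on the state the policy is supposed to protect. Adding `expect(comment.reload.iced).to be true` after `put :unfreeze, params: { id: comment.id }` would make the example fail if the action ever ran before the authorization check, and the same reload-and-assert pattern applies to the freeze and hide denial examples elsewhere in this spec. The `it` block closes outside the hunk, so this assertion may already be present; if so, ignore.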