Improve app/policies coverage (#32426)

spec/policies/account_moderation_note_policy_spec.rb

@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 
 require 'rails_helper'
-require 'pundit/rspec'
 
 RSpec.describe AccountModerationNotePolicy do
   subject { described_class }
@@ -12,13 +11,13 @@ RSpec.describe AccountModerationNotePolicy do
   permissions :create? do
     context 'when staff' do
       it 'grants to create' do
-        expect(subject).to permit(admin, described_class)
+        expect(subject).to permit(admin, AccountModerationNote)
       end
     end
 
     context 'when not staff' do
       it 'denies to create' do
-        expect(subject).to_not permit(john, described_class)
+        expect(subject).to_not permit(john, AccountModerationNote)
       end
     end
   end

spec/policies/account_policy_spec.rb

@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 
 require 'rails_helper'
-require 'pundit/rspec'
 
 RSpec.describe AccountPolicy do
   subject { described_class }
@@ -24,7 +23,7 @@ RSpec.describe AccountPolicy do
     end
   end
 
-  permissions :show?, :unsilence?, :unsensitive?, :remove_avatar?, :remove_header? do
+  permissions :show?, :unsilence?, :unsensitive?, :remove_avatar?, :remove_header?, :sensitive?, :warn? do
     context 'when staff' do
       it 'permits' do
         expect(subject).to permit(admin, alice)

spec/policies/account_warning_policy_spec.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe AccountWarningPolicy do
+  subject { described_class }
+
+  let(:admin) { Fabricate(:user, role: UserRole.find_by(name: 'Admin')).account }
+  let(:account) { Fabricate(:account) }
+
+  permissions :show? do
+    context 'with an admin' do
+      it { is_expected.to permit(admin, AccountWarning.new) }
+    end
+
+    context 'with a non-admin' do
+      context 'when account is not target' do
+        it { is_expected.to_not permit(account, AccountWarning.new) }
+      end
+
+      context 'when account is target' do
+        it { is_expected.to permit(account, AccountWarning.new(target_account_id: account.id)) }
+      end
+    end
+  end
+
+  permissions :appeal? do
+    context 'when account is not target' do
+      it { is_expected.to_not permit(account, AccountWarning.new) }
+    end
+
+    context 'when account is target' do
+      context 'when record is appealable' do
+        it { is_expected.to permit(account, AccountWarning.new(target_account_id: account.id, created_at: Appeal::MAX_STRIKE_AGE.ago + 1.hour)) }
+      end
+
+      context 'when record is not appealable' do
+        it { is_expected.to_not permit(account, AccountWarning.new(target_account_id: account.id, created_at: Appeal::MAX_STRIKE_AGE.ago - 1.hour)) }
+      end
+    end
+  end
+end

spec/policies/account_warning_preset_policy_spec.rb

@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 
 require 'rails_helper'
-require 'pundit/rspec'
 
 RSpec.describe AccountWarningPresetPolicy do
   let(:policy) { described_class }
@@ -11,13 +10,13 @@ RSpec.describe AccountWarningPresetPolicy do
   permissions :index?, :create?, :update?, :destroy? do
     context 'with an admin' do
       it 'permits' do
-        expect(policy).to permit(admin, Tag)
+        expect(policy).to permit(admin, AccountWarningPreset)
       end
     end
 
     context 'with a non-admin' do
       it 'denies' do
-        expect(policy).to_not permit(john, Tag)
+        expect(policy).to_not permit(john, AccountWarningPreset)
       end
     end
   end

spec/policies/admin/status_policy_spec.rb

@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 
 require 'rails_helper'
-require 'pundit/rspec'
 
 RSpec.describe Admin::StatusPolicy do
   let(:policy) { described_class }
@@ -13,13 +12,13 @@ RSpec.describe Admin::StatusPolicy do
   permissions :index?, :update?, :review?, :destroy? do
     context 'with an admin' do
       it 'permits' do
-        expect(policy).to permit(admin, Tag)
+        expect(policy).to permit(admin, Status)
       end
     end
 
     context 'with a non-admin' do
       it 'denies' do
-        expect(policy).to_not permit(john, Tag)
+        expect(policy).to_not permit(john, Status)
       end
     end
   end

spec/policies/announcement_policy_spec.rb

@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 
 require 'rails_helper'
-require 'pundit/rspec'
 
 RSpec.describe AnnouncementPolicy do
   let(:policy) { described_class }
@@ -11,13 +10,13 @@ RSpec.describe AnnouncementPolicy do
   permissions :index?, :create?, :update?, :destroy? do
     context 'with an admin' do
       it 'permits' do
-        expect(policy).to permit(admin, Tag)
+        expect(policy).to permit(admin, Announcement)
       end
     end
 
     context 'with a non-admin' do
       it 'denies' do
-        expect(policy).to_not permit(john, Tag)
+        expect(policy).to_not permit(john, Announcement)
       end
     end
   end

spec/policies/appeal_policy_spec.rb

@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 
 require 'rails_helper'
-require 'pundit/rspec'
 
 RSpec.describe AppealPolicy do
   let(:policy) { described_class }
@@ -12,18 +11,18 @@ RSpec.describe AppealPolicy do
   permissions :index? do
     context 'with an admin' do
       it 'permits' do
-        expect(policy).to permit(admin, Tag)
+        expect(policy).to permit(admin, Appeal)
       end
     end
 
     context 'with a non-admin' do
       it 'denies' do
-        expect(policy).to_not permit(john, Tag)
+        expect(policy).to_not permit(john, Appeal)
       end
     end
   end
 
-  permissions :reject? do
+  permissions :reject?, :approve? do
     context 'with an admin' do
       context 'with a pending appeal' do
         before { allow(appeal).to receive(:pending?).and_return(true) }

spec/policies/audit_log_policy_spec.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe AuditLogPolicy do
+  subject { described_class }
+
+  let(:admin) { Fabricate(:user, role: UserRole.find_by(name: 'Admin')).account }
+  let(:account) { Fabricate(:account) }
+
+  permissions :index? do
+    context 'with an admin' do
+      it { is_expected.to permit(admin, nil) }
+    end
+
+    context 'with a non-admin' do
+      it { is_expected.to_not permit(account, nil) }
+    end
+  end
+end

spec/policies/backup_policy_spec.rb

@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 
 require 'rails_helper'
-require 'pundit/rspec'
 
 RSpec.describe BackupPolicy do
   subject { described_class }

spec/policies/canonical_email_block_policy_spec.rb

@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 
 require 'rails_helper'
-require 'pundit/rspec'
 
 RSpec.describe CanonicalEmailBlockPolicy do
   let(:policy) { described_class }
@@ -11,13 +10,13 @@ RSpec.describe CanonicalEmailBlockPolicy do
   permissions :index?, :show?, :test?, :create?, :destroy? do
     context 'with an admin' do
       it 'permits' do
-        expect(policy).to permit(admin, Tag)
+        expect(policy).to permit(admin, CanonicalEmailBlock)
       end
     end
 
     context 'with a non-admin' do
       it 'denies' do
-        expect(policy).to_not permit(john, Tag)
+        expect(policy).to_not permit(john, CanonicalEmailBlock)
       end
     end
   end

spec/policies/custom_emoji_policy_spec.rb

@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 
 require 'rails_helper'
-require 'pundit/rspec'
 
 RSpec.describe CustomEmojiPolicy do
   subject { described_class }

spec/policies/dashboard_policy_spec.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe DashboardPolicy do
+  subject { described_class }
+
+  let(:admin) { Fabricate(:user, role: UserRole.find_by(name: 'Admin')).account }
+  let(:account) { Fabricate(:account) }
+
+  permissions :index? do
+    context 'with an admin' do
+      it { is_expected.to permit(admin, nil) }
+    end
+
+    context 'with a non-admin' do
+      it { is_expected.to_not permit(account, nil) }
+    end
+  end
+end

spec/policies/delivery_policy_spec.rb

@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 
 require 'rails_helper'
-require 'pundit/rspec'
 
 RSpec.describe DeliveryPolicy do
   let(:policy) { described_class }
@@ -11,13 +10,13 @@ RSpec.describe DeliveryPolicy do
   permissions :clear_delivery_errors?, :restart_delivery?, :stop_delivery? do
     context 'with an admin' do
       it 'permits' do
-        expect(policy).to permit(admin, Tag)
+        expect(policy).to permit(admin, nil)
       end
     end
 
     context 'with a non-admin' do
       it 'denies' do
-        expect(policy).to_not permit(john, Tag)
+        expect(policy).to_not permit(john, nil)
       end
     end
   end

spec/policies/domain_allow_policy_spec.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe DomainAllowPolicy do
+  subject { described_class }
+
+  let(:admin)   { Fabricate(:user, role: UserRole.find_by(name: 'Admin')).account }
+  let(:john)    { Fabricate(:account) }
+
+  permissions :index?, :show?, :create?, :destroy? do
+    context 'when admin' do
+      it 'permits' do
+        expect(subject).to permit(admin, DomainAllow)
+      end
+    end
+
+    context 'when not admin' do
+      it 'denies' do
+        expect(subject).to_not permit(john, DomainAllow)
+      end
+    end
+  end
+end

spec/policies/domain_block_policy_spec.rb

@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 
 require 'rails_helper'
-require 'pundit/rspec'
 
 RSpec.describe DomainBlockPolicy do
   subject { described_class }
@@ -9,7 +8,7 @@ RSpec.describe DomainBlockPolicy do
   let(:admin)   { Fabricate(:user, role: UserRole.find_by(name: 'Admin')).account }
   let(:john)    { Fabricate(:account) }
 
-  permissions :index?, :show?, :create?, :destroy? do
+  permissions :index?, :show?, :create?, :destroy?, :update? do
     context 'when admin' do
       it 'permits' do
         expect(subject).to permit(admin, DomainBlock)

spec/policies/email_domain_block_policy_spec.rb

@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 
 require 'rails_helper'
-require 'pundit/rspec'
 
 RSpec.describe EmailDomainBlockPolicy do
   subject { described_class }

spec/policies/follow_recommendation_policy_spec.rb

@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 
 require 'rails_helper'
-require 'pundit/rspec'
 
 RSpec.describe FollowRecommendationPolicy do
   let(:policy) { described_class }
@@ -11,13 +10,13 @@ RSpec.describe FollowRecommendationPolicy do
   permissions :show?, :suppress?, :unsuppress? do
     context 'with an admin' do
       it 'permits' do
-        expect(policy).to permit(admin, Tag)
+        expect(policy).to permit(admin, FollowRecommendation)
       end
     end
 
     context 'with a non-admin' do
       it 'denies' do
-        expect(policy).to_not permit(john, Tag)
+        expect(policy).to_not permit(john, FollowRecommendation)
       end
     end
   end

spec/policies/instance_policy_spec.rb

@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 
 require 'rails_helper'
-require 'pundit/rspec'
 
 RSpec.describe InstancePolicy do
   subject { described_class }

spec/policies/invite_policy_spec.rb

@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 
 require 'rails_helper'
-require 'pundit/rspec'
 
 RSpec.describe InvitePolicy do
   subject { described_class }

spec/policies/ip_block_policy_spec.rb

@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 
 require 'rails_helper'
-require 'pundit/rspec'
 
 RSpec.describe IpBlockPolicy do
   let(:policy) { described_class }
@@ -11,13 +10,13 @@ RSpec.describe IpBlockPolicy do
   permissions :index?, :show?, :create?, :update?, :destroy? do
     context 'with an admin' do
       it 'permits' do
-        expect(policy).to permit(admin, Tag)
+        expect(policy).to permit(admin, IpBlock)
       end
     end
 
     context 'with a non-admin' do
       it 'denies' do
-        expect(policy).to_not permit(john, Tag)
+        expect(policy).to_not permit(john, IpBlock)
       end
     end
   end

spec/policies/poll_policy_spec.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe PollPolicy do
+  subject { described_class }
+
+  let(:account) { Fabricate(:account) }
+  let(:poll) { Fabricate :poll }
+
+  permissions :vote? do
+    context 'when account cannot view status' do
+      before { poll.status.update(visibility: :private) }
+
+      it { is_expected.to_not permit(account, poll) }
+    end
+
+    context 'when account can view status' do
+      context 'when accounts do not block each other' do
+        it { is_expected.to permit(account, poll) }
+      end
+
+      context 'when view blocks poll creator' do
+        before { Fabricate :block, account: account, target_account: poll.account }
+
+        it { is_expected.to_not permit(account, poll) }
+      end
+
+      context 'when poll creator blocks viewer' do
+        before { Fabricate :block, account: poll.account, target_account: account }
+
+        it { is_expected.to_not permit(account, poll) }
+      end
+    end
+  end
+end

spec/policies/preview_card_policy_spec.rb

@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 
 require 'rails_helper'
-require 'pundit/rspec'
 
 RSpec.describe PreviewCardPolicy do
   let(:policy) { described_class }
@@ -11,13 +10,13 @@ RSpec.describe PreviewCardPolicy do
   permissions :index?, :review? do
     context 'with an admin' do
       it 'permits' do
-        expect(policy).to permit(admin, Tag)
+        expect(policy).to permit(admin, PreviewCard)
       end
     end
 
     context 'with a non-admin' do
       it 'denies' do
-        expect(policy).to_not permit(john, Tag)
+        expect(policy).to_not permit(john, PreviewCard)
       end
     end
   end

spec/policies/preview_card_provider_policy_spec.rb

@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 
 require 'rails_helper'
-require 'pundit/rspec'
 
 RSpec.describe PreviewCardProviderPolicy do
   let(:policy) { described_class }
@@ -11,13 +10,13 @@ RSpec.describe PreviewCardProviderPolicy do
   permissions :index?, :review? do
     context 'with an admin' do
       it 'permits' do
-        expect(policy).to permit(admin, Tag)
+        expect(policy).to permit(admin, PreviewCardProvider)
       end
     end
 
     context 'with a non-admin' do
       it 'denies' do
-        expect(policy).to_not permit(john, Tag)
+        expect(policy).to_not permit(john, PreviewCardProvider)
       end
     end
   end

spec/policies/relay_policy_spec.rb

@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 
 require 'rails_helper'
-require 'pundit/rspec'
 
 RSpec.describe RelayPolicy do
   subject { described_class }

spec/policies/report_note_policy_spec.rb

@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 
 require 'rails_helper'
-require 'pundit/rspec'
 
 RSpec.describe ReportNotePolicy do
   subject { described_class }

spec/policies/report_policy_spec.rb

@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 
 require 'rails_helper'
-require 'pundit/rspec'
 
 RSpec.describe ReportPolicy do
   subject { described_class }

spec/policies/rule_policy_spec.rb

@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 
 require 'rails_helper'
-require 'pundit/rspec'
 
 RSpec.describe RulePolicy do
   let(:policy) { described_class }
@@ -11,13 +10,13 @@ RSpec.describe RulePolicy do
   permissions :index?, :create?, :update?, :destroy? do
     context 'with an admin' do
       it 'permits' do
-        expect(policy).to permit(admin, Tag)
+        expect(policy).to permit(admin, Rule)
       end
     end
 
     context 'with a non-admin' do
       it 'denies' do
-        expect(policy).to_not permit(john, Tag)
+        expect(policy).to_not permit(john, Rule)
       end
     end
   end

spec/policies/settings_policy_spec.rb

@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 
 require 'rails_helper'
-require 'pundit/rspec'
 
 RSpec.describe SettingsPolicy do
   subject { described_class }

spec/policies/software_update_policy_spec.rb

@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 
 require 'rails_helper'
-require 'pundit/rspec'
 
 RSpec.describe SoftwareUpdatePolicy do
   subject { described_class }

spec/policies/status_policy_spec.rb

@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 
 require 'rails_helper'
-require 'pundit/rspec'
 
 RSpec.describe StatusPolicy, type: :model do
   subject { described_class }

spec/policies/tag_policy_spec.rb

@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 
 require 'rails_helper'
-require 'pundit/rspec'
 
 RSpec.describe TagPolicy do
   subject { described_class }

spec/policies/user_policy_spec.rb

@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 
 require 'rails_helper'
-require 'pundit/rspec'
 
 RSpec.describe UserPolicy do
   subject { described_class }
@@ -112,4 +111,42 @@ RSpec.describe UserPolicy do
       end
     end
   end
+
+  permissions :approve?, :reject? do
+    context 'when admin' do
+      context 'when user is approved' do
+        it { is_expected.to_not permit(admin, User.new(approved: true)) }
+      end
+
+      context 'when user is not approved' do
+        it { is_expected.to permit(admin, User.new(approved: false)) }
+      end
+    end
+
+    context 'when not admin' do
+      it { is_expected.to_not permit(john, User.new) }
+    end
+  end
+
+  permissions :change_role? do
+    context 'when not admin' do
+      it { is_expected.to_not permit(john, User.new) }
+    end
+
+    context 'when admin' do
+      let(:user) { User.new(role: role) }
+
+      context 'when role of admin overrides user role' do
+        let(:role) { UserRole.new(position: admin.user.role.position - 10, id: 123) }
+
+        it { is_expected.to permit(admin, user) }
+      end
+
+      context 'when role of admin does not override user role' do
+        let(:role) { UserRole.new(position: admin.user.role.position + 10, id: 123) }
+
+        it { is_expected.to_not permit(admin, user) }
+      end
+    end
+  end
 end

spec/policies/user_role_policy_spec.rb

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe UserRolePolicy do
+  subject { described_class }
+
+  let(:admin) { Fabricate(:user, role: UserRole.find_by(name: 'Admin')).account }
+  let(:account) { Fabricate(:account) }
+
+  permissions :index?, :create? do
+    context 'when admin' do
+      it { is_expected.to permit(admin, UserRole.new) }
+    end
+
+    context 'when not admin' do
+      it { is_expected.to_not permit(account, UserRole.new) }
+    end
+  end
+
+  permissions :update? do
+    context 'when admin' do
+      context 'when role of admin overrides relevant role' do
+        it { is_expected.to permit(admin, UserRole.new(position: admin.user.role.position - 10, id: 123)) }
+      end
+
+      context 'when role of admin does not override relevant role' do
+        it { is_expected.to_not permit(admin, UserRole.new(position: admin.user.role.position + 10, id: 123)) }
+      end
+    end
+
+    context 'when not admin' do
+      it { is_expected.to_not permit(account, UserRole.new) }
+    end
+  end
+
+  permissions :destroy? do
+    context 'when admin' do
+      context 'when role of admin overrides relevant role' do
+        it { is_expected.to permit(admin, UserRole.new(position: admin.user.role.position - 10)) }
+      end
+
+      context 'when role of admin does not override relevant role' do
+        it { is_expected.to_not permit(admin, UserRole.new(position: admin.user.role.position + 10)) }
+      end
+
+      context 'when everyone role' do
+        it { is_expected.to_not permit(admin, UserRole.everyone) }
+      end
+    end
+
+    context 'when not admin' do
+      it { is_expected.to_not permit(account, UserRole.new) }
+    end
+  end
+end

spec/policies/webhook_policy_spec.rb

@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 
 require 'rails_helper'
-require 'pundit/rspec'
 
 RSpec.describe WebhookPolicy do
   let(:policy) { described_class }

spec/rails_helper.rb

@@ -43,6 +43,7 @@ require 'paperclip/matchers'
 require 'capybara/rspec'
 require 'chewy/rspec'
 require 'email_spec/rspec'
+require 'pundit/rspec'
 require 'test_prof/recipes/rspec/before_all'
 
 Rails.root.glob('spec/support/**/*.rb').each { |f| require f }