diff --git a/spec/policies/account_policy_spec.rb b/spec/policies/account_policy_spec.rb
index 0f23fd97e288098e8b78bd77b9a2eb80b40f8b9a..d961532332865bd4d48a6dccda7222e2293ac679 100644
--- a/spec/policies/account_policy_spec.rb
+++ b/spec/policies/account_policy_spec.rb
@@ -116,4 +116,44 @@ RSpec.describe AccountPolicy do
end
end
end
+
+ permissions :review? do
+ context 'admin' do
+ it 'permits' do
+ expect(subject).to permit(admin)
+ end
+ end
+
+ context 'not admin' do
+ it 'denies' do
+ expect(subject).to_not permit(john)
+ end
+ end
+ end
+
+ permissions :destroy? do
+ context 'admin' do
+ context 'with a temporarily suspended account' do
+ before { allow(alice).to receive(:suspended_temporarily?).and_return(true) }
+
+ it 'permits' do
+ expect(subject).to permit(admin, alice)
+ end
+ end
+
+ context 'with a not temporarily suspended account' do
+ before { allow(alice).to receive(:suspended_temporarily?).and_return(false) }
+
+ it 'denies' do
+ expect(subject).to_not permit(admin, alice)
+ end
+ end
+ end
+
+ context 'not admin' do
+ it 'denies' do
+ expect(subject).to_not permit(john, alice)
+ end
+ end
+ end
end
diff --git a/spec/policies/account_warning_preset_policy_spec.rb b/spec/policies/account_warning_preset_policy_spec.rb
new file mode 100644
index 0000000000000000000000000000000000000000..63bf33de249948046f81ccb8d4966723075826ea
--- /dev/null
+++ b/spec/policies/account_warning_preset_policy_spec.rb
@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+require 'pundit/rspec'
+
+describe AccountWarningPresetPolicy do
+ let(:policy) { described_class }
+ let(:admin) { Fabricate(:user, role: UserRole.find_by(name: 'Admin')).account }
+ let(:john) { Fabricate(:account) }
+
+ permissions :index?, :create?, :update?, :destroy? do
+ context 'with an admin' do
+ it 'permits' do
+ expect(policy).to permit(admin, Tag)
+ end
+ end
+
+ context 'with a non-admin' do
+ it 'denies' do
+ expect(policy).to_not permit(john, Tag)
+ end
+ end
+ end
+end
diff --git a/spec/policies/admin/status_policy_spec.rb b/spec/policies/admin/status_policy_spec.rb
new file mode 100644
index 0000000000000000000000000000000000000000..9e81a4f5f1a7a2dfa6a1fdbda0294aebdc05af2e
--- /dev/null
+++ b/spec/policies/admin/status_policy_spec.rb
@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+require 'pundit/rspec'
+
+describe Admin::StatusPolicy do
+ let(:policy) { described_class }
+ let(:admin) { Fabricate(:user, role: UserRole.find_by(name: 'Admin')).account }
+ let(:john) { Fabricate(:account) }
+ let(:status) { Fabricate(:status) }
+
+ permissions :index?, :update?, :review?, :destroy? do
+ context 'with an admin' do
+ it 'permits' do
+ expect(policy).to permit(admin, Tag)
+ end
+ end
+
+ context 'with a non-admin' do
+ it 'denies' do
+ expect(policy).to_not permit(john, Tag)
+ end
+ end
+ end
+
+ permissions :show? do
+ context 'with an admin' do
+ context 'with a public visible status' do
+ before { allow(status).to receive(:public_visibility?).and_return(true) }
+
+ it 'permits' do
+ expect(policy).to permit(admin, status)
+ end
+ end
+
+ context 'with a not public visible status' do
+ before { allow(status).to receive(:public_visibility?).and_return(false) }
+
+ it 'denies' do
+ expect(policy).to_not permit(admin, status)
+ end
+ end
+ end
+
+ context 'with a non admin' do
+ it 'denies' do
+ expect(policy).to_not permit(john, status)
+ end
+ end
+ end
+end
diff --git a/spec/policies/announcement_policy_spec.rb b/spec/policies/announcement_policy_spec.rb
new file mode 100644
index 0000000000000000000000000000000000000000..3d230b3cb46179933c01d9df40ecde3e77228794
--- /dev/null
+++ b/spec/policies/announcement_policy_spec.rb
@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+require 'pundit/rspec'
+
+describe AnnouncementPolicy do
+ let(:policy) { described_class }
+ let(:admin) { Fabricate(:user, role: UserRole.find_by(name: 'Admin')).account }
+ let(:john) { Fabricate(:account) }
+
+ permissions :index?, :create?, :update?, :destroy? do
+ context 'with an admin' do
+ it 'permits' do
+ expect(policy).to permit(admin, Tag)
+ end
+ end
+
+ context 'with a non-admin' do
+ it 'denies' do
+ expect(policy).to_not permit(john, Tag)
+ end
+ end
+ end
+end
diff --git a/spec/policies/appeal_policy_spec.rb b/spec/policies/appeal_policy_spec.rb
new file mode 100644
index 0000000000000000000000000000000000000000..d7498eb9f09eaeaeb12769c9278cc9b241321adf
--- /dev/null
+++ b/spec/policies/appeal_policy_spec.rb
@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+require 'pundit/rspec'
+
+describe AppealPolicy do
+ let(:policy) { described_class }
+ let(:admin) { Fabricate(:user, role: UserRole.find_by(name: 'Admin')).account }
+ let(:john) { Fabricate(:account) }
+ let(:appeal) { Fabricate(:appeal) }
+
+ permissions :index? do
+ context 'with an admin' do
+ it 'permits' do
+ expect(policy).to permit(admin, Tag)
+ end
+ end
+
+ context 'with a non-admin' do
+ it 'denies' do
+ expect(policy).to_not permit(john, Tag)
+ end
+ end
+ end
+
+ permissions :reject? do
+ context 'with an admin' do
+ context 'with a pending appeal' do
+ before { allow(appeal).to receive(:pending?).and_return(true) }
+
+ it 'permits' do
+ expect(policy).to permit(admin, appeal)
+ end
+ end
+
+ context 'with a not pending appeal' do
+ before { allow(appeal).to receive(:pending?).and_return(false) }
+
+ it 'denies' do
+ expect(policy).to_not permit(admin, appeal)
+ end
+ end
+ end
+
+ context 'with a non admin' do
+ it 'denies' do
+ expect(policy).to_not permit(john, appeal)
+ end
+ end
+ end
+end
diff --git a/spec/policies/canonical_email_block_policy_spec.rb b/spec/policies/canonical_email_block_policy_spec.rb
new file mode 100644
index 0000000000000000000000000000000000000000..0e55febfa90fa479d318e84bc030d9b79c61b20e
--- /dev/null
+++ b/spec/policies/canonical_email_block_policy_spec.rb
@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+require 'pundit/rspec'
+
+describe CanonicalEmailBlockPolicy do
+ let(:policy) { described_class }
+ let(:admin) { Fabricate(:user, role: UserRole.find_by(name: 'Admin')).account }
+ let(:john) { Fabricate(:account) }
+
+ permissions :index?, :show?, :test?, :create?, :destroy? do
+ context 'with an admin' do
+ it 'permits' do
+ expect(policy).to permit(admin, Tag)
+ end
+ end
+
+ context 'with a non-admin' do
+ it 'denies' do
+ expect(policy).to_not permit(john, Tag)
+ end
+ end
+ end
+end
diff --git a/spec/policies/delivery_policy_spec.rb b/spec/policies/delivery_policy_spec.rb
new file mode 100644
index 0000000000000000000000000000000000000000..fbcbf390d733124ee651d7e0e75c83d33c92c867
--- /dev/null
+++ b/spec/policies/delivery_policy_spec.rb
@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+require 'pundit/rspec'
+
+describe DeliveryPolicy do
+ let(:policy) { described_class }
+ let(:admin) { Fabricate(:user, role: UserRole.find_by(name: 'Admin')).account }
+ let(:john) { Fabricate(:account) }
+
+ permissions :clear_delivery_errors?, :restart_delivery?, :stop_delivery? do
+ context 'with an admin' do
+ it 'permits' do
+ expect(policy).to permit(admin, Tag)
+ end
+ end
+
+ context 'with a non-admin' do
+ it 'denies' do
+ expect(policy).to_not permit(john, Tag)
+ end
+ end
+ end
+end
diff --git a/spec/policies/email_domain_block_policy_spec.rb b/spec/policies/email_domain_block_policy_spec.rb
index 913075c3d28e11b23f554f690db986aacb8f348d..e7c455907a2b748841691991db039db7592d806a 100644
--- a/spec/policies/email_domain_block_policy_spec.rb
+++ b/spec/policies/email_domain_block_policy_spec.rb
@@ -8,7 +8,7 @@ RSpec.describe EmailDomainBlockPolicy do
let(:admin) { Fabricate(:user, role: UserRole.find_by(name: 'Admin')).account }
let(:john) { Fabricate(:account) }
- permissions :index?, :create?, :destroy? do
+ permissions :index?, :show?, :create?, :destroy? do
context 'admin' do
it 'permits' do
expect(subject).to permit(admin, EmailDomainBlock)
diff --git a/spec/policies/follow_recommendation_policy_spec.rb b/spec/policies/follow_recommendation_policy_spec.rb
new file mode 100644
index 0000000000000000000000000000000000000000..01f4da0be2929e9f0ac87526347a13e6bfef86c7
--- /dev/null
+++ b/spec/policies/follow_recommendation_policy_spec.rb
@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+require 'pundit/rspec'
+
+describe FollowRecommendationPolicy do
+ let(:policy) { described_class }
+ let(:admin) { Fabricate(:user, role: UserRole.find_by(name: 'Admin')).account }
+ let(:john) { Fabricate(:account) }
+
+ permissions :show?, :suppress?, :unsuppress? do
+ context 'with an admin' do
+ it 'permits' do
+ expect(policy).to permit(admin, Tag)
+ end
+ end
+
+ context 'with a non-admin' do
+ it 'denies' do
+ expect(policy).to_not permit(john, Tag)
+ end
+ end
+ end
+end
diff --git a/spec/policies/ip_block_policy_spec.rb b/spec/policies/ip_block_policy_spec.rb
new file mode 100644
index 0000000000000000000000000000000000000000..3cfa85863ca7fe024988e1d98d583b288f74c912
--- /dev/null
+++ b/spec/policies/ip_block_policy_spec.rb
@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+require 'pundit/rspec'
+
+describe IpBlockPolicy do
+ let(:policy) { described_class }
+ let(:admin) { Fabricate(:user, role: UserRole.find_by(name: 'Admin')).account }
+ let(:john) { Fabricate(:account) }
+
+ permissions :index?, :show?, :create?, :update?, :destroy? do
+ context 'with an admin' do
+ it 'permits' do
+ expect(policy).to permit(admin, Tag)
+ end
+ end
+
+ context 'with a non-admin' do
+ it 'denies' do
+ expect(policy).to_not permit(john, Tag)
+ end
+ end
+ end
+end
diff --git a/spec/policies/preview_card_policy_spec.rb b/spec/policies/preview_card_policy_spec.rb
new file mode 100644
index 0000000000000000000000000000000000000000..d6675c5b341ad26f39368a8ebd5246b1fc7a190f
--- /dev/null
+++ b/spec/policies/preview_card_policy_spec.rb
@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+require 'pundit/rspec'
+
+describe PreviewCardPolicy do
+ let(:policy) { described_class }
+ let(:admin) { Fabricate(:user, role: UserRole.find_by(name: 'Admin')).account }
+ let(:john) { Fabricate(:account) }
+
+ permissions :index?, :review? do
+ context 'with an admin' do
+ it 'permits' do
+ expect(policy).to permit(admin, Tag)
+ end
+ end
+
+ context 'with a non-admin' do
+ it 'denies' do
+ expect(policy).to_not permit(john, Tag)
+ end
+ end
+ end
+end
diff --git a/spec/policies/preview_card_provider_policy_spec.rb b/spec/policies/preview_card_provider_policy_spec.rb
new file mode 100644
index 0000000000000000000000000000000000000000..8d3715de9552ff34ae90df6dfe757405e00be32c
--- /dev/null
+++ b/spec/policies/preview_card_provider_policy_spec.rb
@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+require 'pundit/rspec'
+
+describe PreviewCardProviderPolicy do
+ let(:policy) { described_class }
+ let(:admin) { Fabricate(:user, role: UserRole.find_by(name: 'Admin')).account }
+ let(:john) { Fabricate(:account) }
+
+ permissions :index?, :review? do
+ context 'with an admin' do
+ it 'permits' do
+ expect(policy).to permit(admin, Tag)
+ end
+ end
+
+ context 'with a non-admin' do
+ it 'denies' do
+ expect(policy).to_not permit(john, Tag)
+ end
+ end
+ end
+end
diff --git a/spec/policies/rule_policy_spec.rb b/spec/policies/rule_policy_spec.rb
new file mode 100644
index 0000000000000000000000000000000000000000..0e45f6df02f9dab8b5f1e3b722adca78ce19c7a0
--- /dev/null
+++ b/spec/policies/rule_policy_spec.rb
@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+require 'pundit/rspec'
+
+describe RulePolicy do
+ let(:policy) { described_class }
+ let(:admin) { Fabricate(:user, role: UserRole.find_by(name: 'Admin')).account }
+ let(:john) { Fabricate(:account) }
+
+ permissions :index?, :create?, :update?, :destroy? do
+ context 'with an admin' do
+ it 'permits' do
+ expect(policy).to permit(admin, Tag)
+ end
+ end
+
+ context 'with a non-admin' do
+ it 'denies' do
+ expect(policy).to_not permit(john, Tag)
+ end
+ end
+ end
+end
diff --git a/spec/policies/settings_policy_spec.rb b/spec/policies/settings_policy_spec.rb
index e16ee51a4855285c67a03b5f23a6c3f95530216b..3268c162250e020e2b28c0ad1b160db51de1e48c 100644
--- a/spec/policies/settings_policy_spec.rb
+++ b/spec/policies/settings_policy_spec.rb
@@ -8,7 +8,7 @@ RSpec.describe SettingsPolicy do
let(:admin) { Fabricate(:user, role: UserRole.find_by(name: 'Admin')).account }
let(:john) { Fabricate(:account) }
- permissions :update?, :show? do
+ permissions :update?, :show?, :destroy? do
context 'admin?' do
it 'permits' do
expect(subject).to permit(admin, Settings)
diff --git a/spec/policies/status_policy_spec.rb b/spec/policies/status_policy_spec.rb
index b88521708a13d876a277fa9c4f631cbfde0a9837..9ae54780eb45241338738f9217f2d19b5ef9f990 100644
--- a/spec/policies/status_policy_spec.rb
+++ b/spec/policies/status_policy_spec.rb
@@ -39,6 +39,14 @@ RSpec.describe StatusPolicy, type: :model do
expect(subject).to permit(alice, status)
end
+ it 'grants access when direct and non-owner viewer is mentioned and mentions are loaded' do
+ status.visibility = :direct
+ status.mentions = [Fabricate(:mention, account: bob)]
+ status.mentions.load
+
+ expect(subject).to permit(bob, status)
+ end
+
it 'denies access when direct and viewer is not mentioned' do
viewer = Fabricate(:account)
status.visibility = :direct
diff --git a/spec/policies/tag_policy_spec.rb b/spec/policies/tag_policy_spec.rb
index 9be7140fc2d9f54e085ae9da0f1e918242348896..fb09fdd3beb0b87d9c7051bd100e6cae0ff23689 100644
--- a/spec/policies/tag_policy_spec.rb
+++ b/spec/policies/tag_policy_spec.rb
@@ -8,7 +8,7 @@ RSpec.describe TagPolicy do
let(:admin) { Fabricate(:user, role: UserRole.find_by(name: 'Admin')).account }
let(:john) { Fabricate(:account) }
- permissions :index?, :show?, :update? do
+ permissions :index?, :show?, :update?, :review? do
context 'staff?' do
it 'permits' do
expect(subject).to permit(admin, Tag)
diff --git a/spec/policies/webhook_policy_spec.rb b/spec/policies/webhook_policy_spec.rb
new file mode 100644
index 0000000000000000000000000000000000000000..1eac8932d4aa592aa8e64e56650ca91ecb646cac
--- /dev/null
+++ b/spec/policies/webhook_policy_spec.rb
@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+require 'pundit/rspec'
+
+describe WebhookPolicy do
+ let(:policy) { described_class }
+ let(:admin) { Fabricate(:user, role: UserRole.find_by(name: 'Admin')).account }
+ let(:john) { Fabricate(:account) }
+
+ permissions :index?, :create?, :show?, :update?, :enable?, :disable?, :rotate_secret?, :destroy? do
+ context 'with an admin' do
+ it 'permits' do
+ expect(policy).to permit(admin, Tag)
+ end
+ end
+
+ context 'with a non-admin' do
+ it 'denies' do
+ expect(policy).to_not permit(john, Tag)
+ end
+ end
+ end
+end