From 3b1e632ab74c4ee9177aa5f30b0e693d3317bc38 Mon Sep 17 00:00:00 2001 
From: Martin Lensment Date: Fri, 19 Dec 2014 13:45:17 +0200 Subject: [PATCH] Lock down the controllers --- Gemfile | 5 +- Gemfile.lock | 8 ++- app/controllers/admin/contacts_controller.rb | 1 + .../admin/dashboards_controller.rb | 5 ++ .../admin/delayed_jobs_controller.rb | 2 + .../admin/domain_versions_controller.rb | 2 + app/controllers/admin/domains_controller.rb | 1 + app/controllers/admin/epp_users_controller.rb | 1 + .../admin/registrars_controller.rb | 1 + app/controllers/admin/settings_controller.rb | 1 + app/controllers/admin/users_controller.rb | 3 +- .../admin/zonefile_settings_controller.rb | 1 + app/controllers/admin/zonefiles_controller.rb | 3 +- app/controllers/admin_controller.rb | 6 +- app/controllers/application_controller.rb | 6 ++ app/controllers/sessions_controller.rb | 8 --- app/models/ability.rb | 55 +++++++++---------- app/models/role.rb | 6 ++ app/views/admin/dashboards/show.haml | 0 app/views/admin/domains/index.haml | 2 +- app/views/admin/users/_form.haml | 9 ++- app/views/admin/users/index.haml | 7 ++- app/views/admin/users/show.haml | 7 ++- app/views/admin/zonefiles/index.haml | 9 --- app/views/layouts/application.haml | 29 +++++----- app/views/layouts/login.haml | 9 ++- config/locales/en.yml | 4 ++ config/routes.rb | 2 + db/migrate/20141218154829_populate_roles.rb | 12 ++++ db/schema.rb | 7 +-- spec/fabricators/role_fabricator.rb | 3 + spec/fabricators/user_fabricator.rb | 2 +- spec/features/sessions_spec.rb | 3 +- spec/features/setting_management_spec.rb | 3 +- spec/models/user_spec.rb | 38 +++++++++++++ spec/support/feature.rb | 2 +- 36 files changed, 166 insertions(+), 97 deletions(-) create mode 100644 app/controllers/admin/dashboards_controller.rb create mode 100644 app/views/admin/dashboards/show.haml delete mode 100644 app/views/admin/zonefiles/index.haml create mode 100644 db/migrate/20141218154829_populate_roles.rb create mode 100644 spec/fabricators/role_fabricator.rb 
diff --git a/Gemfile b/Gemfile index c1cdf9228..976c4e2cd 100644 --- a/Gemfile +++ b/Gemfile @@ -53,7 +53,7 @@ gem 'kaminari', '~> 0.16.1' gem 'ransack', '~> 1.3.0' # for rights -gem 'cancan', '~> 1.6.10' +gem 'cancancan', '~> 1.9.2' # for login gem 'devise', '~> 3.3.0' @@ -135,6 +135,9 @@ group :development, :test do # faster dev load time gem 'unicorn' + + # for opening browser automatically + gem 'launchy', '~> 2.4.3' end group :development do diff --git a/Gemfile.lock b/Gemfile.lock index 37efdb558..53f75e730 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -29,6 +29,7 @@ GEM minitest (~> 5.1) thread_safe (~> 0.1) tzinfo (~> 1.1) + addressable (2.3.6) arel (5.0.1.20140414130214) ast (2.0.0) astrolabe (1.3.0) @@ -64,7 +65,7 @@ GEM bundler-audit (0.3.1) bundler (~> 1.2) thor (~> 0.18) - cancan (1.6.10) + cancancan (1.9.2) capybara (2.4.3) mime-types (>= 1.16) nokogiri (>= 1.3.3) @@ -161,6 +162,8 @@ GEM actionpack (>= 3.0.0) activesupport (>= 3.0.0) kgio (2.9.2) + launchy (2.4.3) + addressable (~> 2.3) libv8 (3.16.14.7) libxml-ruby (2.7.0) listen (2.7.11) @@ -376,7 +379,7 @@ DEPENDENCIES brakeman (~> 2.6.2) bullet (~> 4.14.0) bundler-audit - cancan (~> 1.6.10) + cancancan (~> 1.9.2) capybara (~> 2.4.1) coffee-rails (~> 4.0.0) daemons @@ -395,6 +398,7 @@ DEPENDENCIES jbuilder (~> 2.0) jquery-rails kaminari (~> 0.16.1) + launchy (~> 2.4.3) mina (~> 0.3.1) nokogiri (~> 1.6.2.1) nprogress-rails (~> 0.1.3.1) diff --git a/app/controllers/admin/contacts_controller.rb b/app/controllers/admin/contacts_controller.rb index 8dd1f4ec9..5135f2c7f 100644 --- a/app/controllers/admin/contacts_controller.rb +++ b/app/controllers/admin/contacts_controller.rb @@ -1,4 +1,5 @@ class Admin::ContactsController < AdminController + load_and_authorize_resource before_action :set_contact, only: [:show] def index diff --git a/app/controllers/admin/dashboards_controller.rb b/app/controllers/admin/dashboards_controller.rb new file mode 100644 index 000000000..3ff70e8e0 --- /dev/null 
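Review bot: `load_and_authorize_resource` already loads `@contact` from `params[:id]` and authorizes it, so the `before_action :set_contact, only: [:show]` kept on the next line fetches the same record a second time; the same overlap appears in the domains, epp_users, registrars, settings and users hunks. Either drop the `set_*` callbacks or use `authorize_resource` and keep the explicit loaders, but not both. `load_and_authorize_resource` also resolves `contact_params` (or the strong-parameter fallback) for `create`/`update`, which lies outside this hunk, so it is worth confirming those methods exist in each controller that now uses it.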
+++ b/app/controllers/admin/dashboards_controller.rb @@ -0,0 +1,5 @@ +class Admin::DashboardsController < AdminController + authorize_resource class: false + + def show; end +end diff --git a/app/controllers/admin/delayed_jobs_controller.rb b/app/controllers/admin/delayed_jobs_controller.rb index 88e5b9afe..a879c7db8 100644 --- a/app/controllers/admin/delayed_jobs_controller.rb +++ b/app/controllers/admin/delayed_jobs_controller.rb @@ -1,4 +1,6 @@ class Admin::DelayedJobsController < AdminController + authorize_resource class: false + def index @jobs = Delayed::Job.all end diff --git a/app/controllers/admin/domain_versions_controller.rb b/app/controllers/admin/domain_versions_controller.rb index 71a063417..dd8696d4a 100644 --- a/app/controllers/admin/domain_versions_controller.rb +++ b/app/controllers/admin/domain_versions_controller.rb @@ -1,4 +1,6 @@ class Admin::DomainVersionsController < AdminController + load_and_authorize_resource + def index @q = DomainVersion.deleted.search(params[:q]) @domains = @q.result.page(params[:page]) diff --git a/app/controllers/admin/domains_controller.rb b/app/controllers/admin/domains_controller.rb index f0bbd3abf..e282a9ef1 100644 --- a/app/controllers/admin/domains_controller.rb +++ b/app/controllers/admin/domains_controller.rb @@ -1,4 +1,5 @@ class Admin::DomainsController < AdminController + load_and_authorize_resource before_action :set_domain, only: [:show, :edit, :update, :zonefile] def index diff --git a/app/controllers/admin/epp_users_controller.rb b/app/controllers/admin/epp_users_controller.rb index c2d68d7f0..196a82edf 100644 --- a/app/controllers/admin/epp_users_controller.rb +++ b/app/controllers/admin/epp_users_controller.rb @@ -1,4 +1,5 @@ class Admin::EppUsersController < AdminController + load_and_authorize_resource before_action :set_epp_user, only: [:show, :edit, :update, :destroy] def index 
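Review bot: `load_and_authorize_resource` in Admin::DomainVersionsController loads a `@domain_versions` collection through `accessible_by` for `index`, while the action right below builds its own `@domains` from `DomainVersion.deleted.search(params[:q])`, so the loaded collection appears to go unused and costs an extra query (the rest of `index` is outside the hunk). Ability has no per-record condition on DomainVersion, so the class-level check is all that is needed: `authorize_resource`. The admin-only `can :manage, DomainVersion` rule still gates the action either way.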
diff --git a/app/controllers/admin/registrars_controller.rb b/app/controllers/admin/registrars_controller.rb index 4059e1dcb..2bd15550f 100644 --- a/app/controllers/admin/registrars_controller.rb +++ b/app/controllers/admin/registrars_controller.rb @@ -1,4 +1,5 @@ class Admin::RegistrarsController < AdminController + load_and_authorize_resource before_action :set_registrar, only: [:show, :edit, :update, :destroy] def search render json: Registrar.search_by_query(params[:q]) diff --git a/app/controllers/admin/settings_controller.rb b/app/controllers/admin/settings_controller.rb index b8e6048aa..c421781cd 100644 --- a/app/controllers/admin/settings_controller.rb +++ b/app/controllers/admin/settings_controller.rb @@ -1,4 +1,5 @@ class Admin::SettingsController < AdminController + load_and_authorize_resource before_action :set_setting_group, only: [:show, :update] def index diff --git a/app/controllers/admin/users_controller.rb b/app/controllers/admin/users_controller.rb index b5d9e3265..9fc95229a 100644 --- a/app/controllers/admin/users_controller.rb +++ b/app/controllers/admin/users_controller.rb @@ -1,4 +1,5 @@ class Admin::UsersController < AdminController + load_and_authorize_resource before_action :set_user, only: [:show, :edit, :update, :destroy] def index @@ -54,6 +55,6 @@ class Admin::UsersController < AdminController def user_params params.require(:user).permit(:username, :password, :identity_code, :email, - :admin, :country_id) + :role_id, :country_id) end end diff --git a/app/controllers/admin/zonefile_settings_controller.rb b/app/controllers/admin/zonefile_settings_controller.rb index da4c8a557..72030ebdf 100644 --- a/app/controllers/admin/zonefile_settings_controller.rb +++ b/app/controllers/admin/zonefile_settings_controller.rb @@ -1,4 +1,5 @@ class Admin::ZonefileSettingsController < ApplicationController + load_and_authorize_resource before_action :set_zonefile_setting, only: [:update, :edit] def index @zonefile_settings = ZonefileSetting.all 
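Review bot: Admin::ZonefileSettingsController (and Admin::ZonefilesController in the next hunk) still inherits from ApplicationController, so the `check_authorization` this commit adds to AdminController does not cover them; any action added to either class later without its own `authorize!` would be reachable without an ability check. Changing the superclass to `class Admin::ZonefileSettingsController < AdminController` (same for ZonefilesController) puts them under the same safety net as the rest of the admin namespace. If they were kept off AdminController on purpose, a one-line comment saying why would help the next reader.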
diff --git a/app/controllers/admin/zonefiles_controller.rb b/app/controllers/admin/zonefiles_controller.rb index d99494ee5..9977d30b6 100644 --- a/app/controllers/admin/zonefiles_controller.rb +++ b/app/controllers/admin/zonefiles_controller.rb @@ -1,8 +1,7 @@ class Admin::ZonefilesController < ApplicationController + authorize_resource class: false # TODO: Refactor this # rubocop:disable Metrics/MethodLength - def index - end def create if ZonefileSetting.pluck(:origin).include?(params[:origin]) diff --git a/app/controllers/admin_controller.rb b/app/controllers/admin_controller.rb index f1834a20a..19f70495d 100644 --- a/app/controllers/admin_controller.rb +++ b/app/controllers/admin_controller.rb @@ -1,7 +1,3 @@ class AdminController < ApplicationController - # before_action :verify_admin - - def verify_admin - redirect_to client_root_path unless current_user.try(:admin?) - end + check_authorization end diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index bae69e876..ba39047af 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -14,3 +14,9 @@ class ApplicationController < ActionController::Base admin_root_path end end + +class ApplicationController < ActionController::Base + rescue_from CanCan::AccessDenied do |exception| + redirect_to admin_dashboard_path, alert: exception.message + end +end diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb index cdefd70ae..66ea1425f 100644 --- a/app/controllers/sessions_controller.rb +++ b/app/controllers/sessions_controller.rb @@ -8,8 +8,6 @@ class SessionsController < Devise::SessionsController return redirect_to :back, alert: 'No user' if @user.blank? - session[:current_user_registrar_id] = Registrar.first.id if @user.admin? - flash[:notice] = I18n.t('shared.welcome') sign_in_and_redirect @user, event: :authentication # end 
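Review bot: The new `rescue_from CanCan::AccessDenied` handler sits in a second `class ApplicationController < ActionController::Base` opened after the original class's closing `end` (visible as context), which only works because Ruby reopens the class and reads like an accidental paste; move the three `rescue_from` lines inside the existing class body before its `end`. Redirecting every denial to `admin_dashboard_path` also relies on `:show, :dashboard` being granted to everyone Ability sees, including the anonymous `User.new` default; if that rule is ever tightened the handler will bounce the user straight into another AccessDenied. Consider `redirect_to root_path, alert: exception.message` or rendering a 403 for the denied request instead, keeping the generic message rather than any detail about the denied action.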
@@ -18,10 +16,4 @@ class SessionsController < Devise::SessionsController def login render 'layouts/login', layout: false end - - def switch_registrar - authorize! :switch, :registrar - session[:current_user_registrar_id] = params[:registrar_id] - redirect_to client_root_path - end end diff --git a/app/models/ability.rb b/app/models/ability.rb index f26b3022b..c9e558299 100644 --- a/app/models/ability.rb +++ b/app/models/ability.rb 
@@ -8,38 +8,33 @@ class Ability user ||= User.new - if Rails.env.production? - case REGISTRY_ENV - when :eedirekt - can :view, :eedirekt - can :create, :session - admin = false - when :registrar - can :view, :registrar - can :create, :session - admin = false - when :admin - can :create, :admin_session - admin = user.admin? - end - else - can :create, :session - can :create, :admin_session - admin = user.admin? + admin_role = (user.role.try(:code) == 'admin') + user_role = (user.role.try(:code) == 'user') + customer_service_role = (user.role.try(:code) == 'customer_service') + no_role = user.role.nil? + + if admin_role + can :manage, Domain + can :manage, Contact + can :manage, Registrar + can :manage, Setting + can :manage, ZonefileSetting + can :manage, DomainVersion + can :manage, User + can :manage, EppUser + can :index, :delayed_job + can :create, :zonefile + can :access, :settings_menu + elsif customer_service_role + can :manage, Domain + can :manage, Contact + can :manage, Registrar + elsif user_role + elsif no_role + can :show, :dashboard end - if admin - can :manage, Domain - can :switch, :registrar - can :crud, DomainTransfer - can :approve_as_client, DomainTransfer, status: DomainTransfer::PENDING - elsif user.persisted? - can :manage, Domain, registrar_id: user.registrar.id - can :read, DomainTransfer, transfer_to_id: user.registrar.id - can :read, DomainTransfer, transfer_from_id: user.registrar.id - can :approve_as_client, DomainTransfer, - transfer_from_id: user.registrar.id, status: DomainTransfer::PENDING - end + can :show, :dashboard if user.persisted? # Define abilities for the passed in user here. For example: # diff --git a/app/models/role.rb b/app/models/role.rb index c2a1d26d2..f886c2e23 100644 --- a/app/models/role.rb +++ b/app/models/role.rb 
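Review bot: The three `user.role.try(:code)` lookups plus the empty `elsif user_role` branch make the new rule block hard to read, and the `elsif no_role` branch grants `:show, :dashboard` to the anonymous `User.new` default (role nil, not persisted) as well as to roleless accounts, so the dashboard is open before login unless authentication is enforced somewhere this diff does not show. Collapsing the lookup into one `case` on the role code keeps the same grants while making the anonymous case explicit, and then decide whether `when nil` should stay at all; persisted roleless users already get the dashboard from the `if user.persisted?` line. The rest of `initialize` is outside the hunk.
```ruby
    user ||= User.new

    case user.role.try(:code)
    when 'admin'
      # … unchanged: the admin :manage / :index / :create / :access grants …
    when 'customer_service'
      can :manage, Domain
      can :manage, Contact
      can :manage, Registrar
    when nil
      # roleless, including the anonymous User.new default — confirm this is intended
      can :show, :dashboard
    end

    can :show, :dashboard if user.persisted?
```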
@@ -3,4 +3,10 @@ class Role < ActiveRecord::Base # rubocop: disable Rails/HasAndBelongsToMany has_and_belongs_to_many :rights # rubocop: enbale Rails/HasAndBelongsToMany + + validates :code, uniqueness: true + + def to_s + code + end end diff --git a/app/views/admin/dashboards/show.haml b/app/views/admin/dashboards/show.haml new file mode 100644 index 000000000..e69de29bb diff --git a/app/views/admin/domains/index.haml b/app/views/admin/domains/index.haml index dc27ba247..fc3eab342 100644 --- a/app/views/admin/domains/index.haml +++ b/app/views/admin/domains/index.haml @@ -33,7 +33,7 @@ - @domains.each do |x| %tr %td= link_to(x, admin_domain_path(x)) - %td= link_to(x.registrar, root_path) if x.registrar + %td= link_to(x.registrar, admin_registrar_path(x.registrar)) if x.registrar %td= link_to(x.owner_contact, [:admin, x.owner_contact]) %td= l(x.valid_to, format: :short) .row diff --git a/app/views/admin/users/_form.haml b/app/views/admin/users/_form.haml index 811121767..c3818109f 100644 --- a/app/views/admin/users/_form.haml +++ b/app/views/admin/users/_form.haml @@ -21,15 +21,14 @@ = f.label :identity_code = f.text_field(:identity_code, class: 'form-control') - .col-md-6.text-left + .col-md-6 .form-group = f.label :email = f.text_field(:email, class: 'form-control') .form-group - .checkbox - %label{for: 'user_admin'} - = f.check_box(:admin, class: 'js-admin') - = t('shared.admin') + = f.label :role_id + = f.select(:role_id, Role.all.map {|x| [t(x.code), x.id] }, {}, { class: 'form-control selectize' }) + %hr .row .col-md-12.text-right diff --git a/app/views/admin/users/index.haml b/app/views/admin/users/index.haml index 697bf8f16..f5030f35d 100644 --- a/app/views/admin/users/index.haml +++ b/app/views/admin/users/index.haml 
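Review bot: `validates :code, uniqueness: true` is only enforced in the application, and the roles table in the db/schema.rb hunk has no unique index on `code`, so two concurrent creates can still insert duplicate roles; add a migration with `add_index :roles, :code, unique: true`. The validation also lets a blank code through while Ability matches on the literal codes, so `validates :code, presence: true, uniqueness: true` is the safer form. `to_s` returning `code` is fine, but the views pass the Role object to `t(...)` through it, so any code without a translation key renders as a missing-translation span.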
@@ -18,14 +18,17 @@ %th{class: 'col-xs-2'} = sort_link(@q, 'identity_code', t('shared.identity_code')) %th{class: 'col-xs-2'} - = sort_link(@q, 'admin', t('shared.admin')) + = sort_link(@q, 'role', t('role')) %tbody - @users.each do |x| %tr %td= link_to(x, [:admin, x]) %td= x.email %td= x.identity_code - %td= x.admin + - if x.role + %td= t(x.role) + - else + %td .row .col-md-12 = paginate @users diff --git a/app/views/admin/users/show.haml b/app/views/admin/users/show.haml index c82e71c70..b9661ee0f 100644 --- a/app/views/admin/users/show.haml +++ b/app/views/admin/users/show.haml @@ -39,5 +39,8 @@ %dt= t('shared.email') %dd= @user.email - %dt= t('shared.admin') - %dd= @user.admin + %dt= t('role') + - if @user.role + %dd= t(@user.role) + - else + %dd diff --git a/app/views/admin/zonefiles/index.haml b/app/views/admin/zonefiles/index.haml deleted file mode 100644 index bbd11577f..000000000 --- a/app/views/admin/zonefiles/index.haml +++ /dev/null @@ -1,9 +0,0 @@ -.row - .col-sm-12 - %h2.text-center-xs - = "#{t('zonefile')}" -%hr -.row - .col-md-12 - = preserve do - %pre= @zonefile diff --git a/app/views/layouts/application.haml b/app/views/layouts/application.haml index ff3bba9ff..a2c66e5ea 100644 --- a/app/views/layouts/application.haml +++ b/app/views/layouts/application.haml 
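Review bot: `t(x.role)` here and `t(@user.role)` in the show hunk depend on `Role#to_s` and on every role code having a top-level translation key; a role added later without one renders the missing-translation markup in the admin table, so `t(x.role.code, default: x.role.code)` degrades more gracefully. `sort_link(@q, 'role', t('role'))` sorts on a `role` attribute while the user now carries `role_id` and an association; unless a ransacker for `role` exists outside this diff, the header link will not actually order by role.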
@@ -26,21 +26,22 @@ %li= link_to t('shared.domains'), admin_domains_path %li= link_to t('shared.contacts'), admin_contacts_path %li= link_to t('shared.registrars'), admin_registrars_path - %li.dropdown - %a.dropdown-toggle{"data-toggle" => "dropdown", href: "#"} - = t('shared.settings') - %span.caret - %ul.dropdown-menu{role: "menu"} - %li.dropdown-header= t('shared.system') - %li= link_to t('shared.settings'), admin_settings_path - %li= link_to t('zonefile'), admin_zonefile_settings_path - %li= link_to t(:domains_history), admin_domain_versions_path - %li= link_to t(:background_jobs), admin_delayed_jobs_path + - if can?(:access, :settings_menu) + %li.dropdown + %a.dropdown-toggle{"data-toggle" => "dropdown", href: "#"} + = t('shared.settings') + %span.caret + %ul.dropdown-menu{role: "menu"} + %li.dropdown-header= t('shared.system') + %li= link_to t('shared.settings'), admin_settings_path + %li= link_to t('zonefile'), admin_zonefile_settings_path + %li= link_to t(:domains_history), admin_domain_versions_path + %li= link_to t(:background_jobs), admin_delayed_jobs_path - %li.divider - %li.dropdown-header= t('shared.users') - %li= link_to t(:admin_users), admin_users_path - %li= link_to t(:epp_users), admin_epp_users_path + %li.divider + %li.dropdown-header= t('shared.users') + %li= link_to t(:admin_users), admin_users_path + %li= link_to t(:epp_users), admin_epp_users_path %ul.nav.navbar-nav.navbar-right %li= link_to t('shared.log_out', user: current_user), '/logout' diff --git a/app/views/layouts/login.haml b/app/views/layouts/login.haml index e516d6817..b3b2ab6e2 100644 --- a/app/views/layouts/login.haml +++ b/app/views/layouts/login.haml 
@@ -21,9 +21,8 @@ %h2.form-signin-heading.text-center Eesti Interneti SA %hr / TODO: Refactor this when ID card login is done - - if can? :create, :admin_session - = button_to 'ID card (user1)', 'sessions', - class: 'btn btn-lg btn-primary btn-block', name: 'user1' - = button_to 'ID card (user2)', 'sessions', - class: 'btn btn-lg btn-primary btn-block', name: 'user2' + = button_to 'ID card (user1)', 'sessions', + class: 'btn btn-lg btn-primary btn-block', name: 'user1' + = button_to 'ID card (user2)', 'sessions', + class: 'btn btn-lg btn-primary btn-block', name: 'user2' diff --git a/config/locales/en.yml b/config/locales/en.yml index fd503b4a3..aa4d36337 100644 --- a/config/locales/en.yml +++ b/config/locales/en.yml @@ -439,3 +439,7 @@ en: domains_history: Domains history admin_users: Admin users epp_users: EPP users + role: 'Role' + admin: 'Administrator' + user: 'User' + customer_service: 'Customer service' diff --git a/config/routes.rb b/config/routes.rb index 82dc72ae1..3a60e54b8 100644 --- a/config/routes.rb +++ b/config/routes.rb @@ -31,6 +31,8 @@ Rails.application.routes.draw do resources :delayed_jobs + resource :dashboard + root 'domains#index' end diff --git a/db/migrate/20141218154829_populate_roles.rb b/db/migrate/20141218154829_populate_roles.rb new file mode 100644 index 000000000..126b758d7 --- /dev/null +++ b/db/migrate/20141218154829_populate_roles.rb @@ -0,0 +1,12 @@ +class PopulateRoles < ActiveRecord::Migration + def change + rename_column :roles, :name, :code + remove_column :users, :admin, :boolean + + Role.create(code: 'admin') + Role.create(code: 'user') + Role.create(code: 'customer_service') + + User.update_all(role_id: Role.first.id) + end +end diff --git a/db/schema.rb b/db/schema.rb index 9d1215fe9..ae14d430a 100644 --- a/db/schema.rb +++ b/db/schema.rb 
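Review bot: Removing the `- if can? :create, :admin_session` line leaves the two `ID card (user1)`/`ID card (user2)` buttons rendered unconditionally; they post a fixed `name` to `sessions` and, as far as the SessionsController hunk shows, sign in a pre-provisioned user without any credential, and with the `:create, :admin_session` rule gone from Ability nothing in this diff gates them by environment any more. Until the real ID-card login replaces them, wrap both buttons in `- unless Rails.env.production?` (or a dedicated setting) so the shortcut cannot ship to a live deployment. The TODO above the buttons should also say that this guard is part of what the refactor removes.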
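Review bot: `resource :dashboard` generates show, new, create, edit, update and destroy routes, but Admin::DashboardsController defines only `show`, so the other five are routes no action serves. Restrict it to `resource :dashboard, only: :show`.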
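Review bot: `User.update_all(role_id: Role.first.id)` runs after `remove_column :users, :admin`, so the old admin flag is gone by the time roles are assigned and every existing account, admins and non-admins alike, receives whichever role `Role.first` returns (unordered, though in practice the just-created `admin`); that promotes every former non-admin to administrator. Map the flag before dropping the column, use `create!` so the new `Role` uniqueness validation cannot silently leave a role unsaved, and split `change` into `up`/`down` with a matching `down`, since the data steps are not reversible. Calling the `Role`/`User` models from a migration also ties it to current model code; at minimum call `reset_column_information` after the rename so the renamed column is visible.
```ruby
class PopulateRoles < ActiveRecord::Migration
  def up
    rename_column :roles, :name, :code
    Role.reset_column_information

    admin = Role.create!(code: 'admin')
    user_role = Role.create!(code: 'user')
    Role.create!(code: 'customer_service')

    # Carry the old boolean over before it is dropped so non-admins do not become admins.
    User.where(admin: true).update_all(role_id: admin.id)
    User.where.not(admin: true).update_all(role_id: user_role.id)

    remove_column :users, :admin
  end
end
```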
@@ -11,7 +11,7 @@ # # It's strongly recommended that you check this file into your version control system. -ActiveRecord::Schema.define(version: 20141216133831) do +ActiveRecord::Schema.define(version: 20141218154829) do # These are extensions that must be enabled in order to support this database enable_extension "plpgsql" @@ -296,7 +296,7 @@ ActiveRecord::Schema.define(version: 20141216133831) do end create_table "roles", force: true do |t| - t.string "name" + t.string "code" t.datetime "created_at" t.datetime "updated_at" end @@ -319,12 +319,11 @@ ActiveRecord::Schema.define(version: 20141216133831) do t.datetime "created_at" t.datetime "updated_at" t.string "email" - t.integer "sign_in_count", default: 0, null: false + t.integer "sign_in_count", default: 0, null: false t.datetime "current_sign_in_at" t.datetime "last_sign_in_at" t.inet "current_sign_in_ip" t.inet "last_sign_in_ip" - t.boolean "admin", default: false t.string "identity_code" t.integer "country_id" end diff --git a/spec/fabricators/role_fabricator.rb b/spec/fabricators/role_fabricator.rb new file mode 100644 index 000000000..e084a0dcc --- /dev/null +++ b/spec/fabricators/role_fabricator.rb @@ -0,0 +1,3 @@ +Fabricator(:role) do + code 'admin' +end diff --git a/spec/fabricators/user_fabricator.rb b/spec/fabricators/user_fabricator.rb index 0a0091a23..57776f677 100644 --- a/spec/fabricators/user_fabricator.rb +++ b/spec/fabricators/user_fabricator.rb @@ -3,6 +3,6 @@ Fabricator(:user) do password 'ghyt9e4fu' email 'info@gitlab.eu' identity_code '37810013108' - admin true country + role end diff --git a/spec/features/sessions_spec.rb b/spec/features/sessions_spec.rb index 86474998a..b7484cc4a 100644 --- a/spec/features/sessions_spec.rb +++ b/spec/features/sessions_spec.rb 
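Review bot: The new `role` fabricator defaults to `code 'admin'` and the user fabricator now pulls it in unconditionally, so every `Fabricate(:user)` in the suite is an administrator unless a spec overrides the role; the setting_management and sessions specs in the following hunks drop their explicit `admin: true`/`admin: false` and silently inherit admin, which hides regressions in the new role checks. Give the fabricator a non-privileged default, `code 'user'`, and have the specs that need an administrator ask for one explicitly, e.g. `Fabricate(:user, role: Fabricate(:role, code: 'admin'))`. Mind the uniqueness validation on `Role#code` when several users in one example need the same role; the second user removed from sessions_spec looks like it may have hit exactly that.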
@@ -6,8 +6,7 @@ feature 'Sessions', type: :feature do background do create_settings - Fabricate(:user, identity_code: '37810013261') - Fabricate(:user, username: 'zone', admin: false, identity_code: '37810013087') + Fabricate(:user, username: 'zone', identity_code: '37810013087') Fabricate.times(2, :domain, registrar: zone) Fabricate.times(2, :domain, registrar: elkdata) end diff --git a/spec/features/setting_management_spec.rb b/spec/features/setting_management_spec.rb index 5cedbfc1a..f53185d62 100644 --- a/spec/features/setting_management_spec.rb +++ b/spec/features/setting_management_spec.rb @@ -1,14 +1,13 @@ require 'rails_helper' feature 'Setting management', type: :feature do - let(:user) { Fabricate(:user, username: 'user1', admin: true, identity_code: '37810013087') } + let(:user) { Fabricate(:user, username: 'user1', identity_code: '37810013087') } background { create_settings } scenario 'User changes a setting' do sign_in user visit admin_settings_path - val_min = find_field('_settings_ns_min_count').value val_max = find_field('_settings_ns_max_count').value diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb index 2f99cf77d..e3a1dcf5a 100644 --- a/spec/models/user_spec.rb +++ b/spec/models/user_spec.rb 
@@ -1,5 +1,43 @@ require 'rails_helper' +require 'cancan/matchers' describe User do it { should belong_to(:role) } + + describe 'abilities' do + subject(:ability) { Ability.new(user) } + let(:user) { nil } + + context 'when user is admin' do + let(:user) { Fabricate(:user) } + + it { should be_able_to(:manage, Domain.new) } + it { should be_able_to(:manage, Contact.new) } + it { should be_able_to(:manage, Registrar.new) } + it { should be_able_to(:manage, Setting.new) } + it { should be_able_to(:manage, ZonefileSetting.new) } + it { should be_able_to(:manage, DomainVersion.new) } + it { should be_able_to(:manage, User.new) } + it { should be_able_to(:manage, EppUser.new) } + it { should be_able_to(:index, :delayed_job) } + it { should be_able_to(:create, :zonefile) } + it { should be_able_to(:access, :settings_menu) } + end + + context 'when user is customer service' do + let(:user) { Fabricate(:user, role: Role.new(code: 'customer_service')) } + + it { should be_able_to(:manage, Domain.new) } + it { should be_able_to(:manage, Contact.new) } + it { should be_able_to(:manage, Registrar.new) } + it { should_not be_able_to(:manage, Setting.new) } + it { should_not be_able_to(:manage, ZonefileSetting.new) } + it { should_not be_able_to(:manage, DomainVersion.new) } + it { should_not be_able_to(:manage, User.new) } + it { should_not be_able_to(:manage, EppUser.new) } + it { should_not be_able_to(:index, :delayed_job) } + it { should_not be_able_to(:create, :zonefile) } + it { should_not be_able_to(:access, :settings_menu) } + end + end end diff --git a/spec/support/feature.rb b/spec/support/feature.rb index f529e8bcf..1505aa217 100644 --- a/spec/support/feature.rb +++ b/spec/support/feature.rb @@ -1,7 +1,7 @@ module Feature def sign_in(user) visit '/logout' - click_on 'ID card (gitlab)' if user.username == 'gitlab' + click_on 'ID card (user1)' if user.username == 'user1' end end
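Review bot: The `let(:user) { nil }` default is never exercised: there is no context for a nil/anonymous user or for the `user` role, and those are exactly the paths where Ability's `no_role` and `persisted?` rules decide who sees the dashboard and who is locked out of everything. Add `context 'when user is nil'` asserting `it { should_not be_able_to(:manage, Domain.new) }` together with whichever dashboard expectation is intended, and a `context 'when user is user'` built with `Role.new(code: 'user')`. The admin context also relies on the fabricator's default role code, which is worth stating as `Fabricate(:user, role: Role.new(code: 'admin'))` so the spec keeps its meaning if the fabricator default changes.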