Commit 977f23a1 authored by Max Woolf's avatar Max Woolf

Add policy for Personal Access Tokens

Currently, PATs do not have their own policy.
To implement API actions in a future MR,
this MR adds a policy to be used by this
and future developments.
parent 22e313e6
# frozen_string_literal: true
class PersonalAccessTokenPolicy < BasePolicy
condition(:is_owner) { user && subject.user_id == user.id }
rule { is_owner | admin }.policy do
enable :read_token
end
end
# frozen_string_literal: true
require 'spec_helper'
RSpec.describe PersonalAccessTokenPolicy do
include AdminModeHelper
using RSpec::Parameterized::TableSyntax
where(:user_type, :owned_by_same_user, :expected_permitted?) do
:user | true | true
:user | false | false
:admin | false | true
end
with_them do
context 'determine if a token is readable by a user' do
let(:user) { build_stubbed(user_type) }
let(:token_owner) { owned_by_same_user ? user : build(:user) }
let(:token) { build(:personal_access_token, user: token_owner) }
subject { described_class.new(user, token) }
before do
enable_admin_mode!(user) if user.admin?
end
it { is_expected.to(expected_permitted? ? be_allowed(:read_token) : be_disallowed(:read_token)) }
end
end
end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment