Merge pull request #13734 from opf/fix/meeting-contract-permissions

Add meeting contract permission specs

modules/meeting/app/contracts/meeting_agenda_items/create_contract.rb

@@ -28,5 +28,15 @@
 
 module MeetingAgendaItems
   class CreateContract < BaseContract
+    validate :user_allowed_to_add
+
+    ##
+    # Meeting agenda items can currently be only created
+    # through the project permission :edit_meetings
+    def user_allowed_to_add
+      unless user.allowed_to?(:edit_meetings, model.project)
+        errors.add :base, :error_unauthorized
+      end
+    end
   end
 end

modules/meeting/app/contracts/meeting_agenda_items/update_contract.rb

@@ -28,5 +28,15 @@
 
 module MeetingAgendaItems
   class UpdateContract < BaseContract
+    validate :user_allowed_to_edit
+
+    ##
+    # Meeting agenda items can currently be only edited
+    # through the project permission :edit_meetings
+    def user_allowed_to_edit
+      unless user.allowed_to?(:edit_meetings, model.project)
+        errors.add :base, :error_unauthorized
+      end
+    end
   end
 end

modules/meeting/app/models/meeting_agenda_item.rb

@@ -36,7 +36,6 @@ class MeetingAgendaItem < ApplicationRecord
   acts_as_list scope: :meeting
   default_scope { order(:position) }
 
-  validates :author_id, presence: true
   validates :meeting_id, presence: true
   validates :title, presence: true, if: Proc.new { |item| item.work_package_id.blank? }
   validates :work_package_id, presence: true, if: Proc.new { |item| item.title.blank? }

modules/meeting/spec/contracts/meeting_agenda_items/create_contract_spec.rb

@@ -30,9 +30,34 @@
 
 require 'spec_helper'
 require 'contracts/shared/model_contract_shared_context'
-require_relative './shared_contract_examples'
 
 RSpec.describe MeetingAgendaItems::CreateContract do
   include_context 'ModelContract shared context'
-  include_examples 'meeting is not readable'
+
+  shared_let(:project) { create(:project) }
+  shared_let(:meeting) { create(:structured_meeting, project:) }
+  let(:item) { build(:meeting_agenda_item, meeting:) }
+  let(:contract) { described_class.new(item, user) }
+
+  context 'with permission' do
+    let(:user) do
+      create(:user, member_in_project: project, member_with_permissions: [:edit_meetings])
+    end
+
+    it_behaves_like 'contract is valid'
+
+    context 'when :meeting is not editable' do
+      before do
+        meeting.update_column(:state, :closed)
+      end
+
+      it_behaves_like 'contract is invalid', base: I18n.t(:text_meeting_not_editable_anymore)
+    end
+  end
+
+  context 'without permission' do
+    let(:user) { build_stubbed(:user) }
+
+    it_behaves_like 'contract is invalid', base: :error_unauthorized
+  end
 end

modules/meeting/spec/contracts/meeting_agenda_items/delete_contract_spec.rb

@@ -30,14 +30,13 @@
 
 require 'spec_helper'
 require 'contracts/shared/model_contract_shared_context'
-require_relative 'shared_contract_examples'
 
 RSpec.describe MeetingAgendaItems::DeleteContract do
   include_context 'ModelContract shared context'
 
-  let(:project) { create(:project) }
-  let(:meeting) { create(:structured_meeting, project:) }
-  let(:item) { create(:meeting_agenda_item, meeting:) }
+  shared_let(:project) { create(:project) }
+  shared_let(:meeting) { create(:structured_meeting, project:) }
+  shared_let(:item) { create(:meeting_agenda_item, meeting:) }
   let(:contract) { described_class.new(item, user) }
 
   context 'with permission' do
@@ -46,7 +45,14 @@
     end
 
     it_behaves_like 'contract is valid'
-    include_examples 'meeting is not readable'
+
+    context 'when :meeting is not editable' do
+      before do
+        meeting.update_column(:state, :closed)
+      end
+
+      it_behaves_like 'contract is invalid', base: I18n.t(:text_meeting_not_editable_anymore)
+    end
   end
 
   context 'without permission' do

modules/meeting/spec/contracts/meeting_agenda_items/update_contract_spec.rb

@@ -30,9 +30,34 @@
 
 require 'spec_helper'
 require 'contracts/shared/model_contract_shared_context'
-require_relative './shared_contract_examples'
 
 RSpec.describe MeetingAgendaItems::UpdateContract do
   include_context 'ModelContract shared context'
-  include_examples 'meeting is not readable'
+
+  shared_let(:project) { create(:project) }
+  shared_let(:meeting) { create(:structured_meeting, project:) }
+  shared_let(:item) { create(:meeting_agenda_item, meeting:) }
+  let(:contract) { described_class.new(item, user) }
+
+  context 'with permission' do
+    let(:user) do
+      create(:user, member_in_project: project, member_with_permissions: [:edit_meetings])
+    end
+
+    it_behaves_like 'contract is valid'
+
+    context 'when :meeting is not editable' do
+      before do
+        meeting.update_column(:state, :closed)
+      end
+
+      it_behaves_like 'contract is invalid', base: I18n.t(:text_meeting_not_editable_anymore)
+    end
+  end
+
+  context 'without permission' do
+    let(:user) { build_stubbed(:user) }
+
+    it_behaves_like 'contract is invalid', base: :error_unauthorized
+  end
 end