Move users granting access integration tests

... to new structure, which improves consistency between account and users namespaces and tests each role/condition more thoroughly
alphagov · Sep 4, 2024 · a150632 · a150632
1 parent d7bc908
commit a150632
Show file tree

Hide file tree

Showing 2 changed files with 73 additions and 93 deletions.
diff --git a/test/integration/users/access_and_permissions_test.rb b/test/integration/users/access_and_permissions_test.rb
@@ -10,16 +10,6 @@ class Users::AccessAndPermissionsTest < ActionDispatch::IntegrationTest
       signin_with(admin)
     end
 
-    should "support granting signin permissions" do
-      app = create(:application, name: "MyApp")
-
-      visit edit_user_path(@user)
-      click_link "Manage permissions"
-      click_button "Grant access to MyApp"
-
-      assert @user.has_access_to?(app)
-    end
-
     should "support removing signin permissions" do
       app = create(:application, name: "MyApp")
       @user.grant_application_signin_permission(app)
@@ -96,16 +86,6 @@ class Users::AccessAndPermissionsTest < ActionDispatch::IntegrationTest
       signin_with(admin)
     end
 
-    should "support granting signin permissions" do
-      app = create(:application, name: "MyApp")
-
-      visit edit_user_path(@user)
-      click_link "Manage permissions"
-      click_button "Grant access to MyApp"
-
-      assert @user.has_access_to?(app)
-    end
-
     should "support removing signin permissions" do
       app = create(:application, name: "MyApp")
       @user.grant_application_signin_permission(app)
@@ -182,36 +162,6 @@ class Users::AccessAndPermissionsTest < ActionDispatch::IntegrationTest
       signin_with(@super_org_admin)
     end
 
-    should "support granting access to apps with a delegatable signin permission and to which the super organisation admin has access" do
-      app = create(:application, name: "MyApp", with_delegatable_supported_permissions: [SupportedPermission::SIGNIN_NAME])
-      @super_org_admin.grant_application_signin_permission(app)
-
-      visit edit_user_path(@user)
-      click_link "Manage permissions"
-      click_button "Grant access to MyApp"
-
-      assert @user.reload.has_access_to?(app)
-    end
-
-    should "not support granting access to apps without a delegatable signin permission" do
-      app = create(:application, name: "MyApp")
-      @super_org_admin.grant_application_signin_permission(app)
-
-      visit edit_user_path(@user)
-      click_link "Manage permissions"
-
-      assert page.has_no_button? "Grant access to MyApp?"
-    end
-
-    should "not support granting access to apps to which the super organisation admin doesn't have access" do
-      create(:application, name: "MyApp", with_delegatable_supported_permissions: [SupportedPermission::SIGNIN_NAME])
-
-      visit edit_user_path(@user)
-      click_link "Manage permissions"
-
-      assert page.has_no_button? "Grant access to MyApp?"
-    end
-
     should "support granting app-specific permissions" do
       app = create(
         :application,
@@ -281,36 +231,6 @@ class Users::AccessAndPermissionsTest < ActionDispatch::IntegrationTest
       signin_with(@organisation_admin)
     end
 
-    should "support granting access to apps with a delegatable signin permission and to which the organisation admin has access" do
-      app = create(:application, name: "MyApp", with_delegatable_supported_permissions: [SupportedPermission::SIGNIN_NAME])
-      @organisation_admin.grant_application_signin_permission(app)
-
-      visit edit_user_path(@user)
-      click_link "Manage permissions"
-      click_button "Grant access to MyApp"
-
-      assert @user.reload.has_access_to?(app)
-    end
-
-    should "not support granting access to apps without a delegatable signin permission" do
-      app = create(:application, name: "MyApp")
-      signin_permission = app.signin_permission
-      signin_permission.update!(delegatable: false)
-      @organisation_admin.grant_application_signin_permission(app)
-
-      visit edit_user_path(@user)
-      click_link "Manage permissions"
-      assert page.has_no_field? "Has access to MyApp?"
-    end
-
-    should "not support granting access to apps to which the super organisation admin doesn't have access" do
-      create(:application, name: "MyApp", with_delegatable_supported_permissions: [SupportedPermission::SIGNIN_NAME])
-
-      visit edit_user_path(@user)
-      click_link "Manage permissions"
-      assert page.has_no_field? "Has access to MyApp?"
-    end
-
     should "support granting app-specific permissions" do
       app = create(
         :application,

diff --git a/test/integration/users/granting_access_test.rb b/test/integration/users/granting_access_test.rb
@@ -1,66 +1,126 @@
 require "test_helper"
 
 class Users::GrantingAccessTest < ActionDispatch::IntegrationTest
+  setup do
+    @application = create(:application, with_delegatable_supported_permissions: [SupportedPermission::SIGNIN_NAME])
+    @granter = create(:user_in_organisation, with_signin_permissions_for: [@application])
+    @grantee = create(:user, organisation: @granter.organisation)
+  end
+
   context "when the signin permission is delegatable, the grantee is in the same organisation, and the granter has access" do
     %w[superadmin admin super_organisation_admin organisation_admin].each do |role|
       context "as a #{role}" do
-        should("be able to grant access") { skip }
+        setup do
+          @granter.update!(role:)
+          visit new_user_session_path
+          signin_with @granter
+        end
+
+        should("be able to grant access") { assert_grant_access_to_other_user(@application, @grantee) }
       end
     end
   end
 
   context "when the signin permission is not delegatable" do
+    setup { @application.signin_permission.update!(delegatable: false) }
+
     %w[superadmin admin].each do |admin_role|
       context "as a #{admin_role}" do
-        should("be able to grant access") { skip }
+        setup do
+          @granter.update!(role: admin_role)
+          visit new_user_session_path
+          signin_with @granter
+        end
+
+        should("be able to grant access") { assert_grant_access_to_other_user(@application, @grantee) }
       end
     end
 
     %w[super_organisation_admin organisation_admin].each do |publishing_manager_role|
       context "as a #{publishing_manager_role}" do
-        should("not be able to grant access") { skip }
+        setup do
+          @granter.update!(role: publishing_manager_role)
+          visit new_user_session_path
+          signin_with @granter
+        end
+
+        should("not be able to grant access") { refute_grant_access_to_other_user(@application, @grantee) }
       end
     end
   end
 
   context "when the grantee is not in the same organisation" do
+    setup { @grantee.update!(organisation: create(:organisation)) }
+
     %w[superadmin admin].each do |admin_role|
       context "as a #{admin_role}" do
-        should("be able to grant access") { skip }
+        setup do
+          @granter.update!(role: admin_role)
+          visit new_user_session_path
+          signin_with @granter
+        end
+
+        should("be able to grant access") { assert_grant_access_to_other_user(@application, @grantee) }
       end
     end
 
     context "as a super_organisation_admin" do
-      should "not be able to grant access" do
-        skip
+      setup do
+        @granter.update!(role: "super_organisation_admin")
+        visit new_user_session_path
+        signin_with @granter
       end
 
+      should("not be able to grant access") { refute_grant_access_to_other_user(@application, @grantee) }
+
       context "but the grantee's organisation is a child of the granter's" do
-        should("be able to grant access") { skip }
+        setup { @grantee.update!(organisation: create(:organisation, parent: @granter.organisation)) }
+
+        should("be able to grant access") { assert_grant_access_to_other_user(@application, @grantee) }
       end
     end
 
-    context "as an organisation_admin" do
-      should "not be able to grant access" do
-        skip
+    context "as a organisation_admin" do
+      setup do
+        @granter.update!(role: "organisation_admin")
+        visit new_user_session_path
+        signin_with @granter
       end
 
+      should("not be able to grant access") { refute_grant_access_to_other_user(@application, @grantee) }
+
       context "but the grantee's organisation is a child of the granter's" do
-        should("not be able to grant access") { skip }
+        setup { @grantee.update!(organisation: create(:organisation, parent: @granter.organisation)) }
+
+        should("not be able to grant access") { refute_grant_access_to_other_user(@application, @grantee) }
       end
     end
   end
 
   context "when the granter does not have access" do
+    setup { UserApplicationPermission.find_by(user: @granter, supported_permission: @application.signin_permission).destroy }
+
     %w[superadmin admin].each do |admin_role|
       context "as a #{admin_role}" do
-        should("be able to grant access") { skip }
+        setup do
+          @granter.update!(role: admin_role)
+          visit new_user_session_path
+          signin_with @granter
+        end
+
+        should("be able to grant access") { assert_grant_access_to_other_user(@application, @grantee) }
       end
     end
 
     %w[super_organisation_admin organisation_admin].each do |publishing_manager_role|
       context "as a #{publishing_manager_role}" do
-        should("not be able to grant access") { skip }
+        setup do
+          @granter.update!(role: publishing_manager_role)
+          visit new_user_session_path
+          signin_with @granter
+        end
+
+        should("not be able to grant access") { refute_grant_access_to_other_user(@application, @grantee) }
       end
     end
   end