Move towards new abilities

Author: amaierhofer

app/abilities/people_manager_ability.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+#  Copyright (c) 2024, Schweizer Alpen-Club. This file is part of
+#  hitobito and licensed under the Affero General Public License version 3
+#  or later. See the COPYING file at the top-level directory or at
+#  https://github.com/hitobito/hitobito_youth.
+
+class PeopleManagerAbility < AbilityDsl::Base
+  on(PeopleManager) do
+    class_side(:index).everybody
+    permission(:any).may(:new_managed, :new_manager).everybody
+    permission(:any).may(:create_managed, :destroy_managed).if_can_change_managed
+    permission(:any).may(:create_manager, :destroy_manager).if_can_change_manager
+  end
+
+  def if_can_change_manager
+    can?(:change_managers, subject.managed) || creating_new_managed_person?
+  end
+
+  def if_can_change_managed
+    can?(:update, subject.manager)
+  end
+
+  private
+
+  def creating_new_managed_person?
+    subject.managed&.new_record? &&
+      FeatureGate.enabled?('people.people_managers.self_service_managed_creation')
+  end
+
+  def can?(action, person)
+    ability.can?(action, person)
+  end
+
+  def ability
+    @ability ||= Ability.new(user)
+  end
+end

app/controllers/people_managers_controller.rb

@@ -36,11 +36,14 @@ def destroy
   private
 
   def authorize_action
-    authorize!(action_name.to_sym, entry)
+    kind = assoc.to_s.split("_").last.singularize
+    action_to_authorize = :"#{action_name}_#{kind}"
+
+    authorize!(action_to_authorize, entry)
   end
 
   def authorize_class
-    authorize!(action_name.to_sym, PeopleManager)
+    authorize!(:index, PeopleManager)
   end
 
   def assign_attributes

app/helpers/dropdown/add_people_manager.rb

@@ -11,6 +11,7 @@ def initialize(template, person, managers: true)
     end
 
     def to_s
+      return '' if @items.none?
       return single_action_button if @items.one?
 
       super
@@ -19,13 +20,13 @@ def to_s
     private
 
     def single_action_button
-      template.action_button(template.ti('link.add'), @items.first.url, :plus, class: 'btn-sm' )
+      template.action_button(@items.first.label, @items.first.url, :plus, class: 'btn-sm' )
     end
 
     def init_items
-      add_assign_manager_item if change_managers?
-      add_assign_managed_item
-      add_create_managed_item if create_managed?
+      add_assign_manager_item if create_manager?
+      add_assign_managed_item if create_managed?
+      add_create_managed_item if create_new_managed?
     end
 
     def add_assign_manager_item
@@ -41,12 +42,16 @@ def add_assign_managed_item
     end
 
     def create_managed?
-      cannot?(:lookup_manageds, Person) &&
-        FeatureGate.enabled?('people.people_managers.self_service_managed_creation')
+      can?(:create_managed, PeopleManager.new(manager: @person))
+    end
+
+    def create_manager?
+      can?(:create_manager, PeopleManager.new(managed: @person))
     end
 
-    def change_managers?
-      can?(:change_managers, @person) && @managers == true
+    def create_new_managed?
+      cannot?(:lookup_manageds, Person) &&
+        FeatureGate.enabled?('people.people_managers.self_service_managed_creation')
     end
 
     def t(key)

lib/hitobito_youth/wagon.rb

@@ -66,6 +66,8 @@ class Wagon < Rails::Engine
       PersonReadables.prepend(Youth::PersonReadables)
       PersonLayerWritables.prepend(Youth::PersonLayerWritables)
 
+      Ability.store.register PeopleManagerAbility
+
       # decorator
       PersonDecorator.include Youth::PersonDecorator
       Event::ParticipationDecorator.include Youth::Event::ParticipationDecorator

spec/abilities/people_manager_ability_spec.rb

@@ -0,0 +1,60 @@
+# frozen_string_literal: true
+
+#  Copyright (c) 2024, Schweizer Alpen-Club. This file is part of
+#  hitobito and licensed under the Affero General Public License version 3
+#  or later. See the COPYING file at the top-level directory or at
+#  https://github.com/hitobito/hitobito_youth.
+
+require 'spec_helper'
+
+describe PeopleManagerAbility do
+
+  let(:top_leader) { people(:top_leader) }
+  let(:bottom_member) { people(:bottom_member) }
+
+  subject(:ability) { Ability.new(person) }
+
+  def build(managed: nil, manager: nil)
+    PeopleManager.new(managed: managed, manager: manager)
+  end
+
+  [:create_manager, :destroy_manager].each do |action|
+
+    context 'top leader' do
+      let(:person) { top_leader }
+
+      describe "#{action} manager" do
+        it 'may change manager of bottom_member' do
+          expect(ability).to be_able_to(action, build(managed: bottom_member))
+        end
+
+        it 'may not change his own manager' do
+          expect(ability).not_to be_able_to(action, build(managed: top_leader))
+        end
+
+        it 'may change manager of new record' do
+          expect(ability).to be_able_to(action, build(managed: Person.new))
+        end
+      end
+    end
+
+    context 'bottom member' do
+      let(:person) { bottom_member }
+
+      describe "#{action} manager" do
+        it 'may not change manager of top_leader' do
+          expect(ability).not_to be_able_to(action, build(managed: top_leader))
+        end
+
+        it 'may not change his own manager' do
+          expect(ability).not_to be_able_to(action, build(managed: bottom_member))
+        end
+
+        it 'may change manager of new record' do
+          expect(ability).to be_able_to(action, build(managed: Person.new))
+        end
+
+      end
+    end
+  end
+end

spec/helpers/dropdown/add_people_manager_spec.rb

@@ -24,18 +24,22 @@
     let(:person) { people(:top_leader) }
     it 'renders single button only to create new managed' do
       expect(html).to have_css('a', count: 1)
-      expect(html).to have_link('Erstellen', href: new_person_managed_path(person))
+      expect(html).to have_link('Kind zuweisen', href: new_person_managed_path(person))
     end
   end
 
-  context 'person without write permission' do
+  context 'when person with read permissions only' do
     let(:role) { Fabricate(Group::BottomGroup::Member.sti_name, group: groups(:bottom_group_one_one)) }
     let(:ability) { Ability.new(role.person) }
 
+    it 'renders nothing if creating person feature is disabled' do
+      allow(FeatureGate).to receive(:enabled?).and_return(false)
+      expect(dropdown.to_s).to be_blank
+    end
+
     it 'renders additional button cannot lookup people and create feature gate is enabled' do
       allow(FeatureGate).to receive(:enabled?).and_return(true)
-      expect(html).to have_css('a', count: 3)
-      expect(html).to have_link('Kind zuweisen', href: new_person_managed_path(person))
+      expect(html).to have_css('a', count: 1)
       expect(html).to have_link('Kind erfassen', href: new_person_managed_path(person, create: true))
     end
   end