Less confusing example of authorization

Currently, the route `payments#index` exists but is disallowed to all users. This is probably in order to provide a context to the authorization spec, but I think it's confusing. Now that we have an authentication mechanism, we can use this to provide a clearer (I hope) authorization spec and a less confusing app.
thoughtbot · Jun 17, 2021 · 6ebced6 · 6ebced6
1 parent 8e77e8f
commit 6ebced6
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 10 deletions.
diff --git a/spec/example_app/app/policies/payment_policy.rb b/spec/example_app/app/policies/payment_policy.rb
@@ -1,6 +1,6 @@
 class PaymentPolicy < ApplicationPolicy
   def index?
-    false
+    user.admin?
   end
 
   def create?

diff --git a/spec/features/authorization_spec.rb b/spec/features/authorization_spec.rb
@@ -22,16 +22,25 @@ def show?
     Product.policy_class = @original_product_policy
   end
 
-  it "shows link to resource for which index? is authorized" do
-    visit admin_customers_path
-    navigation = find(".navigation")
-    expect(navigation).to have_link("Products")
-  end
+  describe "navigation" do
+    def navigation
+      visit admin_customers_path
+      find(".navigation")
+    end
+
+    def become_user(customer)
+      visit become_admin_customer_path(customer)
+    end
 
-  it "hides link to resource for which index? is not authorized" do
-    visit admin_customers_path
-    navigation = find(".navigation")
-    expect(navigation).not_to have_link("Payments")
+    it "shows links to sections with authorized index" do
+      expect(navigation).to have_link("Payments")
+    end
+
+    it "hides links to sections without authorized index" do
+      customer = create(:customer, name: "Non Admin")
+      become_user(customer)
+      expect(navigation).not_to have_link("Payments")
+    end
   end
 
   it "renders all results yielded by the scope" do