Description
The role system has specs for Role::User, Role::Admin, Role::Account::User, Role::Account::Admin, and Role::Account::Observer. However, a review of the permission checks called in controllers (e.g., can_edit_health_checks!, can_create_deployments!, can_see_account!) against the role specs shows that many role × permission combinations are not tested.
For example:
- Can an Account::Observer trigger a manual check run? (Should not be able to.)
- Can an Account::User edit steps belonging to a check they can see?
- What happens when a user belongs to two accounts with different roles?
- Does Account::Locked correctly deny all write operations?
The method_missing delegation pattern means that a permission method with a typo in the controller silently grants access rather than raising an error.
Suggested approach
Create a permission matrix spec:
# spec/models/role/permission_matrix_spec.rb
RSpec.describe 'Permission matrix' do
  ACTIONS = %w[can_edit_health_checks? can_create_deployments? can_see_health_check? ...].freeze
  ROLES = [Role::Account::User, Role::Account::Admin, Role::Account::Observer].freeze
  # test each role × action combination
end
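As an added example (not the project's own code), the following stand-in roles show both the method_missing failure mode described above and the role × action sweep the spec sketch suggests. The role names are the ones listed in this issue; the permission table, the LooseRole/StrictRole classes and permission_matrix are constructed for illustration.

```ruby
# Added example, not project code: constructed stand-in roles that show the
# method_missing failure mode and a role x action sweep over them.
# The permission table below is sample data, not the real policy.
PERMISSIONS = {
  'Account::User'     => %w[can_see_health_check? can_edit_health_checks?],
  'Account::Admin'    => %w[can_see_health_check? can_edit_health_checks? can_create_deployments?],
  'Account::Observer' => %w[can_see_health_check?],
  'Account::Locked'   => %w[can_see_health_check?]
}.freeze
KNOWN_ACTIONS = PERMISSIONS.values.flatten.uniq.freeze

class BaseRole
  attr_reader :name

  def initialize(name)
    @name = name
  end

  def respond_to_missing?(m, include_private = false)
    KNOWN_ACTIONS.include?(m.to_s) || super
  end
end

# Loose delegation: every can_* name reaches method_missing, and a name that
# is not in the table (a typo such as can_edit_health_check?) comes back true.
class LooseRole < BaseRole
  def method_missing(m, *args)
    return super unless m.to_s.start_with?('can_')
    KNOWN_ACTIONS.include?(m.to_s) ? PERMISSIONS.fetch(name).include?(m.to_s) : true
  end
end

# Strict delegation: only table entries are answered; anything else raises
# NoMethodError, so a typo in a controller fails loudly instead of granting.
class StrictRole < BaseRole
  def method_missing(m, *args)
    return super unless KNOWN_ACTIONS.include?(m.to_s)
    PERMISSIONS.fetch(name).include?(m.to_s)
  end
end

# Evaluate every role x action pair: returns {role => {action => bool}}.
# With StrictRole an unknown action raises; with LooseRole it silently reads
# as true for every role, which is exactly what the matrix spec should catch.
def permission_matrix(role_class, actions, roles = PERMISSIONS.keys)
  roles.to_h { |r| [r, actions.to_h { |a| [a, role_class.new(r).public_send(a)] }] }
end
```

Running permission_matrix(StrictRole, KNOWN_ACTIONS) gives the full table to assert against in a spec, and feeding it a misspelled action is the regression test for the typo case.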
Effort: medium