From f63b881a987a218dbfa8315f877692b70b2436b7 Mon Sep 17 00:00:00 2001
From: Greg Cobb
Date: Tue, 13 Aug 2024 16:02:46 -0700
Subject: [PATCH] Refactor permisions can_read_route?
- Use role_applies? with the existing roles constant, rather than querying the user's org and space membership
- Remove duplicate tests
---
 lib/cloud_controller/permissions.rb | 6 +-
 .../lib/cloud_controller/permissions_spec.rb | 76 -------------------
 2 files changed, 2 insertions(+), 80 deletions(-)
diff --git a/lib/cloud_controller/permissions.rb b/lib/cloud_controller/permissions.rb
index 59e41b778a..918fa1d01f 100644
--- a/lib/cloud_controller/permissions.rb
+++ b/lib/cloud_controller/permissions.rb
@@ -240,11 +240,9 @@ def readable_space_scoped_spaces_query
 def can_read_route?(space_id)
 return true if can_read_globally?
 
- space = VCAP::CloudController::Space.where(id: space_id).first
+ org_id = VCAP::CloudController::Space.where(id: space_id).get(:organization_id)
 
- space.has_member?(@user) || space.has_supporter?(@user) ||
- @user.managed_organizations.map(&:id).include?(space.organization_id) ||
- @user.audited_organizations.map(&:id).include?(space.organization_id)
+ membership.role_applies?(ROLES_FOR_ROUTE_READING, space_id, org_id)
 end
 
 def space_guids_with_readable_routes_query
diff --git a/spec/unit/lib/cloud_controller/permissions_spec.rb b/spec/unit/lib/cloud_controller/permissions_spec.rb
index 5ee1627b72..49b5c925e1 100644
--- a/spec/unit/lib/cloud_controller/permissions_spec.rb
+++ b/spec/unit/lib/cloud_controller/permissions_spec.rb
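Review bot: In `can_read_route?`, `org_id` goes straight into `membership.role_applies?` with no check that the space lookup matched a row; if `.get(:organization_id)` yields nil for an unknown `space_id`, the outcome depends on how `role_applies?` treats a nil org id, which this hunk does not show. Adding `return false if org_id.nil?` before the `role_applies?` call would make the authorization decision fail closed by construction instead of by the helper's behaviour. The allowed roles now come from `ROLES_FOR_ROUTE_READING`, defined outside this hunk, and the same commit deletes the `#can_read_route?` specs, including the three deny cases (org billing manager, regular org user, other user). It is worth confirming that the specs described as duplicates still pin those denials against this method.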
@@ -1028,82 +1028,6 @@ module VCAP::CloudController
 end
 end
 
- describe '#can_read_route?' do
- it 'returns true if user is an admin' do
- set_current_user(user, { admin: true })
- expect(permissions.can_read_route?(space.id)).to be true
- end
-
- it 'returns true if user is a read-only admin' do
- set_current_user(user, { admin_read_only: true })
- expect(permissions.can_read_route?(space.id)).to be true
- end
-
- it 'returns true if user is a global auditor' do
- set_current_user_as_global_auditor
- expect(permissions.can_read_route?(space.id)).to be true
- end
-
- it 'returns true for space developer' do
- org.add_user(user)
- space.add_developer(user)
-
- expect(permissions.can_read_route?(space.id)).to be true
- end
-
- it 'returns true for space manager' do
- org.add_user(user)
- space.add_manager(user)
-
- expect(permissions.can_read_route?(space.id)).to be true
- end
-
- it 'returns true for space auditor' do
- org.add_user(user)
- space.add_auditor(user)
-
- expect(permissions.can_read_route?(space.id)).to be true
- end
-
- it 'returns true for space supporter' do
- org.add_user(user)
- space.add_supporter(user)
-
- expect(permissions.can_read_route?(space.id)).to be true
- end
-
- it 'returns true for org manager' do
- org.add_user(user)
- org.add_manager(user)
-
- expect(permissions.can_read_route?(space.id)).to be true
- end
-
- it 'returns true for org auditor' do
- org.add_user(user)
- org.add_auditor(user)
-
- expect(permissions.can_read_route?(space.id)).to be true
- end
-
- it 'returns false for org billing manager' do
- org.add_user(user)
- org.add_billing_manager(user)
-
- expect(permissions.can_read_route?(space.id)).to be false
- end
-
- it 'returns false for regular org user' do
- org.add_user(user)
-
- expect(permissions.can_read_route?(space.id)).to be false
- end
-
- it 'returns false for other user' do
- expect(permissions.can_read_route?(space.id)).to be false
- end
- end
-
 describe '#readable_app_guids' do
 it 'returns all the app guids for admins' do
 user = set_current_user_as_admin