From 4aa73cebf0afc9ad92232f3baa769fb299b13de9 Mon Sep 17 00:00:00 2001
From: Justin Miller <16829344+jmilljr24@users.noreply.github.com>
Date: Wed, 24 Jun 2026 15:15:18 -0400
Subject: [PATCH 1/3] add resource policy for download to match show
---
 app/controllers/resources_controller.rb | 2 +-
 app/policies/resource_policy.rb | 2 +-
 spec/policies/resource_policy_spec.rb | 50 ++++++++++++++++++++-----
 3 files changed, 43 insertions(+), 11 deletions(-)
diff --git a/app/controllers/resources_controller.rb b/app/controllers/resources_controller.rb
index 994aa703e2..5920489f2c 100644
--- a/app/controllers/resources_controller.rb
+++ b/app/controllers/resources_controller.rb
@@ -1,7 +1,7 @@
 class ResourcesController < ApplicationController
 include ExternallyRedirectable, AhoyTracking, TagAssignable, MentionableScopable
- skip_before_action :authenticate_user!, only: [ :index, :show ]
+ skip_before_action :authenticate_user!, only: [ :index, :show, :download ]
 def index
 authorize!
diff --git a/app/policies/resource_policy.rb b/app/policies/resource_policy.rb
index 4a1adeccca..2cbf485bdd 100644
--- a/app/policies/resource_policy.rb
+++ b/app/policies/resource_policy.rb
@@ -18,7 +18,7 @@ def update?
 end
 def download?
- true
+ show?
 end
 def filter_published?
diff --git a/spec/policies/resource_policy_spec.rb b/spec/policies/resource_policy_spec.rb
index 9fb7725073..388d44ad36 100644
--- a/spec/policies/resource_policy_spec.rb
+++ b/spec/policies/resource_policy_spec.rb
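Review bot: With `:download` added to the `skip_before_action :authenticate_user!` list in app/controllers/resources_controller.rb, `ResourcePolicy#download?` becomes the only gate in front of downloads for anonymous visitors, and the `download` action itself is not shown in the hunk. The only action body visible here is `index`, which calls `authorize!`; the class continues outside the hunk, so it should be confirmed that `download` also calls `authorize!` on the loaded resource, otherwise the policy change in this commit never runs for guests. I would add a comment above the line, `# :download is unauthenticated on purpose; ResourcePolicy#download? (same rule as show?) decides access`, and a request spec asserting that a guest is refused a resource that is not publicly visible.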
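Review bot: `download?` in app/policies/resource_policy.rb now returns whatever `show?` returns, but nothing at the method records that the coupling is deliberate, so a later loosening of `show?` silently changes who can fetch files. A one-line comment would pin the intent: `# Downloading exposes the same content as viewing, so it must never be more permissive than show?`. The body of `show?` is outside this hunk, so the exact rule guests inherit cannot be checked from here.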
@@ -135,19 +135,51 @@ def policy_for(record:, user:)
 # -----------------------------------------
 describe "#download?" do
- it "allows admin" do
- expect(policy_for(record: private_resource, user: admin_user))
- .to be_allowed_to(:download?)
+ context "admin" do
+ it "can download anything" do
+ expect(policy_for(record: private_resource, user: admin_user))
+ .to be_allowed_to(:download?)
+ end
 end
- it "allows regular user" do
- expect(policy_for(record: private_resource, user: regular_user))
- .to be_allowed_to(:download?)
+ context "regular user" do
+ it "can download published resource" do
+ expect(policy_for(record: published_resource, user: regular_user))
+ .to be_allowed_to(:download?)
+ end
+
+ it "cannot download private resource" do
+ expect(policy_for(record: private_resource, user: regular_user))
+ .not_to be_allowed_to(:download?)
+ end
+
+ it "can download publicly visible resource" do
+ expect(policy_for(record: public_resource, user: regular_user))
+ .to be_allowed_to(:download?)
+ end
 end
- it "allows guest" do
- expect(policy_for(record: private_resource, user: guest_user))
- .to be_allowed_to(:download?)
+ context "guest" do
+ it "can download publicly visible resource" do
+ expect(policy_for(record: public_resource, user: guest_user))
+ .to be_allowed_to(:download?)
+ end
+
+ it "cannot download published-only resource" do
+ expect(policy_for(record: published_resource, user: guest_user))
+ .not_to be_allowed_to(:download?)
+ end
+
+ it "can download a publicly visible resource that is hidden from search" do
+ hidden_public_resource = build_stubbed(
+ :resource,
+ published: false,
+ publicly_visible: true,
+ hidden_from_search: true
+ )
+ expect(policy_for(record: hidden_public_resource, user: guest_user))
+ .to be_allowed_to(:download?)
+ end
 end
 end
From f894d9a91b5e6a00c9e901ae8eca0543a901e12d Mon Sep 17 00:00:00 2001
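Review bot: The new guest context in spec/policies/resource_policy_spec.rb never checks `private_resource`, although the removed example `allows guest` used exactly that record to assert the old, unconditional access. The guest examples cover `public_resource`, `published_resource` and the hidden-from-search record, while the denial on `private_resource` is asserted only for `regular_user`. Adding the matching guest example pins the anonymous path for that record too. The fixtures `public_resource` and `published_resource` are defined outside the hunk, so what they set is assumed from their names.

```ruby
context "guest" do
  # … unchanged: publicly visible, published-only and hidden-from-search examples …

  it "cannot download private resource" do
    expect(policy_for(record: private_resource, user: guest_user))
      .not_to be_allowed_to(:download?)
  end
end
```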
From: Justin Miller <16829344+jmilljr24@users.noreply.github.com>
Date: Thu, 25 Jun 2026 13:07:52 -0400
Subject: [PATCH 2/3] remove unneed tests
---
 spec/policies/resource_policy_spec.rb | 20 --------------------
 1 file changed, 20 deletions(-)
diff --git a/spec/policies/resource_policy_spec.rb b/spec/policies/resource_policy_spec.rb
index 388d44ad36..cb437dbb85 100644
--- a/spec/policies/resource_policy_spec.rb
+++ b/spec/policies/resource_policy_spec.rb
@@ -94,16 +94,6 @@ def policy_for(record:, user:)
 .not_to be_allowed_to(:show?)
 end
- it "can still reach a publicly visible resource that is hidden from search" do
- hidden_public_resource = build_stubbed(
- :resource,
- published: false,
- publicly_visible: true,
- hidden_from_search: true
- )
- expect(policy_for(record: hidden_public_resource, user: guest_user))
- .to be_allowed_to(:show?)
- end
 end
 end
@@ -170,16 +160,6 @@ def policy_for(record:, user:)
 .not_to be_allowed_to(:download?)
 end
- it "can download a publicly visible resource that is hidden from search" do
- hidden_public_resource = build_stubbed(
- :resource,
- published: false,
- publicly_visible: true,
- hidden_from_search: true
- )
- expect(policy_for(record: hidden_public_resource, user: guest_user))
- .to be_allowed_to(:download?)
- end
 end
 end
From fae71c6be88e89d49e89e9ead2e93713a6d1007f Mon Sep 17 00:00:00 2001
From: Justin Miller <16829344+jmilljr24@users.noreply.github.com>
Date: Thu, 25 Jun 2026 13:08:58 -0400
Subject: [PATCH 3/3] rubocop
---
 spec/policies/resource_policy_spec.rb | 2 --
 1 file changed, 2 deletions(-)
diff --git a/spec/policies/resource_policy_spec.rb b/spec/policies/resource_policy_spec.rb
index cb437dbb85..1c0cfef5bc 100644
--- a/spec/policies/resource_policy_spec.rb
+++ b/spec/policies/resource_policy_spec.rb
@@ -93,7 +93,6 @@ def policy_for(record:, user:) expect(policy_for(record: published_resource, user: guest_user)) .not_to be_allowed_to(:show?) end - end end
@@ -159,7 +158,6 @@ def policy_for(record:, user:) expect(policy_for(record: published_resource, user: guest_user)) .not_to be_allowed_to(:download?) end - end end