From abca7229161a305c8df7787e5cebae0a55153941 Mon Sep 17 00:00:00 2001
From: Zach Davis
Date: Fri, 23 Feb 2024 14:38:07 -0800
Subject: [PATCH] [B] Allow unvalidated users to create private RG annotations
---
 api/app/authorizers/annotation_authorizer.rb | 5 ++++-
 .../authorizers/annotation_authorizer_spec.rb | 17 ++++++++++++++++-
 2 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/api/app/authorizers/annotation_authorizer.rb b/api/app/authorizers/annotation_authorizer.rb
index 3bbd04b68e..121963c08d 100644
--- a/api/app/authorizers/annotation_authorizer.rb
+++ b/api/app/authorizers/annotation_authorizer.rb
@@ -47,7 +47,10 @@ def readable_by?(user, _options = {})
 # Only public annotations need reputation to create.
 def requires_reputation_to_create?
- annotation_is_public?
+ return true if annotation_is_public? && !annotation_in_reading_group?
+ return true if annotation_in_reading_group? && !reading_group_is_private?
+
+ false
 end
 def user_can_notate_text?(user)
diff --git a/api/spec/authorizers/annotation_authorizer_spec.rb b/api/spec/authorizers/annotation_authorizer_spec.rb
index 6dd67c68d8..8fcd950bb5 100644
--- a/api/spec/authorizers/annotation_authorizer_spec.rb
+++ b/api/spec/authorizers/annotation_authorizer_spec.rb
@@ -100,9 +100,24 @@
 subject.clear_email_confirmation!
 end
- abilities = { create: false, read: true, update: false, delete: false }
+ abilities = { create: true, read: true, update: false, delete: false }
 the_subject_behaves_like "instance abilities", Annotation, abilities
+
+ context "when the subject is the resource creator" do
+ before do
+ FactoryBot.create(:reading_group_membership, reading_group: reading_group, user: creator)
+
+ reading_group.reload
+ end
+
+ let_it_be(:subject, refind: true) { creator }
+
+ abilities = { create: true, read: true, update: true, delete: true }
+
+ the_subject_behaves_like "instance abilities", Annotation, abilities
+ end
+
 end
 end
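Review bot: The comment kept above `requires_reputation_to_create?` in api/app/authorizers/annotation_authorizer.rb no longer matches the body: once an annotation is in a reading group, the result depends only on `reading_group_is_private?`, and the annotation's own visibility is ignored. I would replace it with `# Reputation is required for public annotations outside a reading group, and for any annotation in a reading group that is not private.` Because this predicate now waives the reputation gate for users the commit title calls unvalidated, it is worth confirming that the create check which calls it also verifies the user's membership of that private group; that caller, and the definitions of `annotation_in_reading_group?` and `reading_group_is_private?`, are outside the hunk. If the group model has privacy levels other than public and private, the comment should state which side of the rule they fall on.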
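Review bot: The added examples in api/spec/authorizers/annotation_authorizer_spec.rb cover only the newly permitted side of the rule; nothing in this hunk asserts that a user whose email confirmation was cleared is still refused creation when the reading group is not private, or when a public annotation is outside any group. A sibling context that keeps `abilities = { create: false, read: true, update: false, delete: false }` for those cases would pin the boundary that the authorizer change moves and catch a later over-relaxation. The enclosing context starts outside the hunk, so the group's privacy and the identity of the outer subject cannot be confirmed from here; if such a negative case already exists elsewhere in the file, this can be ignored.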