Add comprehensive tests for all Pundit policies #2457
Merged
olleolleolle merged 1 commit into codebar:master from Feb 2, 2026
63ad333 to 0c8075e
Adds test coverage for all 11 authorization policy files that were previously untested. Policies control access to admin functions and sensitive data, making this coverage critical for security.

Test Coverage Results:
- 62 new policy tests (all passing)
- 10 of 11 policies: 100% coverage
- ApplicationPolicy: 92.59% (base class)
- Overall project: 95.22% coverage (up from 95.08%)

Policies Tested:
- AdminPortalPolicy (2 tests)
- ApplicationPolicy (6 tests)
- ChapterPolicy (12 tests)
- ContactPolicy (2 tests)
- EventPolicy (4 tests)
- GroupPolicy (4 tests)
- MemberNotePolicy (2 tests)
- OrganiserPolicy (6 tests)
- SponsorPolicy (10 tests)
- TestimonialPolicy (2 tests)
- WorkshopPolicy (12 tests)

Testing Pattern: Each policy test follows a consistent pattern testing authorization boundaries with happy path (admin succeeds) and sad path (regular member denied) scenarios. Tests use Fabrication for test data and Rolify for role assignment, matching existing codebase patterns.
0c8075e to 66734f1
olleolleolle reviewed Feb 2, 2026
| @@ -0,0 +1,24 @@ | |||
| RSpec.describe AdminPortalPolicy do | |||
| subject { described_class.new(user, :admin_portal) } | |||
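Review bot: the `subject { described_class.new(user, :admin_portal) }` line builds the policy from a `user` whose definition is outside the visible lines, so check that one context sets `user` to nil. The description lists only an admin and a regular-member scenario, and a headless policy like this one (the record is the symbol `:admin_portal`) is where the signed-out visitor case is most easily left unpinned. Adding a third context that asserts the expected result for a nil user would record that boundary explicitly.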
Collaborator
Suggested change
| subject { described_class.new(user, :admin_portal) } | |
| subject(:policy) { described_class.new(user, :admin_portal) } |
RSpec lets us name subjects, which improves the legibility of the individual tests, while preserving the possibility to use RSpec shared examples, and the like.
Let's call this feedback minor, not a blocker to merging.
Contributor
This line is weird. What does it mean? Is it saying that ten policies have 100% coverage and the 11th policy has ... something else? Or is it mistakenly saying that 10/11 = 100% (rather than 91%)?
Summary
Adds test coverage for all 11 authorization policy files that were previously untested. Policies control access to admin functions and sensitive data, making this coverage critical for security.
Test Coverage Results
Policies Tested
Testing Pattern
Each policy test follows a consistent pattern testing authorization boundaries:
Tests use Fabrication for test data and Rolify for role assignment, matching existing codebase patterns.
Verification
Run policy tests:
bundle exec rspec spec/policies/
Expected: 62 examples, 0 failures
Security Impact
This PR establishes test coverage for security-critical authorization logic. Before this PR, policy bugs could allow unauthorized access to admin functions or sensitive member data without being caught by tests.
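The happy-path/sad-path pattern described above, written as a table-driven boundary check. This is an added sketch, not code from this PR or the codebar repository, and it goes beyond the two scenarios listed by adding further actor rows. `StubMember`, `SketchAdminPortalPolicy`, the `index?` query, the `:organiser` role name and the signed-out visitor row are assumptions chosen so the file runs with plain Ruby (no Rails, Pundit, Rolify or Fabrication).

```ruby
# Added illustration; every class and constant here is a hypothetical stand-in.

# Minimal user double exposing the Rolify-style has_role? predicate.
StubMember = Struct.new(:roles) do
  def has_role?(name)
    roles.include?(name)
  end
end

# Headless policy in the Pundit shape: new(user, record) plus query methods.
class SketchAdminPortalPolicy
  attr_reader :user, :record

  def initialize(user, record)
    @user = user
    @record = record
  end

  # Deny by default: a nil (signed-out) user must never reach the portal.
  def index?
    !user.nil? && user.has_role?(:admin)
  end
end

# Constructed authorization matrix: actor label => [user, expected answer].
AUTHORIZATION_MATRIX = {
  admin: [StubMember.new([:admin]), true],
  member: [StubMember.new([]), false],
  organiser: [StubMember.new([:organiser]), false],
  visitor: [nil, false]
}.freeze

# Returns the labels of every actor whose actual answer differs from the
# expected one; an empty array means the boundary holds for all rows.
def boundary_violations(policy_class, matrix = AUTHORIZATION_MATRIX)
  matrix.each_with_object([]) do |(label, (user, expected)), failures|
    actual = policy_class.new(user, :admin_portal).index?
    failures << label unless actual == expected
  end
end

if __FILE__ == $PROGRAM_NAME
  failures = boundary_violations(SketchAdminPortalPolicy)
  puts failures.empty? ? "boundary holds" : "violations: #{failures.inspect}"
end
```

Listing the denied actors explicitly means a policy that regresses to "any signed-in user" fails on named rows rather than passing because only the admin case was exercised.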