Merge pull request #1057 from ElixirTeSS/collection-policy-fix

Ensure collaborators can see private collections

app/policies/collection_policy.rb

@@ -5,7 +5,7 @@ def update?
   end
 
   def show?
-    (!@record.from_unverified_or_rejected? && @record.public?) || manage?
+    (!@record.from_unverified_or_rejected? && @record.public?) || update?
   end
 
   def curate?

test/controllers/collections_controller_test.rb

@@ -12,6 +12,7 @@ class CollectionsControllerTest < ActionController::TestCase
       description: 'New description'
     }
   end
+
   #INDEX TESTS
   test 'should get index' do
     get :index
@@ -81,6 +82,14 @@ class CollectionsControllerTest < ActionController::TestCase
     assert_response :success
   end
 
+  test 'should get edit for collection collaborator' do
+    collaborator = users(:another_regular_user)
+    @collection.collaborators << collaborator
+    sign_in collaborator
+    get :edit, params: { id: @collection }
+    assert_response :success
+  end
+
   test 'should get edit for admin' do
     #Owner of collection logged in = SUCCESS
     sign_in users(:admin)
@@ -507,12 +516,21 @@ class CollectionsControllerTest < ActionController::TestCase
     assert_response :forbidden
   end
 
-  test 'should allow access to private collections if privileged' do
+  test 'should allow access to private collections if privileged as owner' do
     sign_in users(:regular_user)
     get :show, params: { id: collections(:secret_collection) }
     assert_response :success
   end
 
+  test 'should allow access to private collections if privileged as collaborator' do
+    collection = collections(:secret_collection)
+    collaborator = users(:another_regular_user)
+    collection.collaborators << collaborator
+    sign_in collaborator
+    get :show, params: { id: collection }
+    assert_response :success
+  end
+
   test 'should hide private collections from index' do
     get :index
     assert_response :success