From 0fee6e9dcc0001e7f432d2e7c96907a74632b977 Mon Sep 17 00:00:00 2001
From: Finn Bacall
Date: Fri, 22 Nov 2024 13:01:05 +0000
Subject: [PATCH] Ensure collaborators can see private collections
---
 app/policies/collection_policy.rb | 2 +-
 .../collections_controller_test.rb | 20 ++++++++++++++++++-
 2 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/app/policies/collection_policy.rb b/app/policies/collection_policy.rb
index 58a01e296..82bd0b038 100644
--- a/app/policies/collection_policy.rb
+++ b/app/policies/collection_policy.rb
@@ -5,7 +5,7 @@ def update?
 end
 def show?
- (!@record.from_unverified_or_rejected? && @record.public?) || manage?
+ (!@record.from_unverified_or_rejected? && @record.public?) || update?
 end
 def curate?
diff --git a/test/controllers/collections_controller_test.rb b/test/controllers/collections_controller_test.rb
index 1cc740b4e..1fe200d6e 100644
--- a/test/controllers/collections_controller_test.rb
+++ b/test/controllers/collections_controller_test.rb
@@ -12,6 +12,7 @@ class CollectionsControllerTest < ActionController::TestCase
 description: 'New description'
 }
 end
+
 #INDEX TESTS
 test 'should get index' do
 get :index
@@ -81,6 +82,14 @@ class CollectionsControllerTest < ActionController::TestCase
 assert_response :success
 end
+ test 'should get edit for collection collaborator' do
+ collaborator = users(:another_regular_user)
+ @collection.collaborators << collaborator
+ sign_in collaborator
+ get :edit, params: { id: @collection }
+ assert_response :success
+ end
+
 test 'should get edit for admin' do
 #Owner of collection logged in = SUCCESS
 sign_in users(:admin)
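Review bot: In `show?` in app/policies/collection_policy.rb, visibility of non-public collections, and of collections from unverified or rejected users, now rests entirely on `update?`, whose body lies outside this hunk, so it cannot be confirmed from here that `update?` still grants everything `manage?` did. Tying the read gate to the edit permission also means any later widening of `update?` widens who can read private collections without `show?` being touched. I would record that intent above the method, e.g. `# Anyone allowed to update may also view, even if the collection is private or from an unverified/rejected user.`, so a future change to `update?` is reviewed with read access in mind.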
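Review bot: The new `should get edit for collection collaborator` test asserts only the success path, so it would also pass if `users(:another_regular_user)` could already reach `edit` for some unrelated reason. Issuing the request once before the `@collection.collaborators << collaborator` line, with `sign_in collaborator`, `get :edit, params: { id: @collection }` and `assert_response :forbidden`, would show that the collaborator link is what grants access. The same applies to the collaborator `show` test added in the later hunk of this file.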
@@ -507,12 +516,21 @@ class CollectionsControllerTest < ActionController::TestCase
 assert_response :forbidden
 end
- test 'should allow access to private collections if privileged' do
+ test 'should allow access to private collections if privileged as owner' do
 sign_in users(:regular_user)
 get :show, params: { id: collections(:secret_collection) }
 assert_response :success
 end
+ test 'should allow access to private collections if privileged as collaborator' do
+ collection = collections(:secret_collection)
+ collaborator = users(:another_regular_user)
+ collection.collaborators << collaborator
+ sign_in collaborator
+ get :show, params: { id: collection }
+ assert_response :success
+ end
+
 test 'should hide private collections from index' do
 get :index
 assert_response :success
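Review bot: These tests pin `show` for a collaborator but leave the index listing uncovered; as far as the visible lines go, the following `should hide private collections from index` test calls `get :index` with no `sign_in` in its body. Whether a collaborator's private collection should appear in their own listing cannot be told from this diff, since `show?` is the only policy method changed. If it should, the listing scope needs the same rule, and either way a test with `sign_in collaborator` before `get :index` would pin the intended behaviour. The index test's body continues outside the hunk.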