Add comprehensive tests for all Pundit policies

Adds test coverage for all 11 authorization policy files that were
previously untested. Policies control access to admin functions and
sensitive data, making this coverage critical for security.

Test Coverage Results:
- 62 new policy tests (all passing)
- 10 of 11 policies: 100% coverage
- ApplicationPolicy: 92.59% (base class)
- Overall project: 95.22% coverage (up from 95.08%)

Policies Tested:
- AdminPortalPolicy (2 tests)
- ApplicationPolicy (6 tests)
- ChapterPolicy (12 tests)
- ContactPolicy (2 tests)
- EventPolicy (4 tests)
- GroupPolicy (4 tests)
- MemberNotePolicy (2 tests)
- OrganiserPolicy (6 tests)
- SponsorPolicy (10 tests)
- TestimonialPolicy (2 tests)
- WorkshopPolicy (12 tests)

Testing Pattern:
Each policy test follows a consistent pattern testing authorization
boundaries with happy path (admin succeeds) and sad path (regular
member denied) scenarios. Tests use Fabrication for test data and
Rolify for role assignment, matching existing codebase patterns.

Author: mroderick

spec/policies/admin_portal_policy_spec.rb

@@ -0,0 +1,24 @@
+RSpec.describe AdminPortalPolicy do
+  subject { described_class.new(user, :admin_portal) }
+
+  let(:admin) { Fabricate(:member).tap { |m| m.add_role(:admin) } }
+  let(:regular_member) { Fabricate(:member) }
+
+  describe '#index?' do
+    context 'when user is admin' do
+      let(:user) { admin }
+
+      it 'permits access' do
+        expect(subject.index?).to be true
+      end
+    end
+
+    context 'when user is regular member' do
+      let(:user) { regular_member }
+
+      it 'denies access' do
+        expect(subject.index?).to be false
+      end
+    end
+  end
+end

spec/policies/application_policy_spec.rb

@@ -0,0 +1,55 @@
+RSpec.describe ApplicationPolicy do
+  subject { described_class.new(user, record) }
+
+  let(:record) { double('record') }
+  let(:admin) { Fabricate(:member).tap { |m| m.add_role(:admin) } }
+  let(:regular_member) { Fabricate(:member) }
+
+  describe '#index?' do
+    let(:user) { admin }
+
+    it 'denies access by default' do
+      expect(subject.index?).to be false
+    end
+  end
+
+  describe '#create?' do
+    let(:user) { admin }
+
+    it 'denies access by default' do
+      expect(subject.create?).to be false
+    end
+  end
+
+  describe '#new?' do
+    let(:user) { admin }
+
+    it 'delegates to create?' do
+      expect(subject.new?).to eq(subject.create?)
+    end
+  end
+
+  describe '#update?' do
+    let(:user) { admin }
+
+    it 'denies access by default' do
+      expect(subject.update?).to be false
+    end
+  end
+
+  describe '#edit?' do
+    let(:user) { admin }
+
+    it 'delegates to update?' do
+      expect(subject.edit?).to eq(subject.update?)
+    end
+  end
+
+  describe '#destroy?' do
+    let(:user) { admin }
+
+    it 'denies access by default' do
+      expect(subject.destroy?).to be false
+    end
+  end
+end

spec/policies/chapter_policy_spec.rb

@@ -0,0 +1,115 @@
+RSpec.describe ChapterPolicy do
+  subject { described_class.new(user, chapter) }
+
+  let(:chapter) { Fabricate(:chapter) }
+  let(:admin) { Fabricate(:member).tap { |m| m.add_role(:admin) } }
+  let(:regular_member) { Fabricate(:member) }
+
+  describe '#index?' do
+    context 'when user is admin' do
+      let(:user) { admin }
+
+      it 'permits access' do
+        expect(subject.index?).to be true
+      end
+    end
+
+    context 'when user is regular member' do
+      let(:user) { regular_member }
+
+      it 'denies access' do
+        expect(subject.index?).to be false
+      end
+    end
+  end
+
+  describe '#create?' do
+    context 'when user is admin' do
+      let(:user) { admin }
+
+      it 'permits access' do
+        expect(subject.create?).to be true
+      end
+    end
+
+    context 'when user is regular member' do
+      let(:user) { regular_member }
+
+      it 'denies access' do
+        expect(subject.create?).to be false
+      end
+    end
+  end
+
+  describe '#show?' do
+    context 'when user is admin' do
+      let(:user) { admin }
+
+      it 'permits access' do
+        expect(subject.show?).to be true
+      end
+    end
+
+    context 'when user is regular member' do
+      let(:user) { regular_member }
+
+      it 'denies access' do
+        expect(subject.show?).to be false
+      end
+    end
+  end
+
+  describe '#edit?' do
+    context 'when user is admin' do
+      let(:user) { admin }
+
+      it 'permits access' do
+        expect(subject.edit?).to be true
+      end
+    end
+
+    context 'when user is regular member' do
+      let(:user) { regular_member }
+
+      it 'denies access' do
+        expect(subject.edit?).to be false
+      end
+    end
+  end
+
+  describe '#update?' do
+    context 'when user is admin' do
+      let(:user) { admin }
+
+      it 'permits access' do
+        expect(subject.update?).to be true
+      end
+    end
+
+    context 'when user is regular member' do
+      let(:user) { regular_member }
+
+      it 'denies access' do
+        expect(subject.update?).to be false
+      end
+    end
+  end
+
+  describe '#members?' do
+    context 'when user is admin' do
+      let(:user) { admin }
+
+      it 'permits access' do
+        expect(subject.members?).to be true
+      end
+    end
+
+    context 'when user is regular member' do
+      let(:user) { regular_member }
+
+      it 'denies access' do
+        expect(subject.members?).to be false
+      end
+    end
+  end
+end

spec/policies/contact_policy_spec.rb

@@ -0,0 +1,25 @@
+RSpec.describe ContactPolicy do
+  subject { described_class.new(user, contact) }
+
+  let(:contact) { Fabricate(:contact) }
+  let(:admin) { Fabricate(:member).tap { |m| m.add_role(:admin) } }
+  let(:regular_member) { Fabricate(:member) }
+
+  describe '#index?' do
+    context 'when user is admin' do
+      let(:user) { admin }
+
+      it 'permits access' do
+        expect(subject.index?).to be true
+      end
+    end
+
+    context 'when user is regular member' do
+      let(:user) { regular_member }
+
+      it 'denies access' do
+        expect(subject.index?).to be false
+      end
+    end
+  end
+end

spec/policies/event_policy_spec.rb

@@ -0,0 +1,43 @@
+RSpec.describe EventPolicy do
+  subject { described_class.new(user, event) }
+
+  let(:event) { Fabricate(:event) }
+  let(:admin) { Fabricate(:member).tap { |m| m.add_role(:admin) } }
+  let(:regular_member) { Fabricate(:member) }
+
+  describe '#invite?' do
+    context 'when user is admin' do
+      let(:user) { admin }
+
+      it 'permits access' do
+        expect(subject.invite?).to be true
+      end
+    end
+
+    context 'when user is regular member' do
+      let(:user) { regular_member }
+
+      it 'denies access' do
+        expect(subject.invite?).to be false
+      end
+    end
+  end
+
+  describe '#show?' do
+    context 'when user is admin' do
+      let(:user) { admin }
+
+      it 'permits access' do
+        expect(subject.show?).to be true
+      end
+    end
+
+    context 'when user is regular member' do
+      let(:user) { regular_member }
+
+      it 'denies access' do
+        expect(subject.show?).to be false
+      end
+    end
+  end
+end

spec/policies/group_policy_spec.rb

@@ -0,0 +1,43 @@
+RSpec.describe GroupPolicy do
+  subject { described_class.new(user, group) }
+
+  let(:group) { Fabricate(:group) }
+  let(:admin) { Fabricate(:member).tap { |m| m.add_role(:admin) } }
+  let(:regular_member) { Fabricate(:member) }
+
+  describe '#create?' do
+    context 'when user is admin' do
+      let(:user) { admin }
+
+      it 'permits access' do
+        expect(subject.create?).to be true
+      end
+    end
+
+    context 'when user is regular member' do
+      let(:user) { regular_member }
+
+      it 'denies access' do
+        expect(subject.create?).to be false
+      end
+    end
+  end
+
+  describe '#show?' do
+    context 'when user is admin' do
+      let(:user) { admin }
+
+      it 'permits access' do
+        expect(subject.show?).to be true
+      end
+    end
+
+    context 'when user is regular member' do
+      let(:user) { regular_member }
+
+      it 'denies access' do
+        expect(subject.show?).to be false
+      end
+    end
+  end
+end

spec/policies/member_note_policy_spec.rb

@@ -0,0 +1,25 @@
+RSpec.describe MemberNotePolicy do
+  subject { described_class.new(user, member_note) }
+
+  let(:member_note) { Fabricate(:member_note) }
+  let(:admin) { Fabricate(:member).tap { |m| m.add_role(:admin) } }
+  let(:regular_member) { Fabricate(:member) }
+
+  describe '#create?' do
+    context 'when user is admin' do
+      let(:user) { admin }
+
+      it 'permits access' do
+        expect(subject.create?).to be true
+      end
+    end
+
+    context 'when user is regular member' do
+      let(:user) { regular_member }
+
+      it 'denies access' do
+        expect(subject.create?).to be false
+      end
+    end
+  end
+end

spec/policies/organiser_policy_spec.rb

@@ -0,0 +1,61 @@
+RSpec.describe OrganiserPolicy do
+  subject { described_class.new(user, organiser) }
+
+  let(:organiser) { Fabricate(:member) }
+  let(:admin) { Fabricate(:member).tap { |m| m.add_role(:admin) } }
+  let(:regular_member) { Fabricate(:member) }
+
+  describe '#index?' do
+    context 'when user is admin' do
+      let(:user) { admin }
+
+      it 'permits access' do
+        expect(subject.index?).to be true
+      end
+    end
+
+    context 'when user is regular member' do
+      let(:user) { regular_member }
+
+      it 'denies access' do
+        expect(subject.index?).to be false
+      end
+    end
+  end
+
+  describe '#create?' do
+    context 'when user is admin' do
+      let(:user) { admin }
+
+      it 'permits access' do
+        expect(subject.create?).to be true
+      end
+    end
+
+    context 'when user is regular member' do
+      let(:user) { regular_member }
+
+      it 'denies access' do
+        expect(subject.create?).to be false
+      end
+    end
+  end
+
+  describe '#destroy?' do
+    context 'when user is admin' do
+      let(:user) { admin }
+
+      it 'permits access' do
+        expect(subject.destroy?).to be true
+      end
+    end
+
+    context 'when user is regular member' do
+      let(:user) { regular_member }
+
+      it 'denies access' do
+        expect(subject.destroy?).to be false
+      end
+    end
+  end
+end