Rename Voter to AccessControl

src/test/kotlin/unit/security/ArticleAccessControlTest.kt

@@ -0,0 +1,160 @@
+package unit.security
+
+import fr.dcproject.component.article.ArticleAccessControl
+import fr.dcproject.component.article.ArticleForView
+import fr.dcproject.component.auth.User
+import fr.dcproject.component.auth.UserI
+import fr.dcproject.component.citizen.CitizenCart
+import fr.dcproject.component.citizen.CitizenI
+import fr.dcproject.security.AccessDecision.DENIED
+import fr.dcproject.security.AccessDecision.GRANTED
+import fr.postgresjson.connexion.Paginated
+import io.mockk.every
+import io.mockk.mockk
+import org.amshove.kluent.`should be`
+import org.joda.time.DateTime
+import org.junit.jupiter.api.Tag
+import org.junit.jupiter.api.Test
+import org.junit.jupiter.api.TestInstance
+import org.junit.jupiter.api.parallel.Execution
+import org.junit.jupiter.api.parallel.ExecutionMode.CONCURRENT
+import java.util.UUID
+import fr.dcproject.component.article.ArticleRepository as ArticleRepo
+
+@TestInstance(TestInstance.Lifecycle.PER_CLASS)
+@Execution(CONCURRENT)
+@Tag("security")
+internal class ArticleAccessControlTest {
+    private val tesla = CitizenCart(
+        id = UUID.fromString("e6efc288-4283-4729-a268-6debb18de1a0"),
+        user = User(
+            username = "nicolas-tesla",
+            roles = listOf(UserI.Roles.ROLE_USER)
+        ),
+        name = CitizenI.Name("Nicolas", "Tesla")
+    )
+    private val einstein = CitizenCart(
+        user = User(
+            username = "albert-einstein",
+            roles = listOf(UserI.Roles.ROLE_USER)
+        ),
+        name = CitizenI.Name("Albert", "Einstein")
+    )
+
+    private fun getRepo(article: ArticleForView): ArticleRepo {
+        return mockk {
+            every { findVersionsByVersionId(1, 1, any()) } returns Paginated(listOf(article), 0, 1, 1)
+        }
+    }
+
+    @Test
+    fun `creator can be view the article`() {
+        val article = getArticle(tesla).copy(draft = true)
+        ArticleAccessControl(getRepo(article))
+            .canView(article, tesla)
+            .decision `should be` GRANTED
+    }
+
+    @Test
+    fun `other user can be view the article`() {
+        val article = getArticle(tesla)
+        ArticleAccessControl(getRepo(article))
+            .canView(article, einstein)
+            .decision `should be` GRANTED
+    }
+
+    @Test
+    fun `other user can be view the article list`(): Unit = listOf(ArticleAccessControl(mockk())).run {
+        val article = getArticle(tesla)
+        val article2 = getArticle(tesla)
+
+        ArticleAccessControl(getRepo(article))
+            .canView(listOf(article, article2), einstein)
+            .decision `should be` GRANTED
+    }
+
+    @Test
+    fun `the no creator can not be view the article on draft`() {
+        val article = getArticle(tesla).copy(draft = true)
+        ArticleAccessControl(getRepo(article))
+            .canView(article, einstein)
+            .decision `should be` DENIED
+    }
+
+    @Test
+    fun `the no creator can not be view list of articles if one is on draft`() {
+        val article = getArticle(tesla)
+        val article2 = getArticle(tesla).copy(draft = true)
+
+        ArticleAccessControl(getRepo(article))
+            .canView(listOf(article, article2), einstein)
+            .decision `should be` DENIED
+    }
+
+    @Test
+    fun `can not view deleted article`() {
+        val article = getArticle(tesla).copy(deletedAt = DateTime.now())
+        ArticleAccessControl(getRepo(article))
+            .canView(article, tesla)
+            .decision `should be` DENIED
+    }
+
+    @Test
+    fun `can delete article if owner`() {
+        val article = getArticle(tesla)
+        ArticleAccessControl(getRepo(article))
+            .canDelete(article, tesla)
+            .decision `should be` GRANTED
+    }
+
+    @Test
+    fun `can not delete article if not owner`() {
+        val article = getArticle(tesla).copy(deletedAt = DateTime.now())
+        ArticleAccessControl(getRepo(article))
+            .canDelete(article, einstein)
+            .code `should be` "article.delete.notYours"
+    }
+
+    @Test
+    fun `can create article if logged`() {
+        val article = getArticle(tesla)
+        ArticleAccessControl(getRepo(article))
+            .canUpsert(article, tesla)
+            .decision `should be` GRANTED
+    }
+
+    @Test
+    fun `can not create article if not logged`() {
+        val article = getArticle(tesla)
+        ArticleAccessControl(getRepo(article))
+            .canUpsert(article, null)
+            .code `should be` "article.create.notConnected"
+    }
+
+    @Test
+    fun `can update article if yours`() {
+        val article = getArticle(tesla)
+        ArticleAccessControl(getRepo(article))
+            .canUpsert(article, tesla)
+            .decision `should be` GRANTED
+    }
+
+    @Test
+    fun `can not update article if not yours`() {
+        val article = getArticle(tesla)
+        ArticleAccessControl(getRepo(article))
+            .canUpsert(article, einstein)
+            .code `should be` "article.update.notYours"
+    }
+
+    private fun getArticle(createdBy: CitizenCart = tesla) = ArticleForView(
+        id = UUID.randomUUID(),
+        title = "Hello world",
+        content = "Super",
+        description = "I Rocks",
+        createdBy = createdBy,
+        opinions = mapOf(),
+        versionId = UUID.randomUUID(),
+        versionNumber = 1
+    )
+}

src/test/kotlin/unit/security/CitizenAccessControlTest.kt

@@ -0,0 +1,100 @@
+package unit.security
+
+import fr.dcproject.component.auth.User
+import fr.dcproject.component.auth.UserI
+import fr.dcproject.component.citizen.CitizenAccessControl
+import fr.dcproject.component.citizen.CitizenBasic
+import fr.dcproject.component.citizen.CitizenI
+import fr.dcproject.security.AccessDecision.DENIED
+import fr.dcproject.security.AccessDecision.GRANTED
+import org.amshove.kluent.`should be`
+import org.joda.time.DateTime
+import org.junit.jupiter.api.Tag
+import org.junit.jupiter.api.Test
+import org.junit.jupiter.api.TestInstance
+import org.junit.jupiter.api.parallel.Execution
+import org.junit.jupiter.api.parallel.ExecutionMode.CONCURRENT
+
+@TestInstance(TestInstance.Lifecycle.PER_CLASS)
+@Execution(CONCURRENT)
+@Tag("security")
+internal class CitizenAccessControlTest {
+    private val tesla = CitizenBasic(
+        user = User(
+            username = "nicolas-tesla",
+            roles = listOf(UserI.Roles.ROLE_USER)
+        ),
+        birthday = DateTime.now(),
+        email = "tesla@best.com",
+        name = CitizenI.Name("Nicolas", "Tesla")
+    )
+    private val einstein = CitizenBasic(
+        user = User(
+            username = "albert-einstein",
+            roles = listOf(UserI.Roles.ROLE_USER)
+        ),
+        birthday = DateTime.now(),
+        email = "einstein@best.com",
+        name = CitizenI.Name("Albert", "Einstein")
+    )
+
+    private val curie = CitizenBasic(
+        user = User(
+            username = "marie-curie",
+            roles = listOf(UserI.Roles.ROLE_USER)
+        ),
+        birthday = DateTime.now(),
+        email = "curie@best.com",
+        name = CitizenI.Name("Marie", "Curie"),
+        deletedAt = DateTime.now()
+    )
+
+    @Test
+    fun `can be view the citizen`() {
+        CitizenAccessControl()
+            .canView(subject = einstein, connectedCitizen = tesla)
+            .decision `should be` GRANTED
+    }
+
+    @Test
+    fun `can be view the citizen list`() {
+        CitizenAccessControl()
+            .canView(subjects = listOf(tesla, einstein), connectedCitizen = einstein)
+            .decision `should be` GRANTED
+    }
+
+    @Test
+    fun `can not view deleted citizen`() {
+        CitizenAccessControl()
+            .canView(subject = curie, connectedCitizen = tesla)
+            .decision `should be` DENIED
+    }
+
+    @Test
+    fun `can be update itself`() {
+        CitizenAccessControl()
+            .canUpdate(subject = einstein, connectedCitizen = einstein)
+            .decision `should be` GRANTED
+    }
+
+    @Test
+    fun `can not be update other citizen`() {
+        CitizenAccessControl()
+            .canUpdate(subject = tesla, connectedCitizen = einstein)
+            .decision `should be` DENIED
+    }
+
+    @Test
+    fun `can be change password of itself`() {
+        CitizenAccessControl()
+            .canChangePassword(subject = einstein, connectedCitizen = einstein)
+            .decision `should be` GRANTED
+    }
+
+    @Test
+    fun `can not be change password of other citizen`() {
+        CitizenAccessControl()
+            .canChangePassword(subject = tesla, connectedCitizen = einstein)
+            .decision `should be` DENIED
+    }
+}

src/test/kotlin/unit/security/CommentAccessControlTest.kt

@@ -0,0 +1,155 @@
+package unit.security
+
+import fr.dcproject.component.article.ArticleForView
+import fr.dcproject.component.article.ArticleRef
+import fr.dcproject.component.auth.User
+import fr.dcproject.component.auth.UserI
+import fr.dcproject.component.citizen.Citizen
+import fr.dcproject.component.citizen.CitizenCart
+import fr.dcproject.component.citizen.CitizenI
+import fr.dcproject.component.comment.generic.CommentAccessControl
+import fr.dcproject.component.comment.generic.CommentForUpdate
+import fr.dcproject.component.comment.generic.CommentForView
+import fr.dcproject.security.AccessDecision.DENIED
+import fr.dcproject.security.AccessDecision.GRANTED
+import org.amshove.kluent.`should be`
+import org.joda.time.DateTime
+import org.junit.jupiter.api.Tag
+import org.junit.jupiter.api.Test
+import org.junit.jupiter.api.TestInstance
+import org.junit.jupiter.api.parallel.Execution
+import org.junit.jupiter.api.parallel.ExecutionMode.CONCURRENT
+import java.util.UUID
+
+@TestInstance(TestInstance.Lifecycle.PER_CLASS)
+@Execution(CONCURRENT)
+@Tag("security")
+internal class CommentAccessControlTest {
+    private val tesla = Citizen(
+        user = User(
+            username = "nicolas-tesla",
+            roles = listOf(UserI.Roles.ROLE_USER)
+        ),
+        birthday = DateTime.now(),
+        email = "tesla@best.com",
+        name = CitizenI.Name("Nicolas", "Tesla")
+    )
+    private val einstein = Citizen(
+        id = UUID.fromString("319f1226-8f47-4df3-babd-2c7671ad0fbc"),
+        user = User(
+            username = "albert-einstein",
+            roles = listOf(UserI.Roles.ROLE_USER)
+        ),
+        birthday = DateTime.now(),
+        email = "einstein@best.com",
+        name = CitizenI.Name("Albert", "Einstein")
+    )
+
+    private val einstein2 = CitizenCart(
+        id = UUID.fromString("319f1226-8f47-4df3-babd-2c7671ad0fbc"),
+        user = User(
+            username = "albert-einstein",
+            roles = listOf(UserI.Roles.ROLE_USER)
+        ),
+        name = CitizenI.Name("Albert", "Einstein")
+    )
+
+    private val article1 = ArticleForView(
+        content = "Hi",
+        createdBy = einstein2,
+        description = "blablabla",
+        title = "Super article"
+    )
+
+    private val comment1 = CommentForView(
+        content = "Hello",
+        createdBy = tesla,
+        target = article1
+    )
+
+    private val commentForUpdate = CommentForUpdate(
+        content = "Hello",
+        createdBy = tesla,
+        target = article1
+    )
+
+    private val comment2 = CommentForView(
+        content = "Hello2",
+        createdBy = einstein,
+        target = article1
+    )
+
+    private val commentTargetDeleted = CommentForView(
+        content = "Hello",
+        createdBy = tesla,
+        target = ArticleForView(
+            content = "Hi",
+            createdBy = einstein2,
+            description = "blablabla",
+            title = "Super article",
+            workgroup = null
+        ).copy(deletedAt = DateTime.now())
+    )
+
+    private val commentTargetNoUser = CommentForView(
+        content = "Hello",
+        createdBy = tesla,
+        target = ArticleRef()
+    )
+
+    @Test
+    fun `can be view the comment`() {
+        CommentAccessControl()
+            .canView(comment1, tesla)
+            .decision `should be` GRANTED
+    }
+
+    @Test
+    fun `can be view the comment list`() {
+        CommentAccessControl()
+            .canView(listOf(comment1, comment2), einstein)
+            .decision `should be` GRANTED
+    }
+
+    @Test
+    fun `can be update your comment`() {
+        CommentAccessControl()
+            .canUpdate(comment1, tesla)
+            .decision `should be` GRANTED
+    }
+
+    @Test
+    fun `can not be update other comment`() {
+        CommentAccessControl()
+            .canUpdate(comment1, einstein)
+            .decision `should be` DENIED
+    }
+
+    @Test
+    fun `can be create a comment`() {
+        CommentAccessControl()
+            .canCreate(comment1, tesla)
+            .decision `should be` GRANTED
+    }
+
+    @Test
+    fun `can not be create a comment if target is deleted`() {
+        CommentAccessControl()
+            .canCreate(commentTargetDeleted, tesla)
+            .decision `should be` DENIED
+    }
+
+    @Test
+    fun `can not be create a comment with other creator`() {
+        CommentAccessControl()
+            .canCreate(comment1, einstein)
+            .decision `should be` DENIED
+    }
+
+    @Test
+    fun `can not be create a comment if not connected`() {
+        CommentAccessControl()
+            .canCreate(comment1, null)
+            .decision `should be` DENIED
+    }
+}

src/test/kotlin/unit/security/FollowAccessControlTest.kt

@@ -0,0 +1,153 @@
+package unit.security
+
+import fr.dcproject.component.article.ArticleForView
+import fr.dcproject.component.auth.User
+import fr.dcproject.component.auth.UserI
+import fr.dcproject.component.citizen.Citizen
+import fr.dcproject.component.citizen.CitizenBasic
+import fr.dcproject.component.citizen.CitizenCart
+import fr.dcproject.component.citizen.CitizenI
+import fr.dcproject.component.follow.Follow
+import fr.dcproject.component.follow.FollowAccessControl
+import fr.dcproject.security.AccessDecision.DENIED
+import fr.dcproject.security.AccessDecision.GRANTED
+import org.amshove.kluent.`should be`
+import org.joda.time.DateTime
+import org.junit.jupiter.api.Tag
+import org.junit.jupiter.api.Test
+import org.junit.jupiter.api.TestInstance
+import org.junit.jupiter.api.parallel.Execution
+import org.junit.jupiter.api.parallel.ExecutionMode.CONCURRENT
+import java.util.UUID
+
+@TestInstance(TestInstance.Lifecycle.PER_CLASS)
+@Execution(CONCURRENT)
+@Tag("security")
+internal class FollowAccessControlTest {
+    private val tesla = CitizenBasic(
+        user = User(
+            username = "nicolas-tesla",
+            roles = listOf(UserI.Roles.ROLE_USER)
+        ),
+        birthday = DateTime.now(),
+        email = "tesla@best.com",
+        name = CitizenI.Name("Nicolas", "Tesla"),
+        followAnonymous = false
+    )
+    private val tesla2 = Citizen(
+        user = User(
+            username = "nicolas-tesla",
+            roles = listOf(UserI.Roles.ROLE_USER)
+        ),
+        birthday = DateTime.now(),
+        email = "tesla@best.com",
+        name = CitizenI.Name("Nicolas", "Tesla"),
+        followAnonymous = false
+    )
+
+    private val einstein = CitizenBasic(
+        id = UUID.fromString("319f1226-8f47-4df3-babd-2c7671ad0fbc"),
+        user = User(
+            username = "albert-einstein",
+            roles = listOf(UserI.Roles.ROLE_USER)
+        ),
+        birthday = DateTime.now(),
+        email = "einstein@best.com",
+        name = CitizenI.Name("Albert", "Einstein"),
+        followAnonymous = true
+    )
+
+    private val einstein2 = CitizenCart(
+        id = UUID.fromString("319f1226-8f47-4df3-babd-2c7671ad0fbc"),
+        user = User(
+            username = "albert-einstein",
+            roles = listOf(UserI.Roles.ROLE_USER)
+        ),
+        name = CitizenI.Name("Albert", "Einstein")
+    )
+
+    private val einstein3 = Citizen(
+        id = UUID.fromString("319f1226-8f47-4df3-babd-2c7671ad0fbc"),
+        user = User(
+            username = "albert-einstein",
+            roles = listOf(UserI.Roles.ROLE_USER)
+        ),
+        birthday = DateTime.now(),
+        email = "einstein@best.com",
+        name = CitizenI.Name("Albert", "Einstein"),
+        followAnonymous = true
+    )
+
+    private val article1 = ArticleForView(
+        content = "Hi",
+        createdBy = einstein2,
+        description = "blablabla",
+        title = "Super article"
+    )
+
+    private val follow1 = Follow(
+        createdBy = tesla,
+        target = article1
+    )
+
+    private val followAnon = Follow(
+        createdBy = einstein,
+        target = article1
+    )
+
+    @Test
+    fun `can be view the follow`() {
+        FollowAccessControl()
+            .canView(follow1, tesla2)
+            .decision `should be` GRANTED
+    }
+
+    @Test
+    fun `can be view the follow list`() {
+        FollowAccessControl()
+            .canView(listOf(follow1), tesla2)
+            .decision `should be` GRANTED
+    }
+
+    @Test
+    fun `can be view your anonymous follow`() {
+        FollowAccessControl()
+            .canView(followAnon, einstein3)
+            .decision `should be` GRANTED
+    }
+
+    @Test
+    fun `can not be view the anonymous follow of other`() {
+        FollowAccessControl()
+            .canView(followAnon, tesla2)
+            .decision `should be` DENIED
+    }
+
+    @Test
+    fun `can be follow article`() {
+        FollowAccessControl()
+            .canCreate(follow1, tesla2)
+            .decision `should be` GRANTED
+    }
+
+    @Test
+    fun `can not be follow article if not connected`() {
+        FollowAccessControl()
+            .canCreate(follow1, null)
+            .decision `should be` DENIED
+    }
+
+    @Test
+    fun `can be unfollow article`() {
+        FollowAccessControl()
+            .canDelete(follow1, tesla2)
+            .decision `should be` GRANTED
+    }
+
+    @Test
+    fun `can not be unfollow article if not connected`() {
+        FollowAccessControl()
+            .canDelete(follow1, null)
+            .decision `should be` DENIED
+    }
+}

src/test/kotlin/unit/security/OpinionAccessControlTest.kt

@@ -0,0 +1,123 @@
+package unit.security
+
+import fr.dcproject.component.article.ArticleForView
+import fr.dcproject.component.auth.User
+import fr.dcproject.component.auth.UserI
+import fr.dcproject.component.citizen.CitizenBasic
+import fr.dcproject.component.citizen.CitizenCart
+import fr.dcproject.component.citizen.CitizenI
+import fr.dcproject.component.opinion.OpinionAccessControl
+import fr.dcproject.component.opinion.entity.Opinion
+import fr.dcproject.component.opinion.entity.OpinionChoice
+import fr.dcproject.security.AccessDecision.DENIED
+import fr.dcproject.security.AccessDecision.GRANTED
+import org.amshove.kluent.`should be`
+import org.joda.time.DateTime
+import org.junit.jupiter.api.Tag
+import org.junit.jupiter.api.Test
+import org.junit.jupiter.api.TestInstance
+import org.junit.jupiter.api.parallel.Execution
+import org.junit.jupiter.api.parallel.ExecutionMode.CONCURRENT
+import java.util.UUID
+
+@TestInstance(TestInstance.Lifecycle.PER_CLASS)
+@Execution(CONCURRENT)
+@Tag("security")
+internal class OpinionAccessControlTest {
+    private val tesla = CitizenBasic(
+        user = User(
+            username = "nicolas-tesla",
+            roles = listOf(UserI.Roles.ROLE_USER)
+        ),
+        birthday = DateTime.now(),
+        email = "tesla@best.com",
+        name = CitizenI.Name("Nicolas", "Tesla"),
+        followAnonymous = false
+    )
+
+    private val einstein = CitizenBasic(
+        id = UUID.fromString("319f1226-8f47-4df3-babd-2c7671ad0fbc"),
+        user = User(
+            username = "albert-einstein",
+            roles = listOf(UserI.Roles.ROLE_USER)
+        ),
+        birthday = DateTime.now(),
+        email = "einstein@best.com",
+        name = CitizenI.Name("Albert", "Einstein"),
+        followAnonymous = true
+    )
+
+    private val einstein2 = CitizenCart(
+        id = UUID.fromString("319f1226-8f47-4df3-babd-2c7671ad0fbc"),
+        user = User(
+            username = "albert-einstein",
+            roles = listOf(UserI.Roles.ROLE_USER)
+        ),
+        name = CitizenI.Name("Albert", "Einstein")
+    )
+
+    private val article1 = ArticleForView(
+        content = "Hi",
+        createdBy = einstein2,
+        description = "blablabla",
+        title = "Super article"
+    )
+
+    private val opinion1 = Opinion(
+        createdBy = tesla,
+        target = article1,
+        choice = OpinionChoice(
+            name = "Opinion1",
+            target = listOf("article")
+        )
+    )
+
+    @Test
+    fun `can be view the opinion`() {
+        OpinionAccessControl()
+            .canView(opinion1, tesla)
+            .decision `should be` GRANTED
+    }
+
+    @Test
+    fun `can be view the opinion list`() {
+        OpinionAccessControl()
+            .canView(listOf(opinion1), tesla)
+            .decision `should be` GRANTED
+    }
+
+    @Test
+    fun `can be opinion an article`() {
+        OpinionAccessControl()
+            .canCreate(opinion1, tesla)
+            .decision `should be` GRANTED
+    }
+
+    @Test
+    fun `can not be opinion if not connected`() {
+        OpinionAccessControl()
+            .canCreate(opinion1, null)
+            .decision `should be` DENIED
+    }
+
+    @Test
+    fun `can be remove opinion`() {
+        OpinionAccessControl()
+            .canDelete(opinion1, tesla)
+            .decision `should be` GRANTED
+    }
+
+    @Test
+    fun `can not be remove opinion if not connected`() {
+        OpinionAccessControl()
+            .canDelete(opinion1, null)
+            .decision `should be` DENIED
+    }
+
+    @Test
+    fun `can not be remove opinion of other user`() {
+        OpinionAccessControl()
+            .canDelete(opinion1, einstein)
+            .decision `should be` DENIED
+    }
+}

src/test/kotlin/unit/security/OpinionChoiceAccessControlTest.kt

@@ -0,0 +1,71 @@
+package unit.security
+
+import fr.dcproject.component.article.ArticleForView
+import fr.dcproject.component.auth.User
+import fr.dcproject.component.auth.UserI
+import fr.dcproject.component.citizen.CitizenBasic
+import fr.dcproject.component.citizen.CitizenCart
+import fr.dcproject.component.citizen.CitizenI
+import fr.dcproject.component.opinion.OpinionChoiceAccessControl
+import fr.dcproject.component.opinion.entity.OpinionChoice
+import fr.dcproject.security.AccessDecision.GRANTED
+import org.amshove.kluent.`should be`
+import org.joda.time.DateTime
+import org.junit.jupiter.api.Tag
+import org.junit.jupiter.api.Test
+import org.junit.jupiter.api.TestInstance
+import org.junit.jupiter.api.parallel.Execution
+import org.junit.jupiter.api.parallel.ExecutionMode.CONCURRENT
+import java.util.UUID
+
+@TestInstance(TestInstance.Lifecycle.PER_CLASS)
+@Execution(CONCURRENT)
+@Tag("security")
+internal class OpinionChoiceAccessControlTest {
+    private val tesla = CitizenBasic(
+        id = UUID.fromString("e6efc288-4283-4729-a268-6debb18de1a0"),
+        user = User(
+            username = "nicolas-tesla",
+            roles = listOf(UserI.Roles.ROLE_USER)
+        ),
+        birthday = DateTime.now(),
+        email = "tesla@best.com",
+        name = CitizenI.Name("Nicolas", "Tesla"),
+        followAnonymous = false
+    )
+
+    private val tesla2 = CitizenCart(
+        id = UUID.fromString("e6efc288-4283-4729-a268-6debb18de1a0"),
+        user = User(
+            username = "nicolas-tesla",
+            roles = listOf(UserI.Roles.ROLE_USER)
+        ),
+        name = CitizenI.Name("Nicolas", "Tesla")
+    )
+
+    private val article1 = ArticleForView(
+        content = "Hi",
+        createdBy = tesla2,
+        description = "blablabla",
+        title = "Super article"
+    )
+
+    private val choice1 = OpinionChoice(
+        name = "Opinion1",
+        target = listOf()
+    )
+
+    @Test
+    fun `can be view the opinion choice`() {
+        OpinionChoiceAccessControl()
+            .canView(choice1, tesla)
+            .decision `should be` GRANTED
+    }
+
+    @Test
+    fun `can be view the opinion choice list`() {
+        OpinionChoiceAccessControl()
+            .canView(listOf(choice1), tesla)
+            .decision `should be` GRANTED
+    }
+}

src/test/kotlin/unit/security/VoteAccessControlTest.kt

@@ -0,0 +1,143 @@
+package unit.security
+
+import fr.dcproject.component.article.ArticleForView
+import fr.dcproject.component.auth.User
+import fr.dcproject.component.auth.UserI
+import fr.dcproject.component.citizen.Citizen
+import fr.dcproject.component.citizen.CitizenBasic
+import fr.dcproject.component.citizen.CitizenCart
+import fr.dcproject.component.citizen.CitizenI
+import fr.dcproject.component.vote.VoteAccessControl
+import fr.dcproject.component.vote.entity.VoteForUpdate
+import fr.dcproject.security.AccessDecision.DENIED
+import fr.dcproject.security.AccessDecision.GRANTED
+import org.amshove.kluent.`should be`
+import org.joda.time.DateTime
+import org.junit.jupiter.api.Tag
+import org.junit.jupiter.api.Test
+import org.junit.jupiter.api.TestInstance
+import org.junit.jupiter.api.parallel.Execution
+import org.junit.jupiter.api.parallel.ExecutionMode.CONCURRENT
+import java.util.UUID
+import fr.dcproject.component.vote.entity.Vote as VoteEntity
+
+@TestInstance(TestInstance.Lifecycle.PER_CLASS)
+@Execution(CONCURRENT)
+@Tag("security")
+internal class VoteAccessControlTest {
+    private val tesla = Citizen(
+        id = UUID.fromString("a1e35c99-9d33-4fb4-9201-58d7071243bb"),
+        user = User(
+            username = "nicolas-tesla",
+            roles = listOf(UserI.Roles.ROLE_USER)
+        ),
+        birthday = DateTime.now(),
+        email = "tesla@best.com",
+        name = CitizenI.Name("Nicolas", "Tesla"),
+        followAnonymous = false
+    )
+    private val tesla3 = CitizenBasic(
+        id = UUID.fromString("a1e35c99-9d33-4fb4-9201-58d7071243bb"),
+        user = User(
+            username = "nicolas-tesla",
+            roles = listOf(UserI.Roles.ROLE_USER)
+        ),
+        birthday = DateTime.now(),
+        email = "tesla@best.com",
+        name = CitizenI.Name("Nicolas", "Tesla"),
+        followAnonymous = false
+    )
+
+    private val einstein = Citizen(
+        id = UUID.fromString("319f1226-8f47-4df3-babd-2c7671ad0fbc"),
+        user = User(
+            username = "albert-einstein",
+            roles = listOf(UserI.Roles.ROLE_USER)
+        ),
+        birthday = DateTime.now(),
+        email = "einstein@best.com",
+        name = CitizenI.Name("Albert", "Einstein"),
+        followAnonymous = true
+    )
+
+    private val einstein2 = CitizenCart(
+        id = UUID.fromString("319f1226-8f47-4df3-babd-2c7671ad0fbc"),
+        user = User(
+            username = "albert-einstein",
+            roles = listOf(UserI.Roles.ROLE_USER)
+        ),
+        name = CitizenI.Name("Albert", "Einstein")
+    )
+
+    private val article1 = ArticleForView(
+        content = "Hi",
+        createdBy = einstein2,
+        description = "blablabla",
+        title = "Super article"
+    )
+
+    private val vote1 = VoteEntity(
+        createdBy = tesla3,
+        target = article1,
+        note = 1
+    )
+
+    private val voteForUpdate = VoteForUpdate(
+        createdBy = tesla,
+        target = article1,
+        note = 1
+    )
+
+    private val voteOnDeleted = VoteForUpdate(
+        createdBy = tesla,
+        target = ArticleForView(
+            content = "Hi",
+            createdBy = einstein2,
+            description = "blablabla",
+            title = "Super article"
+        ).copy(deletedAt = DateTime.now()),
+        note = 1
+    )
+
+    @Test
+    fun `can be view your the vote`() {
+        VoteAccessControl()
+            .canView(vote1, tesla)
+            .decision `should be` GRANTED
+    }
+
+    @Test
+    fun `can not be view vote of other`() {
+        VoteAccessControl()
+            .canView(vote1, einstein)
+            .decision `should be` DENIED
+    }
+
+    @Test
+    fun `can be view your votes list`() {
+        VoteAccessControl()
+            .canView(listOf(vote1), tesla)
+            .decision `should be` GRANTED
+    }
+
+    @Test
+    fun `can be vote an article`() {
+        VoteAccessControl()
+            .canCreate(voteForUpdate, tesla)
+            .decision `should be` GRANTED
+    }
+
+    @Test
+    fun `can not be vote if not connected`() {
+        VoteAccessControl()
+            .canCreate(voteForUpdate, null)
+            .decision `should be` DENIED
+    }
+
+    @Test
+    fun `can not be vote an article if article is deleted`() {
+        VoteAccessControl()
+            .canCreate(voteOnDeleted, tesla)
+            .decision `should be` DENIED
+    }
+}

src/test/kotlin/unit/security/WorkgroupAccessControlTest.kt

@@ -0,0 +1,150 @@
+package unit.security
+
+import fr.dcproject.component.auth.User
+import fr.dcproject.component.auth.UserI
+import fr.dcproject.component.citizen.CitizenBasic
+import fr.dcproject.component.citizen.CitizenCart
+import fr.dcproject.component.citizen.CitizenI
+import fr.dcproject.component.workgroup.WorkgroupAccessControl
+import fr.dcproject.component.workgroup.WorkgroupWithMembersI
+import fr.dcproject.security.AccessDecision.DENIED
+import fr.dcproject.security.AccessDecision.GRANTED
+import org.amshove.kluent.`should be`
+import org.joda.time.DateTime
+import org.junit.jupiter.api.Tag
+import org.junit.jupiter.api.Test
+import org.junit.jupiter.api.TestInstance
+import org.junit.jupiter.api.parallel.Execution
+import org.junit.jupiter.api.parallel.ExecutionMode.CONCURRENT
+import java.util.UUID
+import fr.dcproject.component.workgroup.Workgroup as WorkgroupEntity
+
+@TestInstance(TestInstance.Lifecycle.PER_CLASS)
+@Execution(CONCURRENT)
+@Tag("security")
+internal class WorkgroupAccessControlTest {
+    private val tesla = CitizenBasic(
+        user = User(
+            username = "nicolas-tesla",
+            roles = listOf(UserI.Roles.ROLE_USER)
+        ),
+        birthday = DateTime.now(),
+        email = "tesla@best.com",
+        name = CitizenI.Name("Nicolas", "Tesla"),
+        followAnonymous = false
+    )
+
+    private val einstein = CitizenBasic(
+        id = UUID.fromString("319f1226-8f47-4df3-babd-2c7671ad0fbc"),
+        user = User(
+            username = "albert-einstein",
+            roles = listOf(UserI.Roles.ROLE_USER)
+        ),
+        birthday = DateTime.now(),
+        email = "einstein@best.com",
+        name = CitizenI.Name("Albert", "Einstein"),
+        followAnonymous = true
+    )
+
+    private val einstein2 = CitizenCart(
+        id = UUID.fromString("319f1226-8f47-4df3-babd-2c7671ad0fbc"),
+        user = User(
+            username = "albert-einstein",
+            roles = listOf(UserI.Roles.ROLE_USER)
+        ),
+        name = CitizenI.Name("Albert", "Einstein")
+    )
+
+    private val workgroupPublic = WorkgroupEntity(
+        createdBy = tesla,
+        description = "Super desc",
+        name = "super name",
+        anonymous = false,
+        members = listOf(WorkgroupWithMembersI.Member(tesla, listOf(WorkgroupWithMembersI.Member.Role.MASTER)))
+    )
+
+    private val workgroupAnon = WorkgroupEntity(
+        createdBy = tesla,
+        description = "Super desc",
+        name = "super name",
+        members = listOf(WorkgroupWithMembersI.Member(tesla, listOf(WorkgroupWithMembersI.Member.Role.MASTER))),
+        anonymous = true
+    )
+
+    @Test
+    fun `can be view your workgroup`() {
+        WorkgroupAccessControl()
+            .canView(workgroupPublic, tesla)
+            .decision `should be` GRANTED
+    }
+
+    @Test
+    fun `can be view your workgroup if is not public`() {
+        WorkgroupAccessControl()
+            .canView(workgroupAnon, tesla)
+            .decision `should be` GRANTED
+    }
+
+    @Test
+    fun `can be view workgroup of other if is public`() {
+        WorkgroupAccessControl()
+            .canView(workgroupPublic, einstein)
+            .decision `should be` GRANTED
+    }
+
+    @Test
+    fun `can not be view workgroup of other if is not public`() {
+        WorkgroupAccessControl()
+            .canView(workgroupAnon, einstein)
+            .decision `should be` DENIED
+    }
+
+    @Test
+    fun `can be view your workgroup list`() {
+        WorkgroupAccessControl()
+            .canView(listOf(workgroupPublic, workgroupAnon), tesla)
+            .decision `should be` GRANTED
+    }
+
+    @Test
+    fun `can be create workgroup`() {
+        WorkgroupAccessControl()
+            .canCreate(workgroupPublic, tesla)
+            .decision `should be` GRANTED
+    }
+
+    @Test
+    fun `can not be create workgroup if not connected`() {
+        WorkgroupAccessControl()
+            .canCreate(workgroupPublic, null)
+            .decision `should be` DENIED
+    }
+
+    @Test
+    fun `can be delete workgroup if owner`() {
+        WorkgroupAccessControl()
+            .canDelete(workgroupPublic, tesla)
+            .decision `should be` GRANTED
+    }
+
+    @Test
+    fun `can not be delete workgroup if not owner`() {
+        WorkgroupAccessControl()
+            .canDelete(workgroupPublic, einstein)
+            .decision `should be` DENIED
+    }
+
+    @Test
+    fun `can be update workgroup if owner`() {
+        WorkgroupAccessControl()
+            .canUpdate(workgroupPublic, tesla)
+            .decision `should be` GRANTED
+    }
+
+    @Test
+    fun `can not be update workgroup if not owner`() {
+        WorkgroupAccessControl()
+            .canUpdate(workgroupPublic, einstein)
+            .decision `should be` DENIED
+    }
+}