From 84e5f3ead3b3ebd51e28e228e861d30988200a40 Mon Sep 17 00:00:00 2001 From: Vokhmin Alexey V Date: Thu, 18 Oct 2012 19:44:28 +0400 Subject: [PATCH] #698: updated specs, permission access --- .../api/v1/advisories_controller.rb | 15 +++- .../api/v1/advisories_controller_spec.rb | 79 ++++++++++++++++++- 2 files changed, 86 insertions(+), 8 deletions(-) diff --git a/app/controllers/api/v1/advisories_controller.rb b/app/controllers/api/v1/advisories_controller.rb index 688b72ee8..9e90f748d 100644 --- a/app/controllers/api/v1/advisories_controller.rb +++ b/app/controllers/api/v1/advisories_controller.rb @@ -2,9 +2,9 @@ class Api::V1::AdvisoriesController < Api::V1::BaseController before_filter :authenticate_user! skip_before_filter :authenticate_user!, :only => [:index, :show] if APP_CONFIG['anonymous_access'] - load_and_authorize_resource :advisory, :find_by => :advisory_id - load_and_authorize_resource :build_list, - :find_by => :build_list_id, :only => [:create, :update] + load_resource :advisory, :find_by => :advisory_id + before_filter :find_build_list, :only => [:create, :update] + authorize_resource :build_list, :only => [:create, :update] def index @advisories = @advisories.scoped(:include => :platforms). @@ -26,7 +26,7 @@ class Api::V1::AdvisoriesController < Api::V1::BaseController end def update - if @build_list.status == BuildList::BUILD_PUBLISHED && + if @advisory && @build_list.status == BuildList::BUILD_PUBLISHED && @advisory.attach_build_list(@build_list) && @advisory.save && @build_list.save render_json_response @advisory, "Build list '#{@build_list.id}' has been attached to advisory successfully" @@ -35,4 +35,11 @@ class Api::V1::AdvisoriesController < Api::V1::BaseController end end + protected + + def find_build_list + @build_list = BuildList.find params[:build_list_id] + authorize! :publish, @build_list + end + end 
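Review bot: Replacing `load_and_authorize_resource :advisory` with `load_resource :advisory` drops every `authorize!` call on the advisory itself, so `show` (and `index`, unless CanCan's `accessible_by` scoping applies to the loaded collection) is now gated by authentication alone, and `create`/`update` are authorized only through the build list; the bodies of `index` and `show` are outside this hunk, so I cannot see whether they compensate. If advisories are meant to be readable by any authenticated user and writable by whoever may publish the build list, say so next to the filters, e.g. `# the advisory is not authorized directly: reads are open to any (authenticated) user, create/update are gated by :publish on the build list`; otherwise keep `authorize_resource :advisory` for `show`. The same hunk adds `authorize_resource :build_list, :only => [:create, :update]`, which checks the `:create`/`:update` abilities on the build list, while `find_build_list` in the last hunk of this file checks `:publish` on it; two checks with different action names make the effective policy hard to read, so keep only the explicit `authorize! :publish, @build_list` unless the `:create`/`:update` abilities on BuildList are deliberately required as well.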
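Review bot: The added `@advisory &&` guard in `update` folds a missing advisory into the same failure branch as an unpublished build list, so a client cannot distinguish "no such advisory" from "build list cannot be attached"; the `else` branch is outside the hunk. Since `load_resource ... :find_by => :advisory_id` yields `nil` for an unknown id, a `raise ActiveRecord::RecordNotFound unless @advisory` ahead of the condition would surface a not-found response the same way `BuildList.find` already does for `build_list_id`, assuming the API base controller maps `RecordNotFound` to a JSON 404. The chained `@advisory.save && @build_list.save` is unchanged by this patch, but note that it is not transactional, so a failing `@build_list.save` leaves the advisory saved.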
diff --git a/spec/controllers/api/v1/advisories_controller_spec.rb b/spec/controllers/api/v1/advisories_controller_spec.rb
index 061f27c19..cbac3a514 100644
--- a/spec/controllers/api/v1/advisories_controller_spec.rb
+++ b/spec/controllers/api/v1/advisories_controller_spec.rb
@@ -13,6 +13,74 @@ shared_examples_for 'api advisories user with show rights' do end end +shared_examples_for 'api advisories user with admin rights' do + context 'api advisories user with create rights' do + let(:params) { {:build_list_id => @build_list.id, :advisory => {:description => 'test'}} } + it 'should be able to perform create action' do + post :create, params, :format => :json + response.should be_success + end + it 'ensures that advisory has been created' do + lambda { post :create, params, :format => :json }.should change{ Advisory.count }.by(1) + end + it 'ensures that build_list has been associated with advisory' do + post :create, params, :format => :json + @build_list.reload + @build_list.advisory.should_not be_nil + end + end + + context 'api advisories user with update rights' do + let(:params) { {:id => @advisory.advisory_id, :build_list_id => @build_list.id} } + it 'should be able to perform update action' do + put :update, params, :format => :json + response.should be_success + end + it 'ensures that advisory has not been created' do + lambda { put :update, params, :format => :json }.should_not change{ Advisory.count } + end + it 'ensures that build_list has been associated with advisory' do + put :update, params, :format => :json + @build_list.reload + @build_list.advisory.should_not be_nil + end + end +end + +shared_examples_for 'api advisories user without admin rights' do + context 'api advisories user without create rights' do + let(:params) { {:build_list_id => @build_list.id, :advisory => {:description => 'test'}} } + it 'should not be able to perform create action' do + post :create, params, :format => :json + response.should_not be_success + end + it 'ensures that advisory has not been created' do + lambda { post :create, params, :format => :json }.should_not change{ Advisory.count } + end + it 'ensures that build_list has not been associated with advisory' do + post :create, params, :format => :json + @build_list.reload + 
@build_list.advisory.should be_nil + end + end + + context 'api advisories user without update rights' do + let(:params) { {:id => @advisory.advisory_id, :build_list_id => @build_list.id} } + it 'should not be able to perform update action' do + put :update, params, :format => :json + response.should_not be_success + end + it 'ensures that advisory has not been created' do + lambda { put :update, params, :format => :json }.should_not change{ Advisory.count } + end + it 'ensures that build_list has not been associated with advisory' do + put :update, params, :format => :json + @build_list.reload + @build_list.advisory.should be_nil + end + end +end + describe Api::V1::AdvisoriesController do before do @@ -20,7 +88,7 @@ describe Api::V1::AdvisoriesController do @advisory = FactoryGirl.create(:advisory) @build_list = FactoryGirl.create(:build_list_core) - @another_user = FactoryGirl.create(:user) + @build_list.update_column(:status, BuildList::BUILD_PUBLISHED) end context 'for guest' do @@ -38,7 +106,7 @@ describe Api::V1::AdvisoriesController do get :index, :format => :json response.should_not be_success end - + it_should_behave_like 'api advisories user without admin rights' end context 'for simple user' do @@ -47,7 +115,7 @@ describe Api::V1::AdvisoriesController do http_login(@user) end it_should_behave_like 'api advisories user with show rights' - + it_should_behave_like 'api advisories user without admin rights' end context 'for admin' do 
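Review bot: The negative examples in both `without ... rights` contexts assert only `response.should_not be_success`, which also passes on a 500 or a 422, so a broken authorization path (or an exception in `find_build_list`) would not be caught; pin the status the base controller returns for `CanCan::AccessDenied`, e.g. `response.status.should == 403`, assuming that is the mapping. In the `with admin rights` update context, `@build_list.advisory.should_not be_nil` does not verify that the build list was attached to the advisory named in `params`; `@build_list.advisory.should == @advisory` pins it. The `should_not change{ Advisory.count }` example under `without update rights` is satisfied by `update` regardless of permissions and adds no coverage.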
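Review bot: The top-level `before` now forces `@build_list` to `BuildList::BUILD_PUBLISHED` for every context, so the controller's rule that only a published build list may be attached (`@build_list.status == BuildList::BUILD_PUBLISHED` in `update`) is never exercised by these specs; add a context that leaves the status non-published and expects `update` to fail with `@build_list.advisory` still `nil`, since that check is part of the access policy rather than a cosmetic one. `update_column` skips validations and callbacks, which is fine for fixture setup but deserves a one-line comment such as `# bypass callbacks: update only accepts a published build list`.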
@@ -57,16 +125,19 @@ describe Api::V1::AdvisoriesController do end it_should_behave_like 'api advisories user with show rights' + it_should_behave_like 'api advisories user with admin rights' end context 'for user who has access to update build_list' do before do @user = FactoryGirl.create(:user) - @build_list.project.relations.create(:role => 'фвьшт', :actor => @user) + @build_list.project.relations.create(:role => 'admin', :actor => @user) + @build_list.save_to_platform.relations.create(:role => 'admin', :actor => @user) http_login(@user) end it_should_behave_like 'api advisories user with show rights' + it_should_behave_like 'api advisories user with admin rights' end end
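Review bot: With `'admin'` granted on both `@build_list.project` and `@build_list.save_to_platform`, the 'for user who has access to update build_list' context no longer shows which relation the `:publish` ability actually requires, so a change that made a project admin alone (or a platform admin alone) sufficient would pass unnoticed. Split the setup into one context with only the project relation and one with only the platform relation, each asserting the outcome the ability is meant to give, so the `it_should_behave_like` lines document the rule. The replaced role `'фвьшт'` is `admin` typed on a Cyrillic layout, meaning this context was effectively testing a user with no rights before the patch; that is worth a sentence in the commit message.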