#465: Update specs for Api::V1::RepositoriesController, Api::V1::SearchController, Api::V1::UsersController

This commit is contained in:
Vokhmin Alexey V 2015-04-02 00:34:14 +03:00
parent d23e62e8cc
commit c15dfb9b2a
13 changed files with 142 additions and 133 deletions


@ -3,17 +3,13 @@ class Api::V1::RepositoriesController < Api::V1::BaseController
before_action :authenticate_user!
skip_before_action :authenticate_user!, only: [:show, :projects] if APP_CONFIG['anonymous_access']
before_action :load_platform
before_action :load_repository
def show
respond_to :json
end
def projects
@projects = @repository.projects.recent.paginate(paginate_params)
respond_to :json
end
def update
@ -33,7 +29,6 @@ class Api::V1::RepositoriesController < Api::V1::BaseController
end
def key_pair
respond_to :json
end
# Only one request per 15 minutes for each platform
@ -113,14 +108,9 @@ class Api::V1::RepositoriesController < Api::V1::BaseController
private
# Private: before_action hook which loads Platform.
def load_platform
authorize @platform = Platform.find_cached(params[:platform_id]), :show?
end
# Private: before_action hook which loads Repository.
def load_repository
authorize @repository = @platform.repositories.find(params[:id]) if params[:id]
authorize @repository = Repository.find(params[:id])
end
end
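Review bot: `load_repository` is rendered with both lookups and no side markers, so I cannot tell which line survives; if it is `Repository.find(params[:id])`, the repository is no longer fetched through `@platform.repositories`, and an id belonging to a platform other than `params[:platform_id]` is loaded and authorized against its own `record.platform`, which makes the `load_platform` check moot. Keeping the lookup scoped, `authorize @repository = @platform.repositories.find(params[:id])`, ties the two before_actions together and turns a cross-platform id into a 404. The `if params[:id]` guard on the other variant would leave `@repository` nil for `show` and `projects`, so neither line should carry it.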


@ -1,14 +1,12 @@
class Api::V1::SearchController < Api::V1::BaseController
before_action :authenticate_user! unless APP_CONFIG['anonymous_access']
def index
search = Search.new(params[:query], current_ability, paginate_params)
authorize :search
search = Search.new(params[:query], current_user, paginate_params)
types = Search::TYPES.find{ |t| t == params[:type] } || Search::TYPES
@results = {}
[types].flatten.each do |type|
@results[type] = search.send(type)
end
respond_to :json
end
end
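Review bot: `authorize :search` runs before `Search.new`, which is the right order, but `Search` now receives `current_user` and the policy scopes it reaches call `user` directly, so this only works if `current_user` returns a guest stand-in rather than `nil` when `APP_CONFIG['anonymous_access']` is on; worth pinning in the search spec. With the struct taking a user instead of an ability, each `*Policy::Scope#show` becomes the sole visibility filter on results, so the `before_action :authenticate_user!` above guards access to the action, not what it returns. A comment on the `types` line, `# params[:type] is matched against Search::TYPES so that send(type) only reaches whitelisted methods`, would record why the `send` below is safe.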


@ -2,18 +2,15 @@ class Api::V1::UsersController < Api::V1::BaseController
before_action :authenticate_user!
skip_before_action :authenticate_user!, only: [:show] if APP_CONFIG['anonymous_access']
load_and_authorize_resource :user, only: :show
before_action :load_user, only: %i(show)
before_action :set_current_user, except: :show
def show
@user = User.opened.find params[:id] # dont show system users
respond_to :json
end
def show_current_user
respond_to do |format|
format.json { render :show }
end
render :show
end
def update
@ -37,15 +34,18 @@ class Api::V1::UsersController < Api::V1::BaseController
else
render_json_response @user, error_message(@user.notifier, 'User notification settings have not been updated'), 422
end
else
respond_to :json
end
end
protected
def set_current_user
@user = current_user
authorize @user = current_user
end
# Private: before_action hook which loads User.
def load_user
authorize @user = User.find(params[:id])
end
end
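Review bot: `load_user` looks the user up with `User.find(params[:id])`, whereas the `show` action's previous lookup was `User.opened.find params[:id]` with the comment "dont show system users"; unless `UserPolicy#show?` (not in this diff) rejects system users, they become reachable through `show`. If dropping that filter was not intended, `authorize @user = User.opened.find(params[:id])` restores it. Also, `load_user` sits under `protected` while its comment says "Private:", and `only: %i(show)` for a single action reads better as `only: :show`, matching `set_current_user` on the line above it.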


@ -23,14 +23,14 @@ class ApplicationController < ActionController::Base
helper_method :get_owner
unless Rails.env.development?
rescue_from Exception, with: :render_500
rescue_from ActiveRecord::RecordNotFound,
# ActionController::RoutingError, # see: config/routes.rb:<last line>
ActionController::UnknownController,
ActionController::UnknownFormat,
AbstractController::ActionNotFound, with: :render_404
end
# unless Rails.env.development?
# rescue_from Exception, with: :render_500
# rescue_from ActiveRecord::RecordNotFound,
# # ActionController::RoutingError, # see: config/routes.rb:<last line>
# ActionController::UnknownController,
# ActionController::UnknownFormat,
# AbstractController::ActionNotFound, with: :render_404
# end
rescue_from Pundit::NotAuthorizedError do |exception|
redirect_to forbidden_url, alert: t("flash.exception_message")
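Review bot: The rendering does not show whether the `unless Rails.env.development?` rescue block is being enabled or commented out here, and the commit title (spec updates) does not mention it; if the commented copy is the new side, `ActiveRecord::RecordNotFound` raised by the new `load_user`/`load_repository` lookups is no longer mapped to `render_404`, and `render_500` stops standing between exception details and the client. A global toggle of error handling belongs in its own commit with a one-line reason. Note also that `rescue_from Exception` intercepts non-`StandardError` classes such as `SystemExit`; `rescue_from StandardError, with: :render_500` is the usual scope, and the Pundit handler below still wins for `NotAuthorizedError` because later-registered handlers are matched first.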


@ -1,4 +1,4 @@
class Search < Struct.new(:query, :ability, :paginate_params)
class Search < Struct.new(:query, :user, :paginate_params)
include ActiveModel::Conversion
extend ActiveModel::Naming
@ -18,7 +18,10 @@ class Search < Struct.new(:query, :ability, :paginate_params)
if type == 'users'
User.opened
else
type.classify.constantize.accessible_by(ability, :show)
klass = type.classify.constantize
# scope_policy(type.classify.constantize).accessible_by(ability, :show)
"#{klass}Policy::Scope".classify.constantize.new(user, klass).show
# policy_scope(type.classify.constantize).show
end
scope.search(query).
search_order.
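Review bot: The two commented-out alternatives around the live `"#{klass}Policy::Scope".classify.constantize.new(user, klass).show` line should be deleted rather than left beside it; dead variants of an authorization expression invite the next editor to swap the wrong one back in. Every type in `Search::TYPES` other than `'users'` now needs a `...Policy::Scope#show`; this commit adds one to GroupPolicy, ProjectPolicy and UserPolicy, and any other listed type would raise `NoMethodError` at search time, so a spec iterating `Search::TYPES` would catch that. `GroupPolicy::Scope#show` returns the unfiltered scope, so whether groups were previously narrowed by `accessible_by(ability, :show)` should be confirmed before accepting the change in what search returns. The enclosing `scope` method starts before this hunk and its chain continues past it.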


@ -39,4 +39,10 @@ class GroupPolicy < ApplicationPolicy
!user.guest?
end
class Scope < Scope
def show
scope
end
end
end
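Review bot: `Scope#show` returns the base `scope` untouched, so any caller (search included) gets every group regardless of `user`; `UserPolicy::Scope#show` in this commit does the same. If that is the intended visibility rule, say so above the method, `# Groups are listable by every user, guests included; no per-user narrowing here.`, so a reader does not mistake it for a stub. If it is not intended, the filter belongs here rather than in each caller.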


@ -118,6 +118,7 @@ class ProjectPolicy < ApplicationPolicy
)
SQL
end
alias_method :show, :read
protected


@ -8,28 +8,28 @@ class RepositoryPolicy < ApplicationPolicy
alias_method :read?, :show?
def reader?
local_reader?(record.platform)
is_admin? || local_reader?(record.platform)
end
def write?
local_writer?(record.platform)
is_admin? || local_writer?(record.platform)
end
def update?
local_admin?(record.platform)
is_admin? || local_admin?(record.platform)
end
alias_method :manage_members?, :update?
alias_method :regenerate_metadata?, :update?
alias_method :signatures?, :update?
def create?
return false if record.platform.personal? && name == 'main'
local_admin?(record.platform)
return false if record.platform.personal? && record.name == 'main'
is_admin? || owner?(record.platform) || local_admin?(record.platform)
end
alias_method :destroy?, :create?
def packages?
record.platform.main? && local_admin?(record.platform)
record.platform.main? && ( is_admin? || local_admin?(record.platform) )
end
alias_method :remove_member?, :packages?
alias_method :remove_members?, :packages?
@ -37,21 +37,25 @@ class RepositoryPolicy < ApplicationPolicy
alias_method :sync_lock_file?, :packages?
def add_project?
local_admin?(record.platform) || repository_user_ids.include?(user.id)
is_admin? || local_admin?(record.platform) || repository_user_ids.include?(user.id)
end
alias_method :remove_project?, :add_project?
def destroy?
owner?(record.platform)
return false if record.platform.personal? && record.name == 'main'
is_admin? || owner?(record.platform) || local_admin?(record.platform)
end
def settings?
is_admin? || owner?(record.platform) || local_admin?(record.platform)
end
alias_method :settings?, :destroy?
def key_pair?
user.system?
end
def add_repo_lock_file?
user.system? || ( record.platform.main? && local_admin?(record.platform) )
is_admin? || user.system? || ( record.platform.main? && local_admin?(record.platform) )
end
alias_method :remove_repo_lock_file?, :add_repo_lock_file?
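Review bot: `def destroy?` in the second hunk now has the same body as `create?`, and the earlier `alias_method :destroy?, :create?` from the first hunk is silently overridden by that later definition, so one of the two should go; keeping a single source for the `personal? && record.name == 'main'` rule stops the two copies drifting apart. If the explicit `def settings?` is the new side, it shares its body with `destroy?` minus the `'main'` guard, and a comment saying that a personal platform's main repository stays editable even though it cannot be destroyed would make that asymmetry read as intentional. `key_pair?` is the only predicate in the file left without `is_admin?`; if that is deliberate, record it: `# Only the system account may read key material; admins are deliberately excluded.`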


@ -0,0 +1,7 @@
class SearchPolicy < ApplicationPolicy
def index?
APP_CONFIG['anonymous_access'] || !user.guest?
end
end
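Review bot: `index?` calls `user.guest?` whenever `APP_CONFIG['anonymous_access']` is off, so it relies on `ApplicationPolicy` always supplying a non-nil user (a guest stand-in) rather than `nil` for unauthenticated requests; if that guarantee lives elsewhere, a comment here, `# user is never nil: ApplicationPolicy substitutes a guest for anonymous requests`, saves the next reader a trip. Note that `!user&.guest?` would not be a safe fallback, since it evaluates to true for `nil`. The config short-circuit also means the `before_action :authenticate_user! unless APP_CONFIG['anonymous_access']` in the controller and this predicate encode the same rule twice; one of them should be the source of truth.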


@ -7,13 +7,14 @@ class UserPolicy < ApplicationPolicy
def update?
is_admin? || record == user
end
alias_method :notifiers?, :update?
alias_method :show_current_user?, :update?
alias_method :write?, :update?
def write?
is_admin? || record == user
class Scope < Scope
def show
scope
end
def update?
is_admin? || record == user
end
end
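Review bot: `Scope#show` returns the raw `scope`, while `Search#scope` in this same commit special-cases `'users'` to `User.opened` rather than going through this policy, so the two disagree about whether system users are visible. Returning `scope.opened` here (if `opened` is the scope that hides system users, as the removed controller comment suggests) would let the special case in `Search` disappear and keep one rule. The rendering of this section is ambiguous: the trailing `def update?` after `Scope#show` cannot be placed on either side with certainty, so please check the new file does not end up with a second `update?` inside `Scope`.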


@ -15,14 +15,14 @@ end
shared_examples_for 'api repository user without packages rights' do
it 'should not be able to perform packages action' do
get :packages, id: @repository.id, format: :csv
response.should_not be_success
expect(response).to_not be_success
end
end
shared_examples_for 'api repository user with packages rights' do
it 'should be able to perform packages action' do
get :packages, id: @repository.id, format: :csv
response.should be_success
expect(response).to be_success
end
end
@ -37,25 +37,25 @@ end
shared_examples_for "api repository user with show rights" do
it 'should be able to perform show action' do
get :show, id: @repository.id, format: :json
response.should render_template(:show)
expect(response).to render_template(:show)
end
it 'should be able to perform projects action' do
get :projects, id: @repository.id, format: :json
response.should render_template(:projects)
expect(response).to render_template(:projects)
end
end
shared_examples_for "api repository user without show rights" do
it 'should not be able to perform show action' do
get :show, id: @repository.id, format: :json
response.body.should == {"message" => "Access violation to this page!"}.to_json
expect(response.body).to eq({"message" => "Access violation to this page!"}.to_json)
end
end
shared_examples_for "api repository user without key_pair rights" do
it 'should not be able to perform key_pair action' do
get :key_pair, id: @repository.id, format: :json
response.should_not be_success
expect(response).to_not be_success
end
end
@ -67,11 +67,10 @@ shared_examples_for 'api repository user with writer rights' do
end
it 'should be able to perform update action' do
response.should be_success
expect(response).to be_success
end
it 'ensures that repository has been updated' do
@repository.reload
@repository.description.should == 'new description'
expect(@repository.reload.description).to eq 'new description'
end
end
@ -79,7 +78,7 @@ shared_examples_for 'api repository user with writer rights' do
[:add_repo_lock_file, :remove_repo_lock_file].each do |action|
it "should be able to perform #{action} action" do
put action, id: @repository.id, format: :json
response.should be_success
expect(response).to be_success
end
end
end
@ -91,10 +90,10 @@ shared_examples_for 'api repository user with writer rights' do
end
it 'should be able to perform add_member action' do
response.should be_success
expect(response).to be_success
end
it 'ensures that new member has been added to repository' do
@repository.members.should include(member)
expect(@repository.members).to include(member)
end
end
@ -106,39 +105,48 @@ shared_examples_for 'api repository user with writer rights' do
end
it 'should be able to perform remove_member action' do
response.should be_success
expect(response).to be_success
end
it 'ensures that member has been removed from repository' do
@repository.members.should_not include(member)
expect(@repository.members).to_not include(member)
end
end
context 'api repository user with destroy rights' do
it 'should be able to perform destroy action for main platform' do
delete :destroy, id: @repository.id, format: :json
response.should be_success
expect(response).to be_success
end
it 'ensures that repository of main platform has been destroyed' do
lambda { delete :destroy, id: @repository.id, format: :json }.should change{ Repository.count }.by(-1)
expect do
delete :destroy, id: @repository.id, format: :json
end.to change(Repository, :count).by(-1)
end
context 'repository with name "main" of personal platform' do
# hook for "ActiveRecord::ActiveRecordError: name is marked as readonly"
before { Repository.where(id: @personal_repository.id).update_all("name = 'main'") }
before do
Repository.where(id: @personal_repository).update_all(name: 'main')
end
it 'should not be able to perform destroy action' do
delete :destroy, id: @personal_repository.id, format: :json
response.should_not be_success
expect(response).to_not be_success
end
it 'ensures that repository has not been destroyed' do
lambda { delete :destroy, id: @personal_repository.id, format: :json }.should_not change{ Repository.count }
expect do
delete :destroy, id: @personal_repository.id, format: :json
end.to_not change(Repository, :count)
end
end
it 'should be able to perform destroy action for repository with name not "main" of personal platform' do
delete :destroy, id: @personal_repository.id, format: :json
response.should be_success
expect(response).to be_success
end
it 'ensures that repository with name not "main" of personal platform has been destroyed' do
lambda { delete :destroy, id: @personal_repository.id, format: :json }.should change{ Repository.count }.by(-1)
expect do
delete :destroy, id: @personal_repository.id, format: :json
end.to change(Repository, :count).by(-1)
end
end
@ -148,10 +156,10 @@ shared_examples_for 'api repository user with writer rights' do
put :signatures, id: @repository.id, repository: {public: kp.public, secret: kp.secret}, format: :json
end
it 'should be able to perform signatures action' do
response.should be_success
expect(response).to be_success
end
it 'ensures that signatures has been updated' do
@repository.key_pair.should_not be_nil
expect(@repository.key_pair).to_not be_nil
end
end
@ -162,10 +170,10 @@ shared_examples_for 'api repository user with project manage rights' do
context 'api repository user with add_project rights' do
before { put :add_project, id: @repository.id, project_id: @project.id, format: :json }
it 'should be able to perform add_project action' do
response.should be_success
expect(response).to be_success
end
it 'ensures that project has been added to repository' do
@repository.projects.should include(@project)
expect(@repository.projects).to include(@project)
end
end
@ -175,11 +183,10 @@ shared_examples_for 'api repository user with project manage rights' do
delete :remove_project, id: @repository.id, project_id: @project.id, format: :json
end
it 'should be able to perform remove_project action' do
response.should be_success
expect(response).to be_success
end
it 'ensures that project has been removed from repository' do
@repository.reload
@repository.projects.should_not include(@project)
expect(@repository.reload.projects).to_not include(@project)
end
end
@ -193,11 +200,10 @@ shared_examples_for 'api repository user without writer rights' do
end
it 'should not be able to perform update action' do
response.should_not be_success
expect(response).to_not be_success
end
it 'ensures that repository has not been updated' do
@repository.reload
@repository.description.should_not == 'new description'
expect(@repository.reload.description).to_not eq 'new description'
end
end
@ -205,7 +211,7 @@ shared_examples_for 'api repository user without writer rights' do
[:add_repo_lock_file, :remove_repo_lock_file].each do |action|
it "should not be able to perform #{action} action" do
put action, id: @repository.id, format: :json
response.should_not be_success
expect(response).to_not be_success
end
end
end
@ -217,10 +223,10 @@ shared_examples_for 'api repository user without writer rights' do
end
it 'should not be able to perform add_member action' do
response.should_not be_success
expect(response).to_not be_success
end
it 'ensures that new member has not been added to repository' do
@repository.members.should_not include(member)
expect(@repository.members).to_not include(member)
end
end
@ -232,27 +238,31 @@ shared_examples_for 'api repository user without writer rights' do
end
it 'should be able to perform update action' do
response.should_not be_success
expect(response).to_not be_success
end
it 'ensures that member has not been removed from repository' do
@repository.members.should include(member)
expect(@repository.members).to include(member)
end
end
context 'api repository user without destroy rights' do
it 'should not be able to perform destroy action for repository of main platform' do
delete :destroy, id: @repository.id, format: :json
response.should_not be_success
expect(response).to_not be_success
end
it 'ensures that repository of main platform has not been destroyed' do
lambda { delete :destroy, id: @repository.id, format: :json }.should_not change{ Repository.count }
expect do
delete :destroy, id: @repository.id, format: :json
end.to_not change(Repository, :count)
end
it 'should not be able to perform destroy action for repository of personal platform' do
delete :destroy, id: @personal_repository.id, format: :json
response.should_not be_success
expect(response).to_not be_success
end
it 'ensures that repository of personal platform has not been destroyed' do
lambda { delete :destroy, id: @personal_repository.id, format: :json }.should_not change{ Repository.count }
expect do
delete :destroy, id: @personal_repository.id, format: :json
end.to_not change(Repository, :count)
end
end
@ -262,10 +272,10 @@ shared_examples_for 'api repository user without writer rights' do
put :signatures, id: @repository.id, repository: {public: kp.public, secret: kp.secret}, format: :json
end
it 'should not be able to perform signatures action' do
response.should_not be_success
expect(response).to_not be_success
end
it 'ensures that signatures has not been updated' do
@repository.key_pair.should be_nil
expect(@repository.key_pair).to be_nil
end
end
@ -275,10 +285,10 @@ shared_examples_for 'api repository user without project manage rights' do
context 'api repository user without add_project rights' do
before { put :add_project, id: @repository.id, project_id: @project.id, format: :json }
it 'should not be able to perform add_project action' do
response.should_not be_success
expect(response).to_not be_success
end
it 'ensures that project has not been added to repository' do
@repository.projects.should_not include(@project)
expect(@repository.projects).to_not include(@project)
end
end
@ -288,11 +298,10 @@ shared_examples_for 'api repository user without project manage rights' do
delete :remove_project, id: @repository.id, project_id: @project.id, format: :json
end
it 'should not be able to perform remove_project action' do
response.should_not be_success
expect(response).to_not be_success
end
it 'ensures that project has not been removed from repository' do
@repository.reload
@repository.projects.should include(@project)
expect(@repository.reload.projects).to include(@project)
end
end
end
@ -312,7 +321,7 @@ describe Api::V1::RepositoriesController, type: :controller do
context 'for guest' do
it "should not be able to perform show action", :anonymous_access => false do
get :show, id: @repository.id, format: :json
response.status.should == 401
expect(response.status).to eq 401
end
if APP_CONFIG['anonymous_access']
@ -326,7 +335,7 @@ describe Api::V1::RepositoriesController, type: :controller do
it 'should not be able to perform projects action', anonymous_access: false do
get :projects, id: @repository.id, format: :json
response.should_not be_success
expect(response).to_not be_success
end
end
@ -400,13 +409,13 @@ describe Api::V1::RepositoriesController, type: :controller do
it 'should be able to perform key_pair action when repository has not keys' do
get :key_pair, id: @repository.id, format: :json
response.should be_success
expect(response).to be_success
end
it 'should be able to perform key_pair action when repository has keys' do
FactoryGirl.create(:key_pair, repository: @repository)
get :key_pair, id: @repository.id, format: :json
response.should be_success
expect(response).to be_success
end
end
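Review bot: The negative authorization examples still assert only `expect(response).to_not be_success`, which passes equally on a 500 from a misconfigured policy (for instance a missing `Policy::Scope#show`) as on a real denial, so a crash reads as "correctly forbidden"; the `without show rights` example already pins the body to `{"message" => "Access violation to this page!"}.to_json`, and the other denial examples should pin the status or body the same way. The same applies to the merged update/notifiers examples in the users controller spec. Separately, `Repository.where(id: @personal_repository)` passes a record where an id is meant; `where(id: @personal_repository.id)` is explicit and does not depend on ActiveRecord's record-to-id coercion.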


@ -3,14 +3,14 @@ require 'spec_helper'
shared_examples_for 'able search with api' do
it 'should be able to search' do
get :index, format: :json
response.should be_success
response.should render_template(:index)
expect(response).to be_success
expect(response).to render_template(:index)
end
end
shared_examples_for 'not able search with api' do
it 'should not be able to search' do
get :index, format: :json
response.code.should eq('401')
expect(response.code).to eq('401')
end
end
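Review bot: `expect(response.code).to eq('401')` compares a string, while the repositories spec in this same commit checks `expect(response.status).to eq 401`; the two should use one form, and `expect(response).to have_http_status(401)` reads best if the project's rspec-rails provides it. The `not able search with api` example is only meaningful when `APP_CONFIG['anonymous_access']` is off, since `SearchPolicy#index?` short-circuits on that flag; tagging it `anonymous_access: false` like the repositories examples would make that explicit.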


@ -12,39 +12,35 @@ describe Api::V1::UsersController, type: :controller do
[:show_current_user, :notifiers].each do |action|
it "should not be able to perform #{ action } action for a current user" do
get action, format: :json
response.should_not be_success
expect(response).to_not be_success
end
end
it 'should be able to perform show action for a single user', :anonymous_access => true do
get :show, id: @user.id, format: :json
response.should render_template(:show)
expect(response).to render_template(:show)
end
it 'should not be able to perform show action for a single user', :anonymous_access => false do
get :show, id: @user.id, format: :json
response.should_not be_success
expect(response).to_not be_success
end
context 'should not be able to perform update action for a current user' do
before do
put :update, user: { company: 'test_company' }, format: :json
end
it { response.should_not be_success }
it 'ensures that user has not been updated' do
@user.reload
@user.company.should_not == 'test_company'
put :update, user: { company: 'test_company' }, format: :json
expect(response).to_not be_success
expect(@user.reload.company).to_not eq 'test_company'
end
end
context 'should not be able to perform notifiers action for a current user' do
before do
put :notifiers, notifiers: { can_notify: false }, format: :json
end
it { response.should_not be_success }
it 'ensures that user notification settings have not been updated' do
@user.reload
@user.notifier.can_notify.should be_truthy
put :notifiers, notifiers: { can_notify: false }, format: :json
expect(response).to_not be_success
expect(@user.reload.notifier.can_notify).to be_truthy
end
end
@ -58,34 +54,28 @@ describe Api::V1::UsersController, type: :controller do
[:show_current_user, :notifiers].each do |action|
it "should be able to perform #{ action } action for a current user" do
get action, format: :json
response.should be_success
expect(response).to be_success
end
end
it 'should be able to perform show action for a single user' do
get :show, id: @user.id, format: :json
response.should render_template(:show)
expect(response).to render_template(:show)
end
context 'should be able to perform update action for a current user' do
before do
put :update, user: { company: 'test_company' }, format: :json
end
it { response.should be_success }
it 'ensures that user has been updated' do
@user.reload
@user.company.should == 'test_company'
put :update, user: { company: 'test_company' }, format: :json
expect(response).to be_success
expect(@user.reload.company).to eq 'test_company'
end
end
context 'should be able to perform notifiers action for a current user' do
before do
put :notifiers, notifiers: {can_notify: false }, format: :json
end
it { response.should be_success }
it 'ensures that user notification settings have been updated' do
@user.reload
@user.notifier.can_notify.should be_falsy
put :notifiers, notifiers: {can_notify: false }, format: :json
expect(response).to be_success
expect(@user.reload.notifier.can_notify).to be_falsy
end
end