assert_response :unauthorized, "node upload did not return unauthorized status"
## Now try with the user which doesn't have their data public
- basic_authorization(private_user.email, "test")
+ basic_authorization private_user.email, "test"
# create a minimal xml file
content("<osm><node lat='#{lat}' lon='#{lon}' changeset='#{private_changeset.id}'/></osm>")
assert_require_public_data "node create did not return forbidden status"
## Now try with the user that has the public data
- basic_authorization(user.email, "test")
+ basic_authorization user.email, "test"
# create a minimal xml file
content("<osm><node lat='#{lat}' lon='#{lon}' changeset='#{changeset.id}'/></osm>")
user = create(:user)
changeset = create(:changeset, :user => user)
- basic_authorization(user.email, "test")
+ basic_authorization user.email, "test"
lat = 3.434
lon = 3.23
assert_response :unauthorized
## now set auth for the non-data public user
- basic_authorization(private_user.email, "test")
+ basic_authorization private_user.email, "test"
# try to delete with an invalid (closed) changeset
content update_changeset(private_node.to_xml, private_user_closed_changeset.id)
changeset = create(:changeset, :user => user)
closed_changeset = create(:changeset, :closed, :user => user)
node = create(:node, :changeset => changeset)
- basic_authorization(user.email, "test")
+ basic_authorization user.email, "test"
# try to delete with an invalid (closed) changeset
content update_changeset(node.to_xml, closed_changeset.id)
## Second test with the private user
# setup auth
- basic_authorization(private_user.email, "test")
+ basic_authorization private_user.email, "test"
## trying to break changesets
assert_response :forbidden
# setup auth
- basic_authorization(user.email, "test")
+ basic_authorization user.email, "test"
## trying to break changesets
existing_tag = create(:node_tag)
assert_equal true, existing_tag.node.changeset.user.data_public
# setup auth
- basic_authorization(existing_tag.node.changeset.user.email, "test")
+ basic_authorization existing_tag.node.changeset.user.email, "test"
# add an identical tag to the node
tag_xml = XML::Node.new("tag")
changeset = create(:changeset, :user => user)
## First try with the non-data public user
- basic_authorization(private_user.email, "test")
+ basic_authorization private_user.email, "test"
# try and put something into a string that the API might
# use unquoted and therefore allow code injection...
- content "<osm><node lat='0' lon='0' changeset='#{private_changeset.id}'>" +
- '<tag k="#{@user.inspect}" v="0"/>' +
+ content "<osm><node lat='0' lon='0' changeset='#{private_changeset.id}'>" \
+ '<tag k="#{@user.inspect}" v="0"/>' \
"</node></osm>"
put :create
assert_require_public_data "Shouldn't be able to create with non-public user"
## Then try with the public data user
- basic_authorization(user.email, "test")
+ basic_authorization user.email, "test"
# try and put something into a string that the API might
# use unquoted and therefore allow code injection...
- content "<osm><node lat='0' lon='0' changeset='#{changeset.id}'>" +
- '<tag k="#{@user.inspect}" v="0"/>' +
+ content "<osm><node lat='0' lon='0' changeset='#{changeset.id}'>" \
+ '<tag k="#{@user.inspect}" v="0"/>' \
"</node></osm>"
put :create
assert_response :success
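Review bot: The single-quoted `'<tag k="#{@user.inspect}" v="0"/>'` fragment, in both requests of this hunk, is the injection probe and has to reach the API as literal text, but nothing on these lines says the quoting is deliberate. If a later quote-style cleanup switched it to double quotes, Ruby would evaluate `@user.inspect` inside the test, the request would still succeed, and the test would no longer probe the server. I would add `# single quotes are deliberate: the literal text #{@user.inspect} must be sent as the tag key` above each `content` call. The visible lines assert only `:success`, and the test method starts and ends outside the hunk. If the code that follows does not already compare the stored tag key with the literal string, that assertion is worth adding.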