##
# test adding tags to a node
def test_duplicate_tags
+ existing = create(:node_tag, :node => current_nodes(:public_visible_node))
# setup auth
basic_authorization(users(:public_user).email, "test")
# add an identical tag to the node
tag_xml = XML::Node.new("tag")
- tag_xml["k"] = current_node_tags(:public_v_t1).k
- tag_xml["v"] = current_node_tags(:public_v_t1).v
+ tag_xml["k"] = existing.k
+ tag_xml["v"] = existing.v
# add the tag into the existing xml
node_xml = current_nodes(:public_visible_node).to_xml
put :update, :id => current_nodes(:public_visible_node).id
assert_response :bad_request,
"adding duplicate tags to a node should fail with 'bad request'"
- assert_equal "Element node/#{current_nodes(:public_visible_node).id} has duplicate tags with key #{current_node_tags(:t1).k}", @response.body
+ assert_equal "Element node/#{current_nodes(:public_visible_node).id} has duplicate tags with key #{existing.k}", @response.body
end
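Review bot: The duplicate built in `test_duplicate_tags` copies both `existing.k` and `existing.v`, so the test only exercises an exact key-and-value repeat, while the asserted message ("has duplicate tags with key ...") describes a rule keyed on `k` alone. A regression that rejected a repeated key only when the value also matched would still pass this test. I would send a different value under the same key, for example `tag_xml["v"] = "#{existing.v}_other"`, or add that as a second case next to the current one. The lines that attach `tag_xml` to `node_xml` and set the request body are not visible in this hunk, so this assumes they are unchanged by the commit.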
# test whether string injection is possible
# try and put something into a string that the API might
# use unquoted and therefore allow code injection...
content "<osm><node lat='0' lon='0' changeset='#{changeset_id}'>" +
- '<tag k="#{@user.inspect}" v="0"/>' +
- "</node></osm>"
+ '<tag k="#{@user.inspect}" v="0"/>' +
+ "</node></osm>"
put :create
assert_require_public_data "Shouldn't be able to create with non-public user"
# try and put something into a string that the API might
# use unquoted and therefore allow code injection...
content "<osm><node lat='0' lon='0' changeset='#{changeset_id}'>" +
- '<tag k="#{@user.inspect}" v="0"/>' +
- "</node></osm>"
+ '<tag k="#{@user.inspect}" v="0"/>' +
+ "</node></osm>"
put :create
assert_response :success
nodeid = @response.body
assert apinode.tags.include?("\#{@user.inspect}")
end
- def basic_authorization(user, pass)
- @request.env["HTTP_AUTHORIZATION"] = "Basic %s" % Base64.encode64("#{user}:#{pass}")
- end
-
- def content(c)
- @request.env["RAW_POST_DATA"] = c.to_s
- end
-
##
# update the changeset_id of a node element
def update_changeset(xml, changeset_id)