# authenticate as a user with no preferences
basic_authorization create(:user).email, "test"
- grant_oauth_token :allow_read_prefs
# try the read again
get :read
# authenticate as a user with preferences
basic_authorization user.email, "test"
- grant_oauth_token :allow_read_prefs
# try the read again
get :read_one, :params => { :preference_key => "key" }
# try a put without auth
assert_no_difference "UserPreference.count" do
- content "<osm><preferences><preference k='key' v='new_value'/><preference k='new_key' v='value'/></preferences></osm>"
- put :update
+ put :update, :body => "<osm><preferences><preference k='key' v='new_value'/><preference k='new_key' v='value'/></preferences></osm>"
end
assert_response :unauthorized, "should be authenticated"
assert_equal "value", UserPreference.find([user.id, "key"]).v
# authenticate as a user with preferences
basic_authorization user.email, "test"
- grant_oauth_token :allow_write_prefs
# try the put again
assert_no_difference "UserPreference.count" do
- content "<osm><preferences><preference k='key' v='new_value'/><preference k='new_key' v='value'/></preferences></osm>"
- put :update
+ put :update, :body => "<osm><preferences><preference k='key' v='new_value'/><preference k='new_key' v='value'/></preferences></osm>"
end
assert_response :success
assert_equal "text/plain", @response.content_type
# try a put with duplicate keys
assert_no_difference "UserPreference.count" do
- content "<osm><preferences><preference k='key' v='value'/><preference k='key' v='newer_value'/></preferences></osm>"
- put :update
+ put :update, :body => "<osm><preferences><preference k='key' v='value'/><preference k='key' v='newer_value'/></preferences></osm>"
end
assert_response :bad_request
assert_equal "text/plain", @response.content_type
# try a put with invalid content
assert_no_difference "UserPreference.count" do
- content "nonsense"
- put :update
+ put :update, :body => "nonsense"
end
assert_response :bad_request
end
# try a put without auth
assert_no_difference "UserPreference.count" do
- content "new_value"
- put :update_one, :params => { :preference_key => "new_key" }
+ put :update_one, :params => { :preference_key => "new_key" }, :body => "new_value"
end
assert_response :unauthorized, "should be authenticated"
assert_raises ActiveRecord::RecordNotFound do
# authenticate as a user with preferences
basic_authorization user.email, "test"
- grant_oauth_token :allow_write_prefs
# try adding a new preference
assert_difference "UserPreference.count", 1 do
- content "new_value"
- put :update_one, :params => { :preference_key => "new_key" }
+ put :update_one, :params => { :preference_key => "new_key" }, :body => "new_value"
end
assert_response :success
assert_equal "text/plain", @response.content_type
# try changing the value of a preference
assert_no_difference "UserPreference.count" do
- content "newer_value"
- put :update_one, :params => { :preference_key => "new_key" }
+ put :update_one, :params => { :preference_key => "new_key" }, :body => "newer_value"
end
assert_response :success
assert_equal "text/plain", @response.content_type
# authenticate as a user with preferences
basic_authorization user.email, "test"
- grant_oauth_token :allow_write_prefs
# try the delete again
assert_difference "UserPreference.count", -1 do
UserPreference.find([user.id, "key"])
end
end
+
+ # Ensure that a valid access token with correct capabilities can be used to
+ # read preferences
+ def test_read_one_using_token
+ user = create(:user)
+ token = create(:access_token, :user => user, :allow_read_prefs => true)
+ create(:user_preference, :user => user, :k => "key", :v => "value")
+
+ # Hack together an oauth request - an alternative would be to sign the request properly
+ @request.env["oauth.version"] = 1
+ @request.env["oauth.strategies"] = [:token]
+ @request.env["oauth.token"] = token
+
+ get :read_one, :params => { :preference_key => "key" }
+ assert_response :success
+ end
+
+ # Ensure that a valid access token with incorrect capabilities can't be used
+ # to read preferences even, though the owner of that token could read them
+ # by other methods.
+ def test_read_one_using_token_fail
+ user = create(:user)
+ token = create(:access_token, :user => user, :allow_read_prefs => false)
+ create(:user_preference, :user => user, :k => "key", :v => "value")
+ @request.env["oauth.version"] = 1
+ @request.env["oauth.strategies"] = [:token]
+ @request.env["oauth.token"] = token
+
+ get :read_one, :params => { :preference_key => "key" }
+ assert_response :forbidden
+ end
end
projects / rails.git / blobdiff