X-Git-Url: https://git.openstreetmap.org./rails.git/blobdiff_plain/6f2f9221ef230142bc8c28b3942e306a13ce206b..9af32c9ad4c92e1132fc391965bc84defa5e9577:/test/controllers/user_preferences_controller_test.rb diff --git a/test/controllers/user_preferences_controller_test.rb b/test/controllers/user_preferences_controller_test.rb index ddd7e2a40..99b40d5f0 100644 --- a/test/controllers/user_preferences_controller_test.rb +++ b/test/controllers/user_preferences_controller_test.rb @@ -210,4 +210,35 @@ class UserPreferencesControllerTest < ActionController::TestCase UserPreference.find([user.id, "key"]) end end + + # Ensure that a valid access token with correct capabilities can be used to + # read preferences + def test_read_one_using_token + user = create(:user) + token = create(:access_token, :user => user, :allow_read_prefs => true) + create(:user_preference, :user => user, :k => "key", :v => "value") + + # Hack together an oauth request - an alternative would be to sign the request properly + @request.env["oauth.version"] = 1 + @request.env["oauth.strategies"] = [:token] + @request.env["oauth.token"] = token + + get :read_one, :params => { :preference_key => "key" } + assert_response :success + end + + # Ensure that a valid access token with incorrect capabilities can't be used + # to read preferences even, though the owner of that token could read them + # by other methods. + def test_read_one_using_token_fail + user = create(:user) + token = create(:access_token, :user => user, :allow_read_prefs => false) + create(:user_preference, :user => user, :k => "key", :v => "value") + @request.env["oauth.version"] = 1 + @request.env["oauth.strategies"] = [:token] + @request.env["oauth.token"] = token + + get :read_one, :params => { :preference_key => "key" } + assert_response :forbidden + end end