X-Git-Url: https://git.openstreetmap.org./rails.git/blobdiff_plain/8bd001f1282b7a33a71c0565504e160dbe567d5d..9af32c9ad4c92e1132fc391965bc84defa5e9577:/test/controllers/user_preferences_controller_test.rb
diff --git a/test/controllers/user_preferences_controller_test.rb b/test/controllers/user_preferences_controller_test.rb
index 3e5cbb369..99b40d5f0 100644
--- a/test/controllers/user_preferences_controller_test.rb
+++ b/test/controllers/user_preferences_controller_test.rb
@@ -96,8 +96,7 @@ class UserPreferencesControllerTest < ActionController::TestCase
# try a put without auth
assert_no_difference "UserPreference.count" do
- content ""
- put :update
+ put :update, :body => ""
end
assert_response :unauthorized, "should be authenticated"
assert_equal "value", UserPreference.find([user.id, "key"]).v
@@ -111,8 +110,7 @@ class UserPreferencesControllerTest < ActionController::TestCase
# try the put again
assert_no_difference "UserPreference.count" do
- content ""
- put :update
+ put :update, :body => ""
end
assert_response :success
assert_equal "text/plain", @response.content_type
@@ -125,8 +123,7 @@ class UserPreferencesControllerTest < ActionController::TestCase
# try a put with duplicate keys
assert_no_difference "UserPreference.count" do
- content ""
- put :update
+ put :update, :body => ""
end
assert_response :bad_request
assert_equal "text/plain", @response.content_type
@@ -135,8 +132,7 @@ class UserPreferencesControllerTest < ActionController::TestCase
# try a put with invalid content
assert_no_difference "UserPreference.count" do
- content "nonsense"
- put :update
+ put :update, :body => "nonsense"
end
assert_response :bad_request
end
@@ -149,8 +145,7 @@ class UserPreferencesControllerTest < ActionController::TestCase
# try a put without auth
assert_no_difference "UserPreference.count" do
- content "new_value"
- put :update_one, :params => { :preference_key => "new_key" }
+ put :update_one, :params => { :preference_key => "new_key" }, :body => "new_value"
end
assert_response :unauthorized, "should be authenticated"
assert_raises ActiveRecord::RecordNotFound do
@@ -162,8 +157,7 @@ class UserPreferencesControllerTest < ActionController::TestCase
# try adding a new preference
assert_difference "UserPreference.count", 1 do
- content "new_value"
- put :update_one, :params => { :preference_key => "new_key" }
+ put :update_one, :params => { :preference_key => "new_key" }, :body => "new_value"
end
assert_response :success
assert_equal "text/plain", @response.content_type
@@ -172,8 +166,7 @@ class UserPreferencesControllerTest < ActionController::TestCase
# try changing the value of a preference
assert_no_difference "UserPreference.count" do
- content "newer_value"
- put :update_one, :params => { :preference_key => "new_key" }
+ put :update_one, :params => { :preference_key => "new_key" }, :body => "newer_value"
end
assert_response :success
assert_equal "text/plain", @response.content_type
@@ -217,4 +210,35 @@ class UserPreferencesControllerTest < ActionController::TestCase
UserPreference.find([user.id, "key"])
end
end
+
+ # Ensure that a valid access token with correct capabilities can be used to
+ # read preferences
+ def test_read_one_using_token
+ user = create(:user)
+ token = create(:access_token, :user => user, :allow_read_prefs => true)
+ create(:user_preference, :user => user, :k => "key", :v => "value")
+
+ # Hack together an oauth request - an alternative would be to sign the request properly
+ @request.env["oauth.version"] = 1
+ @request.env["oauth.strategies"] = [:token]
+ @request.env["oauth.token"] = token
+
+ get :read_one, :params => { :preference_key => "key" }
+ assert_response :success
+ end
+
+ # Ensure that a valid access token with incorrect capabilities can't be used
+ # to read preferences even, though the owner of that token could read them
+ # by other methods.
+ def test_read_one_using_token_fail
+ user = create(:user)
+ token = create(:access_token, :user => user, :allow_read_prefs => false)
+ create(:user_preference, :user => user, :k => "key", :v => "value")
+ @request.env["oauth.version"] = 1
+ @request.env["oauth.strategies"] = [:token]
+ @request.env["oauth.token"] = token
+
+ get :read_one, :params => { :preference_key => "key" }
+ assert_response :forbidden
+ end
end