X-Git-Url: https://git.openstreetmap.org./rails.git/blobdiff_plain/9408ed69466acd83d6c18f555d20eba41da9af2b..9af32c9ad4c92e1132fc391965bc84defa5e9577:/test/controllers/user_preferences_controller_test.rb?ds=sidebyside diff --git a/test/controllers/user_preferences_controller_test.rb b/test/controllers/user_preferences_controller_test.rb index 3e5cbb369..99b40d5f0 100644 --- a/test/controllers/user_preferences_controller_test.rb +++ b/test/controllers/user_preferences_controller_test.rb @@ -96,8 +96,7 @@ class UserPreferencesControllerTest < ActionController::TestCase # try a put without auth assert_no_difference "UserPreference.count" do - content "" - put :update + put :update, :body => "" end assert_response :unauthorized, "should be authenticated" assert_equal "value", UserPreference.find([user.id, "key"]).v @@ -111,8 +110,7 @@ class UserPreferencesControllerTest < ActionController::TestCase # try the put again assert_no_difference "UserPreference.count" do - content "" - put :update + put :update, :body => "" end assert_response :success assert_equal "text/plain", @response.content_type @@ -125,8 +123,7 @@ class UserPreferencesControllerTest < ActionController::TestCase # try a put with duplicate keys assert_no_difference "UserPreference.count" do - content "" - put :update + put :update, :body => "" end assert_response :bad_request assert_equal "text/plain", @response.content_type @@ -135,8 +132,7 @@ class UserPreferencesControllerTest < ActionController::TestCase # try a put with invalid content assert_no_difference "UserPreference.count" do - content "nonsense" - put :update + put :update, :body => "nonsense" end assert_response :bad_request end @@ -149,8 +145,7 @@ class UserPreferencesControllerTest < ActionController::TestCase # try a put without auth assert_no_difference "UserPreference.count" do - content "new_value" - put :update_one, :params => { :preference_key => "new_key" } + put :update_one, :params => { :preference_key => "new_key" }, :body => "new_value" end assert_response :unauthorized, "should be authenticated" assert_raises ActiveRecord::RecordNotFound do @@ -162,8 +157,7 @@ class UserPreferencesControllerTest < ActionController::TestCase # try adding a new preference assert_difference "UserPreference.count", 1 do - content "new_value" - put :update_one, :params => { :preference_key => "new_key" } + put :update_one, :params => { :preference_key => "new_key" }, :body => "new_value" end assert_response :success assert_equal "text/plain", @response.content_type @@ -172,8 +166,7 @@ class UserPreferencesControllerTest < ActionController::TestCase # try changing the value of a preference assert_no_difference "UserPreference.count" do - content "newer_value" - put :update_one, :params => { :preference_key => "new_key" } + put :update_one, :params => { :preference_key => "new_key" }, :body => "newer_value" end assert_response :success assert_equal "text/plain", @response.content_type @@ -217,4 +210,35 @@ class UserPreferencesControllerTest < ActionController::TestCase UserPreference.find([user.id, "key"]) end end + + # Ensure that a valid access token with correct capabilities can be used to + # read preferences + def test_read_one_using_token + user = create(:user) + token = create(:access_token, :user => user, :allow_read_prefs => true) + create(:user_preference, :user => user, :k => "key", :v => "value") + + # Hack together an oauth request - an alternative would be to sign the request properly + @request.env["oauth.version"] = 1 + @request.env["oauth.strategies"] = [:token] + @request.env["oauth.token"] = token + + get :read_one, :params => { :preference_key => "key" } + assert_response :success + end + + # Ensure that a valid access token with incorrect capabilities can't be used + # to read preferences even, though the owner of that token could read them + # by other methods. + def test_read_one_using_token_fail + user = create(:user) + token = create(:access_token, :user => user, :allow_read_prefs => false) + create(:user_preference, :user => user, :k => "key", :v => "value") + @request.env["oauth.version"] = 1 + @request.env["oauth.strategies"] = [:token] + @request.env["oauth.token"] = token + + get :read_one, :params => { :preference_key => "key" } + assert_response :forbidden + end end