X-Git-Url: https://git.openstreetmap.org./rails.git/blobdiff_plain/ac7c45bca036db2c5bfd692d77ff7f1da526955f..9af32c9ad4c92e1132fc391965bc84defa5e9577:/test/controllers/user_preferences_controller_test.rb?ds=sidebyside
diff --git a/test/controllers/user_preferences_controller_test.rb b/test/controllers/user_preferences_controller_test.rb
index 1a51779ed..99b40d5f0 100644
--- a/test/controllers/user_preferences_controller_test.rb
+++ b/test/controllers/user_preferences_controller_test.rb
@@ -35,7 +35,6 @@ class UserPreferencesControllerTest < ActionController::TestCase
# authenticate as a user with no preferences
basic_authorization create(:user).email, "test"
- grant_oauth_token :allow_read_prefs
# try the read again
get :read
@@ -76,7 +75,6 @@ class UserPreferencesControllerTest < ActionController::TestCase
# authenticate as a user with preferences
basic_authorization user.email, "test"
- grant_oauth_token :allow_read_prefs
# try the read again
get :read_one, :params => { :preference_key => "key" }
@@ -98,8 +96,7 @@ class UserPreferencesControllerTest < ActionController::TestCase
# try a put without auth
assert_no_difference "UserPreference.count" do
- content ""
- put :update
+ put :update, :body => ""
end
assert_response :unauthorized, "should be authenticated"
assert_equal "value", UserPreference.find([user.id, "key"]).v
@@ -110,12 +107,10 @@ class UserPreferencesControllerTest < ActionController::TestCase
# authenticate as a user with preferences
basic_authorization user.email, "test"
- grant_oauth_token :allow_write_prefs
# try the put again
assert_no_difference "UserPreference.count" do
- content ""
- put :update
+ put :update, :body => ""
end
assert_response :success
assert_equal "text/plain", @response.content_type
@@ -128,8 +123,7 @@ class UserPreferencesControllerTest < ActionController::TestCase
# try a put with duplicate keys
assert_no_difference "UserPreference.count" do
- content ""
- put :update
+ put :update, :body => ""
end
assert_response :bad_request
assert_equal "text/plain", @response.content_type
@@ -138,8 +132,7 @@ class UserPreferencesControllerTest < ActionController::TestCase
# try a put with invalid content
assert_no_difference "UserPreference.count" do
- content "nonsense"
- put :update
+ put :update, :body => "nonsense"
end
assert_response :bad_request
end
@@ -152,8 +145,7 @@ class UserPreferencesControllerTest < ActionController::TestCase
# try a put without auth
assert_no_difference "UserPreference.count" do
- content "new_value"
- put :update_one, :params => { :preference_key => "new_key" }
+ put :update_one, :params => { :preference_key => "new_key" }, :body => "new_value"
end
assert_response :unauthorized, "should be authenticated"
assert_raises ActiveRecord::RecordNotFound do
@@ -162,12 +154,10 @@ class UserPreferencesControllerTest < ActionController::TestCase
# authenticate as a user with preferences
basic_authorization user.email, "test"
- grant_oauth_token :allow_write_prefs
# try adding a new preference
assert_difference "UserPreference.count", 1 do
- content "new_value"
- put :update_one, :params => { :preference_key => "new_key" }
+ put :update_one, :params => { :preference_key => "new_key" }, :body => "new_value"
end
assert_response :success
assert_equal "text/plain", @response.content_type
@@ -176,8 +166,7 @@ class UserPreferencesControllerTest < ActionController::TestCase
# try changing the value of a preference
assert_no_difference "UserPreference.count" do
- content "newer_value"
- put :update_one, :params => { :preference_key => "new_key" }
+ put :update_one, :params => { :preference_key => "new_key" }, :body => "newer_value"
end
assert_response :success
assert_equal "text/plain", @response.content_type
@@ -200,7 +189,6 @@ class UserPreferencesControllerTest < ActionController::TestCase
# authenticate as a user with preferences
basic_authorization user.email, "test"
- grant_oauth_token :allow_write_prefs
# try the delete again
assert_difference "UserPreference.count", -1 do
@@ -222,4 +210,35 @@ class UserPreferencesControllerTest < ActionController::TestCase
UserPreference.find([user.id, "key"])
end
end
+
+ # Ensure that a valid access token with correct capabilities can be used to
+ # read preferences
+ def test_read_one_using_token
+ user = create(:user)
+ token = create(:access_token, :user => user, :allow_read_prefs => true)
+ create(:user_preference, :user => user, :k => "key", :v => "value")
+
+ # Hack together an oauth request - an alternative would be to sign the request properly
+ @request.env["oauth.version"] = 1
+ @request.env["oauth.strategies"] = [:token]
+ @request.env["oauth.token"] = token
+
+ get :read_one, :params => { :preference_key => "key" }
+ assert_response :success
+ end
+
+ # Ensure that a valid access token with incorrect capabilities can't be used
+ # to read preferences even, though the owner of that token could read them
+ # by other methods.
+ def test_read_one_using_token_fail
+ user = create(:user)
+ token = create(:access_token, :user => user, :allow_read_prefs => false)
+ create(:user_preference, :user => user, :k => "key", :v => "value")
+ @request.env["oauth.version"] = 1
+ @request.env["oauth.strategies"] = [:token]
+ @request.env["oauth.token"] = token
+
+ get :read_one, :params => { :preference_key => "key" }
+ assert_response :forbidden
+ end
end