enhanced the site API + cleaned a little bit the API

commit 5038687ee1316fd583fe4c3328b831f5bf59d495 1 parent 761ef20
@did did authored
8 Gemfile.lock
@@ -238,7 +238,7 @@ GEM
rack (>= 0.4)
rack-ssl (1.3.2)
rack
- rack-test (0.6.1)
+ rack-test (0.6.2)
rack (>= 1.0)
rails (3.2.8)
actionmailer (= 3.2.8)
@@ -263,16 +263,16 @@ GEM
rake (0.9.2.2)
rdoc (3.12)
json (~> 1.4)
- responders (0.9.2)
+ responders (0.9.3)
railties (~> 3.1)
rmagick (2.12.2)
rspec (2.8.0)
rspec-core (~> 2.8.0)
rspec-expectations (~> 2.8.0)
rspec-mocks (~> 2.8.0)
- rspec-cells (0.1.2)
+ rspec-cells (0.1.4)
cells (~> 3.4)
- rails (~> 3.0)
+ railties (~> 3.0)
rspec-rails (~> 2.2)
rspec-core (2.8.0)
rspec-expectations (2.8.0)
9 app/controllers/locomotive/api/current_site_controller.rb
@@ -4,10 +4,17 @@ class CurrentSiteController < BaseController
def show
@site = current_site
- authorize! :show, @site
+ authorize! :show, @site if @site
respond_with(@site)
end
+ def update
+ @site = current_site
+ authorize! :update, @site if @site
+ @site.update_attributes(params[:site])
+ respond_with(@site)
+ end
+
end
end
end
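Review bot: The `if @site` guard on `authorize! :update, @site` in the new `update` action means that when `current_site` is nil the authorization check is silently skipped and the request falls straight through to `@site.update_attributes`, which raises NoMethodError on nil (a 500) — a missing site should fail closed with an explicit status, not bypass the check. Unless `require_site` is guaranteed to run here (this controller does not skip it, unlike the other API controllers in this commit, so the guard may be dead code), add `return head(:not_found) unless @site` before `authorize!` in both actions and drop the `if @site` conditions. `update_attributes(params[:site])` is a mass assignment on a site now reachable by any member with a token; I assume `Locomotive::Site` has an `attr_accessible` whitelist that excludes membership/role fields — worth confirming since nothing in this hunk restricts the keys.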
3  app/controllers/locomotive/api/my_account_controller.rb
@@ -4,8 +4,7 @@ class MyAccountController < BaseController
skip_load_and_authorize_resource
- # FIXME: the auto-loaded site won't pass authorization for show, update, or destroy
- # skip_load_and_authorize_resource :only => [ :show, :update, :destroy ]
+ skip_before_filter :require_site, :set_locale, :set_current_thread_variables
def show
respond_with(current_locomotive_account)
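Review bot: Skipping `set_current_thread_variables` for the whole controller on the new `skip_before_filter` line may leave whatever that filter writes to `Thread.current` holding values from the previous request served by the same thread, if that filter is also what resets them; `show` itself only uses `current_locomotive_account`, but anything downstream reading the thread variables would see stale site/account state. The filter body is not visible in this hunk, so if it merely assigns and something else clears the variables at request end this is a non-issue; otherwise keep `:set_current_thread_variables` in the chain and let it tolerate a nil site, skipping only `:require_site` and `:set_locale`. The removed FIXME explained why CanCan loading is skipped; a one-line replacement such as `# account-scoped endpoint: no current site, so skip site filters and CanCan resource loading` would keep that rationale.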
22 app/controllers/locomotive/api/sites_controller.rb
@@ -2,39 +2,37 @@ module Locomotive
module Api
class SitesController < BaseController
+ skip_before_filter :require_site, :set_locale, :set_current_thread_variables
+
load_and_authorize_resource :class => Locomotive::Site
- # FIXME: the auto-loaded site won't pass authorization for show, update, or destroy
- skip_load_and_authorize_resource :only => [:show, :update, :destroy]
+ # We make an exception for the index action, we don't use the ability
+ # object, we just return the sites owned by the current account.
+ skip_load_and_authorize_resource :only => :index
def index
- @sites = Locomotive::Site.all
+ @sites = self.current_locomotive_account.sites.all
respond_with(@sites)
end
def show
- @site = Locomotive::Site.find(params[:id])
- authorize! :show, @site
respond_with(@site)
end
def create
- @site = Locomotive::Site.create(params[:site])
+ @site.memberships.build :account => self.current_locomotive_account, :role => 'admin'
+ @site.save
respond_with(@site)
end
def update
- @site = Locomotive::Site.find(params[:id])
- authorize! :update, @site
@site.update_attributes(params[:site])
- respond_with @site
+ respond_with(@site)
end
def destroy
- @site = Locomotive::Site.find(params[:id])
- authorize! :destroy, @site
@site.destroy
- respond_with @site
+ respond_with(@site)
end
end
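Review bot: With `require_site` now skipped and `show`/`update`/`destroy` relying solely on `load_and_authorize_resource`, the ability is built with `site = nil`, which in this commit's `Ability#initialize` takes the `elsif @account.admin?` branch and synthesizes an admin membership for any account that is admin of *some* site — so unless `setup_admin_permissions!` scopes its `Site` rules by membership (not visible here), an admin of site A can read, update or destroy site B through `/api/sites/:id`. The feature file only exercises the other-site path with designer and author tokens, so the admin case is untested. Scope the lookup to the caller's own sites as the non-API `SitesController#destroy` already does, e.g. `@site = self.current_locomotive_account.sites.find(params[:id])` in a `before_filter` for `[:show, :update, :destroy]` with `skip_load_and_authorize_resource` extended to those actions and an explicit `authorize!` kept, or have the ability derive the membership from the loaded site instead of from `@account.admin?`.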
2  app/controllers/locomotive/api/tokens_controller.rb
@@ -2,7 +2,7 @@ module Locomotive
module Api
class TokensController < Locomotive::Api::BaseController
- skip_before_filter :require_account
+ skip_before_filter :require_account, :require_site, :set_locale, :set_current_thread_variables
def create
begin
4 app/controllers/locomotive/sites_controller.rb
@@ -12,13 +12,13 @@ def new
def create
@site = Site.new(params[:site])
- @site.memberships.build :account => @current_locomotive_account, :role => 'admin'
+ @site.memberships.build :account => self.current_locomotive_account, :role => 'admin'
@site.save
respond_with @site, :location => edit_my_account_url
end
def destroy
- @site = current_locomotive_account.sites.find(params[:id])
+ @site = self.current_locomotive_account.sites.find(params[:id])
if @site != current_site
@site.destroy
8 app/models/locomotive/ability.rb
@@ -9,9 +9,13 @@ def initialize(account, site)
alias_action :index, :show, :edit, :update, :to => :touch
- @membership = @site.memberships.where(:account_id => @account.id).first
+ if @site
+ @membership = @site.memberships.where(:account_id => @account.id).first
+ elsif @account.admin?
+ @membership = Membership.new(:account => @account, :role => 'admin')
+ end
- return false if @membership.blank?
+ return false if @membership.nil?
if @membership.admin?
setup_admin_permissions!
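Review bot: The new `elsif @account.admin?` branch builds a synthetic admin `Membership` whenever no site is given, and `admin?` (per the spec added in this commit) is true for an account holding an admin role on *any* site — so an ability constructed without a site context treats a single-site admin as an admin everywhere, and whatever `setup_admin_permissions!` grants on `Site` (outside this hunk) becomes reachable across sites. `Ability#initialize` starts before and ends after this hunk. If the intent is only to let such accounts list and create sites, grant that explicitly in this branch instead of impersonating an admin membership, e.g. `can [:index, :create], Locomotive::Site` plus `can :manage, Locomotive::Site, :id.in => @account.sites.map(&:id)` (if the CanCan Mongoid adapter is in use), and document it with `# no site context (site-level API): rules must stay scoped to the account's own sites`. The `return false` inside `initialize` only stops rule setup and the caller still receives an Ability with no rules, which is the right fail-closed default for the nil-membership case.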
7 features/api/authorization/sites.feature
@@ -24,12 +24,14 @@ Feature: Sites
Scenario: Accessing sites as a Designer
Given I have a "designer" API token
When I do an API GET request to sites.json
- Then an access denied error should occur
+ Then the JSON response should be an array
+ And the JSON response should have 1 entry
Scenario: Accessing sites as an Author
Given I have an "author" API token
When I do an API GET request to sites.json
- Then an access denied error should occur
+ Then the JSON response should be an array
+ And the JSON response should have 1 entry
# showing site
@@ -46,6 +48,7 @@ Feature: Sites
Scenario: Accessing other site as a Designer
Given I have a "designer" API token
When I do an API GET request to sites/4f832c2cb0d86d3f42ffffff.json
+ # Then I print the json response
Then an access denied error should occur
Scenario: Accessing my site as an Author
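Review bot: The scenarios at the top switch designers and authors from access-denied to a one-entry list, but there is still no scenario for an *admin* token hitting another site (`sites/4f832c2cb0d86d3f42ffffff.json`), which is the exact path the new `elsif @account.admin?` branch in `Ability` changes — the suite would not catch a site admin reading or updating a site they have no membership in. The commented-out `# Then I print the json response` step added to the designer scenario is leftover debugging and should be removed. Add the admin counterpart next to the designer scenario (this assumes `Site.first` has an admin membership or an `:admin` factory exists, as the `I have a ... API token` step requires):
```gherkin
Scenario: Accessing other site as an Admin
  Given I have an "admin" API token
  When I do an API GET request to sites/4f832c2cb0d86d3f42ffffff.json
  Then an access denied error should occur
```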
20 features/step_definitions/api_steps.rb
@@ -25,6 +25,10 @@ def last_json
@json_response.try(:body) || page.source
end
+def last_status
+ @json_response.try(:status) || page.status
+end
+
Given /^I have an? "([^"]*)" API token$/ do |role|
@membership = Locomotive::Site.first.memberships.where(:role => role.downcase).first \
|| FactoryGirl.create(role.downcase.to_sym, :site => Locomotive::Site.first)
@@ -72,13 +76,19 @@ def last_json
end
Then /^an access denied error should occur$/ do
- @error.should_not be_nil
- @error.is_a?(CanCan::AccessDenied).should be_true
+ if @error
+ @error.is_a?(CanCan::AccessDenied).should be_true
+ else
+ last_status.should == 401
+ end
end
Then /^it should not exist$/ do
- @error.should_not be_nil
- @error.is_a?(Mongoid::Errors::DocumentNotFound).should be_true
+ if @error
+ @error.is_a?(Mongoid::Errors::DocumentNotFound).should be_true
+ else
+ last_status.should == 404
+ end
end
When /^I do a multipart API (\w+) (?:request )?to ([\w.\/]+) with base key "([^"]*)" and:$/ \
@@ -92,5 +102,5 @@ def last_json
end
Then /^I print the json response$/ do
- puts %{JSON: "#{last_json}"}
+ puts %{JSON: "#{last_json}" / #{last_json.inspect}}
end
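Review bot: The fallback `last_status.should == 401` in `an access denied error should occur` makes the step pass for an unauthenticated response as well as an authorization failure, so a scenario whose token is rejected outright becomes indistinguishable from one where CanCan denied the action; if the API deliberately maps `CanCan::AccessDenied` to 401 say so in a comment, otherwise assert the status it actually returns (403 is the conventional one) or additionally check the error message in `last_json`. The `if @error ... else` split also means the exception branch never verifies the HTTP status; consider asserting both, e.g. `last_status.should == 401 if @json_response` after the class check. The new `last_status` helper falls back to `page.status`, but Capybara's session exposes `status_code`, not `status`, so unless a custom driver adds that method the `else` branch will raise NoMethodError rather than fail cleanly — confirm or change it to `page.status_code`.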
2  lib/locomotive/action_controller/responder.rb
@@ -12,7 +12,7 @@ def set_flash_now?
def options
current_site = self.controller.send(:current_site)
current_account = self.controller.send(:current_locomotive_account)
- ability = current_account.nil? ? nil : self.controller.send(:current_ability)
+ ability = current_site.nil? || current_account.nil? ? nil : self.controller.send(:current_ability)
super.merge({
:current_site => current_site,
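Review bot: The rewritten `ability` line relies on `||` binding tighter than `?:`, which is correct but easy to misread as `current_site.nil? || (current_account.nil? ? nil : ...)`; prefer the positive form `ability = current_site && current_account ? self.controller.send(:current_ability) : nil` or parenthesize the condition. The `options` method starts before and ends after this hunk. Skipping the ability when there is no site also means responders for the site-less API controllers added in this commit receive `:ability => nil`; if any view or serializer calls `can?` on it unguarded this will raise, so a short comment such as `# no ability without a site context: consumers must nil-check` would make the contract explicit.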
32 spec/models/locomotive/account_spec.rb
@@ -3,7 +3,7 @@
describe Locomotive::Account do
let!(:existing_account) { Factory(:account, :email => 'another@email.com') }
- it 'should have a valid factory' do
+ it 'has a valid factory' do
FactoryGirl.build(:account).should be_valid
end
@@ -16,12 +16,12 @@
it { should allow_value('prefix+suffix@email.com').for(:email) }
it { should_not allow_value('not-an-email').for(:email) }
- it "should have a default locale" do
+ it "has a default locale" do
account = Locomotive::Account.new
account.locale.should == 'en'
end
- it "should validate uniqueness of email" do
+ it "validates the uniqueness of email" do
FactoryGirl.create(:account)
(account = FactoryGirl.build(:account)).should_not be_valid
account.errors[:email].should == ["is already taken"]
@@ -29,7 +29,7 @@
## Associations ##
- it 'should own many sites' do
+ it 'owns many sites' do
account = FactoryGirl.create(:account)
site_1 = FactoryGirl.create(:site, :memberships => [Locomotive::Membership.new(:account => account)])
site_2 = FactoryGirl.create(:site, :subdomain => 'another_one', :memberships => [Locomotive::Membership.new(:account => account)])
@@ -47,14 +47,14 @@
Locomotive::Site.any_instance.stubs(:save).returns(true)
end
- it 'should also delete memberships' do
+ it 'also deletes memberships' do
Locomotive::Site.any_instance.stubs(:admin_memberships).returns(['junk', 'dirt'])
@site_1.memberships.first.expects(:destroy)
@site_2.memberships.first.expects(:destroy)
@account.destroy
end
- it 'should raise an exception if account is the only remaining admin' do
+ it 'raises an exception if account is the only remaining admin' do
@site_1.memberships.first.stubs(:admin?).returns(true)
@site_1.stubs(:admin_memberships).returns(['junk'])
lambda {
@@ -64,4 +64,24 @@
end
+ describe '#admin?' do
+
+ it 'is considered as an admin if she/he has a membership with an admin role' do
+ create_site_and_account
+ @account.admin?.should be_true
+ end
+
+ it 'is not considered as an admin if she/he does not have a membership with an admin role' do
+ create_site_and_account('author')
+ @account.admin?.should be_false
+ end
+
+ def create_site_and_account(role = 'admin')
+ @account = FactoryGirl.create(:account)
+ @membership = Locomotive::Membership.new(:account => @account, :role => role)
+ @site = FactoryGirl.create(:site, :memberships => [@membership])
+ end
+
+ end
+
end
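Review bot: The new `#admin?` examples pin only the pure cases (a single admin membership → true, a single author membership → false) but not the mixed one that now matters for the `Ability` change in this commit: an account that is admin on one site and author (or nothing) on another still returns true, and `Ability` uses that to synthesize an admin membership when no site is given. Add an example such as `it 'is an admin as soon as one membership is admin, regardless of other sites'` that builds two sites with different roles for the same account, so the cross-site semantics of `admin?` are documented where the behaviour is defined. `create_site_and_account` as a bare `def` inside the `describe` block works in RSpec 2, but a `let`/`before` or a helper module is the more usual style in this spec suite.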