Fix specs
BryanHouston committed Aug 4, 2016
1 parent 31626ff commit f3e5f40
Showing 15 changed files with 195 additions and 237 deletions.
9 changes: 6 additions & 3 deletions spec/controllers/api/v1/application_groups_controller_spec.rb
Expand Up @@ -179,7 +179,8 @@
end

it "should not let a user call it through an app" do
expect{api_get :updates, user_2_token}.to raise_error(SecurityTransgression)
api_get :updates, user_2_token
expect(response).to have_http_status :forbidden
end

end
Expand Down Expand Up @@ -234,8 +235,10 @@
end

it "should not let a user call it through an app" do
expect{api_get :updates, user_2_token}.to raise_error(SecurityTransgression)
expect{api_put :updated, user_2_token}.to raise_error(SecurityTransgression)
api_get :updates, user_2_token
expect(response).to have_http_status :forbidden
api_put :updated, user_2_token
expect(response).to have_http_status :forbidden
end

end
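Review bot: The rewritten example in the second hunk (`@@ -234,8 +235,10 @@`) performs the GET and the PUT in one example with an assertion between them, so if the `:updates` check fails the `:updated` path is never exercised and a regression there stays hidden. Split it into two examples, or tag the example so both assertions run, e.g. `it "should not let a user call it through an app", :aggregate_failures do`. The same two-request pattern is introduced in the last hunk of application_users_controller_spec.rb. Both examples also pin only the status, whereas the group_members spec in this commit additionally asserts `expect(response.body).to be_empty`; mirroring that here would catch a 403 that still carries a populated body. The enclosing describe block begins outside the hunk.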
28 changes: 14 additions & 14 deletions spec/controllers/api/v1/application_users_controller_spec.rb
Expand Up @@ -62,25 +62,22 @@
expect(response.body).to eq(expected_response)
end

it "raises not found when not found" do
expect {
api_get :find_by_username, untrusted_application_token, parameters: { username: 'foo' }
}.to raise_error(ActiveRecord::RecordNotFound)
it "responds with http status not found when not found" do
api_get :find_by_username, untrusted_application_token, parameters: { username: 'foo' }
expect(response).to have_http_status :not_found
end

it "raises SecurityTransgression when called by anonymous" do
expect {
api_get :find_by_username, nil, parameters: { username: 'foo' }
}.to raise_error(SecurityTransgression)
it "responds with http status forbidden when called by anonymous" do
api_get :find_by_username, nil, parameters: { username: 'foo' }
expect(response).to have_http_status :forbidden
end

it "only finds users belonging to the requesting application" do
# bob_brown is not a member of the "trusted_application"
expect( bob_brown.application_users.where( application_id: trusted_application.id ) ).to be_empty
# therefore no results will be returned
expect {
api_get :find_by_username, trusted_application_token, parameters: { username: bob_brown.username }
}.to raise_error(ActiveRecord::RecordNotFound)
api_get :find_by_username, trusted_application_token, parameters: { username: bob_brown.username }
expect(response).to have_http_status :not_found
end
end

Expand Down Expand Up @@ -276,7 +273,8 @@
end

it "should not let a user call it through an app" do
expect{api_get :updates, user_2_token}.to raise_error(SecurityTransgression)
api_get :updates, user_2_token
expect(response).to have_http_status :forbidden
end

end
Expand Down Expand Up @@ -335,8 +333,10 @@
end

it "should not let a user call it through an app" do
expect{api_get :updates, user_2_token}.to raise_error(SecurityTransgression)
expect{api_put :updated, user_2_token}.to raise_error(SecurityTransgression)
api_get :updates, user_2_token
expect(response).to have_http_status :forbidden
api_put :updated, user_2_token
expect(response).to have_http_status :forbidden
end

end
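Review bot: The cross-application example in the first hunk (`@@ -62,25 +62,22 @@`, 'only finds users belonging to the requesting application') pins `:not_found` rather than `:forbidden`, and that distinction carries weight: a different status for a user who exists in another application would reveal that the username is taken. If that is the intent, record it next to the existing comment, e.g. `# 404 rather than 403: a username in another application must look the same as a nonexistent one`. Without it a later edit could switch the expectation to `:forbidden` and every other example in the file would still pass. The describe block containing these examples starts outside the hunk.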
10 changes: 4 additions & 6 deletions spec/controllers/api/v1/contact_infos_controller_spec.rb
Expand Up @@ -21,9 +21,8 @@

describe "#resend_confirmation" do
it "403s if the wrong user makes the request" do
expect{
api_put :resend_confirmation, wrong_user_token, parameters: {id: contact_info.id}
}.to raise_error(SecurityTransgression)
api_put :resend_confirmation, wrong_user_token, parameters: {id: contact_info.id}
expect(response).to have_http_status 403
end

it "returns an `already_confirmed` error when confirmed" do
Expand Down Expand Up @@ -63,9 +62,8 @@
end

it "403s if the wrong user makes the request" do
expect{
api_put :confirm_by_pin, wrong_user_token, parameters: {id: contact_info.id}
}.to raise_error(SecurityTransgression)
api_put :confirm_by_pin, wrong_user_token, parameters: {id: contact_info.id}
expect(response).to have_http_status 403
end

it "204s if already confirmed" do
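Review bot: Both examples in this file assert `have_http_status 403` while every other spec touched by this commit uses the symbolic form, so the new lines read inconsistently across the change; prefer `expect(response).to have_http_status :forbidden` in both hunks so the intent is clear without a status-code lookup. The example names ('403s if the wrong user makes the request') can keep the number. The enclosing `describe "#resend_confirmation"` block continues past the first hunk.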
66 changes: 28 additions & 38 deletions spec/controllers/api/v1/group_members_controller_spec.rb
Expand Up @@ -29,17 +29,15 @@

context 'index' do
it 'must not list group memberships without a token' do
expect{api_get :index, nil}.to(
raise_error(SecurityTransgression))
api_get :index, nil

expect(response.body).to be_empty
expect(response).to have_http_status :forbidden
end

it 'must not list group memberships for an app without a user token' do
expect{api_get :index, untrusted_application_token}.to(
raise_error(SecurityTransgression))
api_get :index, untrusted_application_token

expect(response.body).to be_empty
expect(response).to have_http_status :forbidden
end

it 'must list all group memberships for human users' do
Expand Down Expand Up @@ -210,37 +208,33 @@

context 'create' do
it 'must not create a group_member without a token' do
expect{api_post :create, nil, parameters: {group_id: group_3.id,
user_id: user_2.id}}.to(
raise_error(SecurityTransgression))
api_post :create, nil, parameters: {group_id: group_3.id,
user_id: user_2.id}

expect(response.body).to be_empty
expect(response).to have_http_status :forbidden
end

it 'must not create a group_member for an app without a user token' do
expect{api_post :create, untrusted_application_token,
api_post :create, untrusted_application_token,
parameters: {group_id: group_3.id,
user_id: user_2.id}}.to(
raise_error(SecurityTransgression))
user_id: user_2.id}

expect(response.body).to be_empty
expect(response).to have_http_status :forbidden
end

it 'must not create a group_member for an unauthorized user' do
expect{api_post :create, user_1_token, parameters: {group_id: group_3.id,
user_id: user_2.id}}.to(
raise_error(SecurityTransgression))
api_post :create, user_1_token, parameters: {group_id: group_3.id,
user_id: user_2.id}

expect(response.body).to be_empty
expect(response).to have_http_status :forbidden

group_3.add_member(user_1)
controller.current_human_user.reload

expect{api_post :create, user_1_token, parameters: {group_id: group_3.id,
user_id: user_2.id}}.to(
raise_error(SecurityTransgression))
api_post :create, user_1_token, parameters: {group_id: group_3.id,
user_id: user_2.id}

expect(response.body).to be_empty
expect(response).to have_http_status :forbidden
end

it 'must create group_members for authorized users' do
Expand Down Expand Up @@ -298,42 +292,38 @@

context 'destroy' do
it 'must not destroy a group_member without a token' do
expect{api_delete :destroy, nil,
api_delete :destroy, nil,
parameters: {group_id: group_2.id,
user_id: user_2.id}}.to(
raise_error(SecurityTransgression))
user_id: user_2.id}

expect(response.body).to be_empty
expect(response).to have_http_status :forbidden
expect(GroupMember.where(id: group_member_1.id).first).not_to be_nil
end

it 'must not destroy a group_member for an app without a user token' do
expect{api_delete :destroy, untrusted_application_token,
api_delete :destroy, untrusted_application_token,
parameters: {group_id: group_2.id,
user_id: user_2.id}}.to(
raise_error(SecurityTransgression))
user_id: user_2.id}

expect(response.body).to be_empty
expect(response).to have_http_status :forbidden
expect(GroupMember.where(id: group_member_1.id).first).not_to be_nil
end

it 'must not destroy a group_member for an unauthorized user' do
expect{api_delete :destroy, user_1_token,
api_delete :destroy, user_1_token,
parameters: {group_id: group_2.id,
user_id: user_2.id}}.to(
raise_error(SecurityTransgression))
user_id: user_2.id}

expect(response.body).to be_empty
expect(response).to have_http_status :forbidden
expect(GroupMember.where(id: group_member_1.id).first).not_to be_nil

group_2.add_member(user_1)

expect{api_delete :destroy, user_1_token,
api_delete :destroy, user_1_token,
parameters: {group_id: group_2.id,
user_id: user_2.id}}.to(
raise_error(SecurityTransgression))
user_id: user_2.id}

expect(response.body).to be_empty
expect(response).to have_http_status :forbidden
expect(GroupMember.where(id: group_member_1.id).first).not_to be_nil
end

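Review bot: The three rejected-create examples in the second hunk (`@@ -210,37 +208,33 @@`) assert the status and the empty body but never that no GroupMember row was written, while the destroy examples in the next hunk do verify persistence with `expect(GroupMember.where(id: group_member_1.id).first).not_to be_nil`; the create side is the weaker half of the authorization check. Add a persistence assertion after each `:forbidden` expectation, e.g. `expect(GroupMember.where(group_id: group_3.id, user_id: user_2.id)).to be_empty` (assuming the column names match the request parameters), which also gives the second attempt after `group_3.add_member(user_1)` something concrete to prove. The same gap exists in the create hunk of group_nestings_controller_spec.rb. The `context 'create'` block continues past the hunk.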
63 changes: 27 additions & 36 deletions spec/controllers/api/v1/group_nestings_controller_spec.rb
Expand Up @@ -29,47 +29,42 @@

context 'create' do
it 'must not create a group_nesting without a token' do
expect{api_post :create, nil, parameters: {group_id: group_3.id,
member_group_id: group_1.id}}.to(
raise_error(SecurityTransgression))
api_post :create, nil, parameters: {group_id: group_3.id,
member_group_id: group_1.id}

expect(response.body).to be_empty
expect(response).to have_http_status :forbidden
end

it 'must not create a group_nesting for an app without a user token' do
expect{api_post :create, untrusted_application_token,
api_post :create, untrusted_application_token,
parameters: {group_id: group_3.id,
member_group_id: group_1.id}}.to(
raise_error(SecurityTransgression))
member_group_id: group_1.id}

expect(response.body).to be_empty
expect(response).to have_http_status :forbidden
end

it 'must not create a group_nesting for an unauthorized user' do
expect{api_post :create, user_1_token, parameters: {group_id: group_3.id,
member_group_id: group_1.id}}.to(
raise_error(SecurityTransgression))
api_post :create, user_1_token, parameters: {group_id: group_3.id,
member_group_id: group_1.id}

expect(response.body).to be_empty
expect(response).to have_http_status :forbidden

group_3.add_owner(user_1)
controller.current_human_user.reload

expect{api_post :create, user_1_token, parameters: {group_id: group_3.id,
member_group_id: group_1.id}}.to(
raise_error(SecurityTransgression))
api_post :create, user_1_token, parameters: {group_id: group_3.id,
member_group_id: group_1.id}

expect(response.body).to be_empty
expect(response).to have_http_status :forbidden

GroupOwner.last.destroy
group_1.add_owner(user_1)
controller.current_human_user.reload

expect{api_post :create, user_1_token, parameters: {group_id: group_3.id,
member_group_id: group_1.id}}.to(
raise_error(SecurityTransgression))
api_post :create, user_1_token, parameters: {group_id: group_3.id,
member_group_id: group_1.id}

expect(response.body).to be_empty
expect(response).to have_http_status :forbidden
end

it 'must create group_nestings for authorized users' do
Expand All @@ -87,42 +82,38 @@

context 'destroy' do
it 'must not destroy a group_nesting without a token' do
expect{api_delete :destroy, nil,
api_delete :destroy, nil,
parameters: {group_id: group_1.id,
member_group_id: group_2.id}}.to(
raise_error(SecurityTransgression))
member_group_id: group_2.id}

expect(response.body).to be_empty
expect(response).to have_http_status :forbidden
expect(GroupNesting.where(id: group_nesting_1.id).first).not_to be_nil
end

it 'must not destroy a group_nesting for an app without a user token' do
expect{api_delete :destroy, untrusted_application_token,
api_delete :destroy, untrusted_application_token,
parameters: {group_id: group_1.id,
member_group_id: group_2.id}}.to(
raise_error(SecurityTransgression))
member_group_id: group_2.id}

expect(response.body).to be_empty
expect(response).to have_http_status :forbidden
expect(GroupNesting.where(id: group_nesting_1.id).first).not_to be_nil
end

it 'must not destroy a group_nesting for an unauthorized user' do
expect{api_delete :destroy, user_1_token,
api_delete :destroy, user_1_token,
parameters: {group_id: group_1.id,
member_group_id: group_2.id}}.to(
raise_error(SecurityTransgression))
member_group_id: group_2.id}

expect(response.body).to be_empty
expect(response).to have_http_status :forbidden
expect(GroupNesting.where(id: group_nesting_1.id).first).not_to be_nil

group_2.add_member(user_1)

expect{api_delete :destroy, user_1_token,
api_delete :destroy, user_1_token,
parameters: {group_id: group_1.id,
member_group_id: group_2.id}}.to(
raise_error(SecurityTransgression))
member_group_id: group_2.id}

expect(response.body).to be_empty
expect(response).to have_http_status :forbidden
expect(GroupNesting.where(id: group_nesting_1.id).first).not_to be_nil
end

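Review bot: Nothing in the 'must not create a group_nesting for an unauthorized user' example in the first hunk states the authorization rule it pins: it walks through three states (no ownership, owner of group_3 only, owner of group_1 only) and expects `:forbidden` each time, leaving the reader to reconstruct the rule from the setup lines. A comment before the first request would make it explicit, e.g. `# owning only the parent group or only the nested group is not sufficient`, to be adjusted if the controller's actual rule differs. `GroupOwner.last.destroy` also relies on default ordering to pick the owner just created; capturing the record returned by `group_3.add_owner(user_1)` would be more robust if that method returns it. The context block continues past the hunk.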
