diff --git a/spec/controllers/api/v1/application_groups_controller_spec.rb b/spec/controllers/api/v1/application_groups_controller_spec.rb index 3db3adb8d..e73646dc6 100644 --- a/spec/controllers/api/v1/application_groups_controller_spec.rb +++ b/spec/controllers/api/v1/application_groups_controller_spec.rb @@ -179,7 +179,8 @@ end it "should not let a user call it through an app" do - expect{api_get :updates, user_2_token}.to raise_error(SecurityTransgression) + api_get :updates, user_2_token + expect(response).to have_http_status :forbidden end end @@ -234,8 +235,10 @@ end it "should not let a user call it through an app" do - expect{api_get :updates, user_2_token}.to raise_error(SecurityTransgression) - expect{api_put :updated, user_2_token}.to raise_error(SecurityTransgression) + api_get :updates, user_2_token + expect(response).to have_http_status :forbidden + api_put :updated, user_2_token + expect(response).to have_http_status :forbidden end end diff --git a/spec/controllers/api/v1/application_users_controller_spec.rb b/spec/controllers/api/v1/application_users_controller_spec.rb index 982ad8e44..ec25a3682 100644 --- a/spec/controllers/api/v1/application_users_controller_spec.rb +++ b/spec/controllers/api/v1/application_users_controller_spec.rb 
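Review bot: The `api_put :updated, user_2_token` case in the second hunk now asserts only the status, so nothing shows the forbidden request left state untouched — `raise_error` used to guarantee the action body never ran, but a 403 rendered by a rescue handler gives no such guarantee. The groups and group_members specs later in this diff pair each `:forbidden` with a record check; consider the same here, e.g. `expect { api_put :updated, user_2_token }.not_to change { ApplicationGroup.order(:id).pluck(:updated_at) }` against whatever column the `updated` action actually clears (the action is not visible from here, so adjust). The enclosing describe blocks start before the hunks.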
@@ -62,25 +62,22 @@ expect(response.body).to eq(expected_response) end - it "raises not found when not found" do - expect { - api_get :find_by_username, untrusted_application_token, parameters: { username: 'foo' } - }.to raise_error(ActiveRecord::RecordNotFound) + it "responds with http status not found when not found" do + api_get :find_by_username, untrusted_application_token, parameters: { username: 'foo' } + expect(response).to have_http_status :not_found end - it "raises SecurityTransgression when called by anonymous" do - expect { - api_get :find_by_username, nil, parameters: { username: 'foo' } - }.to raise_error(SecurityTransgression) + it "responds with http status forbidden when called by anonymous" do + api_get :find_by_username, nil, parameters: { username: 'foo' } + expect(response).to have_http_status :forbidden end it "only finds users belonging to the requesting application" do # bob_brown is not a member of the "trusted_application" expect( bob_brown.application_users.where( application_id: trusted_application.id ) ).to be_empty # therefore no results will be returned - expect { - api_get :find_by_username, trusted_application_token, parameters: { username: bob_brown.username } - }.to raise_error(ActiveRecord::RecordNotFound) + api_get :find_by_username, trusted_application_token, parameters: { username: bob_brown.username } + expect(response).to have_http_status :not_found end end @@ -276,7 +273,8 @@ end it "should not let a user call it through an app" do - expect{api_get :updates, user_2_token}.to raise_error(SecurityTransgression) + api_get :updates, user_2_token + expect(response).to have_http_status :forbidden end end 
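Review bot: The two `:not_found` cases in the first hunk ("not found" and "user belongs to another application") no longer pin that the two responses are indistinguishable; if the rescue handler renders the exception message, a trusted application could tell "no such user" from "exists, but not in my app" and enumerate usernames across applications. Capture the body from the `'foo'` request and assert the cross-application case returns the same, e.g. `expect(response.body).to eq(not_found_body)`, or assert `expect(response.body).to be_empty` in both if the handler renders nothing. Separately, the anonymous case asserts `:forbidden`; if the API distinguishes unauthenticated from unauthorized, 401 `:unauthorized` is the conventional answer to a missing token — that depends on the rescue handler, which is outside this diff.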
@@ -335,8 +333,10 @@ end it "should not let a user call it through an app" do - expect{api_get :updates, user_2_token}.to raise_error(SecurityTransgression) - expect{api_put :updated, user_2_token}.to raise_error(SecurityTransgression) + api_get :updates, user_2_token + expect(response).to have_http_status :forbidden + api_put :updated, user_2_token + expect(response).to have_http_status :forbidden end end diff --git a/spec/controllers/api/v1/contact_infos_controller_spec.rb b/spec/controllers/api/v1/contact_infos_controller_spec.rb index 667e22b0b..bb73cad62 100644 --- a/spec/controllers/api/v1/contact_infos_controller_spec.rb +++ b/spec/controllers/api/v1/contact_infos_controller_spec.rb @@ -21,9 +21,8 @@ describe "#resend_confirmation" do it "403s if the wrong user makes the request" do - expect{ - api_put :resend_confirmation, wrong_user_token, parameters: {id: contact_info.id} - }.to raise_error(SecurityTransgression) + api_put :resend_confirmation, wrong_user_token, parameters: {id: contact_info.id} + expect(response).to have_http_status 403 end it "returns an `already_confirmed` error when confirmed" do @@ -63,9 +62,8 @@ end it "403s if the wrong user makes the request" do - expect{ - api_put :confirm_by_pin, wrong_user_token, parameters: {id: contact_info.id} - }.to raise_error(SecurityTransgression) + api_put :confirm_by_pin, wrong_user_token, parameters: {id: contact_info.id} + expect(response).to have_http_status 403 end it "204s if already confirmed" do diff --git a/spec/controllers/api/v1/group_members_controller_spec.rb b/spec/controllers/api/v1/group_members_controller_spec.rb index 3060f72ac..9d629b753 100644 --- a/spec/controllers/api/v1/group_members_controller_spec.rb +++ b/spec/controllers/api/v1/group_members_controller_spec.rb 
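Review bot: The `confirm_by_pin` 403 case in the last contact_infos hunk asserts only the status; with the exception no longer aborting the action, the spec should also pin that the wrong user's request did not confirm the contact info or consume a PIN attempt, e.g. `expect(contact_info.reload).not_to be_confirmed` (use the model's real predicate — it is not visible here). The `resend_confirmation` 403 in the first hunk could likewise assert the mailer delivery count is unchanged. Style: these two hunks use the numeric `have_http_status 403` while every other controller spec in this diff uses `:forbidden`; one form is easier to grep. The describe blocks start before the hunks.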
@@ -29,17 +29,15 @@ context 'index' do it 'must not list group memberships without a token' do - expect{api_get :index, nil}.to( - raise_error(SecurityTransgression)) + api_get :index, nil - expect(response.body).to be_empty + expect(response).to have_http_status :forbidden end it 'must not list group memberships for an app without a user token' do - expect{api_get :index, untrusted_application_token}.to( - raise_error(SecurityTransgression)) + api_get :index, untrusted_application_token - expect(response.body).to be_empty + expect(response).to have_http_status :forbidden end it 'must list all group memberships for human users' do 
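Review bot: Both cases in this hunk drop `expect(response.body).to be_empty`, so the 403 is now allowed to carry any body — including, if the handler renders partial output or an error payload built from the action, membership data the caller is not entitled to. Keep a body assertion next to the status: the original `expect(response.body).to be_empty` if the handler renders nothing, otherwise something like `expect(response.body).not_to include(user_2.username)` tied to data the listing would contain. The context block continues outside the hunk.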
@@ -210,37 +208,33 @@ context 'create' do it 'must not create a group_member without a token' do - expect{api_post :create, nil, parameters: {group_id: group_3.id, - user_id: user_2.id}}.to( - raise_error(SecurityTransgression)) + api_post :create, nil, parameters: {group_id: group_3.id, + user_id: user_2.id} - expect(response.body).to be_empty + expect(response).to have_http_status :forbidden end it 'must not create a group_member for an app without a user token' do - expect{api_post :create, untrusted_application_token, + api_post :create, untrusted_application_token, parameters: {group_id: group_3.id, - user_id: user_2.id}}.to( - raise_error(SecurityTransgression)) + user_id: user_2.id} - expect(response.body).to be_empty + expect(response).to have_http_status :forbidden end it 'must not create a group_member for an unauthorized user' do - expect{api_post :create, user_1_token, parameters: {group_id: group_3.id, - user_id: user_2.id}}.to( - raise_error(SecurityTransgression)) + api_post :create, user_1_token, parameters: {group_id: group_3.id, + user_id: user_2.id} - expect(response.body).to be_empty + expect(response).to have_http_status :forbidden group_3.add_member(user_1) controller.current_human_user.reload - expect{api_post :create, user_1_token, parameters: {group_id: group_3.id, - user_id: user_2.id}}.to( - raise_error(SecurityTransgression)) + api_post :create, user_1_token, parameters: {group_id: group_3.id, + user_id: user_2.id} - expect(response.body).to be_empty + expect(response).to have_http_status :forbidden end it 'must create group_members for authorized users' do 
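Review bot: None of the four forbidden `api_post :create` calls in this hunk verifies that no GroupMember was written, whereas the destroy cases in this file assert the record survives; a handler-rendered 403 no longer proves the action body was skipped. Add after each call `expect(GroupMember.where(group_id: group_3.id, user_id: user_2.id)).to be_empty` (column names assumed from the request params — verify). The dropped `expect(response.body).to be_empty` also means an error payload can now be returned unchecked; keep a body assertion if the handler renders one. The context block starts before the hunk.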
@@ -298,42 +292,38 @@ context 'destroy' do it 'must not destroy a group_member without a token' do - expect{api_delete :destroy, nil, + api_delete :destroy, nil, parameters: {group_id: group_2.id, - user_id: user_2.id}}.to( - raise_error(SecurityTransgression)) + user_id: user_2.id} - expect(response.body).to be_empty + expect(response).to have_http_status :forbidden expect(GroupMember.where(id: group_member_1.id).first).not_to be_nil end it 'must not destroy a group_member for an app without a user token' do - expect{api_delete :destroy, untrusted_application_token, + api_delete :destroy, untrusted_application_token, parameters: {group_id: group_2.id, - user_id: user_2.id}}.to( - raise_error(SecurityTransgression)) + user_id: user_2.id} - expect(response.body).to be_empty + expect(response).to have_http_status :forbidden expect(GroupMember.where(id: group_member_1.id).first).not_to be_nil end it 'must not destroy a group_member for an unauthorized user' do - expect{api_delete :destroy, user_1_token, + api_delete :destroy, user_1_token, parameters: {group_id: group_2.id, - user_id: user_2.id}}.to( - raise_error(SecurityTransgression)) + user_id: user_2.id} - expect(response.body).to be_empty + expect(response).to have_http_status :forbidden expect(GroupMember.where(id: group_member_1.id).first).not_to be_nil group_2.add_member(user_1) - expect{api_delete :destroy, user_1_token, + api_delete :destroy, user_1_token, parameters: {group_id: group_2.id, - user_id: user_2.id}}.to( - raise_error(SecurityTransgression)) + user_id: user_2.id} - expect(response.body).to be_empty + expect(response).to have_http_status :forbidden expect(GroupMember.where(id: group_member_1.id).first).not_to be_nil end diff --git a/spec/controllers/api/v1/group_nestings_controller_spec.rb b/spec/controllers/api/v1/group_nestings_controller_spec.rb index 978484832..789d89715 100644 --- a/spec/controllers/api/v1/group_nestings_controller_spec.rb 
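Review bot: After `group_2.add_member(user_1)` in the last case of this hunk there is no `controller.current_human_user.reload`, unlike the matching create case in the same file; in a controller spec the same controller instance serves every request of the example, so if the authorization check reads a memoized user's associations the second `api_delete` may be rejected because of stale state rather than because a plain member cannot remove another member, and the assertion passes for the wrong reason. Add `controller.current_human_user.reload` after `group_2.add_member(user_1)`. The context block continues outside the hunk.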
+++ b/spec/controllers/api/v1/group_nestings_controller_spec.rb 
@@ -29,47 +29,42 @@ context 'create' do it 'must not create a group_nesting without a token' do - expect{api_post :create, nil, parameters: {group_id: group_3.id, - member_group_id: group_1.id}}.to( - raise_error(SecurityTransgression)) + api_post :create, nil, parameters: {group_id: group_3.id, + member_group_id: group_1.id} - expect(response.body).to be_empty + expect(response).to have_http_status :forbidden end it 'must not create a group_nesting for an app without a user token' do - expect{api_post :create, untrusted_application_token, + api_post :create, untrusted_application_token, parameters: {group_id: group_3.id, - member_group_id: group_1.id}}.to( - raise_error(SecurityTransgression)) + member_group_id: group_1.id} - expect(response.body).to be_empty + expect(response).to have_http_status :forbidden end it 'must not create a group_nesting for an unauthorized user' do - expect{api_post :create, user_1_token, parameters: {group_id: group_3.id, - member_group_id: group_1.id}}.to( - raise_error(SecurityTransgression)) + api_post :create, user_1_token, parameters: {group_id: group_3.id, + member_group_id: group_1.id} - expect(response.body).to be_empty + expect(response).to have_http_status :forbidden group_3.add_owner(user_1) controller.current_human_user.reload - expect{api_post :create, user_1_token, parameters: {group_id: group_3.id, - member_group_id: group_1.id}}.to( - raise_error(SecurityTransgression)) + api_post :create, user_1_token, parameters: {group_id: group_3.id, + member_group_id: group_1.id} - expect(response.body).to be_empty + expect(response).to have_http_status :forbidden GroupOwner.last.destroy group_1.add_owner(user_1) controller.current_human_user.reload - expect{api_post :create, user_1_token, parameters: {group_id: group_3.id, - member_group_id: group_1.id}}.to( - raise_error(SecurityTransgression)) + api_post :create, user_1_token, parameters: {group_id: group_3.id, + member_group_id: group_1.id} - expect(response.body).to be_empty + 
expect(response).to have_http_status :forbidden end it 'must create group_nestings for authorized users' do @@ -87,42 +82,38 @@ context 'destroy' do it 'must not destroy a group_nesting without a token' do - expect{api_delete :destroy, nil, + api_delete :destroy, nil, parameters: {group_id: group_1.id, - member_group_id: group_2.id}}.to( - raise_error(SecurityTransgression)) + member_group_id: group_2.id} - expect(response.body).to be_empty + expect(response).to have_http_status :forbidden expect(GroupNesting.where(id: group_nesting_1.id).first).not_to be_nil end it 'must not destroy a group_nesting for an app without a user token' do - expect{api_delete :destroy, untrusted_application_token, + api_delete :destroy, untrusted_application_token, parameters: {group_id: group_1.id, - member_group_id: group_2.id}}.to( - raise_error(SecurityTransgression)) + member_group_id: group_2.id} - expect(response.body).to be_empty + expect(response).to have_http_status :forbidden expect(GroupNesting.where(id: group_nesting_1.id).first).not_to be_nil end it 'must not destroy a group_nesting for an unauthorized user' do - expect{api_delete :destroy, user_1_token, + api_delete :destroy, user_1_token, parameters: {group_id: group_1.id, - member_group_id: group_2.id}}.to( - raise_error(SecurityTransgression)) + member_group_id: group_2.id} - expect(response.body).to be_empty + expect(response).to have_http_status :forbidden expect(GroupNesting.where(id: group_nesting_1.id).first).not_to be_nil group_2.add_member(user_1) - expect{api_delete :destroy, user_1_token, + api_delete :destroy, user_1_token, parameters: {group_id: group_1.id, - member_group_id: group_2.id}}.to( - raise_error(SecurityTransgression)) + member_group_id: group_2.id} - expect(response.body).to be_empty + expect(response).to have_http_status :forbidden expect(GroupNesting.where(id: group_nesting_1.id).first).not_to be_nil end 
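Review bot: The forbidden `api_post :create` calls in the create hunk never assert that no nesting of group_1 into group_3 was written, so a handler that renders 403 after the row was saved would still pass; add `expect(GroupNesting.where(container_group: group_3, member_group: group_1)).to be_empty` after each call (association names taken from the factory used in groups_controller_spec — verify). `GroupOwner.last.destroy` also relies on insertion order to undo `group_3.add_owner(user_1)`; removing the specific ownership, e.g. `GroupOwner.find_by(group: group_3, user: user_1).destroy`, states what the test intends. The context block starts before the hunk.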
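Review bot: In the destroy hunk the last case calls `group_2.add_member(user_1)` and re-issues `api_delete` without `controller.current_human_user.reload`, while the create cases reload after every membership change; if `current_human_user` is memoized across the example's requests, the final `:forbidden` may reflect stale pre-membership state rather than the rule that a member of the nested group cannot remove the nesting. Add `controller.current_human_user.reload` after `group_2.add_member(user_1)`. The context block continues outside the hunk.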
diff --git a/spec/controllers/api/v1/group_owners_controller_spec.rb b/spec/controllers/api/v1/group_owners_controller_spec.rb index 07695dc7d..3716185be 100644 --- a/spec/controllers/api/v1/group_owners_controller_spec.rb +++ b/spec/controllers/api/v1/group_owners_controller_spec.rb @@ -29,17 +29,15 @@ context 'index' do it 'must not list group ownerships without a token' do - expect{api_get :index, nil}.to( - raise_error(SecurityTransgression)) + api_get :index, nil - expect(response.body).to be_empty + expect(response).to have_http_status :forbidden end it 'must not list group ownerships for an app without a user token' do - expect{api_get :index, untrusted_application_token}.to( - raise_error(SecurityTransgression)) + api_get :index, untrusted_application_token - expect(response.body).to be_empty + expect(response).to have_http_status :forbidden end it 'must list all group ownerships for human users' do 
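Review bot: Both index cases in this hunk lose `expect(response.body).to be_empty`, so a 403 that still renders ownership data would pass; keep a body assertion alongside the status — the original `be_empty` if the handler renders nothing, otherwise an assertion that the body does not include ownership records, e.g. `expect(response.body).not_to include(user_2.username)` tied to data the listing would carry. The context block continues outside the hunk.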
@@ -182,37 +180,33 @@ context 'create' do it 'must not create a group_owner without a token' do - expect{api_post :create, nil, parameters: {group_id: group_3.id, - user_id: user_2.id}}.to( - raise_error(SecurityTransgression)) + api_post :create, nil, parameters: {group_id: group_3.id, + user_id: user_2.id} - expect(response.body).to be_empty + expect(response).to have_http_status :forbidden end it 'must not create a group_owner for an app without a user token' do - expect{api_post :create, untrusted_application_token, + api_post :create, untrusted_application_token, parameters: {group_id: group_3.id, - user_id: user_2.id}}.to( - raise_error(SecurityTransgression)) + user_id: user_2.id} - expect(response.body).to be_empty + expect(response).to have_http_status :forbidden end it 'must not create a group_owner for an unauthorized user' do - expect{api_post :create, user_1_token, parameters: {group_id: group_3.id, - user_id: user_2.id}}.to( - raise_error(SecurityTransgression)) + api_post :create, user_1_token, parameters: {group_id: group_3.id, + user_id: user_2.id} - expect(response.body).to be_empty + expect(response).to have_http_status :forbidden group_3.add_member(user_1) controller.current_human_user.reload - expect{api_post :create, user_1_token, parameters: {group_id: group_3.id, - user_id: user_2.id}}.to( - raise_error(SecurityTransgression)) + api_post :create, user_1_token, parameters: {group_id: group_3.id, + user_id: user_2.id} - expect(response.body).to be_empty + expect(response).to have_http_status :forbidden end it 'must create group_owners for authorized users' do 
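Review bot: The forbidden `api_post :create` calls in this hunk do not check that no GroupOwner row was written, while the destroy cases in the same file do check the record survives; with a rescue-rendered 403 the status alone no longer proves the action body was skipped. Add after each call `expect(GroupOwner.where(group_id: group_3.id, user_id: user_2.id)).to be_empty` (column names assumed from the params — verify), and keep a body assertion if the handler renders a payload. The context block starts before the hunk.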
@@ -269,42 +263,38 @@ context 'destroy' do it 'must not destroy a group_owner without a token' do - expect{api_delete :destroy, nil, + api_delete :destroy, nil, parameters: {group_id: group_2.id, - user_id: user_2.id}}.to( - raise_error(SecurityTransgression)) + user_id: user_2.id} - expect(response.body).to be_empty + expect(response).to have_http_status :forbidden expect(GroupOwner.where(id: group_owner_1.id).first).not_to be_nil end it 'must not destroy a group_owner for an app without a user token' do - expect{api_delete :destroy, untrusted_application_token, + api_delete :destroy, untrusted_application_token, parameters: {group_id: group_2.id, - user_id: user_2.id}}.to( - raise_error(SecurityTransgression)) + user_id: user_2.id} - expect(response.body).to be_empty + expect(response).to have_http_status :forbidden expect(GroupOwner.where(id: group_owner_1.id).first).not_to be_nil end it 'must not destroy a group_owner for an unauthorized user' do - expect{api_delete :destroy, user_1_token, + api_delete :destroy, user_1_token, parameters: {group_id: group_2.id, - user_id: user_2.id}}.to( - raise_error(SecurityTransgression)) + user_id: user_2.id} - expect(response.body).to be_empty + expect(response).to have_http_status :forbidden expect(GroupOwner.where(id: group_owner_1.id).first).not_to be_nil group_2.add_member(user_1) - expect{api_delete :destroy, user_1_token, + api_delete :destroy, user_1_token, parameters: {group_id: group_2.id, - user_id: user_2.id}}.to( - raise_error(SecurityTransgression)) + user_id: user_2.id} - expect(response.body).to be_empty + expect(response).to have_http_status :forbidden expect(GroupOwner.where(id: group_owner_1.id).first).not_to be_nil end diff --git a/spec/controllers/api/v1/groups_controller_spec.rb b/spec/controllers/api/v1/groups_controller_spec.rb index 352b1820b..e750b851d 100644 --- a/spec/controllers/api/v1/groups_controller_spec.rb +++ b/spec/controllers/api/v1/groups_controller_spec.rb 
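Review bot: The last case of this hunk calls `group_2.add_member(user_1)` and immediately re-issues `api_delete` without `controller.current_human_user.reload`, unlike the create cases in this file; if the controller memoizes the user across the example's requests, the second `:forbidden` may be produced by stale state rather than by the member-cannot-remove-owner rule this case exists to prove. Add `controller.current_human_user.reload` after `group_2.add_member(user_1)`. The context block continues outside the hunk.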
@@ -251,24 +251,21 @@ end it 'must not show a private group without a token' do - expect{api_get :show, nil, parameters: {id: group_1.id}}.to( - raise_error(SecurityTransgression)) + api_get :show, nil, parameters: {id: group_1.id} - expect(response.body).to be_empty + expect(response).to have_http_status :forbidden end it 'must not show a private group to an app without a user token' do - expect{api_get :show, untrusted_application_token, parameters: {id: group_1.id}}.to( - raise_error(SecurityTransgression)) + api_get :show, untrusted_application_token, parameters: {id: group_1.id} - expect(response.body).to be_empty + expect(response).to have_http_status :forbidden end it 'must not show a private group to an unauthorized user' do - expect{api_get :show, user_1_token, parameters: {id: group_1.id}}.to( - raise_error(SecurityTransgression)) + api_get :show, user_1_token, parameters: {id: group_1.id} - expect(response.body).to be_empty + expect(response).to have_http_status :forbidden end it 'must show private groups to authorized users' do @@ -331,17 +328,15 @@ context 'create' do it 'must not create a group without a token' do - expect{api_post :create, nil}.to( - raise_error(SecurityTransgression)) + api_post :create, nil - expect(response.body).to be_empty + expect(response).to have_http_status :forbidden end it 'must not create a group for an app without a user token' do - expect{api_post :create, untrusted_application_token}.to( - raise_error(SecurityTransgression)) + api_post :create, untrusted_application_token - expect(response.body).to be_empty + expect(response).to have_http_status :forbidden end it 'must create groups for users' do 
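Review bot: The three forbidden `api_get :show` cases in the first hunk drop `expect(response.body).to be_empty`, which was the assertion that actually protected the private group's data; `have_http_status :forbidden` alone passes even if the handler renders the group JSON with a 403 status. Reinstate a body check, e.g. `expect(response.body).not_to include(group_1.name)`, or the original `be_empty` if the handler renders nothing. The context block starts before the hunk.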
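Review bot: Neither forbidden `api_post :create` in the create hunk verifies that no group was persisted, so a handler that renders 403 after the save would pass; `expect { api_post :create, nil }.not_to change(Group, :count)` pins it, and the same for `untrusted_application_token`. The context block continues outside the hunk.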
@@ -367,54 +362,49 @@ context 'update' do it 'must not update a group without a token' do - expect{api_put :update, nil, + api_put :update, nil, parameters: {id: group_3.id}, - raw_post_data: {name: 'MyGroup'}}.to( - raise_error(SecurityTransgression)) + raw_post_data: {name: 'MyGroup'} - expect(response.body).to be_empty + expect(response).to have_http_status :forbidden expect(group_3.reload.name).to eq('Group 3') end it 'must not update a group for an app without a user token' do - expect{api_put :update, untrusted_application_token, + api_put :update, untrusted_application_token, parameters: {id: group_3.id}, - raw_post_data: {name: 'MyGroup'}}.to( - raise_error(SecurityTransgression)) + raw_post_data: {name: 'MyGroup'} - expect(response.body).to be_empty + expect(response).to have_http_status :forbidden expect(group_3.reload.name).to eq('Group 3') end it 'must not update a group for an unauthorized user' do - expect{api_put :update, user_1_token, + api_put :update, user_1_token, parameters: {id: group_3.id}, - raw_post_data: {name: 'MyGroup'}}.to( - raise_error(SecurityTransgression)) + raw_post_data: {name: 'MyGroup'} - expect(response.body).to be_empty + expect(response).to have_http_status :forbidden expect(group_3.reload.name).to eq('Group 3') group_3.add_member(user_1) - expect{api_put :update, user_1_token, + api_put :update, user_1_token, parameters: {id: group_3.id}, - raw_post_data: {name: 'MyGroup'}}.to( - raise_error(SecurityTransgression)) + raw_post_data: {name: 'MyGroup'} - expect(response.body).to be_empty + expect(response).to have_http_status :forbidden expect(group_3.reload.name).to eq('Group 3') FactoryGirl.create(:group_nesting, container_group: group_3, member_group: group_2) group_2.add_owner(user_1) - expect{api_put :update, user_1_token, + api_put :update, user_1_token, parameters: {id: group_3.id}, - raw_post_data: {name: 'MyGroup'}}.to( - raise_error(SecurityTransgression)) + raw_post_data: {name: 'MyGroup'} - expect(response.body).to 
be_empty + expect(response).to have_http_status :forbidden expect(group_3.reload.name).to eq('Group 3') end 
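Review bot: In the unauthorized-user case of this hunk `group_3.add_member(user_1)` and later `group_2.add_owner(user_1)` are each followed by another `api_put` without `controller.current_human_user.reload`, whereas the group_members and group_owners create specs in this diff reload after every such change; if `current_human_user` is memoized across the example's requests, the later `:forbidden` results may come from the user's stale pre-membership state, so the rule that a member or nested-group owner cannot rename `group_3` is not actually exercised. Add `controller.current_human_user.reload` after each membership/ownership change. The `group_3.reload.name` checks are the right complement to the status and should stay.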
@@ -432,48 +422,43 @@ context 'destroy' do it 'must not destroy a group without a token' do - expect{api_delete :destroy, nil, - parameters: {id: group_3.id}}.to( - raise_error(SecurityTransgression)) + api_delete :destroy, nil, + parameters: {id: group_3.id} - expect(response.body).to be_empty + expect(response).to have_http_status :forbidden expect(Group.where(id: group_3.id).first).not_to be_nil end it 'must not destroy a group for an app without a user token' do - expect{api_delete :destroy, untrusted_application_token, - parameters: {id: group_3.id}}.to( - raise_error(SecurityTransgression)) + api_delete :destroy, untrusted_application_token, + parameters: {id: group_3.id} - expect(response.body).to be_empty + expect(response).to have_http_status :forbidden expect(Group.where(id: group_3.id).first).not_to be_nil end it 'must not destroy a group for an unauthorized user' do - expect{api_delete :destroy, user_1_token, - parameters: {id: group_3.id}}.to( - raise_error(SecurityTransgression)) + api_delete :destroy, user_1_token, + parameters: {id: group_3.id} - expect(response.body).to be_empty + expect(response).to have_http_status :forbidden expect(Group.where(id: group_3.id).first).not_to be_nil group_3.add_member(user_1) - expect{api_delete :destroy, user_1_token, - parameters: {id: group_3.id}}.to( - raise_error(SecurityTransgression)) + api_delete :destroy, user_1_token, + parameters: {id: group_3.id} - expect(response.body).to be_empty + expect(response).to have_http_status :forbidden expect(Group.where(id: group_3.id).first).not_to be_nil FactoryGirl.create(:group_nesting, container_group: group_3, member_group: group_2) group_2.add_owner(user_1) - expect{api_delete :destroy, user_1_token, - parameters: {id: group_3.id}}.to( - raise_error(SecurityTransgression)) + api_delete :destroy, user_1_token, + parameters: {id: group_3.id} - expect(response.body).to be_empty + expect(response).to have_http_status :forbidden expect(Group.where(id: 
group_3.id).first).not_to be_nil end diff --git a/spec/controllers/api/v1/messages_controller_spec.rb b/spec/controllers/api/v1/messages_controller_spec.rb index f6d2644c3..41c42e443 100644 --- a/spec/controllers/api/v1/messages_controller_spec.rb +++ b/spec/controllers/api/v1/messages_controller_spec.rb @@ -71,17 +71,14 @@ it "does not allow users or untrusted applications to send messages" do Mail::TestMailer.deliveries.clear - expect{ - api_post :create, user_1_untrusted_token, parameters: message_params - }.to raise_error(Lev::SecurityTransgression) + api_post :create, user_1_untrusted_token, parameters: message_params + expect(response).to have_http_status :forbidden - expect{ - api_post :create, user_1_trusted_token, parameters: message_params - }.to raise_error(Lev::SecurityTransgression) + api_post :create, user_1_trusted_token, parameters: message_params + expect(response).to have_http_status :forbidden - expect{ - api_post :create, untrusted_application_token, parameters: message_params - }.to raise_error(Lev::SecurityTransgression) + api_post :create, untrusted_application_token, parameters: message_params + expect(response).to have_http_status :forbidden # These exceptions are no longer "notified" out expect(Mail::TestMailer.deliveries.size).to eq(0) diff --git a/spec/controllers/api/v1/users_controller_spec.rb b/spec/controllers/api/v1/users_controller_spec.rb index 859e00316..c7a1fc43b 100644 --- a/spec/controllers/api/v1/users_controller_spec.rb +++ b/spec/controllers/api/v1/users_controller_spec.rb @@ -109,7 +109,8 @@ end it "should not let an application get a User without a token" do - expect {api_get :show, trusted_application_token, parameters: {id: admin_user.id}}.to raise_error(SecurityTransgression) + api_get :show, trusted_application_token, parameters: {id: admin_user.id} + expect(response).to have_http_status :forbidden end it "should return a properly formatted JSON response for low-info user" do 
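Review bot: The groups destroy hunk repeats the pattern from the update hunk: `group_3.add_member(user_1)` and `group_2.add_owner(user_1)` are followed by another `api_delete` with no `controller.current_human_user.reload`, so if the user is memoized across requests the later `:forbidden` may be stale state rather than the member/nested-owner rule. Add `controller.current_human_user.reload` after each change; the `Group.where(id: group_3.id)` checks are good.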
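Review bot: The comment `# These exceptions are no longer "notified" out` in the messages hunk is now misleading, because after this change no exception is raised at all; the `deliveries.size == 0` assertion is really pinning that a forbidden `create` sends neither the message nor an exception-notification mail. Reword it, e.g. `# A forbidden request must neither deliver the message nor trigger an exception-notification email`. The example's enclosing describe starts before the hunk.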
@@ -195,7 +196,8 @@ end it "should not let an application update a User without a token" do - expect{api_put :update, trusted_application_token, parameters: {id: admin_user.id}}.to raise_error(SecurityTransgression) + api_put :update, trusted_application_token, parameters: {id: admin_user.id} + expect(response).to have_http_status :forbidden end it "should not let a user's contact info be modified through the users API" do @@ -249,21 +251,19 @@ it "should not create a new user for anonymous" do user_count = User.count - expect{ - api_post :find_or_create, - nil, - raw_post_data: {email: 'a-new-email@test.com'} - }.to raise_error(SecurityTransgression) + api_post :find_or_create, + nil, + raw_post_data: {email: 'a-new-email@test.com'} + expect(response).to have_http_status :forbidden expect(User.count).to eq user_count end it "should not create a new user for another user" do user_count = User.count - expect{ - api_post :find_or_create, - user_2_token, - raw_post_data: {email: 'a-new-email@test.com'} - }.to raise_error(SecurityTransgression) + api_post :find_or_create, + user_2_token, + raw_post_data: {email: 'a-new-email@test.com'} + expect(response).to have_http_status :forbidden expect(User.count).to eq user_count end diff --git a/spec/controllers/oauth/applications_controller_spec.rb b/spec/controllers/oauth/applications_controller_spec.rb index effe296e5..8ce3d6283 100644 --- a/spec/controllers/oauth/applications_controller_spec.rb +++ b/spec/controllers/oauth/applications_controller_spec.rb @@ -92,8 +92,8 @@ module Oauth it "should not let a user get someone else's application" do controller.sign_in! user - expect{get :show, id: untrusted_application_admin.id}.to( - raise_error(SecurityTransgression)) + get :show, id: untrusted_application_admin.id + expect(response).to have_http_status :forbidden end it "should let an admin get someone else's application" do 
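Review bot: The oauth `show` case in the last hunk now asserts only `:forbidden`, and since the body is unchecked nothing proves another user's client credentials are not rendered alongside the 403 — the exception used to abort rendering entirely. Add `expect(response.body).not_to include(untrusted_application_admin.secret)` (use whatever attribute holds the client secret on the application model; the name is not visible here). The users_controller hunks above look fine as far as visible: `find_or_create` pairs the 403 with a `User.count` check.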
@@ -107,7 +107,8 @@ module Oauth it "should not let a user get new" do controller.sign_in! user - expect{ get :new }.to raise_error(SecurityTransgression) + get :new + expect(response).to have_http_status :forbidden end it "should let an admin get new" do @@ -118,10 +119,11 @@ module Oauth it "should not let a user create an application" do controller.sign_in! user - expect{ post :create, :application => { + post :create, :application => { name: 'Some app', redirect_uri: 'http://www.example.com', - trusted: true} }.to raise_error(SecurityTransgression) + trusted: true} + expect(response).to have_http_status :forbidden end it "should let an admin create an application" do @@ -146,8 +148,8 @@ module Oauth it "should not let a user edit someone else's application" do controller.sign_in! user - expect{get :edit, id: untrusted_application_admin.id}.to( - raise_error(SecurityTransgression)) + get :edit, id: untrusted_application_admin.id + expect(response).to have_http_status :forbidden end it "should let an admin edit someone else's application" do @@ -170,7 +172,8 @@ module Oauth it "should not let a user update someone else's application" do controller.sign_in! user - expect{post :update, id: untrusted_application_admin.id, application: {name: 'Some other name', redirect_uri: 'http://www.example.net', trusted: true}}.to raise_error(SecurityTransgression) + post :update, id: untrusted_application_admin.id, application: {name: 'Some other name', redirect_uri: 'http://www.example.net', trusted: true} + expect(response).to have_http_status :forbidden end it "should let an admin update someone else's application" do 
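Review bot: The `post :update` case in the last hunk submits `trusted: true` for someone else's application and then checks only the status; nothing verifies the attributes were not persisted, and a 403 rendered after assignment would still pass. Capture the attributes before the request and assert they are unchanged, e.g. `expect(untrusted_application_admin.reload).to have_attributes(before.slice('name', 'redirect_uri', 'trusted'))`. The `create` hunk has the same gap — `expect { post :create, ... }.not_to change(Doorkeeper::Application, :count)` (substitute the real model) pins that a non-admin cannot register a trusted app. The describe block starts before the hunks.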
@@ -184,8 +187,8 @@ module Oauth it "should not let a user destroy an application" do controller.sign_in! user - expect{delete :destroy, id: untrusted_application_user.id}.to( - raise_error(SecurityTransgression)) + delete :destroy, id: untrusted_application_user.id + expect(response).to have_http_status :forbidden end it "should let an admin destroy an application" do diff --git a/spec/controllers/remote_controller_spec.rb b/spec/controllers/remote_controller_spec.rb index 529d35040..3f4ca3504 100644 --- a/spec/controllers/remote_controller_spec.rb +++ b/spec/controllers/remote_controller_spec.rb @@ -8,8 +8,10 @@ render_views it 'throws when parent is not present or invalid' do - expect { get(:iframe) }.to raise_error(SecurityTransgression) - expect { get(:iframe, parent: 'foo') }.to raise_error(SecurityTransgression) + get(:iframe) + expect(response).to have_http_status :forbidden + get(:iframe, parent: 'foo') + expect(response).to have_http_status :forbidden end it 'loads and sets parent as context' do diff --git a/spec/features/add_application_spec.rb b/spec/features/add_application_spec.rb index 84641db76..7291c5f4e 100644 --- a/spec/features/add_application_spec.rb +++ b/spec/features/add_application_spec.rb @@ -1,6 +1,6 @@ require 'rails_helper' -feature 'Add application to accounts' do +feature 'Add application to accounts', js: true do scenario 'without logging in' do visit '/oauth/applications' expect_sign_in_page @@ -27,6 +27,7 @@ visit '/signin' signin_as 'user' - expect{ visit '/oauth/applications/new' }.to raise_error(StandardError) + visit '/oauth/applications/new' + expect(page).to have_http_status 403 end end diff --git a/spec/features/log_out_inactive_admins.rb b/spec/features/log_out_inactive_admins.rb index ca2a96fd8..d42aa13e5 100644 --- a/spec/features/log_out_inactive_admins.rb +++ b/spec/features/log_out_inactive_admins.rb 
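Review bot: `expect(page).to have_http_status 403` in the add_application hunk goes through `page.status_code`, which JavaScript drivers such as Selenium do not implement (`Capybara::NotSupportedByDriverError`), and the same change tags the whole feature `js: true`; the scenario will only work under a driver that exposes status codes (Poltergeist does, Selenium does not), which is inferred from the driver in use rather than visible here. Either keep this scenario on rack_test (tag only the scenarios that need JS) or assert on rendered content, e.g. `expect(page).to have_content('403')`. If `js: true` was added only so the 403 is rendered instead of raised in-process, rack_test with `Capybara.raise_server_errors = false` is the cheaper fix.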
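Review bot: The oauth `destroy` case in the first hunk asserts only `:forbidden` and not that the application still exists, unlike the API destroy specs in this diff which check the record after the 403. Add `expect(Doorkeeper::Application.exists?(untrusted_application_user.id)).to be true` (substitute the model backing `untrusted_application_user`). The describe block starts before the hunk.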
@@ -100,7 +100,7 @@ expect(page).to have_current_path(visitor_page_url) end - scenario "can access non-admin (user required login) features when logged in" do + scenario "can access user features" do visit non_admin_feature_url expect(page).to have_current_path(non_admin_feature_url) @@ -113,7 +113,7 @@ expect(page).not_to have_current_path(admin_feature_url) end - scenario "cannot access non-admin* (required login) features" do + scenario "cannot access user features" do visit non_admin_feature_url expect(page).to have_current_path(signin_path) diff --git a/spec/features/unknown_route_spec.rb b/spec/features/unknown_route_spec.rb index 20d8708ac..8f8de7383 100644 --- a/spec/features/unknown_route_spec.rb +++ b/spec/features/unknown_route_spec.rb @@ -3,15 +3,13 @@ feature 'Unknown route used' do scenario 'when it is a JSON request' do - expect{ - visit '/lkajsdlkjdklfsjldkfjsl.json' - }.to raise_error(ActionController::RoutingError) + visit '/lkajsdlkjdklfsjldkfjsl.json' + expect(page).to have_http_status 404 end scenario 'when it is an HTML request' do - expect{ - visit '/lkajsdlkjdklfsjldkfjsl' - }.to raise_error(ActionController::RoutingError) + visit '/lkajsdlkjdklfsjldkfjsl' + expect(page).to have_http_status 404 end end diff --git a/spec/features/user_signs_up_spec.rb b/spec/features/user_signs_up_spec.rb index 774b255af..d571d8023 100644 --- a/spec/features/user_signs_up_spec.rb +++ b/spec/features/user_signs_up_spec.rb @@ -5,7 +5,7 @@ create_application visit_authorize_uri - expect_sign_in_page + expect(page.current_url).to include(signin_path) click_password_sign_up expect(page).to have_content('Create Account') @@ -23,9 +23,9 @@ visit '/' click_link 'Sign out' - expect_sign_in_page + expect(page.current_url).to include(signin_path) expect(page).not_to have_content('Welcome, testuser') - expect_sign_in_page + expect(page.current_url).to include(signin_path) end scenario 'sign up chooser page' do 
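Review bot: `spec/features/log_out_inactive_admins.rb` does not end in `_spec.rb`, so under RSpec's default pattern (`spec/**/*_spec.rb`) these admin session-expiry scenarios are never run and the renamed scenarios in these hunks pass only by not executing; check `.rspec`/`spec_helper` for a custom pattern, and if there is none rename the file to `log_out_inactive_admins_spec.rb` and confirm it is green. The new titles `can access user features` / `cannot access user features` also drop the hint that these are login-required, non-admin pages; `can access login-required user features` keeps it. Both hunks are fragments of scenario groups that start before them.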
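Review bot: Replacing `expect_sign_in_page` with `expect(page.current_url).to include(signin_path)` in the two user_signs_up hunks weakens the assertion: `include` on the full URL also matches any path that merely contains the sign-in path, and the helper presumably also checked page content, which is lost (the helper is outside this diff, so that is inferred). The last hunk of the same file uses `expect(page).to have_current_path signin_path`, which is exact and waits for navigation; use that form here too, adding `ignore_query: true` if the redirect carries parameters.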
@@ -224,7 +224,7 @@ end visit '/signout' - expect_sign_in_page + expect(page).to have_current_path signin_path end end