tricky_operations_spec.rb
require 'spec_helper'
# Request specs for JSON:API operations whose authorization outcome depends on
# related records as well as on the primary resource: creating a resource with
# a relationship in the payload (plain and polymorphic), and replacing a
# to-many relationship through PATCH.
#
# allow_operation / disallow_operation come from AuthorizationStubs, which is
# not shown here; presumably they stub the authorizer's decision for the named
# operation and its arguments -- confirm against that helper.
RSpec.describe 'Tricky operations', type: :request do
  include AuthorizationStubs
  fixtures :all

  # Drawn at random from the loaded fixtures, so a failure may depend on which
  # record was picked for that run.
  let(:article) { Article.all.sample }
  # Deny-by-default: the article scope resolves to no records unless an
  # example group widens it explicitly.
  let(:policy_scope) { Article.none }
  let(:json_data) { JSON.parse(last_response.body)["data"] }

  subject { last_response }

  before do
    # Every ArticlePolicy::Scope#resolve call returns the scope chosen above.
    allow_any_instance_of(ArticlePolicy::Scope).to receive(:resolve).and_return(policy_scope)
    header 'Content-Type', 'application/vnd.api+json'
  end

  describe 'POST /comments (with relationships link to articles)' do
    subject(:last_response) { post("/comments", json) }

    # The article is inside the scope in both contexts below, so the status
    # code is decided by the create_resource stub alone: being able to see
    # the related record is not what grants the right to link to it.
    let(:policy_scope) { Article.where(id: article.id) }

    # The payload addresses the article by external_id, while the scope above
    # is built from the database id.
    let(:json) do
      <<-PAYLOAD.strip_heredoc
        {
          "data": {
            "type": "comments",
            "relationships": {
              "article": {
                "data": {
                  "id": "#{article.external_id}",
                  "type": "articles"
                }
              }
            }
          }
        }
      PAYLOAD
    end

    context 'authorized for create_resource on Comment and [article]' do
      before { allow_operation('create_resource', Comment, [article]) }

      it { is_expected.to be_successful }
    end

    context 'unauthorized for create_resource on Comment and [article]' do
      before { disallow_operation('create_resource', Comment, [article]) }

      it { is_expected.to be_forbidden }
    end
  end

  describe 'POST /tags (with polymorphic relationship link to article)' do
    subject(:last_response) { post("/tags", json) }

    # Same arrangement as the comments case: the article is in scope in both
    # contexts and only the create_resource stub differs.
    let(:policy_scope) { Article.where(id: article.id) }

    # "taggable" is the polymorphic relationship; the related record is still
    # sent with an explicit type and the article's external_id.
    let(:json) do
      <<-PAYLOAD.strip_heredoc
        {
          "data": {
            "type": "tags",
            "relationships": {
              "taggable": {
                "data": {
                  "id": "#{article.external_id}",
                  "type": "articles"
                }
              }
            }
          }
        }
      PAYLOAD
    end

    context 'authorized for create_resource on Tag and [article]' do
      before { allow_operation('create_resource', Tag, [article]) }

      it { is_expected.to be_successful }
    end

    context 'unauthorized for create_resource on Tag and [article]' do
      before { disallow_operation('create_resource', Tag, [article]) }

      it { is_expected.to be_forbidden }
    end
  end

  describe 'PATCH /articles/:id (mass-modifying relationships)' do
    subject(:last_response) { patch("/articles/#{article.external_id}", json) }

    # Created eagerly (let!), before the CommentPolicy::Scope stub below is
    # installed, so both records exist when the request is sent.
    let!(:new_comments) { 2.times.map { Comment.create } }

    let(:policy_scope) { Article.where(id: article.id) }
    # By default every comment is visible; one context below narrows this.
    let(:comments_policy_scope) { Comment.all }

    # Replaces the article's comments relationship with the two new records.
    let(:json) do
      <<-PAYLOAD.strip_heredoc
        {
          "data": {
            "id": "#{article.external_id}",
            "type": "articles",
            "relationships": {
              "comments": {
                "data": [
                  { "type": "comments", "id": "#{new_comments.first.id}" },
                  { "type": "comments", "id": "#{new_comments.second.id}" }
                ]
              }
            }
          }
        }
      PAYLOAD
    end

    before do
      allow_any_instance_of(CommentPolicy::Scope).to receive(:resolve).and_return(comments_policy_scope)
    end

    context 'authorized for replace_fields on article and all new records' do
      before { allow_operation('replace_fields', article, new_comments) }

      context 'not limited by Comments policy scope' do
        it { is_expected.to be_successful }
      end

      context 'limited by Comments policy scope' do
        # Excludes exactly the records the payload tries to attach.
        let(:comments_policy_scope) { Comment.where("id NOT IN (?)", new_comments.map(&:id)) }

        # The operation is allowed but the related records are outside the
        # caller's Comment scope. The 404 expectation is marked pending, so it
        # is not expected to hold yet; RSpec will flag the example if it ever
        # starts passing.
        # NOTE(review): until the DISCUSS item is settled, treat "can a record
        # outside the policy scope be attached by id?" as an open
        # authorization question for this code path.
        it do
          pending 'DISCUSS: Should this error out somehow?'
          is_expected.to be_not_found
        end
      end
    end

    context 'unauthorized for replace_fields on article and all new records' do
      before { disallow_operation('replace_fields', article, new_comments) }

      it { is_expected.to be_forbidden }
    end
  end
end