Added auth feature for memberships

2012-04-30 16:29:32 -03:00 · 2012-04-30 16:29:32 -03:00 · 24e5eb855a
commit 24e5eb855a
parent 9c15f1cbab
5 changed files with 301 additions and 1 deletions
--- a/app/controllers/locomotive/api/base_controller.rb
+++ b/app/controllers/locomotive/api/base_controller.rb
@ -13,7 +13,7 @@ module Locomotive

      before_filter :set_locale

-      # before_filter :validate_site_membership
+      before_filter :set_current_thread_variables

      self.responder = Locomotive::ActionController::Responder # custom responder

@ -21,6 +21,11 @@ module Locomotive

      protected

+    def set_current_thread_variables
+      Thread.current[:account]  = current_locomotive_account
+      Thread.current[:site]     = current_site
+    end
+
      def current_ability
        @current_ability ||= Ability.new(current_locomotive_account, current_site)
      end
--- a/app/controllers/locomotive/api/memberships_controller.rb
+++ b/app/controllers/locomotive/api/memberships_controller.rb
@ -0,0 +1,49 @@
+module Locomotive
+  module Api
+    class MembershipsController < BaseController
+
+      # It's an embedded document, so we'll just load manually
+      before_filter :load_membership, :only => [ :show, :update, :destroy ]
+      before_filter :load_memberships, :only => [ :index ]
+
+      authorize_resource :class => Locomotive::Membership
+
+      def index
+        respond_with(@memberships)
+      end
+
+      def show
+        respond_with(@membership)
+      end
+
+      def create
+        build_params = params[:membership].merge({ :role => 'author' }) # force author by default
+        @membership = current_site.memberships.create(build_params)
+        respond_with(@membership)
+      end
+
+      def update
+        @membership.update_attributes(params[:membership])
+        respond_with(@membership)
+      end
+
+      def destroy
+        @membership.destroy
+        respond_with(@membership)
+      end
+
+      protected
+
+      def load_membership
+        @membership ||= load_memberships.find(params[:id])
+      end
+
+      def load_memberships
+        @memberships ||= current_site.memberships
+      end
+
+    end
+
+  end
+end
+
--- a/config/routes.rb
+++ b/config/routes.rb
@ -70,6 +70,8 @@ Rails.application.routes.draw do

      resources :sites

+      resources :memberships
+
      resource  :current_site, :controller => 'current_site'

    end
--- a/features/api/authorization/memberships.feature
+++ b/features/api/authorization/memberships.feature
@ -0,0 +1,225 @@
+Feature: Memberships
+  In order to ensure memberships are not tampered with
+  As an admin, designer or author
+  I will be restricted based on my role
+
+  Background:
+    Given I have the site: "test site" set up with id: "4f832c2cb0d86d3f42fffffb"
+    And I have accounts:
+      | email           | id                        |
+      | new-user@a.com  | 4f832c2cb0d86d3f42fffffc  |
+    And I have memberships:
+      | email           | role      | id                        |
+      | admin@a.com     | admin     | 4f832c2cb0d86d3f42fffffd  |
+      | designer@a.com  | designer  | 4f832c2cb0d86d3f42fffffe  |
+      | author@a.com    | author    | 4f832c2cb0d86d3f42ffffff  |
+
+  Scenario: As an unauthenticated user
+    Given I am not authenticated
+    When I do an API GET to memberships.json
+    Then the JSON response at "error" should be "You need to sign in or sign up before continuing."
+
+  # listing memberships
+
+  Scenario: Accessing memberships as an Admin
+    Given I have an "admin" API token
+    When I do an API GET request to memberships.json
+    Then the JSON response should be an array
+    And the JSON response should have 4 entries
+
+  Scenario: Accessing memberships as a Designer
+    Given I have a "designer" API token
+    When I do an API GET request to memberships.json
+    Then the JSON response should be an array
+    And the JSON response should have 4 entries
+
+  Scenario: Accessing memberships as an Author
+    Given I have an "author" API token
+    When I do an API GET request to memberships.json
+    Then an access denied error should occur
+
+  # showing membership
+
+  Scenario: Accessing membership as an Admin
+    Given I have an "admin" API token
+    When I do an API GET request to memberships/4f832c2cb0d86d3f42fffffd.json
+    Then the JSON response at "email" should be "admin@a.com"
+    When I do an API GET request to memberships/4f832c2cb0d86d3f42fffffe.json
+    Then the JSON response at "email" should be "designer@a.com"
+    When I do an API GET request to memberships/4f832c2cb0d86d3f42ffffff.json
+    Then the JSON response at "email" should be "author@a.com"
+
+  Scenario: Accessing membership as a Designer
+    Given I have a "designer" API token
+    When I do an API GET request to memberships/4f832c2cb0d86d3f42fffffd.json
+    Then the JSON response at "email" should be "admin@a.com"
+    When I do an API GET request to memberships/4f832c2cb0d86d3f42fffffe.json
+    Then the JSON response at "email" should be "designer@a.com"
+    When I do an API GET request to memberships/4f832c2cb0d86d3f42ffffff.json
+    Then the JSON response at "email" should be "author@a.com"
+
+  Scenario: Accessing membership as an Author
+    Given I have an "author" API token
+    When I do an API GET request to memberships/4f832c2cb0d86d3f42fffffe.json
+    Then an access denied error should occur
+
+  # create membership
+
+  Scenario: Creating new membership as an Admin
+    Given I have an "admin" API token
+    When I do an API POST to memberships.json with:
+    """
+    {
+      "membership": {
+        "site_id": "4f832c2cb0d86d3f42fffffb",
+        "account_id": "4f832c2cb0d86d3f42fffffc"
+      }
+    }
+    """
+    When I do an API GET request to memberships.json
+    Then the JSON response should be an array
+    And the JSON response should have 5 entries
+
+  Scenario: Creating new membership as a Designer
+    Given I have a "designer" API token
+    When I do an API POST to memberships.json with:
+    """
+    {
+      "membership": {
+        "site_id": "4f832c2cb0d86d3f42fffffb",
+        "account_id": "4f832c2cb0d86d3f42fffffc"
+      }
+    }
+    """
+    When I do an API GET request to memberships.json
+    Then the JSON response should be an array
+    And the JSON response should have 5 entries
+
+  Scenario: Creating new membership as an Author
+    Given I have an "author" API token
+    When I do an API POST to memberships.json with:
+    """
+    {
+      "membership": {
+        "site_id": "4f832c2cb0d86d3f42fffffb",
+        "account_id": "4f832c2cb0d86d3f42fffffc"
+      }
+    }
+    """
+    Then an access denied error should occur
+
+  Scenario: Created membership should always be Author
+    Given I have an "admin" API token
+    When I do an API POST to memberships.json with:
+    """
+    {
+      "membership": {
+        "site_id": "4f832c2cb0d86d3f42fffffb",
+        "account_id": "4f832c2cb0d86d3f42fffffc",
+        "role": "admin"
+      }
+    }
+    """
+    When I do an API GET request to memberships.json
+    Then the JSON response should be an array
+    And the JSON response should have 5 entries
+    And the JSON at "4/role" should be "author"
+
+  # update membership
+
+  Scenario: Updating membership as an Admin
+    Given I have an "admin" API token
+    When I do an API PUT to memberships/4f832c2cb0d86d3f42ffffff.json with:
+    """
+    {
+      "membership": {
+        "role": "admin"
+      }
+    }
+    """
+    When I do an API GET request to memberships/4f832c2cb0d86d3f42ffffff.json
+    Then the JSON response at "role" should be "admin"
+
+  Scenario: Updating membership as a Designer
+    Given I have a "designer" API token
+    When I do an API PUT to memberships/4f832c2cb0d86d3f42ffffff.json with:
+    """
+    {
+      "membership": {
+        "role": "admin"
+      }
+    }
+    """
+    When I do an API GET request to memberships/4f832c2cb0d86d3f42ffffff.json
+    Then the JSON response at "role" should be "author"
+    When I do an API PUT to memberships/4f832c2cb0d86d3f42ffffff.json with:
+    """
+    {
+      "membership": {
+        "role": "designer"
+      }
+    }
+    """
+    When I do an API GET request to memberships/4f832c2cb0d86d3f42ffffff.json
+    Then the JSON response at "role" should be "designer"
+
+  Scenario: Updating membership as an Author
+    Given I have a "author" API token
+    When I do an API PUT to memberships/4f832c2cb0d86d3f42ffffff.json with:
+    """
+    {
+      "membership": {
+        "role": "admin"
+      }
+    }
+    """
+    Then an access denied error should occur
+    When I do an API PUT to memberships/4f832c2cb0d86d3f42ffffff.json with:
+    """
+    {
+      "membership": {
+        "role": "designer"
+      }
+    }
+    """
+    Then an access denied error should occur
+    When I do an API PUT to memberships/4f832c2cb0d86d3f42ffffff.json with:
+    """
+    {
+      "membership": {
+        "role": "author"
+      }
+    }
+    """
+    Then an access denied error should occur
+
+  # destroy membership
+
+  Scenario: Destroying membership as an Admin
+    Given I have an "admin" API token
+    When I do an API GET request to memberships.json
+    Then the JSON response should be an array
+    And the JSON response should have 4 entries
+    When I do an API DELETE to memberships/4f832c2cb0d86d3f42ffffff.json
+    When I do an API GET request to memberships.json
+    Then the JSON response should be an array
+    And the JSON response should have 3 entries
+
+  Scenario: Destroying membership as a Designer
+    Given I have a "designer" API token
+    When I do an API GET request to memberships.json
+    Then the JSON response should be an array
+    And the JSON response should have 4 entries
+    When I do an API DELETE to memberships/4f832c2cb0d86d3f42ffffff.json
+    When I do an API GET request to memberships.json
+    Then the JSON response should be an array
+    And the JSON response should have 3 entries
+    When I do an API DELETE to memberships/4f832c2cb0d86d3f42fffffe.json
+    Then an access denied error should occur
+    When I do an API DELETE to memberships/4f832c2cb0d86d3f42fffffd.json
+    Then an access denied error should occur
+
+  Scenario: Deleting membership as an Author
+    Given I have a "author" API token
+    When I do an API DELETE to memberships/4f832c2cb0d86d3f42fffffe.json
+    Then an access denied error should occur
--- a/features/step_definitions/membership_steps.rb
+++ b/features/step_definitions/membership_steps.rb
@ -0,0 +1,19 @@
+
+Given /^I have accounts:$/ do |accounts_table|
+  accounts_table.hashes.each do |account_hash|
+    FactoryGirl.create(:account, account_hash)
+  end
+end
+
+Given /^I have memberships:$/ do |members_table|
+  members_table.hashes.each do |member_hash|
+    email = member_hash[:email]
+    account = Locomotive::Account.where(:email => email).first \
+      || FactoryGirl.create(:account, :email => email)
+
+    member_hash.delete(:email)
+    member_hash.merge!({ :account => account, :site => @site })
+
+    FactoryGirl.create(:membership, member_hash)
+  end
+end