diff --git a/app/controllers/locomotive/api/theme_assets_controller.rb b/app/controllers/locomotive/api/theme_assets_controller.rb index c1cfae8d..c7cd0cd6 100644 --- a/app/controllers/locomotive/api/theme_assets_controller.rb +++ b/app/controllers/locomotive/api/theme_assets_controller.rb @@ -2,11 +2,18 @@ module Locomotive module Api class ThemeAssetsController < BaseController + load_and_authorize_resource :class => Locomotive::ThemeAsset + def index @theme_assets = current_site.theme_assets.all respond_with(@theme_assets) end + def show + @theme_asset = current_site.theme_assets.find(params[:id]) + respond_with @theme_asset + end + def create @theme_asset = current_site.theme_assets.create(params[:theme_asset]) respond_with @theme_asset, :location => main_app.locomotive_api_theme_assets_url @@ -18,6 +25,12 @@ module Locomotive respond_with @theme_asset, :location => main_app.locomotive_api_theme_assets_url end + def destroy + @theme_asset = current_site.theme_assets.find(params[:id]) + @theme_asset.destroy + respond_with @theme_asset + end + end end end diff --git a/features/api/authorization/theme_assets.feature b/features/api/authorization/theme_assets.feature new file mode 100644 index 00000000..e366209b --- /dev/null +++ b/features/api/authorization/theme_assets.feature 
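Review bot: `load_and_authorize_resource :class => Locomotive::ThemeAsset` looks like CanCan's macro, and for member actions it loads `Locomotive::ThemeAsset.find(params[:id])` with no site scoping before `show` re-finds the record through `current_site.theme_assets`; the authorization check therefore runs against a record that may belong to another site, and only the action body's second `find` enforces tenancy. Since `current_site` is already a controller method here, scoping the macro, `load_and_authorize_resource :class => Locomotive::ThemeAsset, :through => :current_site`, would make the filter's load tenant-bound (assuming CanCan derives the `theme_assets` association from the controller name as usual) and lets the actions drop their duplicate `find`. `create` passes `params[:theme_asset]` straight into `create`; whether the model restricts mass-assignable attributes is not visible in this diff and is worth confirming, because a theme asset's `plain_text` is served to every visitor. The `create` method continues outside the hunk.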
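Review bot: `destroy` discards the value returned by `@theme_asset.destroy` and hands the record to `respond_with` unconditionally, so a persistence layer that signals a halted `before_destroy` by returning `false` (Mongoid does, if I recall its API) would still be answered as a success. If that can happen for theme assets, record the failure so the responder reports it, e.g. `@theme_asset.errors.add(:base, 'could not be destroyed') unless @theme_asset.destroy`. The site-scoped `find` on the line above is the right tenancy check; note it shadows the `@theme_asset` already loaded by the `load_and_authorize_resource` filter added in the first hunk.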
@@ -0,0 +1,185 @@ +Feature: Theme Assets + In order to ensure theme assets are not tampered with + As an admin, designer or author + I will be restricted based on my role + + Background: + Given I have the site: "test site" set up + And a javascript asset named "my_javascript.js" with id "4f832c2cb0d86d3f42fffffe" + And a stylesheet asset named "my_stylesheet.css" with id "4f832c2cb0d86d3f42ffffff" + + Scenario: As an unauthenticated user + Given I am not authenticated + When I do an API GET to theme_assets.json + Then the JSON response at "error" should be "You need to sign in or sign up before continuing." + + # listing theme assets + + Scenario: Accessing theme assets as an Admin + Given I have an "admin" API token + When I do an API GET request to theme_assets.json + Then the JSON response should be an array + And the JSON response should have 2 entries + + Scenario: Accessing theme assets as a Designer + Given I have a "designer" API token + When I do an API GET request to theme_assets.json + Then the JSON response should be an array + And the JSON response should have 2 entries + + Scenario: Accessing theme assets as an Author + Given I have an "author" API token + When I do an API GET request to theme_assets.json + Then the JSON response should be an array + And the JSON response should have 2 entries + + # showing theme asset + + Scenario: Accessing theme asset as an Admin + Given I have an "admin" API token + When I do an API GET request to theme_assets/4f832c2cb0d86d3f42fffffe.json + Then the JSON response at "local_path" should be "my_javascript.js" + + Scenario: Accessing theme asset as a Designer + Given I have a "designer" API token + When I do an API GET request to theme_assets/4f832c2cb0d86d3f42fffffe.json + Then the JSON response at "local_path" should be "my_javascript.js" + + Scenario: Accessing theme asset as an Author + Given I have an "author" API token + When I do an API GET request to theme_assets/4f832c2cb0d86d3f42fffffe.json + Then the 
JSON response at "local_path" should be "my_javascript.js" + + # create theme asset + + Scenario: Creating new theme asset as an Admin + Given I have an "admin" API token + When I do an API GET request to theme_assets.json + Then the JSON response should be an array + And the JSON response should have 2 entries + When I do an API POST to theme_assets.json with: + """ + { + "theme_asset": { + "plain_text_name": "new-javascript.js", + "plain_text": "function doNothing() {}", + "plain_text_type": "javascript", + "performing_plain_text": "true" + } + } + """ + When I do an API GET request to theme_assets.json + Then the JSON response should be an array + And the JSON response should have 3 entries + And the JSON should have the following: + | 2/local_path | "new-javascript.js" | + | 2/content_type | "javascript" | + + Scenario: Creating new theme asset as a Designer + Given I have a "designer" API token + When I do an API GET request to theme_assets.json + Then the JSON response should be an array + And the JSON response should have 2 entries + When I do an API POST to theme_assets.json with: + """ + { + "theme_asset": { + "plain_text_name": "new-javascript.js", + "plain_text": "function doNothing() {}", + "plain_text_type": "javascript", + "performing_plain_text": "true" + } + } + """ + When I do an API GET request to theme_assets.json + Then the JSON response should be an array + And the JSON response should have 3 entries + And the JSON should have the following: + | 2/local_path | "new-javascript.js" | + | 2/content_type | "javascript" | + + Scenario: Creating new theme asset as an Author + Given I have an "author" API token + When I do an API POST to theme_assets.json with: + """ + { + "theme_asset": { + "plain_text_name": "new-javascript.js", + "plain_text": "function doNothing() {}", + "plain_text_type": "javascript", + "performing_plain_text": "true" + } + } + """ + Then an access denied error should occur + + # update theme asset + + Scenario: Updating theme 
asset as an Admin + Given I have an "admin" API token + When I do an API PUT to theme_assets/4f832c2cb0d86d3f42fffffe.json with: + """ + { + "theme_asset": { + "plain_text_name": "newer-javascript.js" + } + } + """ + When I do an API GET request to theme_assets/4f832c2cb0d86d3f42fffffe.json + Then the JSON response should have the following: + | local_path | "newer-javascript.js" | + + Scenario: Updating theme asset as a Designer + Given I have a "designer" API token + When I do an API PUT to theme_assets/4f832c2cb0d86d3f42fffffe.json with: + """ + { + "theme_asset": { + "plain_text_name": "newer-javascript.js" + } + } + """ + When I do an API GET request to theme_assets/4f832c2cb0d86d3f42fffffe.json + Then the JSON response should have the following: + | local_path | "newer-javascript.js" | + + Scenario: Updating theme asset as an Author + Given I have a "author" API token + When I do an API PUT to theme_assets/4f832c2cb0d86d3f42fffffe.json with: + """ + { + "theme_asset": { + "plain_text_name": "newer-javascript.js" + } + } + """ + When I do an API GET request to theme_assets/4f832c2cb0d86d3f42fffffe.json + Then the JSON response should have the following: + | local_path | "newer-javascript.js" | + + # destroy theme asset + + Scenario: Destroying theme asset as an Admin + Given I have an "admin" API token + When I do an API GET request to theme_assets.json + Then the JSON response should be an array + And the JSON response should have 2 entries + When I do an API DELETE to theme_assets/4f832c2cb0d86d3f42fffffe.json + When I do an API GET request to theme_assets.json + Then the JSON response should be an array + And the JSON response should have 1 entries + + Scenario: Destroying theme asset as a Designer + Given I have a "designer" API token + When I do an API GET request to theme_assets.json + Then the JSON response should be an array + And the JSON response should have 2 entries + When I do an API DELETE to theme_assets/4f832c2cb0d86d3f42fffffe.json + When I do 
an API GET request to theme_assets.json + Then the JSON response should be an array + And the JSON response should have 1 entries + + Scenario: Deleting theme asset as an Author + Given I have a "author" API token + When I do an API DELETE to theme_assets/4f832c2cb0d86d3f42fffffe.json + Then an access denied error should occur diff --git a/features/step_definitions/theme_asset_steps.rb b/features/step_definitions/theme_asset_steps.rb index 6cf5b71c..191b2178 100644 --- a/features/step_definitions/theme_asset_steps.rb +++ b/features/step_definitions/theme_asset_steps.rb @@ -1,15 +1,18 @@ ### Theme assets # helps create a theme asset -def create_plain_text_asset(name, type) - asset = FactoryGirl.build(:theme_asset, { +def new_plain_text_asset(name, type) + FactoryGirl.build(:theme_asset, { :site => @site, :plain_text_name => name, :plain_text => 'Lorem ipsum', :plain_text_type => type, :performing_plain_text => true }) +end +def create_plain_text_asset(name, type) + asset = new_plain_text_asset(name, type) asset.save! end @@ -19,10 +22,22 @@ Given /^a javascript asset named "([^"]*)"$/ do |name| @asset = create_plain_text_asset(name, 'javascript') end +Given /^a javascript asset named "([^"]*)" with id "([^"]*)"$/ do |name, id| + @asset = new_plain_text_asset(name, 'javascript') + @asset.id = BSON::ObjectId(id) + @asset.save! +end + Given /^a stylesheet asset named "([^"]*)"$/ do |name| @asset = create_plain_text_asset(name, 'stylesheet') end +Given /^a stylesheet asset named "([^"]*)" with id "([^"]*)"$/ do |name, id| + @asset = new_plain_text_asset(name, 'stylesheet') + @asset.id = BSON::ObjectId(id) + @asset.save! +end + Given /^I have an image theme asset named "([^"]*)"$/ do |name| @asset = FactoryGirl.create(:theme_asset, :site => @site, :source => File.open(Rails.root.join('..', 'fixtures', 'assets', '5k.png'))) @asset.source_filename = name
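Review bot: The "Updating theme asset as an Author" scenario expects the PUT to succeed (`local_path` becomes `newer-javascript.js`) while the author create and destroy scenarios expect access denied, so this feature pins a policy in which an author cannot add a script or stylesheet but can rewrite an existing one — for theme assets that is the more powerful operation, since the edited `plain_text` is what the site serves to every visitor. The ability definitions are not part of this diff, so this may be intentional; if so, the preamble ("ensure theme assets are not tampered with") should state which operations authors keep, e.g. `# authors may update existing theme assets but may not create or destroy them`, and if not, the author update scenario should end with `Then an access denied error should occur` like its siblings. Minor: this scenario and the author delete scenario use `Given I have a "author" API token` where the others use `an "author"`; harmless if both forms match the step regex, but inconsistent.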
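Review bot: `create_plain_text_asset` still ends with `asset.save!`, so it returns whatever `save!` returns rather than the built record; with Mongoid (which the `BSON::ObjectId` calls in the next hunk suggest) that is `true`, leaving `@asset` in the existing `Given /^a javascript asset named/` and stylesheet steps holding a boolean instead of the asset. Since this hunk already splits the helper, returning the record is a one-line change: `new_plain_text_asset(name, type).tap(&:save!)` in place of the two-line body. The new `new_plain_text_asset` helper is fine as is, but a one-line comment saying it builds without persisting, `# builds (does not save) a plain-text theme asset for @site`, would make the split obvious to the next reader.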
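Review bot: The two new `with id` steps repeat the same three-line build/assign-id/save body and bypass `create_plain_text_asset`, so the fixed-id and plain fixtures now persist through two different paths. One helper with an optional id keeps a single path: `def create_plain_text_asset(name, type, id = nil)` with `asset.id = BSON::ObjectId(id) if id` before the save, after which each `with id` step becomes a single call. The hard-coded 24-hex ObjectIds are shared with the feature file's URLs, which is fine for a fixture but deserves a note at the step, e.g. `# fixed ids so features/api/authorization/theme_assets.feature can address the asset by URL`.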