Added auth feature for theme assets

app/controllers/locomotive/api/theme_assets_controller.rb

@@ -2,11 +2,18 @@ module Locomotive
   module Api
     class ThemeAssetsController < BaseController
 
+      load_and_authorize_resource :class => Locomotive::ThemeAsset
+
       def index
         @theme_assets = current_site.theme_assets.all
         respond_with(@theme_assets)
       end
 
+      def show
+        @theme_asset = current_site.theme_assets.find(params[:id])
+        respond_with @theme_asset
+      end
+
       def create
         @theme_asset = current_site.theme_assets.create(params[:theme_asset])
         respond_with @theme_asset, :location => main_app.locomotive_api_theme_assets_url
@@ -18,6 +25,12 @@ module Locomotive
         respond_with @theme_asset, :location => main_app.locomotive_api_theme_assets_url
       end
 
+      def destroy
+        @theme_asset = current_site.theme_assets.find(params[:id])
+        @theme_asset.destroy
+        respond_with @theme_asset
+      end
+
     end
   end
 end

features/api/authorization/theme_assets.feature

@@ -0,0 +1,185 @@
+Feature: Theme Assets
+  In order to ensure theme assets are not tampered with
+  As an admin, designer or author
+  I will be restricted based on my role
+
+  Background:
+    Given I have the site: "test site" set up
+    And a javascript asset named "my_javascript.js" with id "4f832c2cb0d86d3f42fffffe"
+    And a stylesheet asset named "my_stylesheet.css" with id "4f832c2cb0d86d3f42ffffff"
+
+  Scenario: As an unauthenticated user
+    Given I am not authenticated
+    When I do an API GET to theme_assets.json
+    Then the JSON response at "error" should be "You need to sign in or sign up before continuing."
+
+  # listing theme assets
+
+  Scenario: Accessing theme assets as an Admin
+    Given I have an "admin" API token
+    When I do an API GET request to theme_assets.json
+    Then the JSON response should be an array
+    And the JSON response should have 2 entries
+
+  Scenario: Accessing theme assets as a Designer
+    Given I have a "designer" API token
+    When I do an API GET request to theme_assets.json
+    Then the JSON response should be an array
+    And the JSON response should have 2 entries
+
+  Scenario: Accessing theme assets as an Author
+    Given I have an "author" API token
+    When I do an API GET request to theme_assets.json
+    Then the JSON response should be an array
+    And the JSON response should have 2 entries
+
+  # showing theme asset
+
+  Scenario: Accessing theme asset as an Admin
+    Given I have an "admin" API token
+    When I do an API GET request to theme_assets/4f832c2cb0d86d3f42fffffe.json
+    Then the JSON response at "local_path" should be "my_javascript.js"
+
+  Scenario: Accessing theme asset as a Designer
+    Given I have a "designer" API token
+    When I do an API GET request to theme_assets/4f832c2cb0d86d3f42fffffe.json
+    Then the JSON response at "local_path" should be "my_javascript.js"
+
+  Scenario: Accessing theme asset as an Author
+    Given I have an "author" API token
+    When I do an API GET request to theme_assets/4f832c2cb0d86d3f42fffffe.json
+    Then the JSON response at "local_path" should be "my_javascript.js"
+
+  # create theme asset
+
+  Scenario: Creating new theme asset as an Admin
+    Given I have an "admin" API token
+    When I do an API GET request to theme_assets.json
+    Then the JSON response should be an array
+    And the JSON response should have 2 entries
+    When I do an API POST to theme_assets.json with:
+    """
+    {
+      "theme_asset": {
+        "plain_text_name": "new-javascript.js",
+        "plain_text": "function doNothing() {}",
+        "plain_text_type": "javascript",
+        "performing_plain_text": "true"
+      }
+    }
+    """
+    When I do an API GET request to theme_assets.json
+    Then the JSON response should be an array
+    And the JSON response should have 3 entries
+    And the JSON should have the following:
+      | 2/local_path    | "new-javascript.js"           |
+      | 2/content_type  | "javascript"                  |
+
+  Scenario: Creating new theme asset as a Designer
+    Given I have a "designer" API token
+    When I do an API GET request to theme_assets.json
+    Then the JSON response should be an array
+    And the JSON response should have 2 entries
+    When I do an API POST to theme_assets.json with:
+    """
+    {
+      "theme_asset": {
+        "plain_text_name": "new-javascript.js",
+        "plain_text": "function doNothing() {}",
+        "plain_text_type": "javascript",
+        "performing_plain_text": "true"
+      }
+    }
+    """
+    When I do an API GET request to theme_assets.json
+    Then the JSON response should be an array
+    And the JSON response should have 3 entries
+    And the JSON should have the following:
+      | 2/local_path    | "new-javascript.js"           |
+      | 2/content_type  | "javascript"                  |
+
+  Scenario: Creating new theme asset as an Author
+    Given I have an "author" API token
+    When I do an API POST to theme_assets.json with:
+    """
+    {
+      "theme_asset": {
+        "plain_text_name": "new-javascript.js",
+        "plain_text": "function doNothing() {}",
+        "plain_text_type": "javascript",
+        "performing_plain_text": "true"
+      }
+    }
+    """
+    Then an access denied error should occur
+
+  # update theme asset
+
+  Scenario: Updating theme asset as an Admin
+    Given I have an "admin" API token
+    When I do an API PUT to theme_assets/4f832c2cb0d86d3f42fffffe.json with:
+    """
+    {
+      "theme_asset": {
+        "plain_text_name": "newer-javascript.js"
+      }
+    }
+    """
+    When I do an API GET request to theme_assets/4f832c2cb0d86d3f42fffffe.json
+    Then the JSON response should have the following:
+      | local_path  | "newer-javascript.js"     |
+
+  Scenario: Updating theme asset as a Designer
+    Given I have a "designer" API token
+    When I do an API PUT to theme_assets/4f832c2cb0d86d3f42fffffe.json with:
+    """
+    {
+      "theme_asset": {
+        "plain_text_name": "newer-javascript.js"
+      }
+    }
+    """
+    When I do an API GET request to theme_assets/4f832c2cb0d86d3f42fffffe.json
+    Then the JSON response should have the following:
+      | local_path  | "newer-javascript.js"     |
+
+  Scenario: Updating theme asset as an Author
+    Given I have a "author" API token
+    When I do an API PUT to theme_assets/4f832c2cb0d86d3f42fffffe.json with:
+    """
+    {
+      "theme_asset": {
+        "plain_text_name": "newer-javascript.js"
+      }
+    }
+    """
+    When I do an API GET request to theme_assets/4f832c2cb0d86d3f42fffffe.json
+    Then the JSON response should have the following:
+      | local_path  | "newer-javascript.js"     |
+
+  # destroy theme asset
+
+  Scenario: Destroying theme asset as an Admin
+    Given I have an "admin" API token
+    When I do an API GET request to theme_assets.json
+    Then the JSON response should be an array
+    And the JSON response should have 2 entries
+    When I do an API DELETE to theme_assets/4f832c2cb0d86d3f42fffffe.json
+    When I do an API GET request to theme_assets.json
+    Then the JSON response should be an array
+    And the JSON response should have 1 entries
+
+  Scenario: Destroying theme asset as a Designer
+    Given I have a "designer" API token
+    When I do an API GET request to theme_assets.json
+    Then the JSON response should be an array
+    And the JSON response should have 2 entries
+    When I do an API DELETE to theme_assets/4f832c2cb0d86d3f42fffffe.json
+    When I do an API GET request to theme_assets.json
+    Then the JSON response should be an array
+    And the JSON response should have 1 entries
+
+  Scenario: Deleting theme asset as an Author
+    Given I have a "author" API token
+    When I do an API DELETE to theme_assets/4f832c2cb0d86d3f42fffffe.json
+    Then an access denied error should occur

features/step_definitions/theme_asset_steps.rb

@@ -1,15 +1,18 @@
 ### Theme assets
 
 # helps create a theme asset
-def create_plain_text_asset(name, type)
+def new_plain_text_asset(name, type)
-  asset = FactoryGirl.build(:theme_asset, {
+  FactoryGirl.build(:theme_asset, {
     :site                   => @site,
     :plain_text_name        => name,
     :plain_text             => 'Lorem ipsum',
     :plain_text_type        => type,
     :performing_plain_text  => true
   })
+end
 
+def create_plain_text_asset(name, type)
+  asset = new_plain_text_asset(name, type)
   asset.save!
 end
 
@@ -19,10 +22,22 @@ Given /^a javascript asset named "([^"]*)"$/ do |name|
   @asset = create_plain_text_asset(name, 'javascript')
 end
 
+Given /^a javascript asset named "([^"]*)" with id "([^"]*)"$/ do |name, id|
+  @asset = new_plain_text_asset(name, 'javascript')
+  @asset.id = BSON::ObjectId(id)
+  @asset.save!
+end
+
 Given /^a stylesheet asset named "([^"]*)"$/ do |name|
   @asset = create_plain_text_asset(name, 'stylesheet')
 end
 
+Given /^a stylesheet asset named "([^"]*)" with id "([^"]*)"$/ do |name, id|
+  @asset = new_plain_text_asset(name, 'stylesheet')
+  @asset.id = BSON::ObjectId(id)
+  @asset.save!
+end
+
 Given /^I have an image theme asset named "([^"]*)"$/ do |name|
   @asset = FactoryGirl.create(:theme_asset, :site => @site, :source => File.open(Rails.root.join('..', 'fixtures', 'assets', '5k.png')))
   @asset.source_filename = name