Added auth feature for theme assets

2012-04-25 16:26:02 -03:00 · 2012-04-25 16:26:02 -03:00 · 37f87e694c
commit 37f87e694c
parent 4e6c106772
3 changed files with 215 additions and 2 deletions
--- a/app/controllers/locomotive/api/theme_assets_controller.rb
+++ b/app/controllers/locomotive/api/theme_assets_controller.rb
@ -2,11 +2,18 @@ module Locomotive
  module Api
    class ThemeAssetsController < BaseController

+      load_and_authorize_resource :class => Locomotive::ThemeAsset
+
      def index
        @theme_assets = current_site.theme_assets.all
        respond_with(@theme_assets)
      end

+      def show
+        @theme_asset = current_site.theme_assets.find(params[:id])
+        respond_with @theme_asset
+      end
+
      def create
        @theme_asset = current_site.theme_assets.create(params[:theme_asset])
        respond_with @theme_asset, :location => main_app.locomotive_api_theme_assets_url
@ -18,6 +25,12 @@ module Locomotive
        respond_with @theme_asset, :location => main_app.locomotive_api_theme_assets_url
      end

+      def destroy
+        @theme_asset = current_site.theme_assets.find(params[:id])
+        @theme_asset.destroy
+        respond_with @theme_asset
+      end
+
    end
  end
 end
--- a/features/api/authorization/theme_assets.feature
+++ b/features/api/authorization/theme_assets.feature
@ -0,0 +1,185 @@
+Feature: Theme Assets
+  In order to ensure theme assets are not tampered with
+  As an admin, designer or author
+  I will be restricted based on my role
+
+  Background:
+    Given I have the site: "test site" set up
+    And a javascript asset named "my_javascript.js" with id "4f832c2cb0d86d3f42fffffe"
+    And a stylesheet asset named "my_stylesheet.css" with id "4f832c2cb0d86d3f42ffffff"
+
+  Scenario: As an unauthenticated user
+    Given I am not authenticated
+    When I do an API GET to theme_assets.json
+    Then the JSON response at "error" should be "You need to sign in or sign up before continuing."
+
+  # listing theme assets
+
+  Scenario: Accessing theme assets as an Admin
+    Given I have an "admin" API token
+    When I do an API GET request to theme_assets.json
+    Then the JSON response should be an array
+    And the JSON response should have 2 entries
+
+  Scenario: Accessing theme assets as a Designer
+    Given I have a "designer" API token
+    When I do an API GET request to theme_assets.json
+    Then the JSON response should be an array
+    And the JSON response should have 2 entries
+
+  Scenario: Accessing theme assets as an Author
+    Given I have an "author" API token
+    When I do an API GET request to theme_assets.json
+    Then the JSON response should be an array
+    And the JSON response should have 2 entries
+
+  # showing theme asset
+
+  Scenario: Accessing theme asset as an Admin
+    Given I have an "admin" API token
+    When I do an API GET request to theme_assets/4f832c2cb0d86d3f42fffffe.json
+    Then the JSON response at "local_path" should be "my_javascript.js"
+
+  Scenario: Accessing theme asset as a Designer
+    Given I have a "designer" API token
+    When I do an API GET request to theme_assets/4f832c2cb0d86d3f42fffffe.json
+    Then the JSON response at "local_path" should be "my_javascript.js"
+
+  Scenario: Accessing theme asset as an Author
+    Given I have an "author" API token
+    When I do an API GET request to theme_assets/4f832c2cb0d86d3f42fffffe.json
+    Then the JSON response at "local_path" should be "my_javascript.js"
+
+  # create theme asset
+
+  Scenario: Creating new theme asset as an Admin
+    Given I have an "admin" API token
+    When I do an API GET request to theme_assets.json
+    Then the JSON response should be an array
+    And the JSON response should have 2 entries
+    When I do an API POST to theme_assets.json with:
+    """
+    {
+      "theme_asset": {
+        "plain_text_name": "new-javascript.js",
+        "plain_text": "function doNothing() {}",
+        "plain_text_type": "javascript",
+        "performing_plain_text": "true"
+      }
+    }
+    """
+    When I do an API GET request to theme_assets.json
+    Then the JSON response should be an array
+    And the JSON response should have 3 entries
+    And the JSON should have the following:
+      | 2/local_path    | "new-javascript.js"           |
+      | 2/content_type  | "javascript"                  |
+
+  Scenario: Creating new theme asset as a Designer
+    Given I have a "designer" API token
+    When I do an API GET request to theme_assets.json
+    Then the JSON response should be an array
+    And the JSON response should have 2 entries
+    When I do an API POST to theme_assets.json with:
+    """
+    {
+      "theme_asset": {
+        "plain_text_name": "new-javascript.js",
+        "plain_text": "function doNothing() {}",
+        "plain_text_type": "javascript",
+        "performing_plain_text": "true"
+      }
+    }
+    """
+    When I do an API GET request to theme_assets.json
+    Then the JSON response should be an array
+    And the JSON response should have 3 entries
+    And the JSON should have the following:
+      | 2/local_path    | "new-javascript.js"           |
+      | 2/content_type  | "javascript"                  |
+
+  Scenario: Creating new theme asset as an Author
+    Given I have an "author" API token
+    When I do an API POST to theme_assets.json with:
+    """
+    {
+      "theme_asset": {
+        "plain_text_name": "new-javascript.js",
+        "plain_text": "function doNothing() {}",
+        "plain_text_type": "javascript",
+        "performing_plain_text": "true"
+      }
+    }
+    """
+    Then an access denied error should occur
+
+  # update theme asset
+
+  Scenario: Updating theme asset as an Admin
+    Given I have an "admin" API token
+    When I do an API PUT to theme_assets/4f832c2cb0d86d3f42fffffe.json with:
+    """
+    {
+      "theme_asset": {
+        "plain_text_name": "newer-javascript.js"
+      }
+    }
+    """
+    When I do an API GET request to theme_assets/4f832c2cb0d86d3f42fffffe.json
+    Then the JSON response should have the following:
+      | local_path  | "newer-javascript.js"     |
+
+  Scenario: Updating theme asset as a Designer
+    Given I have a "designer" API token
+    When I do an API PUT to theme_assets/4f832c2cb0d86d3f42fffffe.json with:
+    """
+    {
+      "theme_asset": {
+        "plain_text_name": "newer-javascript.js"
+      }
+    }
+    """
+    When I do an API GET request to theme_assets/4f832c2cb0d86d3f42fffffe.json
+    Then the JSON response should have the following:
+      | local_path  | "newer-javascript.js"     |
+
+  Scenario: Updating theme asset as an Author
+    Given I have a "author" API token
+    When I do an API PUT to theme_assets/4f832c2cb0d86d3f42fffffe.json with:
+    """
+    {
+      "theme_asset": {
+        "plain_text_name": "newer-javascript.js"
+      }
+    }
+    """
+    When I do an API GET request to theme_assets/4f832c2cb0d86d3f42fffffe.json
+    Then the JSON response should have the following:
+      | local_path  | "newer-javascript.js"     |
+
+  # destroy theme asset
+
+  Scenario: Destroying theme asset as an Admin
+    Given I have an "admin" API token
+    When I do an API GET request to theme_assets.json
+    Then the JSON response should be an array
+    And the JSON response should have 2 entries
+    When I do an API DELETE to theme_assets/4f832c2cb0d86d3f42fffffe.json
+    When I do an API GET request to theme_assets.json
+    Then the JSON response should be an array
+    And the JSON response should have 1 entries
+
+  Scenario: Destroying theme asset as a Designer
+    Given I have a "designer" API token
+    When I do an API GET request to theme_assets.json
+    Then the JSON response should be an array
+    And the JSON response should have 2 entries
+    When I do an API DELETE to theme_assets/4f832c2cb0d86d3f42fffffe.json
+    When I do an API GET request to theme_assets.json
+    Then the JSON response should be an array
+    And the JSON response should have 1 entries
+
+  Scenario: Deleting theme asset as an Author
+    Given I have a "author" API token
+    When I do an API DELETE to theme_assets/4f832c2cb0d86d3f42fffffe.json
+    Then an access denied error should occur
--- a/features/step_definitions/theme_asset_steps.rb
+++ b/features/step_definitions/theme_asset_steps.rb
@ -1,15 +1,18 @@
 ### Theme assets

 # helps create a theme asset
-def create_plain_text_asset(name, type)
-  asset = FactoryGirl.build(:theme_asset, {
+def new_plain_text_asset(name, type)
+  FactoryGirl.build(:theme_asset, {
    :site                   => @site,
    :plain_text_name        => name,
    :plain_text             => 'Lorem ipsum',
    :plain_text_type        => type,
    :performing_plain_text  => true
  })
+end

+def create_plain_text_asset(name, type)
+  asset = new_plain_text_asset(name, type)
  asset.save!
 end

@ -19,10 +22,22 @@ Given /^a javascript asset named "([^"]*)"$/ do |name|
  @asset = create_plain_text_asset(name, 'javascript')
 end

+Given /^a javascript asset named "([^"]*)" with id "([^"]*)"$/ do |name, id|
+  @asset = new_plain_text_asset(name, 'javascript')
+  @asset.id = BSON::ObjectId(id)
+  @asset.save!
+end
+
 Given /^a stylesheet asset named "([^"]*)"$/ do |name|
  @asset = create_plain_text_asset(name, 'stylesheet')
 end

+Given /^a stylesheet asset named "([^"]*)" with id "([^"]*)"$/ do |name, id|
+  @asset = new_plain_text_asset(name, 'stylesheet')
+  @asset.id = BSON::ObjectId(id)
+  @asset.save!
+end
+
 Given /^I have an image theme asset named "([^"]*)"$/ do |name|
  @asset = FactoryGirl.create(:theme_asset, :site => @site, :source => File.open(Rails.root.join('..', 'fixtures', 'assets', '5k.png')))
  @asset.source_filename = name