Added auth feature for content_types

app/controllers/locomotive/api/content_types_controller.rb

@@ -2,11 +2,18 @@ module Locomotive
   module Api
     class ContentTypesController < BaseController
 
+      load_and_authorize_resource :class => Locomotive::ContentType
+
       def index
         @content_types = current_site.content_types
         respond_with(@content_types)
       end
 
+      def show
+        @content_type = current_site.content_types.find(params[:id])
+        respond_with @content_type
+      end
+
       def create
         @content_type = current_site.content_types.create(params[:content_type])
         respond_with @content_type, :location => main_app.locomotive_api_content_types_url
@@ -18,6 +25,12 @@ module Locomotive
         respond_with @content_type, :location => main_app.locomotive_api_content_types_url
       end
 
+      def destroy
+        @content_type = current_site.content_types.find(params[:id])
+        @content_type.destroy
+        respond_with @content_type
+      end
+
     end
   end
 end

app/models/locomotive/ability.rb

@@ -37,6 +37,8 @@ module Locomotive
       can :touch, Site do |site|
         site == @site
       end
+
+      can :read, ContentType
     end
 
     def setup_designer_permissions!

features/api/authorization/content_types.feature

@@ -0,0 +1,237 @@
+Feature: Content Types
+  In order to ensure content types are not tampered with
+  As an admin, designer or author
+  I will be restricted based on my role
+
+  Background:
+    Given I have the site: "test site" set up
+    And I have a custom model named "Projects" with id "4f832c2cb0d86d3f42fffffe" and
+      | label       | type      | required        |
+      | Name        | string    | true            |
+      | Description | text      | false           |
+    And I have a designer and an author
+
+  Scenario: As an unauthenticated user
+    Given I am not authenticated
+    When I do an API GET to content_types.json
+    Then the JSON response at "error" should be "You need to sign in or sign up before continuing."
+
+  # listing content types
+
+  Scenario: Accessing content types as an Admin
+    Given I have an "admin" API token
+    When I do an API GET request to content_types.json
+    Then the JSON response should be an array
+    And the JSON response should have 1 entry
+
+  Scenario: Accessing content types as a Designer
+    Given I have a "designer" API token
+    When I do an API GET request to content_types.json
+    Then the JSON response should be an array
+    And the JSON response should have 1 entry
+
+  Scenario: Accessing content types as an Author
+    Given I have an "author" API token
+    When I do an API GET request to content_types.json
+    Then the JSON response should be an array
+    And the JSON response should have 1 entry
+
+  # showing content type
+
+  Scenario: Accessing content type as an Admin
+    Given I have an "admin" API token
+    When I do an API GET request to content_types/4f832c2cb0d86d3f42fffffe.json
+    Then the JSON response at "id" should be "4f832c2cb0d86d3f42fffffe"
+    And the JSON response at "name" should be "Projects"
+
+  Scenario: Accessing content type as a Designer
+    Given I have a "designer" API token
+    When I do an API GET request to content_types/4f832c2cb0d86d3f42fffffe.json
+    Then the JSON response at "id" should be "4f832c2cb0d86d3f42fffffe"
+    And the JSON response at "name" should be "Projects"
+
+  Scenario: Accessing content type as an Author
+    Given I have an "author" API token
+    When I do an API GET request to content_types/4f832c2cb0d86d3f42fffffe.json
+    Then the JSON response at "id" should be "4f832c2cb0d86d3f42fffffe"
+    And the JSON response at "name" should be "Projects"
+
+  # create content type
+
+  Scenario: Creating new content type as an Admin
+    Given I have an "admin" API token
+    When I do an API GET request to content_types.json
+    Then the JSON response should be an array
+    And the JSON response should have 1 entry
+    When I do an API POST to content_types.json with:
+    """
+    {
+      "content_type": {
+        "name": "Employees",
+        "slug": "employees",
+        "entries_custom_fields": [
+          {
+            "label": "Name",
+            "name": "name",
+            "type": "string"
+          },
+          {
+            "label": "Position",
+            "name": "position",
+            "type": "string"
+          }
+        ]
+      }
+    }
+    """
+    When I do an API GET request to content_types.json
+    Then the JSON response should be an array
+    And the JSON response should have 2 entries
+    And the JSON should have the following:
+      | 1/name                          | "Employees"   |
+      | 1/slug                          | "employees"   |
+      | 1/entries_custom_fields/0/label | "Name"        |
+      | 1/entries_custom_fields/0/name  | "name"        |
+      | 1/entries_custom_fields/0/type  | "string"      |
+      | 1/entries_custom_fields/1/label | "Position"    |
+      | 1/entries_custom_fields/1/name  | "position"    |
+      | 1/entries_custom_fields/1/type  | "string"      |
+
+  Scenario: Creating new content type as a Designer
+    Given I have a "designer" API token
+    When I do an API GET request to content_types.json
+    Then the JSON response should be an array
+    And the JSON response should have 1 entry
+    When I do an API POST to content_types.json with:
+    """
+    {
+      "content_type": {
+        "name": "Employees",
+        "slug": "employees",
+        "entries_custom_fields": [
+          {
+            "label": "Name",
+            "name": "name",
+            "type": "string"
+          },
+          {
+            "label": "Position",
+            "name": "position",
+            "type": "string"
+          }
+        ]
+      }
+    }
+    """
+    When I do an API GET request to content_types.json
+    Then the JSON response should be an array
+    And the JSON response should have 2 entries
+    And the JSON should have the following:
+      | 1/name                          | "Employees"   |
+      | 1/slug                          | "employees"   |
+      | 1/entries_custom_fields/0/label | "Name"        |
+      | 1/entries_custom_fields/0/name  | "name"        |
+      | 1/entries_custom_fields/0/type  | "string"      |
+      | 1/entries_custom_fields/1/label | "Position"    |
+      | 1/entries_custom_fields/1/name  | "position"    |
+      | 1/entries_custom_fields/1/type  | "string"      |
+
+  Scenario: Creating new content type as an Author
+    Given I have an "author" API token
+    When I do an API GET request to content_types.json
+    Then the JSON response should be an array
+    And the JSON response should have 1 entry
+    When I do an API POST to content_types.json with:
+    """
+    {
+      "content_type": {
+        "name": "Employees",
+        "slug": "employees",
+        "entries_custom_fields": [
+          {
+            "label": "Name",
+            "name": "name",
+            "type": "string"
+          },
+          {
+            "label": "Position",
+            "name": "position",
+            "type": "string"
+          }
+        ]
+      }
+    }
+    """
+    Then an access denied error should occur
+
+  # update content type
+
+  Scenario: Updating content type as an Admin
+    Given I have an "admin" API token
+    When I do an API PUT to content_types/4f832c2cb0d86d3f42fffffe.json with:
+    """
+    {
+      "content_type": {
+        "name": "Brand new updated name"
+      }
+    }
+    """
+    When I do an API GET request to content_types/4f832c2cb0d86d3f42fffffe.json
+    Then the JSON response at "id" should be "4f832c2cb0d86d3f42fffffe"
+    And the JSON response at "name" should be "Brand new updated name"
+
+  Scenario: Updating content type as a Designer
+    Given I have a "designer" API token
+    When I do an API PUT to content_types/4f832c2cb0d86d3f42fffffe.json with:
+    """
+    {
+      "content_type": {
+        "name": "Brand new updated name"
+      }
+    }
+    """
+    When I do an API GET request to content_types/4f832c2cb0d86d3f42fffffe.json
+    Then the JSON response at "id" should be "4f832c2cb0d86d3f42fffffe"
+    And the JSON response at "name" should be "Brand new updated name"
+
+  Scenario: Updating content type as an Author
+    Given I have a "author" API token
+    When I do an API PUT to content_types/4f832c2cb0d86d3f42fffffe.json with:
+    """
+    {
+      "content_type": {
+        "name": "Brand new updated name"
+      }
+    }
+    """
+    Then an access denied error should occur
+
+  # destroy content type
+
+  Scenario: Destroying content type as an Admin
+    Given I have an "admin" API token
+    When I do an API GET request to content_types.json
+    Then the JSON response should be an array
+    And the JSON response should have 1 entry
+    When I do an API DELETE to content_types/4f832c2cb0d86d3f42fffffe.json
+    When I do an API GET request to content_types.json
+    Then the JSON response should be an array
+    And the JSON response should have 0 entries
+
+  Scenario: Destroying content type as a Designer
+    Given I have a "designer" API token
+    When I do an API GET request to content_types.json
+    Then the JSON response should be an array
+    And the JSON response should have 1 entry
+    When I do an API DELETE to content_types/4f832c2cb0d86d3f42fffffe.json
+    When I do an API GET request to content_types.json
+    Then the JSON response should be an array
+    And the JSON response should have 0 entries
+
+  Scenario: Deleting content type as an Author
+    Given I have a "author" API token
+    When I do an API GET request to content_types.json
+    Then the JSON response should be an array
+    And the JSON response should have 1 entries
+    When I do an API DELETE to content_types/4f832c2cb0d86d3f42fffffe.json
+    Then an access denied error should occur

features/step_definitions/content_types_steps.rb

@@ -1,6 +1,9 @@
-Given %r{^I have a custom model named "([^"]*)" with$} do |name, fields|
+def build_content_type(name)
   site = Locomotive::Site.first
-  content_type = FactoryGirl.build(:content_type, :site => site, :name => name, :order_by => '_position')
+  FactoryGirl.build(:content_type, :site => site, :name => name, :order_by => '_position')
+end
+
+def set_custom_fields_from_table(content_type, fields)
   fields.hashes.each do |field|
     # found a belongs_to association
     if field['type'] == 'belongs_to'
@@ -12,6 +15,19 @@ Given %r{^I have a custom model named "([^"]*)" with$} do |name, fields|
 
     content_type.entries_custom_fields.build field
   end
+end
+
+Given %r{^I have a custom model named "([^"]*)" with id "([^"]*)" and$} do |name, id, fields|
+  content_type = build_content_type(name)
+  content_type.id = BSON::ObjectId(id)
+  set_custom_fields_from_table(content_type, fields)
+  content_type.valid?
+  content_type.save.should be_true
+end
+
+Given %r{^I have a custom model named "([^"]*)" with$} do |name, fields|
+  content_type = build_content_type(name)
+  set_custom_fields_from_table(content_type, fields)
   content_type.valid?
   content_type.save.should be_true
 end