Added auth feature for snippets

This commit is contained in:
Alex Sanford 2012-04-25 10:56:38 -03:00
parent d2da4b659e
commit 4e6c106772
3 changed files with 204 additions and 2 deletions

View File

@ -2,11 +2,18 @@ module Locomotive
module Api
class SnippetsController < BaseController
load_and_authorize_resource :class => Locomotive::Snippet
def index
@snippets = current_site.snippets.all
respond_with(@snippets)
end
def show
@snippet = current_site.snippets.find(params[:id])
respond_with @snippet
end
def create
@snippet = current_site.snippets.create(params[:snippet])
respond_with @snippet, :location => main_app.locomotive_api_snippets_url
@ -18,6 +25,12 @@ module Locomotive
respond_with @snippet, :location => main_app.locomotive_api_snippets_url
end
def destroy
@snippet = current_site.snippets.find(params[:id])
@snippet.destroy
respond_with @snippet
end
end
end
end

View File

@ -0,0 +1,179 @@
Feature: Snippets
In order to ensure snippets are not tampered with
As an admin, designer or author
I will be restricted based on my role
Background:
Given I have the site: "test site" set up
And a snippet named "My Snippet" with id "4f832c2cb0d86d3f42fffffe" and template:
"""
My Snippet
"""
And I have a designer and an author
Scenario: As an unauthenticated user
Given I am not authenticated
When I do an API GET to snippets.json
Then the JSON response at "error" should be "You need to sign in or sign up before continuing."
# listing content types
Scenario: Accessing snippets as an Admin
Given I have an "admin" API token
When I do an API GET request to snippets.json
Then the JSON response should be an array
And the JSON response should have 1 entry
Scenario: Accessing snippets as a Designer
Given I have a "designer" API token
When I do an API GET request to snippets.json
Then the JSON response should be an array
And the JSON response should have 1 entry
Scenario: Accessing snippets as an Author
Given I have an "author" API token
When I do an API GET request to snippets.json
Then an access denied error should occur
# showing snippet
Scenario: Accessing snippet as an Admin
Given I have an "admin" API token
When I do an API GET request to snippets/4f832c2cb0d86d3f42fffffe.json
Then the JSON response at "id" should be "4f832c2cb0d86d3f42fffffe"
And the JSON response at "name" should be "My Snippet"
Scenario: Accessing snippet as a Designer
Given I have a "designer" API token
When I do an API GET request to snippets/4f832c2cb0d86d3f42fffffe.json
Then the JSON response at "id" should be "4f832c2cb0d86d3f42fffffe"
And the JSON response at "name" should be "My Snippet"
Scenario: Accessing snippet as an Author
Given I have an "author" API token
When I do an API GET request to snippets/4f832c2cb0d86d3f42fffffe.json
Then an access denied error should occur
# create snippet
Scenario: Creating new snippet as an Admin
Given I have an "admin" API token
When I do an API GET request to snippets.json
Then the JSON response should be an array
And the JSON response should have 1 entry
When I do an API POST to snippets.json with:
"""
{
"snippet": {
"name": "Another snippet",
"template": "<h1>Another Snippet!</h1>"
}
}
"""
When I do an API GET request to snippets.json
Then the JSON response should be an array
And the JSON response should have 2 entries
And the JSON should have the following:
| 1/name | "Another Snippet" |
| 1/template | "<h1>Another Snippet!</h1>" |
Scenario: Creating new snippet as a Designer
Given I have a "designer" API token
When I do an API GET request to snippets.json
Then the JSON response should be an array
And the JSON response should have 1 entry
When I do an API POST to snippets.json with:
"""
{
"snippet": {
"name": "Another snippet",
"template": "<h1>Another Snippet!</h1>"
}
}
"""
When I do an API GET request to snippets.json
Then the JSON response should be an array
And the JSON response should have 2 entries
And the JSON should have the following:
| 1/name | "Another Snippet" |
| 1/template | "<h1>Another Snippet!</h1>" |
Scenario: Creating new snippet as an Author
Given I have an "author" API token
When I do an API POST to snippets.json with:
"""
{
"snippet": {
"name": "Another snippet",
"template": "<h1>Another Snippet!</h1>"
}
}
"""
Then an access denied error should occur
# update snippet
Scenario: Updating snippet as an Admin
Given I have an "admin" API token
When I do an API PUT to snippets/4f832c2cb0d86d3f42fffffe.json with:
"""
{
"snippet": {
"name": "Brand new updated name"
}
}
"""
When I do an API GET request to snippets/4f832c2cb0d86d3f42fffffe.json
Then the JSON response at "name" should be "Brand new updated name"
Scenario: Updating snippet as a Designer
Given I have a "designer" API token
When I do an API PUT to snippets/4f832c2cb0d86d3f42fffffe.json with:
"""
{
"snippet": {
"name": "Brand new updated name"
}
}
"""
When I do an API GET request to snippets/4f832c2cb0d86d3f42fffffe.json
Then the JSON response at "name" should be "Brand new updated name"
Scenario: Updating snippet as an Author
Given I have a "author" API token
When I do an API PUT to snippets/4f832c2cb0d86d3f42fffffe.json with:
"""
{
"snippet": {
"name": "Brand new updated name"
}
}
"""
Then an access denied error should occur
# destroy snippet
Scenario: Destroying snippet as an Admin
Given I have an "admin" API token
When I do an API GET request to snippets.json
Then the JSON response should be an array
And the JSON response should have 1 entry
When I do an API DELETE to snippets/4f832c2cb0d86d3f42fffffe.json
When I do an API GET request to snippets.json
Then the JSON response should be an array
And the JSON response should have 0 entries
Scenario: Destroying snippet as a Designer
Given I have a "designer" API token
When I do an API GET request to snippets.json
Then the JSON response should be an array
And the JSON response should have 1 entry
When I do an API DELETE to snippets/4f832c2cb0d86d3f42fffffe.json
When I do an API GET request to snippets.json
Then the JSON response should be an array
And the JSON response should have 0 entries
Scenario: Deleting snippet as an Author
Given I have a "author" API token
When I do an API DELETE to snippets/4f832c2cb0d86d3f42fffffe.json
Then an access denied error should occur

View File

@ -1,9 +1,13 @@
### Snippets
# helps create a simple snippet with a slug and template
def new_snippet(name, template = nil)
@site.snippets.new(:name => name, :template => template)
end
def create_snippet(name, template = nil)
snippet = @site.snippets.create(:name => name, :template => template)
snippet.should be_valid
snippet = new_snippet(name, template)
snippet.save!
snippet
end
@ -13,6 +17,12 @@ Given /^a snippet named "([^"]*)" with the template:$/ do |name, template|
@snippet = create_snippet(name, template)
end
Given /^a snippet named "([^"]*)" with id "([^"]*)" and template:$/ do |name, id, template|
@snippet = new_snippet(name, template)
@snippet.id = BSON::ObjectId(id)
@snippet.save!
end
When /^I change the snippet template to "([^"]*)"$/ do |code|
page.evaluate_script "window.application_view.view.editor.setValue('#{code}')"
end