Added auth feature for snippets

app/controllers/locomotive/api/snippets_controller.rb

@@ -2,11 +2,18 @@ module Locomotive
   module Api
     class SnippetsController < BaseController
 
+      load_and_authorize_resource :class => Locomotive::Snippet
+
       def index
         @snippets = current_site.snippets.all
         respond_with(@snippets)
       end
 
+      def show
+        @snippet = current_site.snippets.find(params[:id])
+        respond_with @snippet
+      end
+
       def create
         @snippet = current_site.snippets.create(params[:snippet])
         respond_with @snippet, :location => main_app.locomotive_api_snippets_url
@@ -18,6 +25,12 @@ module Locomotive
         respond_with @snippet, :location => main_app.locomotive_api_snippets_url
       end
 
+      def destroy
+        @snippet = current_site.snippets.find(params[:id])
+        @snippet.destroy
+        respond_with @snippet
+      end
+
     end
   end
 end

features/api/authorization/snippets.feature

@@ -0,0 +1,179 @@
+Feature: Snippets
+  In order to ensure snippets are not tampered with
+  As an admin, designer or author
+  I will be restricted based on my role
+
+  Background:
+    Given I have the site: "test site" set up
+    And a snippet named "My Snippet" with id "4f832c2cb0d86d3f42fffffe" and template:
+    """
+    My Snippet
+    """
+    And I have a designer and an author
+
+  Scenario: As an unauthenticated user
+    Given I am not authenticated
+    When I do an API GET to snippets.json
+    Then the JSON response at "error" should be "You need to sign in or sign up before continuing."
+
+  # listing content types
+
+  Scenario: Accessing snippets as an Admin
+    Given I have an "admin" API token
+    When I do an API GET request to snippets.json
+    Then the JSON response should be an array
+    And the JSON response should have 1 entry
+
+  Scenario: Accessing snippets as a Designer
+    Given I have a "designer" API token
+    When I do an API GET request to snippets.json
+    Then the JSON response should be an array
+    And the JSON response should have 1 entry
+
+  Scenario: Accessing snippets as an Author
+    Given I have an "author" API token
+    When I do an API GET request to snippets.json
+    Then an access denied error should occur
+
+  # showing snippet
+
+  Scenario: Accessing snippet as an Admin
+    Given I have an "admin" API token
+    When I do an API GET request to snippets/4f832c2cb0d86d3f42fffffe.json
+    Then the JSON response at "id" should be "4f832c2cb0d86d3f42fffffe"
+    And the JSON response at "name" should be "My Snippet"
+
+  Scenario: Accessing snippet as a Designer
+    Given I have a "designer" API token
+    When I do an API GET request to snippets/4f832c2cb0d86d3f42fffffe.json
+    Then the JSON response at "id" should be "4f832c2cb0d86d3f42fffffe"
+    And the JSON response at "name" should be "My Snippet"
+
+  Scenario: Accessing snippet as an Author
+    Given I have an "author" API token
+    When I do an API GET request to snippets/4f832c2cb0d86d3f42fffffe.json
+    Then an access denied error should occur
+
+  # create snippet
+
+  Scenario: Creating new snippet as an Admin
+    Given I have an "admin" API token
+    When I do an API GET request to snippets.json
+    Then the JSON response should be an array
+    And the JSON response should have 1 entry
+    When I do an API POST to snippets.json with:
+    """
+    {
+      "snippet": {
+        "name": "Another snippet",
+        "template": "<h1>Another Snippet!</h1>"
+      }
+    }
+    """
+    When I do an API GET request to snippets.json
+    Then the JSON response should be an array
+    And the JSON response should have 2 entries
+    And the JSON should have the following:
+      | 1/name      | "Another Snippet"             |
+      | 1/template  | "<h1>Another Snippet!</h1>"   |
+
+  Scenario: Creating new snippet as a Designer
+    Given I have a "designer" API token
+    When I do an API GET request to snippets.json
+    Then the JSON response should be an array
+    And the JSON response should have 1 entry
+    When I do an API POST to snippets.json with:
+    """
+    {
+      "snippet": {
+        "name": "Another snippet",
+        "template": "<h1>Another Snippet!</h1>"
+      }
+    }
+    """
+    When I do an API GET request to snippets.json
+    Then the JSON response should be an array
+    And the JSON response should have 2 entries
+    And the JSON should have the following:
+      | 1/name      | "Another Snippet" |
+      | 1/template  | "<h1>Another Snippet!</h1>"   |
+
+  Scenario: Creating new snippet as an Author
+    Given I have an "author" API token
+    When I do an API POST to snippets.json with:
+    """
+    {
+      "snippet": {
+        "name": "Another snippet",
+        "template": "<h1>Another Snippet!</h1>"
+      }
+    }
+    """
+    Then an access denied error should occur
+
+  # update snippet
+
+  Scenario: Updating snippet as an Admin
+    Given I have an "admin" API token
+    When I do an API PUT to snippets/4f832c2cb0d86d3f42fffffe.json with:
+    """
+    {
+      "snippet": {
+        "name": "Brand new updated name"
+      }
+    }
+    """
+    When I do an API GET request to snippets/4f832c2cb0d86d3f42fffffe.json
+    Then the JSON response at "name" should be "Brand new updated name"
+
+  Scenario: Updating snippet as a Designer
+    Given I have a "designer" API token
+    When I do an API PUT to snippets/4f832c2cb0d86d3f42fffffe.json with:
+    """
+    {
+      "snippet": {
+        "name": "Brand new updated name"
+      }
+    }
+    """
+    When I do an API GET request to snippets/4f832c2cb0d86d3f42fffffe.json
+    Then the JSON response at "name" should be "Brand new updated name"
+
+  Scenario: Updating snippet as an Author
+    Given I have a "author" API token
+    When I do an API PUT to snippets/4f832c2cb0d86d3f42fffffe.json with:
+    """
+    {
+      "snippet": {
+        "name": "Brand new updated name"
+      }
+    }
+    """
+    Then an access denied error should occur
+
+  # destroy snippet
+
+  Scenario: Destroying snippet as an Admin
+    Given I have an "admin" API token
+    When I do an API GET request to snippets.json
+    Then the JSON response should be an array
+    And the JSON response should have 1 entry
+    When I do an API DELETE to snippets/4f832c2cb0d86d3f42fffffe.json
+    When I do an API GET request to snippets.json
+    Then the JSON response should be an array
+    And the JSON response should have 0 entries
+
+  Scenario: Destroying snippet as a Designer
+    Given I have a "designer" API token
+    When I do an API GET request to snippets.json
+    Then the JSON response should be an array
+    And the JSON response should have 1 entry
+    When I do an API DELETE to snippets/4f832c2cb0d86d3f42fffffe.json
+    When I do an API GET request to snippets.json
+    Then the JSON response should be an array
+    And the JSON response should have 0 entries
+
+  Scenario: Deleting snippet as an Author
+    Given I have a "author" API token
+    When I do an API DELETE to snippets/4f832c2cb0d86d3f42fffffe.json
+    Then an access denied error should occur

features/step_definitions/snippet_steps.rb

@@ -1,9 +1,13 @@
 ### Snippets
 
 # helps create a simple snippet with a slug and template
+def new_snippet(name, template = nil)
+  @site.snippets.new(:name => name, :template => template)
+end
+
 def create_snippet(name, template = nil)
-  snippet = @site.snippets.create(:name => name, :template => template)
+  snippet = new_snippet(name, template)
-  snippet.should be_valid
+  snippet.save!
   snippet
 end
 
@@ -13,6 +17,12 @@ Given /^a snippet named "([^"]*)" with the template:$/ do |name, template|
   @snippet = create_snippet(name, template)
 end
 
+Given /^a snippet named "([^"]*)" with id "([^"]*)" and template:$/ do |name, id, template|
+  @snippet = new_snippet(name, template)
+  @snippet.id = BSON::ObjectId(id)
+  @snippet.save!
+end
+
 When /^I change the snippet template to "([^"]*)"$/ do |code|
   page.evaluate_script "window.application_view.view.editor.setValue('#{code}')"
 end