Created some initial features for API authentication

2012-04-16 15:17:11 -03:00 · 2012-04-16 15:17:11 -03:00 · 4f12c2cd10
commit 4f12c2cd10
parent f7388d14e7
3 changed files with 235 additions and 0 deletions
--- a/features/api/authorization/pages.feature
+++ b/features/api/authorization/pages.feature
@ -0,0 +1,141 @@
+Feature: Pages
+  In order to ensure pages are not tampered with
+  As an admin, designer or author
+  I will be restricted based on my role
+
+  Background:
+    Given I have the site: "test site" set up
+    And I have a custom model named "Projects" with
+      | label       | type      | required        |
+      | Name        | string    | true            |
+      | Description | text      | false           |
+    And I have a designer and an author
+    And a page named "hello-world" with id "4f832c2cb0d86d3f42fffffe"
+    And a page named "goodbye-world" with id "4f832c2cb0d86d3f42ffffff"
+
+  Scenario: As an unauthenticated user
+    Given I am not authenticated
+    When I do an API GET to pages.json
+    Then the JSON response should be the following:
+    """
+    {
+      "error": "You need to sign in or sign up before continuing."
+    }
+    """
+
+  # listing pages
+
+  Scenario: Accessing pages as an Admin
+    Given I have an "admin" token
+    When I do an API GET request to pages.json
+    Then the JSON response should contain all pages
+
+  Scenario: Accessing pages as a Designer
+    Given I have a "designer" token
+    When I do an API GET request to pages.json
+    Then the JSON response should contain all pages
+
+  Scenario: Accessing pages as an Author
+    Given I have an "author" token
+    When I do an API GET request to pages.json
+    Then the JSON response should contain all pages
+
+  # create page
+
+  Scenario: Creating new page as an Admin
+    Given I have an "admin" token
+    When I do an API GET request to pages.json
+    Then the JSON response should contain 4 pages
+    And the JSON response should contain all pages
+    When I do an API POST to pages.json with:
+    """
+    {
+      "page": {
+        "title": "New Page",
+        "slug": "new-page",
+        "parent_id": "4f832c2cb0d86d3f42fffffe"
+      }
+    }
+    """
+    When I do an API GET request to pages.json
+    Then the JSON response should contain 5 pages
+    And the JSON response should contain all pages
+
+  Scenario: Creating new page as a Designer
+    Given I have a "designer" token
+    When I do an API GET request to pages.json
+    Then the JSON response should contain 4 pages
+    And the JSON response should contain all pages
+    When I do an API POST to pages.json with:
+    """
+    {
+      "page": {
+        "title": "New Page",
+        "slug": "new-page",
+        "parent_id": "4f832c2cb0d86d3f42fffffe"
+      }
+    }
+    """
+    When I do an API GET request to pages.json
+    Then the JSON response should contain 5 pages
+    And the JSON response should contain all pages
+
+  Scenario: Creating new page as an Author
+    Given I have an "author" token
+    When I do an API POST to pages.json with:
+    """
+    {
+      "page": {
+        "title": "New Page",
+        "slug": "new-page",
+        "parent_id": "4f832c2cb0d86d3f42fffffe"
+      }
+    }
+    """
+    Then the JSON response should be an access denied error
+
+  # update page
+
+  Scenario: Updating page as an Admin
+    Given I have an "admin" token
+    When I do an API PUT to pages/4f832c2cb0d86d3f42fffffe.json with:
+    """
+    {
+      "title": "Brand new updated title"
+    }
+    """
+    When I do an API GET request to pages/4f832c2cb0d86d3f42fffffe.json
+    Then the JSON response should contain:
+    """
+    {
+      "id": "4f832c2cb0d86d3f42fffffe",
+      "title": "Brand new updated title"
+    }
+    """
+
+  Scenario: Updating page as a Designer
+    Given I have a "designer" token
+    When I do an API PUT to pages/4f832c2cb0d86d3f42fffffe.json with:
+    """
+    {
+      "title": "Brand new updated title"
+    }
+    """
+    When I do an API GET request to pages/4f832c2cb0d86d3f42fffffe.json
+    Then the JSON response should contain:
+    """
+    {
+      "id": "4f832c2cb0d86d3f42fffffe",
+      "title": "Brand new updated title"
+    }
+    """
+
+  Scenario: Updating page as an Author
+    Given I have a "designer" token
+    When I do an API PUT to pages/4f832c2cb0d86d3f42fffffe.json with:
+    """
+    {
+      "title": "Brand new updated title"
+    }
+    """
+    Then the JSON response should be an access denied error
--- a/features/step_definitions/api_steps.rb
+++ b/features/step_definitions/api_steps.rb
@ -0,0 +1,72 @@
+
+def new_content_page(page_slug, page_contents = '', template = '')
+  @home = @site.pages.where(:slug => 'index').first || FactoryGirl.create(:page)
+  page = @site.pages.build(:slug => page_slug, :body => page_contents, :parent => @home, :title => "some title", :published => true, :raw_template => template)
+  page.should be_valid
+  page
+end
+
+def api_base_url
+  '/locomotive/api'
+end
+
+def do_api_request(type, url, param_string = nil)
+  params = param_string && JSON.parse(param_string) || {}
+  @raw_response = do_request(type, api_base_url, url, params)
+  @response = JSON.parse(@raw_response.body)
+end
+
+Given /^a page named "([^"]*)" with id "([^"]*)"$/ do |name, id|
+  @page = new_content_page(name)
+  @page.id = BSON::ObjectId(id)
+  @page.save!
+end
+
+Given /^I have an? "([^"]*)" token$/ do |role|
+  @membership = Locomotive::Site.first.memberships.where(:role => role.downcase).first \
+    || FactoryGirl.create(role.downcase.to_sym, :site => Locomotive::Site.first)
+
+  login_params = {
+    :email => @membership.account.email,
+    :password => 'easyone'
+  }
+  response = do_request('POST', api_base_url, 'tokens.json', login_params)
+
+  if response.status == 200
+    @token = JSON.parse(response.body)['token']
+  else
+    raise JSON.parse(response.body)['message']
+  end
+
+  add_default_params(:auth_token => @token)
+end
+
+When /^I do an API (\w+) (?:request )?to ([\w.\/]+)$/ do |request_type, url|
+  do_api_request(request_type, url)
+end
+
+When /^I do an API (\w+) (?:request )?to ([\w.\/]+) with:$/ do |request_type, url, param_string|
+  do_api_request(request_type, url, param_string)
+end
+
+Then /^the JSON response should be the following:$/ do |json|
+  @response.should == JSON.parse(json)
+end
+
+Then /^the JSON response should contain all pages$/ do
+  page_ids_in_response = @response.collect { |page| page['id'].to_s }.sort
+  all_page_ids = Locomotive::Page.all.collect { |page| page.id.to_s }.sort
+  page_ids_in_response.should == all_page_ids
+end
+
+Then /^the JSON response should contain (\d+) pages$/ do |n|
+  @response.count.should == n.to_i
+end
+
+Then /^the JSON response should be an access denied error$/ do
+  @response['message'].should == 'You are not authorized to access this page'
+end
+
+Then /^the JSON response should contain:$/ do |json|
+  @response.merge(JSON.parse(json)).should == @response
+end
--- a/features/support/http.rb
+++ b/features/support/http.rb
@ -0,0 +1,22 @@
+module HTTPHelpers
+
+  attr_accessor :default_params
+
+  def add_default_params(params)
+    default_params.merge!(params)
+  end
+
+  def do_request(type, base_url, url, params)
+    request_method = type.downcase.to_sym
+    page.driver.send(request_method, "#{base_url}/#{url}", default_params.merge(params))
+  end
+
+  protected
+
+  def default_params
+    @default_params ||= {}
+  end
+
+end
+
+World(HTTPHelpers)