From 96007174cbdd4f24ab89dd83b0614905bbc3b462 Mon Sep 17 00:00:00 2001 From: Alex Sanford Date: Thu, 26 Apr 2012 16:14:23 -0300 Subject: [PATCH] Added auth feature for content_assets --- .../api/content_assets_controller.rb | 13 ++ .../api/authorization/content_assets.feature | 147 ++++++++++++++++++ features/step_definitions/api_steps.rb | 22 ++- .../step_definitions/content_assets_steps.rb | 12 ++ spec/fixtures/assets/5k_2.png | Bin 0 -> 1284 bytes 5 files changed, 192 insertions(+), 2 deletions(-) create mode 100644 features/api/authorization/content_assets.feature create mode 100644 features/step_definitions/content_assets_steps.rb create mode 100644 spec/fixtures/assets/5k_2.png diff --git a/app/controllers/locomotive/api/content_assets_controller.rb b/app/controllers/locomotive/api/content_assets_controller.rb index abde5f8c..2acd8c12 100644 --- a/app/controllers/locomotive/api/content_assets_controller.rb +++ b/app/controllers/locomotive/api/content_assets_controller.rb @@ -2,11 +2,18 @@ module Locomotive module Api class ContentAssetsController < BaseController + load_and_authorize_resource :class => Locomotive::ContentAsset + def index @content_assets = current_site.content_assets respond_with(@content_assets) end + def show + @content_asset = current_site.content_assets.find(params[:id]) + respond_with(@content_asset) + end + def create @content_asset = current_site.content_assets.create(params[:content_asset]) respond_with @content_asset, :location => main_app.locomotive_api_content_assets_url @@ -18,6 +25,12 @@ module Locomotive respond_with @content_asset, :location => main_app.locomotive_api_content_assets_url end + def destroy + @content_asset = current_site.content_assets.find(params[:id]) + @content_asset.destroy + respond_with @content_asset + end + end end end diff --git a/features/api/authorization/content_assets.feature b/features/api/authorization/content_assets.feature new file mode 100644 index 00000000..ff3f8aec --- /dev/null 
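Review bot: `load_and_authorize_resource :class => Locomotive::ContentAsset` loads the record for `show` by `params[:id]` from the whole collection, while the action body on the next line re-finds it through `current_site.content_assets`; the ability check in the before filter therefore runs against whatever record matches the id globally, and the second lookup is a redundant query. Unless the ability rules themselves restrict by site (not visible here), scoping the loader is the simpler fix, e.g. `load_and_authorize_resource :class => Locomotive::ContentAsset, :through => :current_site`, after which `show` can use the `@content_asset` CanCan already set instead of calling `find` again. The same re-find appears in the new `destroy` action of the second hunk. The class body continues beyond this hunk.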
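Review bot: The new `destroy` action discards the return value of `@content_asset.destroy`; if a `before_destroy` callback halts the deletion the action still replies as though it succeeded, because `respond_with` only inspects validation errors on the object. A short comment on the `respond_with @content_asset` line stating that a halted destroy is not reported would at least make the limitation explicit; guarding the response on the result of `destroy` would fix it. The `end` lines closing the class and modules are inside this hunk, so nothing follows the action.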
+++ b/features/api/authorization/content_assets.feature 
@@ -0,0 +1,147 @@
+Feature: Content Assets
+  In order to ensure content assets are not tampered with
+  As an admin, designer or author
+  I will be restricted based on my role
+
+  Background:
+    Given I have the site: "test site" set up
+    And I have the following content assets:
+      | id | file |
+      | 4f832c2cb0d86d3f42fffffe | 5k.png |
+      | 4f832c2cb0d86d3f42ffffff | 5k_2.png |
+    And I have a designer and an author
+
+  Scenario: As an unauthenticated user
+    Given I am not authenticated
+    When I do an API GET to content_assets.json
+    Then the JSON response at "error" should be "You need to sign in or sign up before continuing."
+
+  # listing content assets
+
+  Scenario: Accessing content assets as an Admin
+    Given I have an "admin" API token
+    When I do an API GET request to content_assets.json
+    Then the JSON response should be an array
+    And the JSON response should have 2 entries
+
+  Scenario: Accessing content assets as a Designer
+    Given I have a "designer" API token
+    When I do an API GET request to content_assets.json
+    Then the JSON response should be an array
+    And the JSON response should have 2 entries
+
+  Scenario: Accessing content assets as an Author
+    Given I have an "author" API token
+    When I do an API GET request to content_assets.json
+    Then the JSON response should be an array
+    And the JSON response should have 2 entries
+
+  # showing content asset
+
+  Scenario: Accessing content asset as an Admin
+    Given I have an "admin" API token
+    When I do an API GET request to content_assets/4f832c2cb0d86d3f42fffffe.json
+    Then the JSON response at "filename" should be "5k.png"
+
+  Scenario: Accessing content asset as a Designer
+    Given I have a "designer" API token
+    When I do an API GET request to content_assets/4f832c2cb0d86d3f42fffffe.json
+    Then the JSON response at "filename" should be "5k.png"
+
+  Scenario: Accessing content asset as an Author
+    Given I have an "author" API token
+    When I do an API GET request to content_assets/4f832c2cb0d86d3f42fffffe.json
+    Then the JSON response at "filename" should be "5k.png"
+
+  # create content asset
+
+  Scenario: Creating new content asset as an Admin
+    Given I have an "admin" API token
+    When I do an API GET request to content_assets.json
+    Then the JSON response should be an array
+    And the JSON response should have 2 entries
+    When I do a multipart API POST to content_assets.json with base key "content_asset" and:
+      | source | assets/application.js |
+    When I do an API GET request to content_assets.json
+    Then the JSON response should be an array
+    And the JSON response should have 3 entries
+    And the JSON at "2/filename" should be "application.js"
+
+  Scenario: Creating new content asset as a Designer
+    Given I have a "designer" API token
+    When I do an API GET request to content_assets.json
+    Then the JSON response should be an array
+    And the JSON response should have 2 entries
+    When I do a multipart API POST to content_assets.json with base key "content_asset" and:
+      | source | assets/application.js |
+    When I do an API GET request to content_assets.json
+    Then the JSON response should be an array
+    And the JSON response should have 3 entries
+    And the JSON at "2/filename" should be "application.js"
+
+  Scenario: Creating new content asset as an Author
+    Given I have an "author" API token
+    When I do an API GET request to content_assets.json
+    Then the JSON response should be an array
+    And the JSON response should have 2 entries
+    When I do a multipart API POST to content_assets.json with base key "content_asset" and:
+      | source | assets/application.js |
+    When I do an API GET request to content_assets.json
+    Then the JSON response should be an array
+    And the JSON response should have 3 entries
+    And the JSON at "2/filename" should be "application.js"
+
+  # update content asset
+
+  Scenario: Updating content asset as an Admin
+    Given I have an "admin" API token
+    When I do a multipart API PUT to content_assets/4f832c2cb0d86d3f42fffffe.json with base key "content_asset" and:
+      | source | assets/main.css |
+    When I do an API GET request to content_assets/4f832c2cb0d86d3f42fffffe.json
+    Then the JSON response at "filename" should be "main.css"
+
+  Scenario: Updating content asset as a Designer
+    Given I have a "designer" API token
+    When I do a multipart API PUT to content_assets/4f832c2cb0d86d3f42fffffe.json with base key "content_asset" and:
+      | source | assets/main.css |
+    When I do an API GET request to content_assets/4f832c2cb0d86d3f42fffffe.json
+    Then the JSON response at "filename" should be "main.css"
+
+  Scenario: Updating content asset as an Author
+    Given I have a "author" API token
+    When I do a multipart API PUT to content_assets/4f832c2cb0d86d3f42fffffe.json with base key "content_asset" and:
+      | source | assets/main.css |
+    When I do an API GET request to content_assets/4f832c2cb0d86d3f42fffffe.json
+    Then the JSON response at "filename" should be "main.css"
+
+  # destroy content asset
+
+  Scenario: Destroying content asset as an Admin
+    Given I have an "admin" API token
+    When I do an API GET request to content_assets.json
+    Then the JSON response should be an array
+    And the JSON response should have 2 entries
+    When I do an API DELETE to content_assets/4f832c2cb0d86d3f42fffffe.json
+    When I do an API GET request to content_assets.json
+    Then the JSON response should be an array
+    And the JSON response should have 1 entry
+
+  Scenario: Destroying content asset as a Designer
+    Given I have a "designer" API token
+    When I do an API GET request to content_assets.json
+    Then the JSON response should be an array
+    And the JSON response should have 2 entries
+    When I do an API DELETE to content_assets/4f832c2cb0d86d3f42fffffe.json
+    When I do an API GET request to content_assets.json
+    Then the JSON response should be an array
+    And the JSON response should have 1 entry
+
+  Scenario: Deleting content asset as an Author
+    Given I have a "author" API token
+    When I do an API GET request to content_assets.json
+    Then the JSON response should be an array
+    And the JSON response should have 2 entries
+    When I do an API DELETE to content_assets/4f832c2cb0d86d3f42fffffe.json
+    When I do an API GET request to content_assets.json
+    Then the JSON response should be an array
+    And the JSON response should have 1 entry
diff --git a/features/step_definitions/api_steps.rb b/features/step_definitions/api_steps.rb
index 8d9b3059..92745a03 100644
--- a/features/step_definitions/api_steps.rb
+++ b/features/step_definitions/api_steps.rb
@@ -3,9 +3,17 @@ def api_base_url "http://#{@site.domains.first}/locomotive/api/" end -def do_api_request(type, url, param_string = nil) +def do_api_request(type, url, param_string_or_hash = nil) begin - params = param_string && JSON.parse(param_string) || {} + if param_string_or_hash + if param_string_or_hash.is_a? Hash + params = param_string_or_hash + else + params = JSON.parse(param_string_or_hash) + end + else + params = {} + end @json_response = do_request(type, api_base_url, url, params.merge({ 'CONTENT_TYPE' => 'application/json' })) rescue CanCan::AccessDenied
@@ -67,3 +75,13 @@ Then /^an access denied error should occur$/ do
   @error.should_not be_nil
   @error.is_a?(CanCan::AccessDenied).should be_true
 end
+
+When /^I do a multipart API (\w+) (?:request )?to ([\w.\/]+) with base key "([^"]*)" and:$/ \
+  do |request_type, url, base_key, table|
+  params = {}
+  params = table.rows_hash
+  params.each do |key, filename|
+    params[key] = Rack::Test::UploadedFile.new(Rails.root.join('..', 'fixtures', filename))
+  end
+  do_api_request(request_type, url, { base_key => params })
+end
diff --git a/features/step_definitions/content_assets_steps.rb b/features/step_definitions/content_assets_steps.rb
new file mode 100644
index 00000000..0a53b29f
--- /dev/null
+++ b/features/step_definitions/content_assets_steps.rb
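Review bot: The feature's narrative says access is restricted by role, yet every admin, designer and author scenario asserts the same successful outcome and none asserts a denial, so the file tests no restriction at all; the unauthenticated scenario is the only negative case. If all three roles are meant to have full access to content assets the narrative should say so, otherwise the role that should be refused needs a scenario ending in `Then an access denied error should occur`, a step api_steps.rb already defines. Minor wording: the update and destroy scenarios use `Given I have a "author" API token` while the others use `an "author"`, and the last scenario is titled "Deleting" where its siblings say "Destroying".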
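Review bot: The new parameter selection in `do_api_request` nests two `if`s to pick between a Hash, a JSON string and nothing; a `case` on the argument reads more directly and keeps the three outcomes side by side, as below. Separately, the `'CONTENT_TYPE' => 'application/json'` merge still applies on the new Hash path, where the values are `Rack::Test::UploadedFile` objects for a multipart request, which looks contradictory; `do_request` is outside the hunk, so I cannot tell whether that key is honoured as a header or ignored. The method's `rescue` and `end` are beyond this hunk.
```ruby
def do_api_request(type, url, param_string_or_hash = nil)
  begin
    params = case param_string_or_hash
             when nil, false then {}
             when Hash then param_string_or_hash
             else JSON.parse(param_string_or_hash)
             end
    # … unchanged: do_request call, rescue …
```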
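Review bot: In the new multipart step `params = {}` is dead, overwritten by `params = table.rows_hash` on the next line, and the hash is then written to while being iterated with `each`. Building the uploads hash in one pass removes both: `params = table.rows_hash.each_with_object({}) do |(key, filename), uploads|` / `  uploads[key] = Rack::Test::UploadedFile.new(Rails.root.join('..', 'fixtures', filename))` / `end`. The backslash continuation between the regexp and `do |request_type, url, base_key, table|` is also unusual for a step definition and is worth a glance from whoever owns the file's style.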
@@ -0,0 +1,12 @@ + +Given /^I have the following content assets:$/ do |table| + site = Locomotive::Site.first + table.hashes.each do |asset_hash| + asset_hash['site'] = site + asset_hash['source'] = FixturedAsset.open(asset_hash['file']) + asset_hash.delete('file') + + asset = FactoryGirl.build(:asset, asset_hash) + asset.save.should be_true + end +end diff --git a/spec/fixtures/assets/5k_2.png b/spec/fixtures/assets/5k_2.png new file mode 100644 index 0000000000000000000000000000000000000000..cf85f7cf573f05059b71d39bd2a104c496fb4f16 GIT binary patch literal 1284 zcmex=_1P|rX?qqI0P zFI~aY%U!`Mz|~!$%*;qrN1?DZF(6Oj-S5fuR$!pIEN!@|nR z%E~Fi%grl7GWdUhL6Cz%fkA4 zD%dK(z{JSR%*4VBay3wOEl{3;MUYiU(a@1iI53f2sZhkIapFP_Wv7h?MT0JWP%%y_ zYU1P)6PJ*bQdLve(9|+9H8Z!cv~qTFb#wRd^a>6M4GWKmj7m;PO-s+n%qlJ^Ei136 ztZHs)ZENr7?3y%r%G7DoXUv?nXz`Mz%a*TLxoXqqEnBy3-?4Mop~FXx9y@;G&P778mFHFAhJOBVf)5?CRc4#|IT0iV{y!7 z&#o7lE2VB9HM75J(s$rVN$#o}mNFAuYq>w3K4SHsq2(Wc#pS3Ed$@}q$=ZAD+O@HB zdV#Tu&*@M98N@iwSw9y2vHrJow&wbpl53{AnP>m)tX+OL*0I*gU1fFIrNuUn&-`@G zH8M;-Al>iv>}c4pZE{QN;_^bP%dHH)OwHQ3?C$z2e?9(Atgm2H{H;Ra_6K0aaI+P>l( zZ{^IeWSc|6Q@v{X^zKIe39>5O5%Dlpl(SfEUHXs9hXX6lAF{gFXmct0;Hn$vlT|J} zuF2NPX`OC+AgAk3@Q3RM-pl?w_n%?w{pLUFb}esL+`Q*)68`Z-qp7ax+{f7s<^ub7 zedfD#Q-YbHXa1d-v^~=wZ$IQ4{Yd7X+|?TU`sCC#8IycI9ADwMOS5H#U}Gukb!HoV zcAGCOWod>hgW1DG7N1oYn^bLfb*truucBHP=WO$hyZx>r;8x5D`!2^mJckd(azO5|NkZcW*-N_ literal 0 HcmV?d00001
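Review bot: `FixturedAsset.open(asset_hash['file'])` is stored straight into the attributes and never closed; if it returns an IO, as the name suggests, every row of every scenario leaks a file descriptor, so close it after `asset.save` or wrap the build-and-save in a block that does. The step also resolves the site with `Locomotive::Site.first`, while `api_base_url` in api_steps.rb reads `@site`, which the background's site step presumably sets; `site = @site || Locomotive::Site.first` would keep the two lookups consistent if more than one site exists. The new file also starts with a blank line.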