Added auth feature for content_assets

app/controllers/locomotive/api/content_assets_controller.rb

@@ -2,11 +2,18 @@ module Locomotive
   module Api
     class ContentAssetsController < BaseController
 
+      load_and_authorize_resource :class => Locomotive::ContentAsset
+
       def index
         @content_assets = current_site.content_assets
         respond_with(@content_assets)
       end
 
+      def show
+        @content_asset = current_site.content_assets.find(params[:id])
+        respond_with(@content_asset)
+      end
+
       def create
         @content_asset = current_site.content_assets.create(params[:content_asset])
         respond_with @content_asset, :location => main_app.locomotive_api_content_assets_url
@@ -18,6 +25,12 @@ module Locomotive
         respond_with @content_asset, :location => main_app.locomotive_api_content_assets_url
       end
 
+      def destroy
+        @content_asset = current_site.content_assets.find(params[:id])
+        @content_asset.destroy
+        respond_with @content_asset
+      end
+
     end
   end
 end

features/api/authorization/content_assets.feature

@@ -0,0 +1,147 @@
+Feature: Content Assets
+  In order to ensure content assets are not tampered with
+  As an admin, designer or author
+  I will be restricted based on my role
+
+  Background:
+    Given I have the site: "test site" set up
+    And I have the following content assets:
+      | id                          | file      |
+      | 4f832c2cb0d86d3f42fffffe    | 5k.png    |
+      | 4f832c2cb0d86d3f42ffffff    | 5k_2.png  |
+    And I have a designer and an author
+
+  Scenario: As an unauthenticated user
+    Given I am not authenticated
+    When I do an API GET to content_assets.json
+    Then the JSON response at "error" should be "You need to sign in or sign up before continuing."
+
+  # listing content assets
+
+  Scenario: Accessing content assets as an Admin
+    Given I have an "admin" API token
+    When I do an API GET request to content_assets.json
+    Then the JSON response should be an array
+    And the JSON response should have 2 entries
+
+  Scenario: Accessing content assets as a Designer
+    Given I have a "designer" API token
+    When I do an API GET request to content_assets.json
+    Then the JSON response should be an array
+    And the JSON response should have 2 entries
+
+  Scenario: Accessing content assets as an Author
+    Given I have an "author" API token
+    When I do an API GET request to content_assets.json
+    Then the JSON response should be an array
+    And the JSON response should have 2 entries
+
+  # showing content asset
+
+  Scenario: Accessing content asset as an Admin
+    Given I have an "admin" API token
+    When I do an API GET request to content_assets/4f832c2cb0d86d3f42fffffe.json
+    Then the JSON response at "filename" should be "5k.png"
+
+  Scenario: Accessing content asset as a Designer
+    Given I have a "designer" API token
+    When I do an API GET request to content_assets/4f832c2cb0d86d3f42fffffe.json
+    Then the JSON response at "filename" should be "5k.png"
+
+  Scenario: Accessing content asset as an Author
+    Given I have an "author" API token
+    When I do an API GET request to content_assets/4f832c2cb0d86d3f42fffffe.json
+    Then the JSON response at "filename" should be "5k.png"
+
+  # create content asset
+
+  Scenario: Creating new content asset as an Admin
+    Given I have an "admin" API token
+    When I do an API GET request to content_assets.json
+    Then the JSON response should be an array
+    And the JSON response should have 2 entries
+    When I do a multipart API POST to content_assets.json with base key "content_asset" and:
+      | source  | assets/application.js     |
+    When I do an API GET request to content_assets.json
+    Then the JSON response should be an array
+    And the JSON response should have 3 entries
+    And the JSON at "2/filename" should be "application.js"
+
+  Scenario: Creating new content asset as a Designer
+    Given I have a "designer" API token
+    When I do an API GET request to content_assets.json
+    Then the JSON response should be an array
+    And the JSON response should have 2 entries
+    When I do a multipart API POST to content_assets.json with base key "content_asset" and:
+      | source  | assets/application.js     |
+    When I do an API GET request to content_assets.json
+    Then the JSON response should be an array
+    And the JSON response should have 3 entries
+    And the JSON at "2/filename" should be "application.js"
+
+  Scenario: Creating new content asset as an Author
+    Given I have an "author" API token
+    When I do an API GET request to content_assets.json
+    Then the JSON response should be an array
+    And the JSON response should have 2 entries
+    When I do a multipart API POST to content_assets.json with base key "content_asset" and:
+      | source  | assets/application.js     |
+    When I do an API GET request to content_assets.json
+    Then the JSON response should be an array
+    And the JSON response should have 3 entries
+    And the JSON at "2/filename" should be "application.js"
+
+  # update content asset
+
+  Scenario: Updating content asset as an Admin
+    Given I have an "admin" API token
+    When I do a multipart API PUT to content_assets/4f832c2cb0d86d3f42fffffe.json with base key "content_asset" and:
+      | source  | assets/main.css   |
+    When I do an API GET request to content_assets/4f832c2cb0d86d3f42fffffe.json
+    Then the JSON response at "filename" should be "main.css"
+
+  Scenario: Updating content asset as a Designer
+    Given I have a "designer" API token
+    When I do a multipart API PUT to content_assets/4f832c2cb0d86d3f42fffffe.json with base key "content_asset" and:
+      | source  | assets/main.css   |
+    When I do an API GET request to content_assets/4f832c2cb0d86d3f42fffffe.json
+    Then the JSON response at "filename" should be "main.css"
+
+  Scenario: Updating content asset as an Author
+    Given I have a "author" API token
+    When I do a multipart API PUT to content_assets/4f832c2cb0d86d3f42fffffe.json with base key "content_asset" and:
+      | source  | assets/main.css   |
+    When I do an API GET request to content_assets/4f832c2cb0d86d3f42fffffe.json
+    Then the JSON response at "filename" should be "main.css"
+
+  # destroy content asset
+
+  Scenario: Destroying content asset as an Admin
+    Given I have an "admin" API token
+    When I do an API GET request to content_assets.json
+    Then the JSON response should be an array
+    And the JSON response should have 2 entries
+    When I do an API DELETE to content_assets/4f832c2cb0d86d3f42fffffe.json
+    When I do an API GET request to content_assets.json
+    Then the JSON response should be an array
+    And the JSON response should have 1 entry
+
+  Scenario: Destroying content asset as a Designer
+    Given I have a "designer" API token
+    When I do an API GET request to content_assets.json
+    Then the JSON response should be an array
+    And the JSON response should have 2 entries
+    When I do an API DELETE to content_assets/4f832c2cb0d86d3f42fffffe.json
+    When I do an API GET request to content_assets.json
+    Then the JSON response should be an array
+    And the JSON response should have 1 entry
+
+  Scenario: Deleting content asset as an Author
+    Given I have a "author" API token
+    When I do an API GET request to content_assets.json
+    Then the JSON response should be an array
+    And the JSON response should have 2 entries
+    When I do an API DELETE to content_assets/4f832c2cb0d86d3f42fffffe.json
+    When I do an API GET request to content_assets.json
+    Then the JSON response should be an array
+    And the JSON response should have 1 entry

features/step_definitions/api_steps.rb

@@ -3,9 +3,17 @@ def api_base_url
   "http://#{@site.domains.first}/locomotive/api/"
 end
 
-def do_api_request(type, url, param_string = nil)
+def do_api_request(type, url, param_string_or_hash = nil)
   begin
-    params = param_string && JSON.parse(param_string) || {}
+    if param_string_or_hash
+      if param_string_or_hash.is_a? Hash
+        params = param_string_or_hash
+      else
+        params = JSON.parse(param_string_or_hash)
+      end
+    else
+      params = {}
+    end
     @json_response = do_request(type, api_base_url, url,
                                params.merge({ 'CONTENT_TYPE' => 'application/json' }))
   rescue CanCan::AccessDenied
@@ -67,3 +75,13 @@ Then /^an access denied error should occur$/ do
   @error.should_not be_nil
   @error.is_a?(CanCan::AccessDenied).should be_true
 end
+
+When /^I do a multipart API (\w+) (?:request )?to ([\w.\/]+) with base key "([^"]*)" and:$/ \
+    do |request_type, url, base_key, table|
+  params = {}
+  params = table.rows_hash
+  params.each do |key, filename|
+    params[key] = Rack::Test::UploadedFile.new(Rails.root.join('..', 'fixtures', filename))
+  end
+  do_api_request(request_type, url, { base_key => params })
+end

features/step_definitions/content_assets_steps.rb

@@ -0,0 +1,12 @@
+
+Given /^I have the following content assets:$/ do |table|
+  site = Locomotive::Site.first
+  table.hashes.each do |asset_hash|
+    asset_hash['site'] = site
+    asset_hash['source'] = FixturedAsset.open(asset_hash['file'])
+    asset_hash.delete('file')
+
+    asset = FactoryGirl.build(:asset, asset_hash)
+    asset.save.should be_true
+  end
+end