require 'spec_helper' describe Locomotive::ApiContentsController do before(:each) do @site = FactoryGirl.create('existing site') @site.content_types.first.tap do |content_type| content_type.entries_custom_fields.build :label => 'Name', :type => 'string', :required => true content_type.entries_custom_fields.build :label => 'Description', :type => 'text' content_type.entries_custom_fields.build :label => 'File', :type => 'file' content_type.entries_custom_fields.build :label => 'Active', :type => 'boolean' end.save controller.stubs(:require_site).returns(true) controller.stubs(:current_site).returns(@site) end describe 'API disabled' do it 'blocks the creation of a new instance' do post 'create', default_post_params response.code.should eq('403') response.body.should == 'Api not enabled' end end describe 'API enabled' do before(:each) do Locomotive::ContentType.any_instance.stubs(:api_enabled?).returns(true) end it 'saves a content' do post 'create', default_post_params response.should redirect_to('http://www.locomotivecms.com/success') @site.reload.content_types.first.entries.size.should == 1 end it 'does not save a content if required parameters are missing' do post 'create', default_post_params(:content_entry => { :name => '' }) response.should redirect_to('http://www.locomotivecms.com/failure') @site.reload.content_types.first.entries.size.should == 0 end describe 'XSS vulnerability' do it 'sanitizes the params (simple example)' do post 'create', default_post_params(:content_entry => { :name => %(Hacking ) }) entry = @site.reload.content_types.first.entries.first entry.name.should == "Hacking alert(\"You have been hacked\")" end it 'sanitizes the params (more complex example)' do post 'create', default_post_params(:content_entry => { :name => %(