require 'spec_helper' describe Admin::ApiContentsController do before(:each) do @site = Factory('existing site') @site.content_types.first.tap do |content_type| content_type.content_custom_fields.build :label => 'Name', :kind => 'string', :required => true content_type.content_custom_fields.build :label => 'Description', :kind => 'text' end.save controller.stubs(:require_site).returns(true) controller.stubs(:current_site).returns(@site) end describe 'API disabled' do it 'blocks the creation of a new instance' do post 'create', default_post_params response.code.should eq('403') response.body.should == 'Api not enabled' end end describe 'API enabled' do before(:each) do ContentType.any_instance.stubs(:api_enabled?).returns(true) end it 'saves a content' do post 'create', default_post_params response.should redirect_to('http://www.locomotivecms.com/success') @site.reload.content_types.first.contents.size.should == 1 end it 'does not save a content if required parameters are missing' do post 'create', default_post_params(:content => { :name => '' }) response.should redirect_to('http://www.locomotivecms.com/failure') @site.reload.content_types.first.contents.size.should == 0 end describe 'XSS vulnerability' do it 'sanitizes the params (simple example)' do post 'create', default_post_params(:content => { :name => %(Hacking ) }) content = @site.reload.content_types.first.contents.first content.name.should == "Hacking alert(\"You have been hacked\")" end it 'sanitizes the params (more complex example)' do post 'create', default_post_params(:content => { :name => %(