{ :path => "/api/0.6/changeset/1/close", :method => :put },
{ :controller => "api/changesets/closes", :action => "update", :changeset_id => "1" }
)
+
+ assert_raises(ActionController::UrlGenerationError) do
+ put api_changeset_close_path(-132)
+ end
end
- ##
- # test that the user who opened a change can close it
- def test_update
- private_user = create(:user, :data_public => false)
- private_changeset = create(:changeset, :user => private_user)
- user = create(:user)
- changeset = create(:changeset, :user => user)
+ def test_update_missing_changeset_when_unauthorized
+ put api_changeset_close_path(999111)
- ## Try without authentication
- put api_changeset_close_path(changeset)
assert_response :unauthorized
+ end
- ## Try using the non-public user
- auth_header = bearer_authorization_header private_user
- put api_changeset_close_path(private_changeset), :headers => auth_header
- assert_require_public_data
+ def test_update_missing_changeset_by_regular_user
+ auth_header = bearer_authorization_header
+
+ put api_changeset_close_path(999111), :headers => auth_header
+
+ assert_response :not_found
+ end
+
+ def test_update_when_unauthorized
+ changeset = create(:changeset)
- ## The try with the public user
+ put api_changeset_close_path(changeset)
+
+ assert_response :unauthorized
+ assert_predicate changeset.reload, :open?
+ end
+
+ def test_update_by_private_user
+ user = create(:user, :data_public => false)
+ changeset = create(:changeset, :user => user)
auth_header = bearer_authorization_header user
- cs_id = changeset.id
- put api_changeset_close_path(cs_id), :headers => auth_header
- assert_response :success
+ put api_changeset_close_path(changeset), :headers => auth_header
- # test that it really is closed now
- cs = Changeset.find(changeset.id)
- assert_not(cs.open?,
- "changeset should be closed now (#{cs.closed_at} > #{Time.now.utc}.")
+ assert_require_public_data
+ assert_predicate changeset.reload, :open?
end
- ##
- # test that a different user can't close another user's changeset
- def test_update_invalid
+ def test_update_by_changeset_non_creator
user = create(:user)
changeset = create(:changeset)
-
auth_header = bearer_authorization_header user
put api_changeset_close_path(changeset), :headers => auth_header
+
assert_response :conflict
assert_equal "The user doesn't own that changeset", @response.body
+ assert_predicate changeset.reload, :open?
+ end
+
+ def test_update_without_required_scope
+ user = create(:user)
+ changeset = create(:changeset, :user => user)
+ auth_header = bearer_authorization_header user, :scopes => %w[read_prefs]
+
+ put api_changeset_close_path(changeset), :headers => auth_header
+
+ assert_response :forbidden
+ assert_predicate changeset.reload, :open?
+ end
+
+ def test_update_by_changeset_creator_with_required_scope
+ user = create(:user)
+ changeset = create(:changeset, :user => user)
+ auth_header = bearer_authorization_header user, :scopes => %w[write_api]
+
+ put api_changeset_close_path(changeset), :headers => auth_header
+
+ assert_response :success
+ assert_not_predicate changeset.reload, :open?
+ end
+
+ def test_update_twice
+ user = create(:user)
+ auth_header = bearer_authorization_header user
+
+ freeze_time do
+ changeset = create(:changeset, :user => user)
+
+ travel 30.minutes
+ put api_changeset_close_path(changeset), :headers => auth_header
+
+ assert_response :success
+ changeset.reload
+ assert_not_predicate changeset, :open?
+ assert_equal 0.minutes.ago, changeset.closed_at
+
+ travel 30.minutes
+ put api_changeset_close_path(changeset), :headers => auth_header
+
+ assert_response :conflict
+ changeset.reload
+ assert_not_predicate changeset, :open?
+ assert_equal 30.minutes.ago, changeset.closed_at
+ end
end
##
assert_response :not_found
assert_template "rescues/routing_error"
end
-
- ##
- # check that you can't close a changeset that isn't found
- def test_update_not_found
- cs_ids = [0, -132, "123"]
-
- # First try to do it with no auth
- cs_ids.each do |id|
- put api_changeset_close_path(id)
- assert_response :unauthorized, "Shouldn't be able close the non-existant changeset #{id}, when not authorized"
- rescue ActionController::UrlGenerationError => e
- assert_match(/No route matches/, e.to_s)
- end
-
- # Now try with auth
- auth_header = bearer_authorization_header
- cs_ids.each do |id|
- put api_changeset_close_path(id), :headers => auth_header
- assert_response :not_found, "The changeset #{id} doesn't exist, so can't be closed"
- rescue ActionController::UrlGenerationError => e
- assert_match(/No route matches/, e.to_s)
- end
- end
end
end
end
projects / rails.git / blobdiff