X-Git-Url: https://git.openstreetmap.org/rails.git/blobdiff_plain/149c07fd2bc33a8974d0b0f6e8ab5425d3178374..c203edda20370bb1760a091356f334d342ccb25b:/test/controllers/user_preferences_controller_test.rb?ds=inline

diff --git a/test/controllers/user_preferences_controller_test.rb b/test/controllers/user_preferences_controller_test.rb
index 3e5cbb369..99b40d5f0 100644
--- a/test/controllers/user_preferences_controller_test.rb
+++ b/test/controllers/user_preferences_controller_test.rb
@@ -96,8 +96,7 @@ class UserPreferencesControllerTest < ActionController::TestCase
 
     # try a put without auth
     assert_no_difference "UserPreference.count" do
-      content "<osm><preferences><preference k='key' v='new_value'/><preference k='new_key' v='value'/></preferences></osm>"
-      put :update
+      put :update, :body => "<osm><preferences><preference k='key' v='new_value'/><preference k='new_key' v='value'/></preferences></osm>"
     end
     assert_response :unauthorized, "should be authenticated"
     assert_equal "value", UserPreference.find([user.id, "key"]).v
@@ -111,8 +110,7 @@ class UserPreferencesControllerTest < ActionController::TestCase
 
     # try the put again
     assert_no_difference "UserPreference.count" do
-      content "<osm><preferences><preference k='key' v='new_value'/><preference k='new_key' v='value'/></preferences></osm>"
-      put :update
+      put :update, :body => "<osm><preferences><preference k='key' v='new_value'/><preference k='new_key' v='value'/></preferences></osm>"
     end
     assert_response :success
     assert_equal "text/plain", @response.content_type
@@ -125,8 +123,7 @@ class UserPreferencesControllerTest < ActionController::TestCase
 
     # try a put with duplicate keys
     assert_no_difference "UserPreference.count" do
-      content "<osm><preferences><preference k='key' v='value'/><preference k='key' v='newer_value'/></preferences></osm>"
-      put :update
+      put :update, :body => "<osm><preferences><preference k='key' v='value'/><preference k='key' v='newer_value'/></preferences></osm>"
     end
     assert_response :bad_request
     assert_equal "text/plain", @response.content_type
@@ -135,8 +132,7 @@ class UserPreferencesControllerTest < ActionController::TestCase
 
     # try a put with invalid content
     assert_no_difference "UserPreference.count" do
-      content "nonsense"
-      put :update
+      put :update, :body => "nonsense"
     end
     assert_response :bad_request
   end
@@ -149,8 +145,7 @@ class UserPreferencesControllerTest < ActionController::TestCase
 
     # try a put without auth
     assert_no_difference "UserPreference.count" do
-      content "new_value"
-      put :update_one, :params => { :preference_key => "new_key" }
+      put :update_one, :params => { :preference_key => "new_key" }, :body => "new_value"
     end
     assert_response :unauthorized, "should be authenticated"
     assert_raises ActiveRecord::RecordNotFound do
@@ -162,8 +157,7 @@ class UserPreferencesControllerTest < ActionController::TestCase
 
     # try adding a new preference
     assert_difference "UserPreference.count", 1 do
-      content "new_value"
-      put :update_one, :params => { :preference_key => "new_key" }
+      put :update_one, :params => { :preference_key => "new_key" }, :body => "new_value"
     end
     assert_response :success
     assert_equal "text/plain", @response.content_type
@@ -172,8 +166,7 @@ class UserPreferencesControllerTest < ActionController::TestCase
 
     # try changing the value of a preference
     assert_no_difference "UserPreference.count" do
-      content "newer_value"
-      put :update_one, :params => { :preference_key => "new_key" }
+      put :update_one, :params => { :preference_key => "new_key" }, :body => "newer_value"
     end
     assert_response :success
     assert_equal "text/plain", @response.content_type
@@ -217,4 +210,35 @@ class UserPreferencesControllerTest < ActionController::TestCase
       UserPreference.find([user.id, "key"])
     end
   end
+
+  # Ensure that a valid access token with correct capabilities can be used to
+  # read preferences
+  def test_read_one_using_token
+    user = create(:user)
+    token = create(:access_token, :user => user, :allow_read_prefs => true)
+    create(:user_preference, :user => user, :k => "key", :v => "value")
+
+    # Hack together an oauth request - an alternative would be to sign the request properly
+    @request.env["oauth.version"] = 1
+    @request.env["oauth.strategies"] = [:token]
+    @request.env["oauth.token"] = token
+
+    get :read_one, :params => { :preference_key => "key" }
+    assert_response :success
+  end
+
+  # Ensure that a valid access token with incorrect capabilities can't be used
+  # to read preferences even, though the owner of that token could read them
+  # by other methods.
+  def test_read_one_using_token_fail
+    user = create(:user)
+    token = create(:access_token, :user => user, :allow_read_prefs => false)
+    create(:user_preference, :user => user, :k => "key", :v => "value")
+    @request.env["oauth.version"] = 1
+    @request.env["oauth.strategies"] = [:token]
+    @request.env["oauth.token"] = token
+
+    get :read_one, :params => { :preference_key => "key" }
+    assert_response :forbidden
+  end
 end