Spec access denied to regular user when soft-deleting variants

2026-02-11 23:17:48 +00:00 · 2014-04-11 11:21:10 +10:00
parent d16d970952
commit 95a6e34523
4 changed files with 27 additions and 2 deletions
--- a/lib/spree/api/testing_support/helpers_decorator.rb
+++ b/lib/spree/api/testing_support/helpers_decorator.rb
@@ -0,0 +1,7 @@
+require 'spree/api/testing_support/helpers'
+
+Spree::Api::TestingSupport::Helpers.class_eval do
+  def current_api_user
+    @current_api_user ||= stub_model(Spree::LegacyUser, :email => "spree@example.com", :enterprises => [])
+  end
+end
--- a/lib/spree/api/testing_support/setup.rb
+++ b/lib/spree/api/testing_support/setup.rb
@@ -5,7 +5,7 @@ module Spree
        def sign_in_as_admin!
          let!(:current_api_user) do
            user = stub_model(Spree::LegacyUser)
-            user.should_receive(:has_spree_role?).any_number_of_times.with("admin").and_return(true)
+            user.stub(:has_spree_role?).with("admin").and_return(true)

            # Stub enterprises, needed for cancan ability checks
            user.stub(:enterprises) { [] }
--- a/spec/controllers/spree/api/variants_controller_spec.rb
+++ b/spec/controllers/spree/api/variants_controller_spec.rb
@@ -16,6 +16,13 @@ module Spree
    end

    context "as a normal user" do
+      let!(:current_api_user) do
+        user = stub_model(Spree::LegacyUser)
+        user.stub(:has_spree_role?).with("admin").and_return(false)
+        user.stub(:enterprises) { [] }
+        user
+      end
+
      it "retrieves a list of variants with appropriate attributes" do
        spree_get :index, { :template => 'bulk_index', :format => :json }
        keys = json_response.first.keys.map{ |key| key.to_sym }
@@ -28,6 +35,16 @@ module Spree
        unit_attributes.all?{ |attr| keys.include? attr }.should == true
      end

+      it "is denied access when trying to delete a variant" do
+        product = create(:product)
+        variant = product.master
+
+        spree_delete :soft_delete, {variant_id: variant.to_param, product_id: product.to_param, format: :json}
+        assert_unauthorized!
+        lambda { variant.reload }.should_not raise_error
+        variant.deleted_at.should be_nil
+      end
+
      #it "sorts variants in ascending id order" do
      #  spree_get :index, { :template => 'bulk_index', :format => :json }
      #  ids = json_response.map{ |variant| variant['id'] }
@@ -45,7 +62,7 @@ module Spree

        spree_delete :soft_delete, {variant_id: variant.to_param, product_id: product.to_param, format: :json}
        response.status.should == 204
-        lambda { variant.reload }.should_not raise_error(ActiveRecord::RecordNotFound)
+        lambda { variant.reload }.should_not raise_error
        variant.deleted_at.should_not be_nil
      end
    end
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -25,6 +25,7 @@ require 'spree/core/testing_support/controller_requests'
 require 'spree/core/testing_support/capybara_ext'
 require 'spree/api/testing_support/setup'
 require 'spree/api/testing_support/helpers'
+require 'spree/api/testing_support/helpers_decorator'

 require 'active_record/fixtures'
 fixtures_dir = File.expand_path('../../db/default', __FILE__)