Authorise access to OrderCycles API

2026-03-01 02:03:22 +00:00 · 2014-04-11 13:36:26 +10:00
parent 3c8757034a
commit b649d6ef69
2 changed files with 32 additions and 9 deletions
--- a/app/controllers/api/order_cycles_controller.rb
+++ b/app/controllers/api/order_cycles_controller.rb
@@ -2,6 +2,8 @@ module Api
  class OrderCyclesController < Spree::Api::BaseController
    respond_to :json
    def managed
+      authorize! :admin, OrderCycle
+      authorize! :read, OrderCycle
      @order_cycles = OrderCycle.ransack(params[:q]).result.managed_by(current_api_user)
      render params[:template] || :bulk_index
    end
@@ -12,4 +14,3 @@ module Api
    end
  end
 end
-        
--- a/spec/controllers/api/order_cycles_controller_spec.rb
+++ b/spec/controllers/api/order_cycles_controller_spec.rb
@@ -6,15 +6,37 @@ module Api
    include Spree::Api::TestingSupport::Helpers
    render_views

-    context "as a normal user" do
-      let!(:oc1) { FactoryGirl.create(:order_cycle) }
-      let!(:oc2) { FactoryGirl.create(:order_cycle) }
-      let(:attributes) { [:id, :name, :suppliers, :distributors] }
+    let!(:oc1) { FactoryGirl.create(:order_cycle) }
+    let!(:oc2) { FactoryGirl.create(:order_cycle) }
+    let(:coordinator) { oc1.coordinator }
+    let(:attributes) { [:id, :name, :suppliers, :distributors] }

-      before do
-        stub_authentication!
-        Spree.user_class.stub :find_by_spree_api_key => current_api_user
+    before do
+      stub_authentication!
+      Spree.user_class.stub :find_by_spree_api_key => current_api_user
+    end
+
+    context "as a normal user" do
+      sign_in_as_user!
+
+      it "should deny me access to managed order cycles" do
+        spree_get :managed, { :format => :json }
+        assert_unauthorized!
      end
+    end
+
+    context "as an enterprise user" do
+      sign_in_as_enterprise_user! [:coordinator]
+
+      it "retrieves a list of variants with appropriate attributes" do
+        get :managed, { :format => :json }
+        keys = json_response.first.keys.map{ |key| key.to_sym }
+        attributes.all?{ |attr| keys.include? attr }.should == true
+      end
+    end
+
+    context "as an administrator" do
+      sign_in_as_admin!

      it "retrieves a list of variants with appropriate attributes" do
        get :managed, { :format => :json }
@@ -89,4 +111,4 @@ module Api
      end
    end
  end
-end
+end