raggedstaff/openfoodnetwork
1
0
Fork 0
mirror of https://github.com/openfoodfoundation/openfoodnetwork synced 2026-01-25 20:46:48 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
pr/9941
openfoodnetwork/spec/controllers/spree/api_keys_controller_spec.rb
Maikel Linke fc79612f26 Prevent users from changing API keys for others 
It was checking for the permission to create a user which everyone can
do. Now it's checking for updating that particular user and doesn't
allow generating new keys for other users any more.

This would have been an inconvenience but not a big security issue
because you can't view the key of another user.
2022-10-20 17:56:46 +11:00

56 lines
1.4 KiB
Ruby
Raw Permalink Blame History

# frozen_string_literal: true
require 'spec_helper'
describe Spree::ApiKeysController, type: :controller, performance: true do
routes { Spree::Core::Engine.routes }
include AuthenticationHelper
include ControllerRequestsHelper
let(:user) { create(:user) }
let(:other_user) { create(:user) }
let(:redirect_path) { "#{spree.account_path}#/developer_settings" }
before do
allow(controller).to receive(:spree_current_user) { user }
end
describe "create" do
it "creates a new api key" do
expect { spree_post :create }.to change { user.reload.spree_api_key }
expect(user.spree_api_key).to be_present
end
it "denies creating a new api key for other user" do
expect {
spree_post :create, id: other_user.id
other_user.reload
}.to_not change {
other_user.spree_api_key
}
end
it "redirects to the api keys tab on account page " do
spree_post :create
expect(response).to redirect_to redirect_path
end
end
describe "destroy" do
before do
user.generate_api_key
user.save
end
it "clears the api key" do
expect { spree_delete :destroy, id: user.id }.to change { user.reload.spree_api_key }.to(nil)
end
it "redirects to the api keys tab on account page " do
spree_delete :destroy, id: user.id
expect(response).to redirect_to redirect_path
end
end
end
Reference in New Issue View Git Blame Copy Permalink