require 'spec_helper_min'
require 'support/helpers'
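# Specs for the snapshots API. Each action is exercised for missing
# credentials (401), a caller without visualization read access (403),
# unknown visualization or snapshot ids (404) and the success path.
describe Carto::Api::SnapshotsController do
  include HelperMethods

  # NOTE(review): fake_state is a `let`, yet it is read from before(:all)
  # hooks below. RSpec scopes `let` to a single example; confirm the RSpec
  # version in use tolerates this.
  let(:fake_state) { { manolo: 'escobar' } }

  before(:all) do
    bypass_named_maps
    # @user owns both visualizations; @intruder is a second, unrelated account
    # used for the negative authorization cases.
    @user = FactoryGirl.create(:carto_user)
    @intruder = FactoryGirl.create(:carto_user)
    @visualization = FactoryGirl.create(:carto_visualization, user: @user)
    @other_visualization = FactoryGirl.create(:carto_visualization, user: @user)
  end

  after(:all) do
    @visualization.destroy
    @other_visualization.destroy
    @intruder.destroy
    @user.destroy
  end

  describe('#index') do
    # Builds the collection URL; every component defaults to the owner's
    # values so an example overrides only the part it is testing.
    def snapshots_index_url(user_domain: @user.subdomain,
                            visualization_id: @visualization.id,
                            api_key: @user.api_key)
      snapshots_url(user_domain: user_domain,
                    visualization_id: visualization_id,
                    api_key: api_key)
    end

    before(:all) do
      # Three groups of five snapshots: owner on @visualization, @buddy on
      # @visualization, and @buddy on @other_visualization. The listing
      # example must return only the middle group.
      5.times do
        Carto::Snapshot.create!(user_id: @user.id,
                                visualization_id: @visualization.id,
                                state: fake_state)
      end

      @buddy = FactoryGirl.create(:carto_user)
      5.times do
        Carto::Snapshot.create!(user_id: @buddy.id,
                                visualization_id: @visualization.id,
                                state: fake_state)
      end

      5.times do
        Carto::Snapshot.create!(user_id: @buddy.id,
                                visualization_id: @other_visualization.id,
                                state: fake_state)
      end
    end

    after(:all) do
      # Removes every snapshot in the table, not only the ones created above.
      Carto::Snapshot.all.each(&:destroy)
      @buddy.destroy
    end

    it 'rejects unauthenticated access' do
      # Rule out public visibility so that only the missing API key decides.
      Carto::Visualization.any_instance
                          .stubs(:is_publically_accesible?)
                          .returns(false)

      get_json(snapshots_index_url(api_key: nil), {}) do |response|
        response.status.should eq 401
      end
    end

    it 'rejects users with no read access' do
      Carto::Visualization.any_instance
                          .stubs(:is_viewable_by_user?)
                          .returns(false)

      intruder_url = snapshots_index_url(user_domain: @intruder.subdomain,
                                         api_key: @intruder.api_key)
      get_json(intruder_url, {}) do |response|
        response.status.should eq 403
      end
    end

    it 'returns 404 for non existent visualizations' do
      not_found_url = snapshots_index_url(visualization_id: random_uuid)
      get_json(not_found_url, {}) do |response|
        response.status.should eq 404
      end
    end

    it 'lists only snapshots for user and visualization' do
      buddy_url = snapshots_index_url(user_domain: @buddy.subdomain,
                                      api_key: @buddy.api_key)

      # Expected ids: @buddy's snapshots on @visualization only. Snapshots of
      # other users and of @other_visualization must not leak into the list.
      buddy_snaps = Carto::Snapshot.where(user_id: @buddy.id,
                                          visualization_id: @visualization.id)
                                   .map(&:id)
                                   .sort

      get_json(buddy_url, {}) do |response|
        response.status.should eq 200

        response_ids = response.body
                               .map { |snapshot| snapshot['id'] }
                               .compact
                               .sort
        # Guard against a vacuous pass where both lists are empty.
        response_ids.should_not be_empty

        response_ids.should eq buddy_snaps
      end
    end
  end

  describe('#show') do
    # Builds the member URL; defaults point at the owner's own snapshot.
    def snapshots_show_url(user_domain: @user.subdomain,
                           visualization_id: @visualization.id,
                           snapshot_id: @snapshot.id,
                           api_key: @user.api_key)
      snapshot_url(user_domain: user_domain,
                   visualization_id: visualization_id,
                   id: snapshot_id,
                   api_key: api_key)
    end

    before(:all) do
      @snapshot = Carto::Snapshot.create!(user_id: @user.id,
                                          visualization_id: @visualization.id,
                                          state: fake_state)
    end

    after(:all) do
      @snapshot.destroy
    end

    it 'rejects unauthenticated access' do
      Carto::Visualization.any_instance
                          .stubs(:is_publically_accesible?)
                          .returns(false)

      get_json(snapshots_show_url(api_key: nil), {}) do |response|
        response.status.should eq 401
      end
    end

    it 'rejects users with no read access' do
      Carto::Visualization.any_instance
                          .stubs(:is_viewable_by_user?)
                          .returns(false)

      intruder_url = snapshots_show_url(user_domain: @intruder.subdomain,
                                        api_key: @intruder.api_key)
      get_json(intruder_url, {}) do |response|
        response.status.should eq 403
      end
    end

    it 'returns 404 for non existent visualizations' do
      not_found_url = snapshots_show_url(visualization_id: random_uuid)
      get_json(not_found_url, {}) do |response|
        response.status.should eq 404
      end
    end

    it 'returns 404 for inexistent snapshots' do
      not_found_url = snapshots_show_url(snapshot_id: random_uuid)

      get_json(not_found_url, {}) do |response|
        response.status.should eq 404
      end
    end

    it 'only accepts owners of snapshots' do
      # Pin visualization-level read access to "allowed" so the 403 is
      # attributable to the snapshot-ownership check and does not depend on
      # the factory's default privacy.
      # NOTE(review): assumes ownership is enforced separately from
      # visualization access; confirm against the controller.
      Carto::Visualization.any_instance
                          .stubs(:is_viewable_by_user?)
                          .returns(true)

      intruder_url = snapshots_show_url(user_domain: @intruder.subdomain,
                                        api_key: @intruder.api_key)
      get_json(intruder_url, {}) do |response|
        response.status.should eq 403
      end
    end

    it 'shows a snapshot' do
      get_json(snapshots_show_url, {}) do |response|
        response.status.should eq 200
        response.body[:id].should eq @snapshot.id
      end
    end
  end

  describe('#create') do
    # Builds the collection URL used for POST; defaults are the owner's.
    def snapshots_create_url(user_domain: @user.subdomain,
                             visualization_id: @visualization.id,
                             api_key: @user.api_key)
      snapshots_url(user_domain: user_domain,
                    visualization_id: visualization_id,
                    api_key: api_key)
    end

    # Start every example with no snapshots on the owner's visualizations, so
    # the count assertions in 'creates a snapshot' are exact.
    before(:each) do
      @user.visualizations.map(&:snapshots).flatten.each(&:destroy)
    end

    after(:all) do
      @user.visualizations.map(&:snapshots).flatten.each(&:destroy)
    end

    it 'rejects unauthenticated access' do
      Carto::Visualization.any_instance
                          .stubs(:is_publically_accesible?)
                          .returns(false)

      nil_api_key_url = snapshots_create_url(api_key: nil)
      post_json(nil_api_key_url, state: fake_state) do |response|
        response.status.should eq 401
      end
    end

    it 'rejects users with no read access' do
      Carto::Visualization.any_instance
                          .stubs(:is_viewable_by_user?)
                          .returns(false)

      intruder_url = snapshots_create_url(user_domain: @intruder.subdomain,
                                          api_key: @intruder.api_key)
      post_json(intruder_url, state: fake_state) do |response|
        response.status.should eq 403
      end
    end

    it 'returns 404 for non existent visualizations' do
      not_found_url = snapshots_create_url(visualization_id: random_uuid)
      post_json(not_found_url, state: fake_state) do |response|
        response.status.should eq 404
      end
    end

    it 'creates a snapshot' do
      @visualization.snapshots.count.should eq 0

      post_json(snapshots_create_url, state: fake_state) do |response|
        response.status.should eq 201

        @visualization.reload

        @visualization.snapshots.count.should eq 1
        @visualization.snapshots.first.id.should eq response.body[:id]
      end
    end
  end

  describe('#update') do
    # Builds the member URL used for PUT; defaults are the owner's snapshot.
    def snapshots_update_url(user_domain: @user.subdomain,
                             visualization_id: @visualization.id,
                             snapshot_id: @snapshot.id,
                             api_key: @user.api_key)
      snapshot_url(user_domain: user_domain,
                   visualization_id: visualization_id,
                   id: snapshot_id,
                   api_key: api_key)
    end

    before(:all) do
      @snapshot = Carto::Snapshot.create!(user_id: @user.id,
                                          visualization_id: @visualization.id,
                                          state: fake_state)
    end

    after(:all) do
      @snapshot.destroy
    end

    it 'rejects unauthenticated access' do
      Carto::Visualization.any_instance
                          .stubs(:is_publically_accesible?)
                          .returns(false)

      put_json(snapshots_update_url(api_key: nil), {}) do |response|
        response.status.should eq 401
      end
    end

    it 'rejects users with no read access' do
      Carto::Visualization.any_instance
                          .stubs(:is_viewable_by_user?)
                          .returns(false)

      intruder_url = snapshots_update_url(user_domain: @intruder.subdomain,
                                          api_key: @intruder.api_key)
      put_json(intruder_url, {}) do |response|
        response.status.should eq 403
      end
    end

    it 'returns 404 for non existent visualizations' do
      not_found_url = snapshots_update_url(visualization_id: random_uuid)
      put_json(not_found_url, {}) do |response|
        response.status.should eq 404
      end
    end

    it 'returns 404 for inexistent snapshots' do
      not_found_url = snapshots_update_url(snapshot_id: random_uuid)

      put_json(not_found_url, {}) do |response|
        response.status.should eq 404
      end
    end

    it 'only accepts owners of snapshots' do
      # Pin visualization-level read access to "allowed" so the 403 is
      # attributable to the snapshot-ownership check and does not depend on
      # the factory's default privacy.
      # NOTE(review): assumes ownership is enforced separately from
      # visualization access; confirm against the controller.
      Carto::Visualization.any_instance
                          .stubs(:is_viewable_by_user?)
                          .returns(true)

      intruder_url = snapshots_update_url(user_domain: @intruder.subdomain,
                                          api_key: @intruder.api_key)
      put_json(intruder_url, {}) do |response|
        response.status.should eq 403
      end
    end

    it 'updates a snapshot' do
      new_state = { minili: 'iscibir' }

      put_json(snapshots_update_url, state: new_state) do |response|
        response.status.should eq 200
      end

      # Re-read the record to verify the change was persisted.
      @snapshot.reload.state.should eq new_state
    end
  end

  describe('#destroy') do
    # Builds the member URL used for DELETE; defaults are the owner's snapshot.
    def snapshots_delete_url(user_domain: @user.subdomain,
                             visualization_id: @visualization.id,
                             snapshot_id: @snapshot.id,
                             api_key: @user.api_key)
      snapshot_url(user_domain: user_domain,
                   visualization_id: visualization_id,
                   id: snapshot_id,
                   api_key: api_key)
    end

    # A fresh snapshot per example, because the success case deletes it.
    before(:each) do
      @snapshot = Carto::Snapshot.create!(user_id: @user.id,
                                          visualization_id: @visualization.id,
                                          state: fake_state)
    end

    after(:each) do
      @snapshot.destroy
    end

    it 'rejects unauthenticated access' do
      Carto::Visualization.any_instance
                          .stubs(:is_publically_accesible?)
                          .returns(false)

      delete_json(snapshots_delete_url(api_key: nil), {}) do |response|
        response.status.should eq 401
      end
    end

    it 'rejects users with no read access' do
      Carto::Visualization.any_instance
                          .stubs(:is_viewable_by_user?)
                          .returns(false)

      intruder_url = snapshots_delete_url(user_domain: @intruder.subdomain,
                                          api_key: @intruder.api_key)
      delete_json(intruder_url, {}) do |response|
        response.status.should eq 403
      end
    end

    it 'returns 404 for non existent visualizations' do
      not_found_url = snapshots_delete_url(visualization_id: random_uuid)
      delete_json(not_found_url, {}) do |response|
        response.status.should eq 404
      end
    end

    it 'returns 404 for inexistent snapshots' do
      not_found_url = snapshots_delete_url(snapshot_id: random_uuid)

      delete_json(not_found_url, {}) do |response|
        response.status.should eq 404
      end
    end

    it 'only accepts owners of snapshots' do
      # Pin visualization-level read access to "allowed" so the 403 is
      # attributable to the snapshot-ownership check and does not depend on
      # the factory's default privacy.
      # NOTE(review): assumes ownership is enforced separately from
      # visualization access; confirm against the controller.
      Carto::Visualization.any_instance
                          .stubs(:is_viewable_by_user?)
                          .returns(true)

      intruder_url = snapshots_delete_url(user_domain: @intruder.subdomain,
                                          api_key: @intruder.api_key)
      delete_json(intruder_url, {}) do |response|
        response.status.should eq 403
      end
    end

    it 'destroys a snapshot' do
      delete_json(snapshots_delete_url, {}) do |response|
        response.status.should eq 204
      end
    end
  end
end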