cartodb/spec/requests/carto/api/snapshots_controller_specs.rb

require 'spec_helper_min'
require 'support/helpers'
describe Carto::Api::SnapshotsController do
include HelperMethods

# Arbitrary state payload attached to the snapshots created by the examples.
let(:fake_state) { { manolo: 'escobar' } }

# Fixture accounts: @user owns both visualizations, @intruder is a second
# account that owns neither of them.
before(:all) do
  bypass_named_maps

  @user = FactoryGirl.create(:carto_user)
  @intruder = FactoryGirl.create(:carto_user)

  @visualization = FactoryGirl.create(:carto_visualization, user: @user)
  @other_visualization = FactoryGirl.create(:carto_visualization, user: @user)
end

# Tear down in the same order as before: visualizations first, then accounts.
after(:all) do
  [@visualization, @other_visualization, @intruder, @user].each(&:destroy)
end
# Listing endpoint: checks authentication (401), visualization-level
# authorization (403), unknown visualization (404) and that the listing is
# scoped to the requesting user and the requested visualization.
describe '#index' do
  # Builds the index URL. Defaults to @user requesting @visualization.
  def snapshots_index_url(user_domain: @user.subdomain,
                          visualization_id: @visualization.id,
                          api_key: @user.api_key)
    snapshots_url(user_domain: user_domain,
                  visualization_id: visualization_id,
                  api_key: api_key)
  end

  # Seeds three groups of five snapshots: @user on @visualization, @buddy on
  # @visualization and @buddy on @other_visualization.
  # NOTE(review): fake_state is a `let` read from a before(:all) hook; newer
  # RSpec releases disallow that — confirm against the version this suite uses.
  before(:all) do
    5.times do
      Carto::Snapshot.create!(user_id: @user.id,
                              visualization_id: @visualization.id,
                              state: fake_state)
    end

    @buddy = FactoryGirl.create(:carto_user)

    [@visualization, @other_visualization].each do |visualization|
      5.times do
        Carto::Snapshot.create!(user_id: @buddy.id,
                                visualization_id: visualization.id,
                                state: fake_state)
      end
    end
  end

  # Removes every snapshot in the table, not only the ones seeded above.
  after(:all) do
    Carto::Snapshot.all.each(&:destroy)
    @buddy.destroy
  end

  it 'rejects unauthenticated access' do
    # No api_key and the visualization reports itself as non-public.
    Carto::Visualization.any_instance.stubs(:is_publically_accesible?).returns(false)

    anonymous_url = snapshots_index_url(api_key: nil)
    get_json(anonymous_url, {}) do |response|
      response.status.should eq 401
    end
  end

  it 'rejects users with no read access' do
    # Authenticated as @intruder, with the visualization forced non-viewable.
    Carto::Visualization.any_instance.stubs(:is_viewable_by_user?).returns(false)

    url = snapshots_index_url(user_domain: @intruder.subdomain,
                              api_key: @intruder.api_key)
    get_json(url, {}) do |response|
      response.status.should eq 403
    end
  end

  it 'returns 404 for non existent visualizations' do
    url = snapshots_index_url(visualization_id: random_uuid)
    get_json(url, {}) do |response|
      response.status.should eq 404
    end
  end

  it 'lists only snapshots for user and visualization' do
    # @user's snapshots on this visualization and @buddy's snapshots on the
    # other visualization also exist; the exact-match comparison below fails
    # if either group leaks into @buddy's listing.
    expected_ids = Carto::Snapshot.where(user_id: @buddy.id,
                                         visualization_id: @visualization.id)
                                  .map(&:id)
                                  .sort
    url = snapshots_index_url(user_domain: @buddy.subdomain,
                              api_key: @buddy.api_key)

    get_json(url, {}) do |response|
      response.status.should eq 200

      listed_ids = response.body.map { |entry| entry['id'] }.compact.sort
      listed_ids.should_not be_empty
      listed_ids.should eq expected_ids
    end
  end
end
# Single-snapshot read endpoint: authentication (401), visualization-level
# authorization (403), unknown ids (404) and snapshot ownership (403).
describe '#show' do
  # Builds the show URL. Defaults to @user requesting their own @snapshot.
  def snapshots_show_url(user_domain: @user.subdomain,
                         visualization_id: @visualization.id,
                         snapshot_id: @snapshot.id,
                         api_key: @user.api_key)
    snapshot_url(user_domain: user_domain,
                 visualization_id: visualization_id,
                 id: snapshot_id,
                 api_key: api_key)
  end

  # One snapshot owned by @user, shared by every example in this group.
  # NOTE(review): fake_state is a `let` read from a before(:all) hook; newer
  # RSpec releases disallow that — confirm against the version this suite uses.
  before(:all) do
    @snapshot = Carto::Snapshot.create!(user_id: @user.id,
                                        visualization_id: @visualization.id,
                                        state: fake_state)
  end

  after(:all) { @snapshot.destroy }

  it 'rejects unauthenticated access' do
    # No api_key and the visualization reports itself as non-public.
    Carto::Visualization.any_instance.stubs(:is_publically_accesible?).returns(false)

    anonymous_url = snapshots_show_url(api_key: nil)
    get_json(anonymous_url, {}) do |response|
      response.status.should eq 401
    end
  end

  it 'rejects users with no read access' do
    # Authenticated as @intruder, with the visualization forced non-viewable.
    Carto::Visualization.any_instance.stubs(:is_viewable_by_user?).returns(false)

    url = snapshots_show_url(user_domain: @intruder.subdomain,
                             api_key: @intruder.api_key)
    get_json(url, {}) do |response|
      response.status.should eq 403
    end
  end

  it 'returns 404 for non existent visualizations' do
    url = snapshots_show_url(visualization_id: random_uuid)
    get_json(url, {}) do |response|
      response.status.should eq 404
    end
  end

  it 'returns 404 for inexistent snapshots' do
    url = snapshots_show_url(snapshot_id: random_uuid)
    get_json(url, {}) do |response|
      response.status.should eq 404
    end
  end

  it 'only accepts owners of snapshots' do
    # Same request as the read-access example but without any permission stub.
    # NOTE(review): the 403 is attributable to the snapshot-owner check only
    # if the fixture visualization is readable by @intruder — TODO confirm.
    url = snapshots_show_url(user_domain: @intruder.subdomain,
                             api_key: @intruder.api_key)
    get_json(url, {}) do |response|
      response.status.should eq 403
    end
  end

  it 'shows a snapshot' do
    owner_url = snapshots_show_url
    get_json(owner_url, {}) do |response|
      response.status.should eq 200
      response.body[:id].should eq @snapshot.id
    end
  end
end
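# Creation endpoint: authentication (401), visualization-level authorization
# (403), unknown visualization (404) and the successful path (201).
# Rejected requests are also checked for side effects: the number of snapshots
# stored for @visualization must be the same before and after the request.
describe '#create' do
  # Builds the create URL. Defaults to @user posting to @visualization.
  def snapshots_create_url(user_domain: @user.subdomain,
                           visualization_id: @visualization.id,
                           api_key: @user.api_key)
    snapshots_url(user_domain: user_domain,
                  visualization_id: visualization_id,
                  api_key: api_key)
  end

  # Counts the rows stored for @visualization straight from the table, so the
  # result does not depend on any cached association.
  def stored_snapshot_count
    Carto::Snapshot.where(visualization_id: @visualization.id).count
  end

  # Start every example without snapshots on @user's visualizations.
  before(:each) do
    @user.visualizations.map(&:snapshots).flatten.each(&:destroy)
  end

  after(:all) do
    @user.visualizations.map(&:snapshots).flatten.each(&:destroy)
  end

  it 'rejects unauthenticated access' do
    # No api_key and the visualization reports itself as non-public.
    Carto::Visualization.any_instance.stubs(:is_publically_accesible?).returns(false)
    count_before = stored_snapshot_count

    anonymous_url = snapshots_create_url(api_key: nil)
    post_json(anonymous_url, state: fake_state) do |response|
      response.status.should eq 401
    end

    # The status code alone does not prove the request had no effect.
    stored_snapshot_count.should eq count_before
  end

  it 'rejects users with no read access' do
    # Authenticated as @intruder, with the visualization forced non-viewable.
    Carto::Visualization.any_instance.stubs(:is_viewable_by_user?).returns(false)
    count_before = stored_snapshot_count

    url = snapshots_create_url(user_domain: @intruder.subdomain,
                               api_key: @intruder.api_key)
    post_json(url, state: fake_state) do |response|
      response.status.should eq 403
    end

    # A forbidden request must not leave a snapshot behind.
    stored_snapshot_count.should eq count_before
  end

  it 'returns 404 for non existent visualizations' do
    url = snapshots_create_url(visualization_id: random_uuid)
    post_json(url, state: fake_state) do |response|
      response.status.should eq 404
    end
  end

  it 'creates a snapshot' do
    @visualization.snapshots.count.should eq 0

    post_json(snapshots_create_url, state: fake_state) do |response|
      response.status.should eq 201

      @visualization.reload
      @visualization.snapshots.count.should eq 1
      @visualization.snapshots.first.id.should eq response.body[:id]
    end
  end
end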
# Update endpoint: authentication (401), visualization-level authorization
# (403), unknown ids (404), snapshot ownership (403) and the successful path.
# NOTE(review): the rejected requests send an empty body and only the status
# code is asserted; nothing in this group verifies that the stored state is
# untouched after a 401/403.
describe '#update' do
  # Builds the update URL. Defaults to @user updating their own @snapshot.
  def snapshots_update_url(user_domain: @user.subdomain,
                           visualization_id: @visualization.id,
                           snapshot_id: @snapshot.id,
                           api_key: @user.api_key)
    snapshot_url(user_domain: user_domain,
                 visualization_id: visualization_id,
                 id: snapshot_id,
                 api_key: api_key)
  end

  # One snapshot owned by @user, shared (and mutated by the last example)
  # across this group.
  # NOTE(review): fake_state is a `let` read from a before(:all) hook; newer
  # RSpec releases disallow that — confirm against the version this suite uses.
  before(:all) do
    @snapshot = Carto::Snapshot.create!(user_id: @user.id,
                                        visualization_id: @visualization.id,
                                        state: fake_state)
  end

  after(:all) { @snapshot.destroy }

  it 'rejects unauthenticated access' do
    # No api_key and the visualization reports itself as non-public.
    Carto::Visualization.any_instance.stubs(:is_publically_accesible?).returns(false)

    anonymous_url = snapshots_update_url(api_key: nil)
    put_json(anonymous_url, {}) do |response|
      response.status.should eq 401
    end
  end

  it 'rejects users with no read access' do
    # Authenticated as @intruder, with the visualization forced non-viewable.
    Carto::Visualization.any_instance.stubs(:is_viewable_by_user?).returns(false)

    url = snapshots_update_url(user_domain: @intruder.subdomain,
                               api_key: @intruder.api_key)
    put_json(url, {}) do |response|
      response.status.should eq 403
    end
  end

  it 'returns 404 for non existent visualizations' do
    url = snapshots_update_url(visualization_id: random_uuid)
    put_json(url, {}) do |response|
      response.status.should eq 404
    end
  end

  it 'returns 404 for inexistent snapshots' do
    url = snapshots_update_url(snapshot_id: random_uuid)
    put_json(url, {}) do |response|
      response.status.should eq 404
    end
  end

  it 'only accepts owners of snapshots' do
    # Same request as the read-access example but without any permission stub.
    # NOTE(review): the 403 is attributable to the snapshot-owner check only
    # if the fixture visualization is readable by @intruder — TODO confirm.
    url = snapshots_update_url(user_domain: @intruder.subdomain,
                               api_key: @intruder.api_key)
    put_json(url, {}) do |response|
      response.status.should eq 403
    end
  end

  it 'updates a snapshot' do
    updated_state = { minili: 'iscibir' }

    put_json(snapshots_update_url, state: updated_state) do |response|
      response.status.should eq 200
    end

    # Re-read the record so the comparison is made against the stored value.
    @snapshot.reload.state.should eq updated_state
  end
end
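# Deletion endpoint: authentication (401), visualization-level authorization
# (403), unknown ids (404), snapshot ownership (403) and the successful path
# (204). Besides the status code, each example that targets the real snapshot
# checks the table: a rejected request must leave the row in place and an
# accepted one must remove it.
describe '#destroy' do
  # Builds the delete URL. Defaults to @user deleting their own @snapshot.
  def snapshots_delete_url(user_domain: @user.subdomain,
                           visualization_id: @visualization.id,
                           snapshot_id: @snapshot.id,
                           api_key: @user.api_key)
    snapshot_url(user_domain: user_domain,
                 visualization_id: visualization_id,
                 id: snapshot_id,
                 api_key: api_key)
  end

  # Number of rows still stored for the snapshot created in before(:each):
  # 1 while it exists, 0 once it has been deleted.
  def surviving_snapshots
    Carto::Snapshot.where(id: @snapshot.id).count
  end

  # Fresh snapshot owned by @user for every example.
  before(:each) do
    @snapshot = Carto::Snapshot.create!(user_id: @user.id,
                                        visualization_id: @visualization.id,
                                        state: fake_state)
  end

  # Also runs after the successful delete, where the row is already gone.
  after(:each) do
    @snapshot.destroy
  end

  it 'rejects unauthenticated access' do
    # No api_key and the visualization reports itself as non-public.
    Carto::Visualization.any_instance.stubs(:is_publically_accesible?).returns(false)

    anonymous_url = snapshots_delete_url(api_key: nil)
    delete_json(anonymous_url, {}) do |response|
      response.status.should eq 401
    end

    surviving_snapshots.should eq 1
  end

  it 'rejects users with no read access' do
    # Authenticated as @intruder, with the visualization forced non-viewable.
    Carto::Visualization.any_instance.stubs(:is_viewable_by_user?).returns(false)

    url = snapshots_delete_url(user_domain: @intruder.subdomain,
                               api_key: @intruder.api_key)
    delete_json(url, {}) do |response|
      response.status.should eq 403
    end

    surviving_snapshots.should eq 1
  end

  it 'returns 404 for non existent visualizations' do
    # Real snapshot id addressed through an unknown visualization id.
    url = snapshots_delete_url(visualization_id: random_uuid)
    delete_json(url, {}) do |response|
      response.status.should eq 404
    end

    surviving_snapshots.should eq 1
  end

  it 'returns 404 for inexistent snapshots' do
    url = snapshots_delete_url(snapshot_id: random_uuid)
    delete_json(url, {}) do |response|
      response.status.should eq 404
    end
  end

  it 'only accepts owners of snapshots' do
    # Same request as the read-access example but without any permission stub.
    # NOTE(review): the 403 is attributable to the snapshot-owner check only
    # if the fixture visualization is readable by @intruder — TODO confirm.
    url = snapshots_delete_url(user_domain: @intruder.subdomain,
                               api_key: @intruder.api_key)
    delete_json(url, {}) do |response|
      response.status.should eq 403
    end

    surviving_snapshots.should eq 1
  end

  it 'destroys a snapshot' do
    delete_json(snapshots_delete_url, {}) do |response|
      response.status.should eq 204
    end

    # A 204 alone does not show that the row was removed.
    surviving_snapshots.should eq 0
  end
end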
end