cartodb/spec/models/carto/oauth_app_user_spec.rb

require 'spec_helper_min'
require 'helpers/database_connection_helper'
module Carto
describe OauthAppUser do
include_context 'organization with users helper'
include CartoDB::Factories
include DatabaseConnectionHelper
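# Validation rules for the record that links a user to an OAuth app
# (the "grant"): presence of both sides, uniqueness of the pair, supported
# scopes, and the organization/seat limits of restricted apps.
describe 'validation' do
  before(:all) do
    user = FactoryGirl.create(:valid_user)
    @user = Carto::User.find(user.id)
    @app = FactoryGirl.create(:oauth_app, user: @user)
  end

  after(:all) do
    @user.destroy
    @app.destroy
  end

  it 'requires user' do
    app_user = OauthAppUser.new
    expect(app_user).to_not(be_valid)
    expect(app_user.errors[:user]).to(include("can't be blank"))
  end

  # The assertion is on errors[:oauth_app], so the example is named after
  # the OAuth app rather than the app user.
  it 'requires oauth app' do
    app_user = OauthAppUser.new
    expect(app_user).to_not(be_valid)
    expect(app_user.errors[:oauth_app]).to(include("can't be blank"))
  end

  it 'does not allow duplicates' do
    first_grant = nil
    begin
      first_grant = OauthAppUser.create!(user: @user, oauth_app: @app)
      duplicate = OauthAppUser.new(user: @user, oauth_app: @app)
      expect(duplicate).to_not(be_valid)
      expect(duplicate.errors[:user]).to(include("has already been taken"))
    ensure
      # Always remove the persisted grant: the 'validates' example needs the
      # same user/app pair to be free.
      first_grant.destroy if first_grant
    end
  end

  it 'does not accept invalid scopes' do
    app_user = OauthAppUser.new(scopes: ['wadus'])
    expect(app_user).to_not(be_valid)
    expect(app_user.errors[:scopes]).to(include("contains unsupported scopes: wadus"))
  end

  it 'validates' do
    app_user = OauthAppUser.new(user: @user, oauth_app: @app)
    expect(app_user).to(be_valid)
  end

  # A restricted app may only be authorized by members of the organizations
  # listed in oauth_app_organizations, up to the configured number of seats.
  describe 'restricted app' do
    before(:all) do
      @app.update!(restricted: true)
    end

    before(:each) do
      # Start every example from a single allowed organization with one seat.
      @app.oauth_app_organizations.each(&:destroy!)
      @app.oauth_app_organizations.create!(organization: @carto_organization, seats: 1)
    end

    # NOTE(review): the enclosing group's after(:all) destroys @app as well.
    after(:all) do
      @app.destroy
    end

    it 'does not accept non-organization users' do
      app_user = OauthAppUser.new(user: @user, oauth_app: @app)
      expect(app_user).not_to(be_valid)
      expect(app_user.errors[:user]).to(include("is not part of an organization"))
    end

    it 'does not accept users from unknown organizations' do
      @app.oauth_app_organizations.each(&:destroy!)
      @app.oauth_app_organizations.create!(organization: @carto_organization_2, seats: 1)
      app_user = OauthAppUser.new(user: @carto_org_user_1, oauth_app: @app)
      expect(app_user).not_to(be_valid)
      expect(app_user.errors[:user]).to(include("is part of an organization which is not allowed access to this application"))
    end

    it 'accepts users from the authorized organization' do
      app_user = OauthAppUser.new(user: @carto_org_user_1, oauth_app: @app)
      expect(app_user).to(be_valid)
    end

    it 'does not accept users over the seat limit' do
      seated = nil
      begin
        # The only seat is taken by the first organization user...
        seated = OauthAppUser.create!(user: @carto_org_user_1, oauth_app: @app)
        # ...so a second member of the same organization must be rejected.
        app_user = OauthAppUser.new(user: @carto_org_user_2, oauth_app: @app)
        expect(app_user).not_to(be_valid)
        expect(app_user.errors[:user]).to(include("does not have an available seat to use this application"))
      ensure
        # Free the seat again so the sibling examples, which reuse @app and
        # @carto_org_user_1, do not depend on execution order.
        seated.destroy if seated
      end
    end
  end
end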
# OauthAppUser#authorized? answers whether a list of requested scopes is
# already covered by the scopes stored on the grant.
describe '#authorized?' do
  before(:all) do
    @user = FactoryGirl.create(:valid_user)
    @carto_user = Carto::User.find(@user.id)
  end

  before(:each) do
    @app = FactoryGirl.create(:oauth_app, user: @carto_user)
    @t1 = create_table(user_id: @carto_user.id)
    @t2 = create_table(user_id: @carto_user.id)
  end

  after(:each) do
    [@t1, @t2, @app].each(&:destroy)
  end

  after(:all) do
    @user.destroy
    @carto_user.destroy
  end

  it 'is authorized only if all requested scopes are already granted' do
    schema = @carto_user.database_schema
    first_dataset = "datasets:rw:#{schema}.#{@t1.name}"
    second_dataset = "datasets:rw:#{schema}.#{@t2.name}"
    schema_create = "schemas:c:#{schema}"
    grant = OauthAppUser.create!(
      user: @carto_user,
      oauth_app: @app,
      scopes: [first_dataset, second_dataset, schema_create]
    )

    # Every granted scope, alone or all together, is authorized.
    covered_requests = [
      [first_dataset],
      [second_dataset],
      [schema_create],
      [first_dataset, second_dataset, schema_create]
    ]
    covered_requests.each do |requested|
      expect(grant).to be_authorized(requested)
    end

    # One scope outside the grant is enough to reject the whole request.
    rejected_requests = [['not_allowed'], [first_dataset, 'not_allowed']]
    rejected_requests.each do |requested|
      expect(grant).not_to be_authorized(requested)
    end
  end

  # A read-write grant on a dataset also covers a read-only request for it.
  it 'should be authorized if requesting read permission having read-write' do
    read_write_scope = "datasets:rw:#{@t1.name}"
    read_scope = "datasets:r:#{@t1.name}"
    grant = OauthAppUser.create!(user: @carto_user, oauth_app: @app, scopes: [read_write_scope])
    expect(grant).to be_authorized([read_scope])
  end

  # The reverse must not hold: a read-only grant never implies write access.
  it 'should NOT be authorized if requesting read-write permission having only read' do
    read_write_scope = "datasets:rw:#{@t1.name}"
    read_scope = "datasets:r:#{@t1.name}"
    grant = OauthAppUser.create!(user: @carto_user, oauth_app: @app, scopes: [read_scope])
    expect(grant).not_to be_authorized([read_write_scope])
  end
end
# OauthAppUser#upgrade! adds newly requested scopes to an existing grant.
describe '#upgrade!' do
  before(:all) do
    @user = FactoryGirl.create(:valid_user)
    @carto_user = Carto::User.find(@user.id)
    @app = FactoryGirl.create(:oauth_app, user: @carto_user)
    @t1 = create_table(user_id: @carto_user.id)
    @t2 = create_table(user_id: @carto_user.id)
    @t3 = create_table(user_id: @carto_user.id)
    @t4 = create_table(user_id: @carto_user.id)
  end

  after(:all) do
    [@t1, @t2, @t3, @t4, @app, @user, @carto_user].each(&:destroy)
  end

  it 'grants all new scopes without duplicates' do
    d1, d2, d3, d4 = [@t1, @t2, @t3, @t4].map { |table| "datasets:rw:#{table.name}" }
    schema_create = "schemas:c:#{@carto_user.database_schema}"
    grant = OauthAppUser.create!(user: @carto_user, oauth_app: @app, scopes: [d1, d2])

    # Each step is [scopes passed to upgrade!, scopes expected afterwards].
    # Already granted scopes are not repeated and new ones are appended.
    steps = [
      [[], [d1, d2]],
      [[d1], [d1, d2]],
      [[d3], [d1, d2, d3]],
      [[d2, d4], [d1, d2, d3, d4]],
      [[], [d1, d2, d3, d4]],
      [[schema_create], [d1, d2, d3, d4, schema_create]]
    ]
    steps.each do |requested, expected|
      grant.upgrade!(requested)
      expect(grant.scopes).to eq(expected)
    end
  end
end
# End-to-end checks of `datasets:` scopes: the scopes stored on the grant and
# the database privileges of the API key behind each issued access token.
describe 'datasets scope' do
  before(:each) do
    @user = FactoryGirl.create(:valid_user)
    @carto_user = Carto::User.find(@user.id)
    @app = FactoryGirl.create(:oauth_app, user: @carto_user)
    @table1 = create_table(user_id: @carto_user.id)
  end

  after(:each) do
    [@table1, @app, @user, @carto_user].each(&:destroy)
  end

  it 'creation and update' do
    second_table = create_table(user_id: @carto_user.id)
    rw_scope = "datasets:rw:#{@table1.name}"
    r_scope = "datasets:r:#{second_table.name}"
    granted = ['user:profile', rw_scope, r_scope]
    grant = OauthAppUser.create!(user: @carto_user, oauth_app: @app, scopes: granted)
    expect(grant.scopes).to eq(granted)

    # Upgrading with nothing, or with an already granted scope, is a no-op.
    grant.upgrade!([])
    expect(grant.scopes).to eq(granted)
    grant.upgrade!([rw_scope])
    expect(grant.scopes).to eq(granted)

    second_table.destroy
    grant.destroy
  end

  it 'rename table and check how it affects the scopes' do
    original_scopes = ['user:profile', "datasets:rw:#{@table1.name}"]
    grant = OauthAppUser.create!(user: @carto_user, oauth_app: @app, scopes: original_scopes)
    expect(grant.all_scopes).to eq(original_scopes)

    @table1.name = "table_renamed_#{@table1.name}"
    @table1.save

    # all_scopes reports the dataset under its new name after the rename.
    expect(grant.all_scopes).to_not eq(original_scopes)
    renamed_scopes = ['user:profile', "datasets:rw:#{@table1.name}"]
    expect(grant.all_scopes).to eq(renamed_scopes)
    grant.destroy
  end

  it 'write on table with the proper permissions' do
    granted = ['user:profile', "datasets:rw:#{@table1.name}"]
    grant = OauthAppUser.create!(user: @carto_user, oauth_app: @app, scopes: granted)
    expect(grant.all_scopes).to eq(granted)

    token = OauthAccessToken.create!(oauth_app_user: grant, scopes: granted)
    with_connection_from_api_key(token.api_key) do |connection|
      connection.execute("insert into #{@table1.name} (cartodb_id) values (999)")
      connection.execute("select cartodb_id from #{@table1.name}") do |rows|
        expect(rows[0]['cartodb_id']).to eq('999')
      end
    end
    grant.destroy
  end

  # NOTE(review): after the exchange only the NEW token's role is exercised;
  # nothing here asserts what the previous access token can still do.
  it 'should fail if we change the write permissions and we try to write in the table' do
    full_scopes = ['offline', 'user:profile', "datasets:rw:#{@table1.name}"]
    reduced_scopes = ['offline', 'user:profile']
    grant = OauthAppUser.create!(user: @carto_user, oauth_app: @app, scopes: full_scopes)
    expect(grant.all_scopes).to eq(full_scopes)

    refresh_token = grant.oauth_refresh_tokens.create!(scopes: full_scopes)
    first_token = refresh_token.exchange!(requested_scopes: full_scopes)[0]
    with_connection_from_api_key(first_token.api_key) do |connection|
      connection.execute("insert into #{@table1.name} (cartodb_id) values (999)")
      connection.execute("select cartodb_id from #{@table1.name}") do |rows|
        expect(rows[0]['cartodb_id']).to eq('999')
      end
    end

    # Exchanging the refresh token for fewer scopes yields a token backed by
    # a different database role, which must be denied writes on the table.
    second_token = refresh_token.exchange!(requested_scopes: reduced_scopes)[0]
    expect(first_token.api_key.db_role).to_not eq(second_token.api_key.db_role)
    with_connection_from_api_key(second_token.api_key) do |connection|
      expect {
        connection.execute("insert into #{@table1.name} (cartodb_id) values (1000)")
      }.to raise_exception(Sequel::DatabaseError, /permission denied for (relation|table) #{@table1.name}/)
    end
    grant.destroy
  end

  it 'should let downgrade scope for datasets from rw to r scope' do
    full_scopes = ['offline', 'user:profile', "datasets:rw:#{@table1.name}"]
    read_only_scopes = ['offline', 'user:profile', "datasets:r:#{@table1.name}"]
    grant = OauthAppUser.create!(user: @carto_user, oauth_app: @app, scopes: full_scopes)
    expect(grant.all_scopes).to eq(full_scopes)

    refresh_token = grant.oauth_refresh_tokens.create!(scopes: full_scopes)
    first_token = refresh_token.exchange!(requested_scopes: full_scopes)[0]
    with_connection_from_api_key(first_token.api_key) do |connection|
      connection.execute("insert into #{@table1.name} (cartodb_id) values (999)")
      connection.execute("select cartodb_id from #{@table1.name}") do |rows|
        expect(rows[0]['cartodb_id']).to eq('999')
      end
    end

    second_token = refresh_token.exchange!(requested_scopes: read_only_scopes)[0]
    expect(first_token.api_key.db_role).to_not eq(second_token.api_key.db_role)
    with_connection_from_api_key(second_token.api_key) do |connection|
      # Reading is still allowed with the downgraded token...
      connection.execute("select cartodb_id from #{@table1.name}") do |rows|
        expect(rows[0]['cartodb_id']).to eq('999')
      end
      # ...while writing is rejected by the database itself.
      expect {
        connection.execute("insert into #{@table1.name} (cartodb_id) values (999)")
      }.to raise_exception(Sequel::DatabaseError, /permission denied for (relation|table) #{@table1.name}/)
    end
    grant.destroy
  end
end
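# End-to-end checks of the `schemas:c` scope: whether the API key behind an
# access token may create tables, and which role ends up owning them.
#
# @carto_user and @app are created once for the whole group and a user/app
# pair can hold only one OauthAppUser, so every example has to destroy the
# grant it creates.
describe 'schemas scope' do
  before(:all) do
    @user = FactoryGirl.create(:valid_user)
    @carto_user = Carto::User.find(@user.id)
    @app = FactoryGirl.create(:oauth_app, user: @carto_user)
    @table1 = create_table(user_id: @carto_user.id)
    @table2 = create_table(user_id: @carto_user.id)
  end

  after(:all) do
    @table1.destroy
    @table2.destroy
    @app.destroy
    @user.destroy
    @carto_user.destroy
  end

  # NOTE(review): this example only uses datasets scopes; it repeats the
  # 'creation and update' example of the 'datasets scope' group.
  it 'creation and update' do
    table2 = create_table(user_id: @carto_user.id)
    dataset_scope1 = "datasets:rw:#{@table1.name}"
    dataset_scope2 = "datasets:r:#{table2.name}"
    scopes = ['user:profile', dataset_scope1, dataset_scope2]
    oau = OauthAppUser.create!(user: @carto_user, oauth_app: @app, scopes: scopes)
    expect(oau.scopes).to(eq(scopes))
    oau.upgrade!([])
    expect(oau.scopes).to(eq(scopes))
    oau.upgrade!([dataset_scope1])
    expect(oau.scopes).to(eq(scopes))
    table2.destroy
    oau.destroy
  end

  it 'create table with permissions should work and assign it to the owner_role' do
    schemas_scope = "schemas:c"
    scopes = ['user:profile', schemas_scope]
    oau = OauthAppUser.create!(user: @carto_user, oauth_app: @app, scopes: scopes)
    expect(oau.scopes).to(eq(scopes))
    access_token = OauthAccessToken.create!(oauth_app_user: oau, scopes: scopes)
    with_connection_from_api_key(access_token.api_key) do |connection|
      connection.execute("create table test_table as select 1 as test")
      connection.execute("select count(1) from test_table") do |result|
        result[0]['count'].should eq '1'
      end
      # The table is owned by the grant's ownership role.
      connection.execute("select pg_catalog.pg_get_userbyid(relowner) as owner from pg_class where relname = 'test_table'") do |result|
        result[0]['owner'].should eq oau.ownership_role_name
      end
      connection.execute("drop table test_table")
    end
    oau.destroy
  end

  it 'create table without permissions should fail' do
    scopes = ['user:profile']
    oau = OauthAppUser.create!(user: @carto_user, oauth_app: @app, scopes: scopes)
    expect(oau.scopes).to(eq(scopes))
    access_token = OauthAccessToken.create!(oauth_app_user: oau, scopes: scopes)
    with_connection_from_api_key(access_token.api_key) do |connection|
      # Without schemas:c the database rejects the CREATE TABLE.
      expect {
        connection.execute("create table test_table as select 1 as test")
      }.to raise_exception(Sequel::DatabaseError, /permission denied for schema public/)
    end
    oau.destroy
  end

  it 'create table with permission, then refresh token and drop the table with the new db role' do
    schemas_scope = "schemas:c"
    scopes = ['offline', 'user:profile', schemas_scope]
    oau = OauthAppUser.create!(user: @carto_user, oauth_app: @app, scopes: scopes)
    expect(oau.scopes).to(eq(scopes))
    refresh_token = oau.oauth_refresh_tokens.create!(scopes: scopes)
    access_token = refresh_token.exchange!(requested_scopes: scopes)[0]
    with_connection_from_api_key(access_token.api_key) do |connection|
      connection.execute("create table test_table as select 1 as test")
      connection.execute("select count(1) from test_table") do |result|
        result[0]['count'].should eq '1'
      end
      connection.execute("select pg_catalog.pg_get_userbyid(relowner) as owner from pg_class where relname = 'test_table'") do |result|
        result[0]['owner'].should eq oau.ownership_role_name
      end
    end
    # The refreshed token uses a different database role, yet it can drop a
    # table that was created through the previous token.
    access_token_new = refresh_token.exchange!(requested_scopes: scopes)[0]
    expect(access_token.api_key.db_role).to_not(eq(access_token_new.api_key.db_role))
    with_connection_from_api_key(access_token_new.api_key) do |connection|
      connection.execute("drop table test_table")
    end
    oau.destroy
  end

  it 'create table with permission, then refresh token and remove permission, then try to create another table and get exception' do
    schemas_scope = "schemas:c"
    scopes = ['offline', 'user:profile', schemas_scope]
    oau = OauthAppUser.create!(user: @carto_user, oauth_app: @app, scopes: scopes)
    expect(oau.scopes).to(eq(scopes))
    refresh_token = oau.oauth_refresh_tokens.create!(scopes: scopes)
    access_token = refresh_token.exchange!(requested_scopes: scopes)[0]
    with_connection_from_api_key(access_token.api_key) do |connection|
      connection.execute("create table test_table as select 1 as test")
      connection.execute("select count(1) from test_table") do |result|
        result[0]['count'].should eq '1'
      end
      connection.execute("select pg_catalog.pg_get_userbyid(relowner) as owner from pg_class where relname = 'test_table'") do |result|
        result[0]['owner'].should eq oau.ownership_role_name
      end
      connection.execute("drop table test_table")
    end
    # A token exchanged without schemas:c must not be able to create tables.
    access_token_new = refresh_token.exchange!(requested_scopes: ['offline', 'user:profile'])[0]
    expect(access_token.api_key.db_role).to_not(eq(access_token_new.api_key.db_role))
    with_connection_from_api_key(access_token_new.api_key) do |connection|
      expect {
        connection.execute("create table test_table_without_permissions as select 1 as test")
      }.to raise_exception(Sequel::DatabaseError, /permission denied for schema public/)
    end
    oau.destroy
  end

  it 'master role can drop tables created with access token API key' do
    schemas_scope = "schemas:c"
    scopes = ['offline', 'user:profile', schemas_scope]
    oau = OauthAppUser.create!(user: @carto_user, oauth_app: @app, scopes: scopes)
    expect(oau.scopes).to(eq(scopes))
    refresh_token = oau.oauth_refresh_tokens.create!(scopes: scopes)
    access_token = refresh_token.exchange!(requested_scopes: scopes)[0]
    with_connection_from_api_key(access_token.api_key) do |connection|
      connection.execute("create table test_table as select 1 as test")
      connection.execute("select count(1) from test_table") do |result|
        result[0]['count'].should eq '1'
      end
    end
    # The account's master API key can remove what the app created.
    with_connection_from_api_key(@carto_user.api_keys.master.first) do |connection|
      connection.execute("drop table test_table")
      connection.execute("select * from pg_class where relname = 'test_table'") do |result|
        result.count.should eq 0
      end
    end
    # Destroy the grant like every other example of this group does; leaving
    # it behind makes any example that runs afterwards fail on the duplicate
    # user/app pair.
    oau.destroy
  end
end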
# Scopes on datasets owned by another organization member: a grant may only
# name datasets that were shared with the granting user, at an access level
# the share allows.
describe 'shared datasets' do
  before :each do
    @app = FactoryGirl.create(:oauth_app, user: @carto_org_user_1)
    @shared_table = create_table(user_id: @carto_org_user_1.id)
    private_table = create_table(user_id: @carto_org_user_1.id)

    # Share only the first table, read-write, with the second org user.
    permission = @shared_table.table_visualization.permission
    permission.acl = [{ type: 'user', entity: { id: @carto_org_user_2.id }, access: 'rw' }]
    permission.save!

    owner_schema = @carto_org_user_1.database_schema
    @shared_dataset_scope = "datasets:r:#{owner_schema}.#{@shared_table.name}"
    @non_shared_dataset_scope = "datasets:r:#{owner_schema}.#{private_table.name}"
  end

  # NOTE(review): only @app is cleaned up here; the two tables created in
  # before :each are not destroyed by this group.
  after :each do
    @app.destroy
  end

  it 'works with shared dataset' do
    grant = OauthAppUser.create!(user: @carto_org_user_2, oauth_app: @app, scopes: [@shared_dataset_scope])
    expect(grant.all_scopes).to eq([@shared_dataset_scope])
  end

  it 'should fail with non shared dataset' do
    expect {
      OauthAppUser.create!(user: @carto_org_user_2, oauth_app: @app, scopes: [@non_shared_dataset_scope])
    }.to raise_error(Carto::OauthProvider::Errors::InvalidScope)
  end

  # One dataset that is not shared invalidates the whole scope list.
  it 'should fail with shared and non shared dataset' do
    requested = [@shared_dataset_scope, @non_shared_dataset_scope]
    expect {
      OauthAppUser.create!(
        user: @carto_org_user_2,
        oauth_app: @app,
        scopes: requested
      )
    }.to raise_error(Carto::OauthProvider::Errors::InvalidScope)
  end

  # NOTE(review): this example checks authorized? only; it does not show what
  # happens to tokens issued before the share was changed.
  it 'should revoke permissions removing shared permissions' do
    grant = OauthAppUser.create!(user: @carto_org_user_2, oauth_app: @app, scopes: [@shared_dataset_scope])
    expect(grant.all_scopes).to eq([@shared_dataset_scope])
    expect(grant.authorized?([@shared_dataset_scope])).to eq(true)
    expect(grant.authorized?([@non_shared_dataset_scope])).to eq(false)

    # Step 1: downgrade the share from 'rw' to 'r'. Read stays authorized,
    # read-write does not.
    @shared_table.table_visualization.reload
    permission = @shared_table.table_visualization.permission
    permission.acl = [{ type: 'user', entity: { id: @carto_org_user_2.id }, access: 'r' }]
    permission.save!
    read_write_scope = "datasets:rw:#{@carto_org_user_1.database_schema}.#{@shared_table.name}"
    expect(grant.authorized?([@shared_dataset_scope])).to eq(true)
    expect(grant.authorized?([read_write_scope])).to eq(false)

    # Step 2: remove the share completely. Nothing is authorized any more.
    @shared_table.table_visualization.reload
    permission = @shared_table.table_visualization.permission
    permission.acl = []
    permission.save!
    expect(grant.authorized?([@shared_dataset_scope])).to eq(false)
    expect(grant.authorized?([@non_shared_dataset_scope])).to eq(false)
  end

  describe 'read - write permissions' do
    before :each do
      @only_read_table = create_table(user_id: @carto_org_user_1.id)
      permission = @only_read_table.table_visualization.permission
      permission.acl = [{ type: 'user', entity: { id: @carto_org_user_2.id }, access: 'r' }]
      permission.save!
    end

    after :each do
      @only_read_table.destroy
    end

    # A read-only share cannot be turned into a read-write scope.
    it 'should fail write scope in shared dataset with only read perms' do
      read_write_scope = "datasets:rw:#{@carto_org_user_1.database_schema}.#{@only_read_table.name}"
      expect {
        OauthAppUser.create!(user: @carto_org_user_2, oauth_app: @app, scopes: [read_write_scope])
      }.to raise_error(Carto::OauthProvider::Errors::InvalidScope)
    end
  end

  # Same rules when the dataset is shared with the whole organization
  # instead of with a single user.
  describe 'organization shared datasets' do
    before :each do
      @org_shared_table = create_table(user_id: @carto_org_user_1.id)
      private_table = create_table(user_id: @carto_org_user_1.id)

      permission = @org_shared_table.table_visualization.permission
      organization_entry = {
        type: Permission::TYPE_ORGANIZATION,
        entity: { id: @carto_organization.id },
        access: Permission::ACCESS_READWRITE
      }
      permission.acl = [organization_entry]
      permission.save!

      owner_schema = @carto_org_user_1.database_schema
      @org_shared_dataset_scope = "datasets:r:#{owner_schema}.#{@org_shared_table.name}"
      @non_org_shared_dataset_scope = "datasets:r:#{owner_schema}.#{private_table.name}"
    end

    it 'works with org shared dataset' do
      grant = OauthAppUser.create!(user: @carto_org_user_2, oauth_app: @app, scopes: [@org_shared_dataset_scope])
      expect(grant.all_scopes).to eq([@org_shared_dataset_scope])
    end

    it 'should fail with non org shared dataset' do
      expect {
        OauthAppUser.create!(user: @carto_org_user_2, oauth_app: @app, scopes: [@non_org_shared_dataset_scope])
      }.to raise_error(Carto::OauthProvider::Errors::InvalidScope)
    end

    it 'should fail with org shared and non org shared dataset' do
      requested = [@org_shared_dataset_scope, @non_org_shared_dataset_scope]
      expect {
        OauthAppUser.create!(
          user: @carto_org_user_2,
          oauth_app: @app,
          scopes: requested
        )
      }.to raise_error(Carto::OauthProvider::Errors::InvalidScope)
    end

    describe 'read - write permissions' do
      before :each do
        @only_read_table = create_table(user_id: @carto_org_user_1.id)
        permission = @only_read_table.table_visualization.permission
        organization_entry = {
          type: Permission::TYPE_ORGANIZATION,
          entity: { id: @carto_organization.id },
          access: Permission::ACCESS_READONLY
        }
        permission.acl = [organization_entry]
        permission.save!
      end

      after :each do
        @only_read_table.destroy
      end

      it 'should fail write scope in org shared dataset with only read perms' do
        read_write_scope = "datasets:rw:#{@carto_org_user_1.database_schema}.#{@only_read_table.name}"
        expect {
          OauthAppUser.create!(user: @carto_org_user_2, oauth_app: @app, scopes: [read_write_scope])
        }.to raise_error(Carto::OauthProvider::Errors::InvalidScope)
      end
    end
  end
end
# `datasets:r:` scopes may name a view or a materialized view, not only a
# table.
describe 'views' do
  before :all do
    @user = FactoryGirl.create(:valid_user)
    @carto_user = Carto::User.find(@user.id)
    @user_table = create_table(user_id: @carto_user.id)
    @view_name = "#{@user_table.name}_view"
    @materialized_view_name = "#{@user_table.name}_matview"

    # Both views select everything from the user's table.
    @carto_user.in_database do |db|
      create_views_sql = %{
CREATE VIEW #{@view_name} AS SELECT * FROM #{@user_table.name};
CREATE MATERIALIZED VIEW #{@materialized_view_name} AS SELECT * FROM #{@user_table.name};
}
      db.execute(create_views_sql)
    end
  end

  before :each do
    @app = FactoryGirl.create(:oauth_app, user: @carto_user)
  end

  after :each do
    @app.destroy
  end

  after :all do
    # Drop the views before the table they read from is destroyed.
    @carto_user.in_database do |db|
      drop_views_sql = %{
DROP VIEW #{@view_name};
DROP MATERIALIZED VIEW #{@materialized_view_name};
}
      db.execute(drop_views_sql)
    end
    [@user_table, @user, @carto_user].each(&:destroy)
  end

  it 'validates view scope' do
    view_scope = "datasets:r:#{@view_name}"
    grant = OauthAppUser.create!(user: @carto_user, oauth_app: @app, scopes: [view_scope])
    expect(grant.all_scopes).to eq(["datasets:r:#{@view_name}"])
  end

  it 'validates materialized view scope' do
    matview_scope = "datasets:r:#{@materialized_view_name}"
    grant = OauthAppUser.create!(user: @carto_user, oauth_app: @app, scopes: [matview_scope])
    expect(grant.all_scopes).to eq(["datasets:r:#{@materialized_view_name}"])
  end
end
# Destroying a grant must not leave database roles behind, and must not leave
# tables owned by a role that is about to disappear.
describe '#destroy' do
  before(:each) do
    @user = FactoryGirl.create(:valid_user)
    @app = FactoryGirl.create(:oauth_app, user_id: @user.id)
    @app_user = Carto::OauthAppUser.create!(user_id: @user.id, oauth_app: @app)
    token = OauthAccessToken.create!(
      oauth_app_user: @app_user,
      scopes: ["schemas:c:#{@user.database_schema}"]
    )
    @api_key = token.api_key
  end

  after(:each) do
    [@app, @user].each(&:destroy)
  end

  it 'drops the created roles' do
    # Matches every role whose name ends with the grant's id; two exist
    # before the destroy (presumably the ownership role and the access
    # token's API key role; confirm against the model).
    roles_sql = "SELECT * FROM pg_roles WHERE rolname LIKE '%#{@app_user.id}'"
    expect(@user.in_database.fetch(roles_sql).count).to eq(2)
    @app_user.destroy
    expect(@user.in_database.fetch(roles_sql).count).to eq(0)
  end

  it 'reassigns the ownership of created tables to the master role' do
    with_connection_from_api_key(@api_key) do |db|
      db.execute('CREATE TABLE puxa()')
    end
    owner_sql = "SELECT tableowner FROM pg_tables WHERE tablename = 'puxa'"

    # While the grant exists, its ownership role owns the table...
    owner_before = @user.in_database.fetch(owner_sql).first[:tableowner]
    expect(owner_before).to eql(@app_user.ownership_role_name)

    @app_user.destroy

    # ...and afterwards the table belongs to the user's own database role.
    owner_after = @user.in_database.fetch(owner_sql).first[:tableowner]
    expect(owner_after).to eql(@user.database_username)
  end
end
end
end