Sfoglia il codice sorgente

Restrict actions for unauthorized users

Lou 3 anni fa
parent
commit
7e3f9cdce2

+ 5
- 0
app/controllers/api/v1/users_controller.rb Vedi File

@@ -1,5 +1,6 @@
1 1
 class Api::V1::UsersController < ApplicationController
2 2
   before_action :set_user, only: %i[show update destroy]
3
+  before_action :check_owner, only: %i[update destroy]
3 4
 
4 5
   def index
5 6
     render json: User.all
@@ -42,4 +43,8 @@ class Api::V1::UsersController < ApplicationController
42 43
   def set_user
43 44
     @user = User.find(params[:id])
44 45
   end
46
+
47
+  def check_owner
48
+    head :forbidden unless @user.id == current_user&.id
49
+  end
45 50
 end

+ 1
- 0
app/controllers/application_controller.rb Vedi File

@@ -1,2 +1,3 @@
1 1
 class ApplicationController < ActionController::API
2
+  include Authenticable
2 3
 end

+ 19
- 12
test/controllers/api/v1/users_controller_test.rb Vedi File

@@ -38,27 +38,34 @@ class Api::V1::UsersControllerTest < ActionDispatch::IntegrationTest
38 38
 
39 39
   #UPDATE
40 40
   test "should update user" do
41
-    patch api_v1_user_url(@user), params: { user: { email: @user.email, username: @user.username, password: '123456' } }, as: :json
41
+    patch api_v1_user_url(@user),
42
+    params: { user: { email: @user.email, password: '123456' } },
43
+    headers: { Authorization: JsonWebToken.encode(user_id: @user.id) },
44
+    as: :json
42 45
     assert_response :success
43 46
   end
44 47
 
45
-  # test "should not update user when invalid params are sent" do
46
-  #   patch api_v1_user_url(@user), params: { user: { email: 'bad_email', username: @user.username, password: '123456' } }, as: :json
47
-  #   assert_response :unprocessable_entity
48
-  # end
48
+  test "should forbid update user" do
49
+    patch api_v1_user_url(@user),
50
+    params: { user: { email: @user.email, password: '123456' } },
51
+    as: :json
52
+    assert_response :forbidden
53
+  end
49 54
 
50 55
   #DESTROY 
51 56
   test "should destroy user" do
52 57
     assert_difference('User.count', -1) do
53
-      delete api_v1_user_url(@user), as: :json
58
+      delete api_v1_user_url(@user),
59
+      headers: { Authorization: JsonWebToken.encode(user_id: @user.id) },
60
+      as: :json
54 61
     end
55 62
     assert_response :no_content
56 63
   end
57 64
 
58
-  # test "should forbid destroy user" do
59
-  #   assert_no_difference('User.count') do
60
-  #     delete api_v1_user_url(@user), as: :json
61
-  #   end
62
-  #   assert_response :forbidden
63
-  # end
65
+  test "should forbid destroy user" do
66
+    assert_no_difference('User.count') do
67
+      delete api_v1_user_url(@user), as: :json
68
+    end
69
+    assert_response :forbidden
70
+  end
64 71
 end

+ 26
- 0
test/controllers/concerns/authenticable_test.rb Vedi File

@@ -0,0 +1,26 @@
1
+class MockController
2
+  include Authenticable
3
+  attr_accessor :request
4
+
5
+  def initialize
6
+    mock_request = Struct.new(:headers)
7
+    self.request = mock_request.new({})
8
+  end
9
+end
10
+
11
+class AuthenticableTest < ActionDispatch::IntegrationTest
12
+  setup do
13
+    @user = users(:one)
14
+    @authentication = MockController.new
15
+  end
16
+
17
+  test 'should get user from Authorization token' do
18
+    @authentication.request.headers['Authorization'] = JsonWebToken.encode(user_id: @user.id)
19
+    assert_equal @user.id, @authentication.current_user.id
20
+  end
21
+
22
+  test 'should not get user from empty Authorization token' do
23
+    @authentication.request.headers['Authorization'] = nil
24
+    assert_nil @authentication.current_user
25
+  end
26
+end

Loading…
Annulla
Salva