
Restrict actions for unauthorized users

Lou 3 years ago
parent
commit
7e3f9cdce2

+ 5
- 0
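--- a/app/controllers/api/v1/users_controller.rb
+++ b/app/controllers/api/v1/users_controller.rb
@@ -1,6 +1,7 @@
 class Api::V1::UsersController < ApplicationController
   before_action :set_user, only: %i[show update destroy]
+  before_action :check_owner, only: %i[update destroy]
 
   def index
     render json: User.all
@@ -42,4 +43,8 @@
   def set_user
     @user = User.find(params[:id])
   end
+
+  def check_owner
+    head :forbidden unless @user.id == current_user&.id
+  end
 end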
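Review bot: `check_owner` answers 403 to both an unauthenticated request and an authenticated request from a different user, since `current_user&.id` is nil in the first case and merely unequal in the second; a missing or unusable token is conventionally a 401 so a client knows to (re)authenticate rather than that the resource is off-limits. Splitting the guard also makes the ownership check read as such: `return head :unauthorized unless current_user` followed by `head :forbidden unless @user.id == current_user.id`. That would change the two `should forbid` tests in this commit, which send no token at all, so either move them to `:unauthorized` or keep the single 403 deliberately and say so with `# Missing token is rejected here too (403, not 401) — intentional.` The guard relies on `set_user` having populated `@user`, which the before_action order guarantees for update/destroy; what `Authenticable#current_user` does with a malformed token is not visible in this hunk and should be confirmed to return nil rather than raise.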

+ 1
- 0
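--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -1,2 +1,3 @@
 class ApplicationController < ActionController::API
+  include Authenticable
 end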
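Review bot: Mixing `Authenticable` into the base class makes `current_user` available everywhere, but nothing in this commit installs a default authentication filter, so every action that does not opt in with its own before_action (as `check_owner` does for update/destroy) stays anonymous — `index` and `show` in the users controller still serve any record to anyone. If that is the intended policy for now, a one-line comment next to the include, `# Provides current_user only; controllers must add their own before_action to require a token`, would stop the next reader from assuming the include enforces anything.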

+ 19
- 12
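--- a/test/controllers/api/v1/users_controller_test.rb
+++ b/test/controllers/api/v1/users_controller_test.rb
@@ -38,27 +38,34 @@
 
   #UPDATE
   test "should update user" do
-    patch api_v1_user_url(@user), params: { user: { email: @user.email, username: @user.username, password: '123456' } }, as: :json
+    patch api_v1_user_url(@user),
+    params: { user: { email: @user.email, password: '123456' } },
+    headers: { Authorization: JsonWebToken.encode(user_id: @user.id) },
+    as: :json
     assert_response :success
   end
 
-  # test "should not update user when invalid params are sent" do
-  #   patch api_v1_user_url(@user), params: { user: { email: 'bad_email', username: @user.username, password: '123456' } }, as: :json
-  #   assert_response :unprocessable_entity
-  # end
+  test "should forbid update user" do
+    patch api_v1_user_url(@user),
+    params: { user: { email: @user.email, password: '123456' } },
+    as: :json
+    assert_response :forbidden
+  end
 
   #DESTROY 
   test "should destroy user" do
     assert_difference('User.count', -1) do
-      delete api_v1_user_url(@user), as: :json
+      delete api_v1_user_url(@user),
+      headers: { Authorization: JsonWebToken.encode(user_id: @user.id) },
+      as: :json
     end
     assert_response :no_content
   end
 
-  # test "should forbid destroy user" do
-  #   assert_no_difference('User.count') do
-  #     delete api_v1_user_url(@user), as: :json
-  #   end
-  #   assert_response :forbidden
-  # end
+  test "should forbid destroy user" do
+    assert_no_difference('User.count') do
+      delete api_v1_user_url(@user), as: :json
+    end
+    assert_response :forbidden
+  end
 end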
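Review bot: Both new `should forbid` tests send no Authorization header, so they only prove that an anonymous caller is rejected; the case the ownership check exists for — a valid token belonging to a different user — is not exercised, and a regression that dropped the id comparison while still requiring a token would pass this suite. Add one update and one destroy variant that authenticate as another fixture, e.g. `headers: { Authorization: JsonWebToken.encode(user_id: users(:two).id) }` with `assert_response :forbidden` and `assert_no_difference('User.count')`, assuming a second user fixture exists (only `users(:one)` is visible in this commit). The commented-out invalid-params test was deleted rather than revived, so the 422 path of `update` is now untested; it would be a small addition in the same style with the token header and `assert_response :unprocessable_entity`. The `headers:` and `as:` keyword lines are indented at the same level as `patch`, which RuboCop will flag; indenting continuation arguments one step deeper would match the surrounding style.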

+ 26
- 0
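--- /dev/null
+++ b/test/controllers/concerns/authenticable_test.rb
@@ -0,0 +1,26 @@
+class MockController
+  include Authenticable
+  attr_accessor :request
+
+  def initialize
+    mock_request = Struct.new(:headers)
+    self.request = mock_request.new({})
+  end
+end
+
+class AuthenticableTest < ActionDispatch::IntegrationTest
+  setup do
+    @user = users(:one)
+    @authentication = MockController.new
+  end
+
+  test 'should get user from Authorization token' do
+    @authentication.request.headers['Authorization'] = JsonWebToken.encode(user_id: @user.id)
+    assert_equal @user.id, @authentication.current_user.id
+  end
+
+  test 'should not get user from empty Authorization token' do
+    @authentication.request.headers['Authorization'] = nil
+    assert_nil @authentication.current_user
+  end
+end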
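Review bot: The two cases here cover a freshly encoded token and a nil header, but not the inputs an attacker actually sends — a tampered or garbage token, a token whose `user_id` does not exist, or an expired one if `JsonWebToken.encode` sets `exp`; since `Authenticable` is not part of this commit I cannot tell whether those raise or return nil, and the `check_owner` guard in the controller silently assumes nil. A third test pins that contract: `@authentication.request.headers['Authorization'] = 'not.a.jwt'` followed by `assert_nil @authentication.current_user`, plus one using `JsonWebToken.encode(user_id: 0)` (or any id no fixture uses) with the same assertion. `AuthenticableTest` makes no HTTP requests, so `ActiveSupport::TestCase` would be the lighter base class than `ActionDispatch::IntegrationTest`; `users(:one)` is available from either.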
