Only allow writing when the access token has permission
This commit is contained in:
committed by
Stanko K.R.
parent
d36be764e2
commit
0ce3a85778
@@ -3,6 +3,7 @@ require "test_helper"
|
||||
class ApiTest < ActionDispatch::IntegrationTest
|
||||
setup do
|
||||
@davids_bearer_token = bearer_token_env(identity_access_tokens(:davids_api_token).token)
|
||||
@jasons_bearer_token = bearer_token_env(identity_access_tokens(:jasons_api_token).token)
|
||||
end
|
||||
|
||||
test "authenticate with valid access token" do
|
||||
@@ -15,6 +16,14 @@ class ApiTest < ActionDispatch::IntegrationTest
|
||||
assert_response :unauthorized
|
||||
end
|
||||
|
||||
test "changing data requires a write-endowed access token" do
|
||||
post boards_path(format: :json), params: { board: { name: "My new board" } }, env: @jasons_bearer_token
|
||||
assert_response :unauthorized
|
||||
|
||||
post boards_path(format: :json), params: { board: { name: "My new board" } }, env: @davids_bearer_token
|
||||
assert_response :redirect
|
||||
end
|
||||
|
||||
test "boards" do
|
||||
get boards_path(format: :json), env: @davids_bearer_token
|
||||
assert_equal users(:david).boards.count, @response.parsed_body.count
|
||||
|
||||
Reference in New Issue
Block a user