diff --git a/test/integration/active_storage_authorization_test.rb b/test/integration/active_storage_authorization_test.rb index 605bc109d..045d08e4b 100644 --- a/test/integration/active_storage_authorization_test.rb +++ b/test/integration/active_storage_authorization_test.rb @@ -17,6 +17,13 @@ class ActiveStorageAuthorizationTest < ActionDispatch::IntegrationTest assert_match %r{rails/active_storage}, response.location end + test "bearer token with board access can view blob" do + get rails_blob_path(@blob, disposition: :inline), env: bearer_token_env(identity_access_tokens(:davids_api_token).token) + + assert_response :redirect + assert_match %r{rails/active_storage}, response.location + end + test "authenticated user without board access cannot view blob" do sign_in_as :mike @@ -38,6 +45,13 @@ class ActiveStorageAuthorizationTest < ActionDispatch::IntegrationTest assert_match %r{rails/active_storage/}, response.location end + test "bearer token with board access can view representation" do + get rails_representation_path(@blob.representation(resize_to_limit: [ 100, 100 ])), env: bearer_token_env(identity_access_tokens(:davids_api_token).token) + + assert_response :redirect + assert_match %r{rails/active_storage/}, response.location + end + test "authenticated user without board access cannot view representation" do sign_in_as :mike @@ -194,6 +208,15 @@ class ActiveStorageAuthorizationTest < ActionDispatch::IntegrationTest assert_match %r{rails/active_storage}, response.location end + test "export owner can download their export with bearer token" do + blob = create_export_blob_for(users(:david)) + + get rails_blob_path(blob, disposition: :attachment), env: bearer_token_env(identity_access_tokens(:davids_api_token).token) + + assert_response :redirect + assert_match %r{rails/active_storage}, response.location + end + test "non-owner cannot download another user's export" do sign_in_as :jz @@ -249,4 +272,8 @@ class ActiveStorageAuthorizationTest < ActionDispatch::IntegrationTest user.avatar.blob end end + + def bearer_token_env(token) + { "HTTP_AUTHORIZATION" => "Bearer #{token}" } + end end