Add regression tests for bearer-authenticated blob downloads
This commit is contained in:
@@ -17,6 +17,13 @@ class ActiveStorageAuthorizationTest < ActionDispatch::IntegrationTest
|
|||||||
assert_match %r{rails/active_storage}, response.location
|
assert_match %r{rails/active_storage}, response.location
|
||||||
end
|
end
|
||||||
|
|
||||||
|
test "bearer token with board access can view blob" do
|
||||||
|
get rails_blob_path(@blob, disposition: :inline), env: bearer_token_env(identity_access_tokens(:davids_api_token).token)
|
||||||
|
|
||||||
|
assert_response :redirect
|
||||||
|
assert_match %r{rails/active_storage}, response.location
|
||||||
|
end
|
||||||
|
|
||||||
test "authenticated user without board access cannot view blob" do
|
test "authenticated user without board access cannot view blob" do
|
||||||
sign_in_as :mike
|
sign_in_as :mike
|
||||||
|
|
||||||
@@ -38,6 +45,13 @@ class ActiveStorageAuthorizationTest < ActionDispatch::IntegrationTest
|
|||||||
assert_match %r{rails/active_storage/}, response.location
|
assert_match %r{rails/active_storage/}, response.location
|
||||||
end
|
end
|
||||||
|
|
||||||
|
test "bearer token with board access can view representation" do
|
||||||
|
get rails_representation_path(@blob.representation(resize_to_limit: [ 100, 100 ])), env: bearer_token_env(identity_access_tokens(:davids_api_token).token)
|
||||||
|
|
||||||
|
assert_response :redirect
|
||||||
|
assert_match %r{rails/active_storage/}, response.location
|
||||||
|
end
|
||||||
|
|
||||||
test "authenticated user without board access cannot view representation" do
|
test "authenticated user without board access cannot view representation" do
|
||||||
sign_in_as :mike
|
sign_in_as :mike
|
||||||
|
|
||||||
@@ -194,6 +208,15 @@ class ActiveStorageAuthorizationTest < ActionDispatch::IntegrationTest
|
|||||||
assert_match %r{rails/active_storage}, response.location
|
assert_match %r{rails/active_storage}, response.location
|
||||||
end
|
end
|
||||||
|
|
||||||
|
test "export owner can download their export with bearer token" do
|
||||||
|
blob = create_export_blob_for(users(:david))
|
||||||
|
|
||||||
|
get rails_blob_path(blob, disposition: :attachment), env: bearer_token_env(identity_access_tokens(:davids_api_token).token)
|
||||||
|
|
||||||
|
assert_response :redirect
|
||||||
|
assert_match %r{rails/active_storage}, response.location
|
||||||
|
end
|
||||||
|
|
||||||
test "non-owner cannot download another user's export" do
|
test "non-owner cannot download another user's export" do
|
||||||
sign_in_as :jz
|
sign_in_as :jz
|
||||||
|
|
||||||
@@ -249,4 +272,8 @@ class ActiveStorageAuthorizationTest < ActionDispatch::IntegrationTest
|
|||||||
user.avatar.blob
|
user.avatar.blob
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def bearer_token_env(token)
|
||||||
|
{ "HTTP_AUTHORIZATION" => "Bearer #{token}" }
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|||||||
Reference in New Issue
Block a user