3fcf5a9d08
Respond with 403 to JSON requests that are unauthorized, instead of redirecting.
87 lines
2.2 KiB
Ruby
87 lines
2.2 KiB
Ruby
require "test_helper"
|
|
|
|
class ActiveStorage::DirectUploadsControllerTest < ActionDispatch::IntegrationTest
|
|
setup do
|
|
@blob_params = {
|
|
blob: {
|
|
filename: "screenshot.png",
|
|
byte_size: 12345,
|
|
checksum: "GQ5SqLsM7ylnji0Wgd9wNC==",
|
|
content_type: "image/png"
|
|
}
|
|
}
|
|
end
|
|
|
|
test "create" do
|
|
sign_in_as :david
|
|
|
|
post rails_direct_uploads_path,
|
|
params: @blob_params,
|
|
headers: bearer_token_header(identity_access_tokens(:davids_api_token).token),
|
|
as: :json
|
|
|
|
assert_response :success
|
|
assert_includes response.parsed_body.keys, "direct_upload"
|
|
end
|
|
|
|
test "create with valid access token" do
|
|
post rails_direct_uploads_path,
|
|
params: @blob_params,
|
|
headers: bearer_token_header(identity_access_tokens(:davids_api_token).token),
|
|
as: :json
|
|
|
|
assert_response :success
|
|
assert_includes response.parsed_body.keys, "direct_upload"
|
|
end
|
|
|
|
test "create with read-only access token" do
|
|
post rails_direct_uploads_path,
|
|
params: @blob_params,
|
|
headers: bearer_token_header(identity_access_tokens(:jasons_api_token).token),
|
|
as: :json
|
|
|
|
assert_response :unauthorized
|
|
end
|
|
|
|
test "create with invalid access token" do
|
|
post rails_direct_uploads_path,
|
|
params: @blob_params,
|
|
headers: bearer_token_header("invalid_token"),
|
|
as: :json
|
|
|
|
assert_response :unauthorized
|
|
end
|
|
|
|
test "create unauthenticated" do
|
|
post rails_direct_uploads_path,
|
|
params: @blob_params,
|
|
as: :json
|
|
|
|
assert_response :redirect
|
|
end
|
|
|
|
test "create in another account is forbidden" do
|
|
sign_in_as :david
|
|
|
|
post rails_direct_uploads_path(script_name: "/#{ActiveRecord::FixtureSet.identify("initech")}"),
|
|
params: @blob_params,
|
|
as: :json
|
|
|
|
assert_response :forbidden
|
|
end
|
|
|
|
test "create with valid access token in another account is forbidden" do
|
|
post rails_direct_uploads_path(script_name: "/#{ActiveRecord::FixtureSet.identify("initech")}"),
|
|
params: @blob_params,
|
|
headers: bearer_token_header(identity_access_tokens(:davids_api_token).token),
|
|
as: :json
|
|
|
|
assert_response :forbidden
|
|
end
|
|
|
|
private
|
|
def bearer_token_header(token)
|
|
{ "Authorization" => "Bearer #{token}" }
|
|
end
|
|
end
|