Secure product_categories and add example test for other supplier resources and fix hack attempts included in test

2012-12-06 12:21:38 +01:00
parent 382f91b1d6
commit 180b6deb4d
8 changed files with 207 additions and 8 deletions
@@ -9,7 +9,7 @@ GIT

 GIT
  remote: git://github.com/bterkuile/simply_stored.git
-  revision: 04f58b15bb308420f78c66d27ce4d4d3b58183ff
+  revision: fe749c792e303817f825fa4964936cc68a62b14b
  specs:
    simply_stored (1.0.0)
      activesupport
@@ -1,10 +1,9 @@
 class ApplicationController < ActionController::Base
  before_filter :set_locale
  layout :layout_by_resource
-  
-  
  protect_from_forgery

+  rescue_from SimplyStored::RecordNotFound, with: :show_404
 private

  def broadcast_user(uid, event, data = {})
@@ -62,4 +61,8 @@ private
    "http://#{Rails.env.production? ? 'events.qwaiter.com' : 'localhost'}:9296/faye"
  end
  helper_method :event_host
+
+  def show_404
+    render 'dashboard/404', layout: true, status: 404
+  end
 end
@@ -15,7 +15,7 @@ module Suppliers
    # GET /product_categories/1
    # GET /product_categories/1.json
    def show
-      @product_category = ProductCategory.find(params[:id])
+      @product_category = ProductCategory.find_by_supplier_id_and_id!(current_supplier.id, params[:id])

      respond_to do |format|
        format.html # show.html.erb
@@ -59,7 +59,7 @@ module Suppliers
    # PUT /product_categories/1
    # PUT /product_categories/1.json
    def update
-      @product_category = ProductCategory.find(params[:id])
+      @product_category = ProductCategory.find_by_supplier_id_and_id!(current_supplier.id, params[:id])

      respond_to do |format|
        if @product_category.update_attributes(params[:product_category])
@@ -75,7 +75,7 @@ module Suppliers
    # DELETE /product_categories/1
    # DELETE /product_categories/1.json
    def destroy
-      @product_category = ProductCategory.find(params[:id])
+      @product_category = ProductCategory.find_by_supplier_id_and_id!(current_supplier.id, params[:id])
      @product_category.destroy

      respond_to do |format|
@@ -87,7 +87,7 @@ module Suppliers
    # POST /supplier/product_categories/sort
    #   params ~= product_category: ['abc', 'def', 'another id', ...]
    def sort
-      @product_categories = ProductCategory.find(params[:product_category])
+      @product_categories = ProductCategory.find(params[:product_category]).select{|pc| pc.supplier_id == current_supplier.id} # The select is hack prevention
      1.upto(@product_categories.size){|i| @product_categories[i-1].position = i}
      CouchPotato.database.couchrest_database.bulk_save(@product_categories)
      render nothing: true
@@ -12,6 +12,7 @@ class ProductCategory
  validates :name, presence: true
  validates :position, numericality: true
  validates :supplier_id, presence: true
+  view :by_supplier_id_and_id, key: [:supplier_id, :_id]

  def self.for_user(user, options = {})
    table = options[:table]
@@ -0,0 +1,2 @@
+h2 404
+p The requested page could not be found
@@ -0,0 +1,21 @@
+require 'acceptance/acceptance_helper'
+
+feature 'Supplier product categories spec', %q{
+  In order to manage product categories 
+  As a supplier
+  I want to have control over product categories and associated products
+} do
+  background do
+    create_supplier 'supplier@qwaiter.com'
+  end
+  context "GET #index" do
+    background do
+      @product_category = create :product_category, supplier: @supplier
+    end
+    scenario "I can see a drag handle having class .handle for sorting the product categories" do
+      login_supplier_as 'supplier@qwaiter.com'
+      visit '/supplier/product_categories'
+      page.should have_selector '.handle'
+    end
+  end
+end
@@ -1,6 +1,5 @@
 require 'acceptance/acceptance_helper'

-@javascript
 feature 'Supplier main board spec.rb', %q{
  In order to manage active list and orders
  As a supplier
@@ -0,0 +1,173 @@
+# encoding: UTF-8
+require 'spec_helper'
+
+describe Suppliers::ProductCategoriesController do
+  before :each do
+    @supplier = Supplier.find_by_email('supplier@qwaiter.com') || Supplier.create(name: 'Supplier', email: 'supplier@qwaiter.com', password: 'secret')
+    sign_in @supplier
+  end
+
+  describe "GET #index" do
+    it "populates an array of product_categories" do
+      product_category = create :product_category, supplier: @supplier
+      get :index
+      assigns(:product_categories).should eq([product_category])
+    end
+
+    it "does not include product_categories from another supplier" do
+      product_category1 = create :product_category, supplier: @supplier
+      product_category2 = create :product_category
+      get :index
+      assigns(:product_categories).should eq([product_category1])
+    end
+
+    it "should render without errors when no objects are present" do
+      get :index
+      expect{ render_template :index }.not_to raise_error
+    end
+
+    it "renders the :index view" do
+      get :index
+      response.should render_template :index
+    end
+  end
+
+  describe "GET #show" do
+    it "assigns the requested product_category to @product_category" do
+      product_category = create :product_category, supplier: @supplier
+      get :show, id: product_category
+      assigns(:product_category).should eq(product_category)
+    end
+
+    it "should not display a product_category of another supplier" do
+      product_category = create :product_category
+      get :show, id: product_category
+      response.status.should == 404
+    end
+
+    it "renders the #show view" do
+      product_category = create :product_category, supplier: @supplier
+      get :show, id: product_category
+      response.should render_template :show
+    end
+  end
+
+  describe "GET #new" do
+    it "assigns a new product_category to @product_category" do
+      get :new
+      assigns(:product_category).should be_a ProductCategory
+    end
+
+    it "renders the #show view" do
+      get :new
+      response.should render_template :new
+    end
+  end
+
+  describe "POST #create" do
+    context "with valid attributes" do
+      it "creates a new product_category" do
+        expect{
+          post :create, product_category: attributes_for(:product_category, supplier: @supplier)
+        }.to change(ProductCategory, :count).by(1)
+      end
+
+      it "redirects to the new product_category" do
+        post :create, product_category: attributes_for(:product_category, supplier: @supplier)
+        response.should redirect_to [:suppliers, ProductCategory.last]
+      end
+
+      it "should not be possible to create a product category for another supplier" do
+        supplier2 = create :supplier
+        post :create, product_category: attributes_for(:product_category, name: 'Trying to hack', supplier: supplier2)
+        ProductCategory.find_by_name('Trying to hack').supplier_id.should == @supplier.id
+      end
+    end
+
+    context "with invalid attributes" do
+      it "does not save the new product_category" do
+        expect{
+          post :create, product_category: {name: ''}
+        }.to_not change(ProductCategory, :count)
+      end
+
+      it "re-renders the new method" do
+        post :create, product_category: {name: ''}
+        response.should render_template :new
+      end
+    end
+  end
+
+  describe 'PUT update' do
+    before :each do
+      @product_category = create :product_category, supplier: @supplier
+    end
+
+    context "valid attributes" do
+      it "located the requested product_category" do
+        put :update, id: @product_category, product_category: attributes_for(:product_category, supplier: @supplier)
+        @product_category.reload
+        assigns(:product_category).should eq(@product_category)
+      end
+
+      it "changes @product_category's attributes" do
+        put :update, id: @product_category, product_category: attributes_for(:product_category, name: "ChangedByTest", supplier: @supplier)
+        @product_category.reload
+        @product_category.name.should eq("ChangedByTest")
+      end
+
+      it "redirects to the updated product_category" do
+        put :update, id: @product_category, product_category: attributes_for(:product_category, supplier: @supplier)
+        response.should redirect_to [:suppliers, @product_category]
+      end
+      it "should not be possible to update a product category to another supplier" do
+        supplier2 = create :supplier
+        put :update, id: @product_category, product_category: attributes_for(:product_category, name: "Trying to hack", supplier: supplier2)
+        ProductCategory.find_by_name('Trying to hack').supplier_id.should == @supplier.id
+      end
+
+      it "should not be possible to update a product_category of another supplier" do
+        product_category = create :product_category, name: 'Other supplier product_category'
+        put :update, id: product_category, product_category: {name: "Trying to hack"}
+        product_category.reload
+        product_category.name.should == 'Other supplier product_category'
+      end
+    end
+
+    context "invalid attributes" do
+      it "locates the requested product_category" do
+        put :update, id: @product_category, product_category: {name: ''}
+        assigns(:product_category).should eq(@product_category)
+      end
+
+      it "re-renders the edit method" do
+        put :update, id: @product_category, product_category: {name: ''}
+        response.should render_template :edit
+      end
+    end
+  end
+
+  describe 'DELETE destroy' do
+    before :each do
+      @product_category = create :product_category, supplier: @supplier
+    end
+
+    it "deletes the product_category" do
+      expect{
+        delete :destroy, id: @product_category        
+      }.to change(ProductCategory, :count).by(-1)
+    end
+
+    it "redirects to product_categories#index" do
+      delete :destroy, id: @product_category
+      response.should redirect_to [:suppliers, :product_categories]
+    end
+
+    it "should not be possible to delete a product category of another supplier" do
+      product_category = create :product_category
+      expect{
+        delete :destroy, id: product_category
+      }.to_not change(ProductCategory, :count)
+    end
+  end
+end