bterkuile/mozo-backend
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Secure product_categories and add example test for other supplier resources and fix hack attempts included in test

Browse Source
This commit is contained in:
Benjamin ter Kuile
2012-12-06 12:21:38 +01:00
parent 382f91b1d6
commit 180b6deb4d
8 changed files with 207 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files
spec/controllers/suppliers/product_categories_controller_spec.rb
+173
View File
@@ -0,0 +1,173 @@
# encoding: UTF-8
require 'spec_helper'
describe Suppliers::ProductCategoriesController do
before :each do
@supplier = Supplier.find_by_email('supplier@qwaiter.com') || Supplier.create(name: 'Supplier', email: 'supplier@qwaiter.com', password: 'secret')
sign_in @supplier
end
describe "GET #index" do
it "populates an array of product_categories" do
product_category = create :product_category, supplier: @supplier
get :index
assigns(:product_categories).should eq([product_category])
end
it "does not include product_categories from another supplier" do
product_category1 = create :product_category, supplier: @supplier
product_category2 = create :product_category
get :index
assigns(:product_categories).should eq([product_category1])
end
it "should render without errors when no objects are present" do
get :index
expect{ render_template :index }.not_to raise_error
end
it "renders the :index view" do
get :index
response.should render_template :index
end
end
describe "GET #show" do
it "assigns the requested product_category to @product_category" do
product_category = create :product_category, supplier: @supplier
get :show, id: product_category
assigns(:product_category).should eq(product_category)
end
it "should not display a product_category of another supplier" do
product_category = create :product_category
get :show, id: product_category
response.status.should == 404
end
it "renders the #show view" do
product_category = create :product_category, supplier: @supplier
get :show, id: product_category
response.should render_template :show
end
end
describe "GET #new" do
it "assigns a new product_category to @product_category" do
get :new
assigns(:product_category).should be_a ProductCategory
end
it "renders the #show view" do
get :new
response.should render_template :new
end
end
describe "POST #create" do
context "with valid attributes" do
it "creates a new product_category" do
expect{
post :create, product_category: attributes_for(:product_category, supplier: @supplier)
}.to change(ProductCategory, :count).by(1)
end
it "redirects to the new product_category" do
post :create, product_category: attributes_for(:product_category, supplier: @supplier)
response.should redirect_to [:suppliers, ProductCategory.last]
end
it "should not be possible to create a product category for another supplier" do
supplier2 = create :supplier
post :create, product_category: attributes_for(:product_category, name: 'Trying to hack', supplier: supplier2)
ProductCategory.find_by_name('Trying to hack').supplier_id.should == @supplier.id
end
end
context "with invalid attributes" do
it "does not save the new product_category" do
expect{
post :create, product_category: {name: ''}
}.to_not change(ProductCategory, :count)
end
it "re-renders the new method" do
post :create, product_category: {name: ''}
response.should render_template :new
end
end
end
describe 'PUT update' do
before :each do
@product_category = create :product_category, supplier: @supplier
end
context "valid attributes" do
it "located the requested product_category" do
put :update, id: @product_category, product_category: attributes_for(:product_category, supplier: @supplier)
@product_category.reload
assigns(:product_category).should eq(@product_category)
end
it "changes @product_category's attributes" do
put :update, id: @product_category, product_category: attributes_for(:product_category, name: "ChangedByTest", supplier: @supplier)
@product_category.reload
@product_category.name.should eq("ChangedByTest")
end
it "redirects to the updated product_category" do
put :update, id: @product_category, product_category: attributes_for(:product_category, supplier: @supplier)
response.should redirect_to [:suppliers, @product_category]
end
it "should not be possible to update a product category to another supplier" do
supplier2 = create :supplier
put :update, id: @product_category, product_category: attributes_for(:product_category, name: "Trying to hack", supplier: supplier2)
ProductCategory.find_by_name('Trying to hack').supplier_id.should == @supplier.id
end
it "should not be possible to update a product_category of another supplier" do
product_category = create :product_category, name: 'Other supplier product_category'
put :update, id: product_category, product_category: {name: "Trying to hack"}
product_category.reload
product_category.name.should == 'Other supplier product_category'
end
end
context "invalid attributes" do
it "locates the requested product_category" do
put :update, id: @product_category, product_category: {name: ''}
assigns(:product_category).should eq(@product_category)
end
it "re-renders the edit method" do
put :update, id: @product_category, product_category: {name: ''}
response.should render_template :edit
end
end
end
describe 'DELETE destroy' do
before :each do
@product_category = create :product_category, supplier: @supplier
end
it "deletes the product_category" do
expect{
delete :destroy, id: @product_category
}.to change(ProductCategory, :count).by(-1)
end
it "redirects to product_categories#index" do
delete :destroy, id: @product_category
response.should redirect_to [:suppliers, :product_categories]
end
it "should not be possible to delete a product category of another supplier" do
product_category = create :product_category
expect{
delete :destroy, id: product_category
}.to_not change(ProductCategory, :count)
end
end
end