DEV: Extend specs coverage for non-admin access to admin endpoints (#18833)
Replace base controller class inheritance specs with explicit specs for non-staff and moderator access to admin resources
@ -1,19 +1,65 @@
|
||||
# frozen_string_literal: true
|
||||
|
||||
RSpec.describe Admin::AdminController do
|
||||
describe '#index' do
|
||||
it "needs you to be logged in" do
|
||||
get "/admin.json"
|
||||
expect(response.status).to eq(404)
|
||||
fab!(:admin) { Fabricate(:admin) }
|
||||
fab!(:moderator) { Fabricate(:moderator) }
|
||||
|
||||
describe "#index" do
|
||||
context "when unauthenticated" do
|
||||
it "denies access with a 404 response" do
|
||||
get "/admin.json"
|
||||
|
||||
expect(response.status).to eq(404)
|
||||
expect(response.parsed_body["errors"]).to include(I18n.t("not_found"))
|
||||
end
|
||||
end
|
||||
|
||||
it "should return the right response if user isn't a staff" do
|
||||
sign_in(Fabricate(:user))
|
||||
get "/admin", params: { api_key: 'asdiasiduga' }
|
||||
expect(response.status).to eq(404)
|
||||
context "when authenticated" do
|
||||
context "as an admin" do
|
||||
it "permits access with a 200 response" do
|
||||
sign_in(admin)
|
||||
get "/admin.json"
|
||||
|
||||
get "/admin"
|
||||
expect(response.status).to eq(404)
|
||||
expect(response.status).to eq(200)
|
||||
end
|
||||
end
|
||||
|
||||
context "as a non-admin" do
|
||||
it "denies access with a 403 response" do
|
||||
sign_in(moderator)
|
||||
get "/admin.json"
|
||||
|
||||
expect(response.status).to eq(403)
|
||||
expect(response.parsed_body["errors"]).to include(I18n.t("invalid_access"))
|
||||
end
|
||||
end
|
||||
|
||||
context "when user is admin with api key" do
|
||||
it "permits access with a 200 response" do
|
||||
api_key = Fabricate(:api_key, user: admin)
|
||||
|
||||
get "/admin.json", headers: {
|
||||
HTTP_API_KEY: api_key.key,
|
||||
HTTP_API_USERNAME: admin.username
|
||||
}
|
||||
|
||||
expect(response.status).to eq(200)
|
||||
end
|
||||
end
|
||||
|
||||
context "when user is a non-admin with api key" do
|
||||
it "denies access with a 403 response" do
|
||||
api_key = Fabricate(:api_key, user: moderator)
|
||||
|
||||
get "/admin.json", headers: {
|
||||
HTTP_API_KEY: api_key.key,
|
||||
HTTP_API_USERNAME: moderator.username
|
||||
}
|
||||
|
||||
expect(response.status).to eq(403)
|
||||
expect(response.parsed_body["errors"]).to include(I18n.t("invalid_access"))
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
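Review bot: The `context "as a non-admin"` example only signs in a moderator, so the non-staff (plain user) case that the removed `it "should return the right response if user isn't a staff"` example covered, and that the commit description names, is no longer exercised on the session path; the hunk pins 403 with `invalid_access` for moderators but nothing for a regular user. I would add a sibling `context "as a non-staff user"` with `sign_in(Fabricate(:user))`, `get "/admin.json"` and an assertion on the status — the removed spec expected 404 for `/admin`, but whether `/admin.json` returns 404 (route hidden) or 403 for a non-staff user cannot be told from this hunk, so confirm against the controller before choosing. The same gap applies to the API-key contexts, which cover an admin key and a moderator key but not a key issued to a non-staff user; the removed spec's bogus `api_key` query-parameter case is also gone, and if the controller still accepts a query-parameter key it is worth keeping a negative example for it. These examples sit inside the `describe "#index"` block, whose closing `end` is the final line of the hunk.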