DEV: Extend specs coverage for non-admin access to admin endpoints (#18833)

Replace base controller class inheritance specs with explicit specs for non-staff and moderator access to admin resources
2025-05-30 04:28:31 +08:00 · 2022-11-03 03:42:44 +00:00
parent 612ab8710a
commit 52be5b3782
31 changed files with 7047 additions and 3433 deletions
--- a/spec/requests/admin/admin_controller_spec.rb
+++ b/spec/requests/admin/admin_controller_spec.rb
@ -1,19 +1,65 @@
 # frozen_string_literal: true

 RSpec.describe Admin::AdminController do
-  describe '#index' do
-    it "needs you to be logged in" do
-      get "/admin.json"
-      expect(response.status).to eq(404)
+  fab!(:admin) { Fabricate(:admin) }
+  fab!(:moderator) { Fabricate(:moderator) }
+
+  describe "#index" do
+    context "when unauthenticated" do
+      it "denies access with a 404 response" do
+        get "/admin.json"
+
+        expect(response.status).to eq(404)
+        expect(response.parsed_body["errors"]).to include(I18n.t("not_found"))
+      end
    end

-    it "should return the right response if user isn't a staff" do
-      sign_in(Fabricate(:user))
-      get "/admin", params: { api_key: 'asdiasiduga' }
-      expect(response.status).to eq(404)
+    context "when authenticated" do
+      context "as an admin" do
+        it "permits access with a 200 response" do
+          sign_in(admin)
+          get "/admin.json"

-      get "/admin"
-      expect(response.status).to eq(404)
+          expect(response.status).to eq(200)
+        end
+      end
+
+      context "as a non-admin" do
+        it "denies access with a 403 response" do
+          sign_in(moderator)
+          get "/admin.json"
+
+          expect(response.status).to eq(403)
+          expect(response.parsed_body["errors"]).to include(I18n.t("invalid_access"))
+        end
+      end
+
+      context "when user is admin with api key" do
+        it "permits access with a 200 response" do
+          api_key = Fabricate(:api_key, user: admin)
+
+          get "/admin.json", headers: {
+            HTTP_API_KEY: api_key.key,
+            HTTP_API_USERNAME: admin.username
+          }
+
+          expect(response.status).to eq(200)
+        end
+      end
+
+      context "when user is a non-admin with api key" do
+        it "denies access with a 403 response" do
+          api_key = Fabricate(:api_key, user: moderator)
+
+          get "/admin.json", headers: {
+            HTTP_API_KEY: api_key.key,
+            HTTP_API_USERNAME: moderator.username
+          }
+
+          expect(response.status).to eq(403)
+          expect(response.parsed_body["errors"]).to include(I18n.t("invalid_access"))
+        end
+      end
    end
  end
 end