DEV: Extend specs coverage for non-admin access to admin endpoints (#18833)

Replace base controller class inheritance specs with explicit specs
for non-staff and moderator access to admin resources
This commit is contained in:
Selase Krakani
2022-11-03 03:42:44 +00:00
committed by GitHub
parent 612ab8710a
commit 52be5b3782
31 changed files with 7047 additions and 3433 deletions


@ -1,19 +1,65 @@
# frozen_string_literal: true
RSpec.describe Admin::AdminController do
describe '#index' do
it "needs you to be logged in" do
get "/admin.json"
expect(response.status).to eq(404)
fab!(:admin) { Fabricate(:admin) }
fab!(:moderator) { Fabricate(:moderator) }
describe "#index" do
context "when unauthenticated" do
it "denies access with a 404 response" do
get "/admin.json"
expect(response.status).to eq(404)
expect(response.parsed_body["errors"]).to include(I18n.t("not_found"))
end
end
it "should return the right response if user isn't a staff" do
sign_in(Fabricate(:user))
get "/admin", params: { api_key: 'asdiasiduga' }
expect(response.status).to eq(404)
context "when authenticated" do
context "as an admin" do
it "permits access with a 200 response" do
sign_in(admin)
get "/admin.json"
get "/admin"
expect(response.status).to eq(404)
expect(response.status).to eq(200)
end
end
context "as a non-admin" do
it "denies access with a 403 response" do
sign_in(moderator)
get "/admin.json"
expect(response.status).to eq(403)
expect(response.parsed_body["errors"]).to include(I18n.t("invalid_access"))
end
end
context "when user is admin with api key" do
it "permits access with a 200 response" do
api_key = Fabricate(:api_key, user: admin)
get "/admin.json", headers: {
HTTP_API_KEY: api_key.key,
HTTP_API_USERNAME: admin.username
}
expect(response.status).to eq(200)
end
end
context "when user is a non-admin with api key" do
it "denies access with a 403 response" do
api_key = Fabricate(:api_key, user: moderator)
get "/admin.json", headers: {
HTTP_API_KEY: api_key.key,
HTTP_API_USERNAME: moderator.username
}
expect(response.status).to eq(403)
expect(response.parsed_body["errors"]).to include(I18n.t("invalid_access"))
end
end
end
end
end
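Review bot: The non-admin contexts (lines 46–53 and 64–74) only exercise a moderator, while the spec this hunk removes also covered a plain non-staff user, whose expected status was 404 (lines 32–35); the new file no longer pins what a non-staff user receives at all. That matters here because 403 versus 404 is the difference between confirming and hiding that the admin endpoint exists to a logged-in ordinary user, so the case deserves its own context under "when authenticated", and ideally a matching api-key variant. The expected status should be whatever AdminController currently returns for non-staff — the old spec suggests 404, matching the unauthenticated case, but I cannot confirm that from this hunk. The commit description says the change covers non-staff access; if that case now lives in one of the other changed files, a short comment in this spec pointing there would avoid the apparent coverage gap.
```ruby
      # … unchanged: "as a non-admin" (moderator) context …
      context "as a non-staff user" do
        it "denies access" do
          sign_in(Fabricate(:user))
          get "/admin.json"
          # TODO confirm: the removed spec expected 404 for non-staff users
          expect(response.status).to eq(404)
        end
      end
```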