From 3bb4f4c5efff46f3aa1607af53a0b0b3f7a02346 Mon Sep 17 00:00:00 2001
From: Robin Ward
Date: Tue, 11 Sep 2018 12:02:06 -0400
Subject: [PATCH] Adds test to make sure moderators can't make master keys

It wasn't obvious from the code, plus we'd never want this to regress!
---
 spec/requests/admin/api_controller_spec.rb | 87 +++++++++++++---
 1 file changed, 50 insertions(+), 37 deletions(-)

diff --git a/spec/requests/admin/api_controller_spec.rb b/spec/requests/admin/api_controller_spec.rb
index feee32728b4..9cf3b6dc730 100644
--- a/spec/requests/admin/api_controller_spec.rb
+++ b/spec/requests/admin/api_controller_spec.rb
@@ -7,57 +7,70 @@ describe Admin::ApiController do
 end
 let(:admin) { Fabricate(:admin) }
- before do
- sign_in(admin)
- end
- describe '#index' do
- it "succeeds" do
- get "/admin/api/keys.json"
- expect(response.status).to eq(200)
- end
- end
-
- describe '#regenerate_key' do
- let(:api_key) { Fabricate(:api_key) }
-
- it "returns 404 when there is no key" do
- put "/admin/api/key.json", params: { id: 1234 }
- expect(response.status).to eq(404)
+ context "as an admin" do
+ before do
+ sign_in(admin)
 end
- it "delegates to the api key's `regenerate!` method" do
- prev_value = api_key.key
- put "/admin/api/key.json", params: { id: api_key.id }
- expect(response.status).to eq(200)
-
- api_key.reload
- expect(api_key.key).not_to eq(prev_value)
- expect(api_key.created_by.id).to eq(admin.id)
- end
- end
-
- describe '#revoke_key' do
- let(:api_key) { Fabricate(:api_key) }
-
- it "returns 404 when there is no key" do
- delete "/admin/api/key.json", params: { id: 1234 }
- expect(response.status).to eq(404)
+ describe '#index' do
+ it "succeeds" do
+ get "/admin/api/keys.json"
+ expect(response.status).to eq(200)
+ end
 end
- it "delegates to the api key's `regenerate!` method" do
- delete "/admin/api/key.json", params: { id: api_key.id }
- expect(response.status).to eq(200)
- expect(ApiKey.where(key: api_key.key).count).to eq(0)
+ describe '#regenerate_key' do
+ let(:api_key) { Fabricate(:api_key) }
+
+ it "returns 404 when there is no key" do
+ put "/admin/api/key.json", params: { id: 1234 }
+ expect(response.status).to eq(404)
+ end
+
+ it "delegates to the api key's `regenerate!` method" do
+ prev_value = api_key.key
+ put "/admin/api/key.json", params: { id: api_key.id }
+ expect(response.status).to eq(200)
+
+ api_key.reload
+ expect(api_key.key).not_to eq(prev_value)
+ expect(api_key.created_by.id).to eq(admin.id)
+ end
+ end
+
+ describe '#revoke_key' do
+ let(:api_key) { Fabricate(:api_key) }
+
+ it "returns 404 when there is no key" do
+ delete "/admin/api/key.json", params: { id: 1234 }
+ expect(response.status).to eq(404)
+ end
+
+ it "delegates to the api key's `regenerate!` method" do
+ delete "/admin/api/key.json", params: { id: api_key.id }
+ expect(response.status).to eq(200)
+ expect(ApiKey.where(key: api_key.key).count).to eq(0)
+ end
 end
 end
 describe '#create_master_key' do
 it "creates a record" do
+ sign_in(admin)
 expect do
 post "/admin/api/key.json"
 end.to change(ApiKey, :count).by(1)
 expect(response.status).to eq(200)
 end
+
+ it "doesn't allow moderators to create master keys" do
+ sign_in(Fabricate(:moderator))
+ expect do
+ post "/admin/api/key.json"
+ end.to change(ApiKey, :count).by(0)
+ expect(response.status).to eq(404)
+ end
+
+ end
 end