Adds test to make sure moderators can't make master keys

It wasn't obvious from the code, plus we'd never want this to regress!
2018-09-11 12:02:06 -04:00 · 2018-09-11 12:02:06 -04:00 · 3bb4f4c5ef
parent 1a01385e88
commit 3bb4f4c5ef
1 changed files with 50 additions and 37 deletions
--- a/spec/requests/admin/api_controller_spec.rb
+++ b/spec/requests/admin/api_controller_spec.rb
@ -7,57 +7,70 @@ describe Admin::ApiController do
  end
  let(:admin) { Fabricate(:admin) }
  before do
    sign_in(admin)
  end
-  describe '#index' do
+  context "as an admin" do
-    it "succeeds" do
+    before do
-      get "/admin/api/keys.json"
+      sign_in(admin)
      expect(response.status).to eq(200)
    end
  end
  describe '#regenerate_key' do
    let(:api_key) { Fabricate(:api_key) }
    it "returns 404 when there is no key" do
      put "/admin/api/key.json", params: { id: 1234 }
      expect(response.status).to eq(404)
    end
-    it "delegates to the api key's `regenerate!` method" do
+    describe '#index' do
-      prev_value = api_key.key
+      it "succeeds" do
-      put "/admin/api/key.json", params: { id: api_key.id }
+        get "/admin/api/keys.json"
-      expect(response.status).to eq(200)
+        expect(response.status).to eq(200)
-
+      end
      api_key.reload
      expect(api_key.key).not_to eq(prev_value)
      expect(api_key.created_by.id).to eq(admin.id)
    end
  end
  describe '#revoke_key' do
    let(:api_key) { Fabricate(:api_key) }
    it "returns 404 when there is no key" do
      delete "/admin/api/key.json", params: { id: 1234 }
      expect(response.status).to eq(404)
    end
-    it "delegates to the api key's `regenerate!` method" do
+    describe '#regenerate_key' do
-      delete "/admin/api/key.json", params: { id: api_key.id }
+      let(:api_key) { Fabricate(:api_key) }
-      expect(response.status).to eq(200)
+
-      expect(ApiKey.where(key: api_key.key).count).to eq(0)
+      it "returns 404 when there is no key" do
        put "/admin/api/key.json", params: { id: 1234 }
        expect(response.status).to eq(404)
      end
      it "delegates to the api key's `regenerate!` method" do
        prev_value = api_key.key
        put "/admin/api/key.json", params: { id: api_key.id }
        expect(response.status).to eq(200)
        api_key.reload
        expect(api_key.key).not_to eq(prev_value)
        expect(api_key.created_by.id).to eq(admin.id)
      end
    end
    describe '#revoke_key' do
      let(:api_key) { Fabricate(:api_key) }
      it "returns 404 when there is no key" do
        delete "/admin/api/key.json", params: { id: 1234 }
        expect(response.status).to eq(404)
      end
      it "delegates to the api key's `regenerate!` method" do
        delete "/admin/api/key.json", params: { id: api_key.id }
        expect(response.status).to eq(200)
        expect(ApiKey.where(key: api_key.key).count).to eq(0)
      end
    end
  end
  describe '#create_master_key' do
    it "creates a record" do
      sign_in(admin)
      expect do
        post "/admin/api/key.json"
      end.to change(ApiKey, :count).by(1)
      expect(response.status).to eq(200)
    end
    it "doesn't allow moderators to create master keys" do
      sign_in(Fabricate(:moderator))
      expect do
        post "/admin/api/key.json"
      end.to change(ApiKey, :count).by(0)
      expect(response.status).to eq(404)
    end
  end
 end