discourse/plugins/chat/spec/integration/custom_api_key_scopes_spec.rb

93 lines
2.7 KiB
Ruby

# frozen_string_literal: true
describe "API keys scoped to chat#create_message" do
before do
SiteSetting.chat_enabled = true
SiteSetting.chat_allowed_groups = Group::AUTO_GROUPS[:everyone]
end
fab!(:admin)
fab!(:chat_channel) { Fabricate(:category_channel) }
fab!(:chat_channel_2) { Fabricate(:category_channel) }
let(:chat_api_key) do
key = ApiKey.create!
ApiKeyScope.create!(resource: "chat", action: "create_message", api_key_id: key.id)
key
end
let(:chat_channel_2_api_key) do
key = ApiKey.create!
ApiKeyScope.create!(
resource: "chat",
action: "create_message",
api_key_id: key.id,
allowed_parameters: {
"chat_channel_id" => [chat_channel_2.id.to_s],
},
)
key
end
it "cannot hit any other endpoints" do
get "/admin/users/list/active.json",
headers: {
"Api-Key" => chat_api_key.key,
"Api-Username" => admin.username,
}
expect(response.status).to eq(404)
get "/latest.json", headers: { "Api-Key" => chat_api_key.key, "Api-Username" => admin.username }
expect(response.status).to eq(403)
end
it "can create chat messages" do
Chat::UserChatChannelMembership.create(user: admin, chat_channel: chat_channel, following: true)
expect {
post "/chat/#{chat_channel.id}.json",
headers: {
"Api-Key" => chat_api_key.key,
"Api-Username" => admin.username,
},
params: {
message: "asdfasdf asdfasdf",
}
}.to change { Chat::Message.where(chat_channel: chat_channel).count }.by(1)
expect(response.status).to eq(200)
end
it "cannot post in a channel it is not scoped for" do
Chat::UserChatChannelMembership.create(user: admin, chat_channel: chat_channel, following: true)
expect {
post "/chat/#{chat_channel.id}.json",
headers: {
"Api-Key" => chat_channel_2_api_key.key,
"Api-Username" => admin.username,
},
params: {
message: "asdfasdf asdfasdf",
}
}.not_to change { Chat::Message.where(chat_channel: chat_channel).count }
expect(response.status).to eq(403)
end
it "can only post in scoped channels" do
Chat::UserChatChannelMembership.create(
user: admin,
chat_channel: chat_channel_2,
following: true,
)
expect {
post "/chat/#{chat_channel_2.id}.json",
headers: {
"Api-Key" => chat_channel_2_api_key.key,
"Api-Username" => admin.username,
},
params: {
message: "asdfasdf asdfasdf",
}
}.to change { Chat::Message.where(chat_channel: chat_channel_2).count }.by(1)
expect(response.status).to eq(200)
end
end