authorRobin Houston <robin.houston@gmail.com>2012-05-28 15:22:46 +0100
committerRobin Houston <robin.houston@gmail.com>2012-06-06 19:34:58 +0100
commitfd7b5b6006e6528372e8d6fb0c888e21848b1acf (patch)
tree767d4a05f23d86d93713c0230aaa64733973950f
parent8e390112010abe9bb0a1831bae1ae66fcac17d7f (diff)
API: test also for refusal conditions
The API must not allow people to update requests that they shouldn’t, i.e. a public body may only add correspondence, via the API, to requests that were themselves created through the API by that same body.
-rw-r--r--spec/controllers/api_controller_spec.rb39
1 files changed, 39 insertions, 0 deletions
diff --git a/spec/controllers/api_controller_spec.rb b/spec/controllers/api_controller_spec.rb
index cf05a0525..b08b1f527 100644
--- a/spec/controllers/api_controller_spec.rb
+++ b/spec/controllers/api_controller_spec.rb
@@ -133,6 +133,45 @@ describe ApiController, "when using the API" do
followup_message.body.should == followup_body.strip
end
+ it "should not allow internal requests to be updated" do
+ n_incoming_messages = IncomingMessage.count
+ n_outgoing_messages = OutgoingMessage.count
+
+ expect {
+ post :add_correspondence,
+ :k => public_bodies(:geraldine_public_body).api_key,
+ :id => info_requests(:naughty_chicken_request).id,
+ :correspondence_json => {
+ "direction" => "request",
+ "sent_at" => Time.now.iso8601,
+ "body" => "xxx"
+ }.to_json
+ }.to raise_error ActiveRecord::RecordNotFound
+
+ IncomingMessage.count.should == n_incoming_messages
+ OutgoingMessage.count.should == n_outgoing_messages
+ end
+
+ it "should not allow other people’s requests to be updated" do
+ request_id = _create_request
+ n_incoming_messages = IncomingMessage.count
+ n_outgoing_messages = OutgoingMessage.count
+
+ expect {
+ post :add_correspondence,
+ :k => public_bodies(:humpadink_public_body).api_key,
+ :id => request_id,
+ :correspondence_json => {
+ "direction" => "request",
+ "sent_at" => Time.now.iso8601,
+ "body" => "xxx"
+ }.to_json
+ }.to raise_error ActiveRecord::RecordNotFound
+
+ IncomingMessage.count.should == n_incoming_messages
+ OutgoingMessage.count.should == n_outgoing_messages
+ end
+
it "should allow attachments to be uploaded" do
end
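Review bot: Both refusal tests only send `"direction" => "request"`, so if the controller branches on direction before doing the ownership lookup, a `"response"` path that skips the check would still pass this spec; wrapping each test body in `%w[request response].each do |direction|` and using `"direction" => direction` would pin the refusal for both branches at no extra cost. The second test also assumes `_create_request` uses the geraldine key (i.e. a different body from humpadink) — that helper is outside this hunk, so the assumption is worth a one-line comment such as `# request created with geraldine's key; humpadink must not be able to append to it`. There is no visible refusal test for a missing or unknown `:k` value; if an earlier test in this describe block already covers it, fine, otherwise it is the third refusal condition the commit message promises. The enclosing describe block starts before this hunk.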