authorSeb Bacon <seb.bacon@gmail.com>2011-07-27 15:27:22 +0100
committerSeb Bacon <seb.bacon@gmail.com>2011-07-27 15:28:58 +0100
commit44ffca31030651ca9d816cfd7d0784d0652c4ee5 (patch)
tree6fc1a8dd5ff33947584f0e32b6d676f14860e386 /spec/controllers/admin_public_body_controller_spec.rb
parentcace286e2d92ad50c4253c5765055e9da4da3871 (diff)
Don't treat CSRF tokens as optional session data for administrators (they're needed to allow them to edit anything! Fixes #95
(Also change wording of test names to match usual rspec convention)
Diffstat (limited to 'spec/controllers/admin_public_body_controller_spec.rb')
-rw-r--r--spec/controllers/admin_public_body_controller_spec.rb16
1 files changed, 12 insertions, 4 deletions
diff --git a/spec/controllers/admin_public_body_controller_spec.rb b/spec/controllers/admin_public_body_controller_spec.rb
index 3a768686d..6b88fe39d 100644
--- a/spec/controllers/admin_public_body_controller_spec.rb
+++ b/spec/controllers/admin_public_body_controller_spec.rb
@@ -42,21 +42,27 @@ describe AdminPublicBodyController, "when administering public bodies" do
pb.name.should == "Renamed"
end
- it "destroy a public body" do
+ it "destroys a public body" do
PublicBody.count.should == 2
post :destroy, { :id => 3 }
PublicBody.count.should == 1
end
- it "don't allow non-authenticated users to do anything" do
+ it "sets a using_admin flag" do
+ get :show, :id => 2
+ session[:using_admin].should == 1
+ end
+
+ it "disallows non-authenticated users to do anything" do
@request.env["HTTP_AUTHORIZATION"] = ""
PublicBody.count.should == 2
post :destroy, { :id => 3 }
response.code.should == "401"
PublicBody.count.should == 2
+ session[:using_admin].should == nil
end
- it "when no username/password set, skip admin authorisation" do
+ it "skips admin authorisation when no username/password set" do
config = MySociety::Config.load_default()
config['ADMIN_USERNAME'] = ''
config['ADMIN_PASSWORD'] = ''
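Review bot: The negative example `it "disallows non-authenticated users to do anything"` only exercises an empty `HTTP_AUTHORIZATION` header, so the spec never shows that a present-but-wrong username/password pair also gets a 401 and leaves `session[:using_admin]` unset; a sibling example that sets `@request.env["HTTP_AUTHORIZATION"]` to credentials for an incorrect password and repeats the same assertions would cover the case the new `using_admin` flag most needs. The new example `it "sets a using_admin flag"` passes its params bare (`get :show, :id => 2`) while the neighbouring examples wrap them (`post :destroy, { :id => 3 }`); pick one form for the file. The added `session[:using_admin].should == nil` reads more idiomatically as `session[:using_admin].should be_nil`. The enclosing `describe` block begins before this hunk.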
@@ -64,8 +70,9 @@ describe AdminPublicBodyController, "when administering public bodies" do
PublicBody.count.should == 2
post :destroy, { :id => 3 }
PublicBody.count.should == 1
+ session[:using_admin].should == 1
end
- it "when no username set, skip admin authorisation" do
+ it "skips admin authorisation when no username set" do
config = MySociety::Config.load_default()
config['ADMIN_USERNAME'] = ''
config['ADMIN_PASSWORD'] = 'fuz'
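Review bot: The example `it "skips admin authorisation when no username set"` mutates the object returned by `MySociety::Config.load_default()` in place (`config['ADMIN_USERNAME'] = ''`, `config['ADMIN_PASSWORD'] = 'fuz'`), and the same pattern appears in the example above it and in the next hunk; unless those values are restored after each example (the following lines are outside the hunk, so a reset may already exist), the blank username would leak into later examples and the 401 expectation in the first hunk could depend on run order. If there is no reset, a small helper such as `with_admin_config(username: '', password: 'fuz') { ... }` that reinstates the original values in an `ensure` would keep the examples independent. The body of this `it` continues past the end of the hunk, and the `it` at the top of the hunk starts before it.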
@@ -73,6 +80,7 @@ describe AdminPublicBodyController, "when administering public bodies" do
PublicBody.count.should == 2
post :destroy, { :id => 3 }
PublicBody.count.should == 1
+ session[:using_admin].should == 1
end