author | Matthew Landauer <matthew@openaustralia.org> | 2013-01-15 17:04:06 +1100 |
---|---|---|
committer | Matthew Landauer <matthew@openaustralia.org> | 2013-01-15 17:04:06 +1100 |
commit | e6c80e93df44a436d9c94a9c076eb321df249b2a (patch) | |
tree | f2396181cfadeca370446f936f0bc4c1da3888dd /spec/controllers/api_controller_spec.rb | |
parent | b5f2bed1e406cd7fb6b50259a57be201c797db7d (diff) | |
parent | 843805e5d92eded943bd2a32b02ac967539245e8 (diff) |
Merge remote-tracking branch 'mysociety/develop' into rails_xss
Diffstat (limited to 'spec/controllers/api_controller_spec.rb')
-rw-r--r-- | spec/controllers/api_controller_spec.rb | 134 |
1 files changed, 73 insertions, 61 deletions
diff --git a/spec/controllers/api_controller_spec.rb b/spec/controllers/api_controller_spec.rb index 8d8a39950..1c320f85c 100644 --- a/spec/controllers/api_controller_spec.rb +++ b/spec/controllers/api_controller_spec.rb @@ -2,7 +2,7 @@ require File.expand_path(File.dirname(__FILE__) + '/../spec_helper') def normalise_whitespace(s) - s = s.gsub(/^\s+|\s+$/, "") + s = s.gsub(/\A\s+|\s+\Z/, "") s = s.gsub(/\s+/, " ") return s end @@ -14,23 +14,36 @@ Spec::Matchers.define :be_equal_modulo_whitespace_to do |expected| end describe ApiController, "when using the API" do - it "should check the API key" do - request_data = { + + describe 'checking API keys' do + before do + @number_of_requests = InfoRequest.count + @request_data = { "title" => "Tell me about your chickens", "body" => "Dear Sir,\n\nI should like to know about your chickens.\n\nYours in faith,\nBob\n", - + "external_url" => "http://www.example.gov.uk/foi/chickens_23", "external_user_name" => "Bob Smith", } - - number_of_requests = InfoRequest.count + end + + it 'should check that an API key is given as a param' do expect { - post :create_request, :k => "This is not really an API key", :request_json => request_data.to_json + post :create_request, :request_json => @request_data.to_json }.to raise_error ApplicationController::PermissionDenied - - InfoRequest.count.should == number_of_requests + InfoRequest.count.should == @number_of_requests + end + + it "should check the API key" do + expect { + post :create_request, + :k => "This is not really an API key", + :request_json => @request_data.to_json + }.to raise_error ApplicationController::PermissionDenied + InfoRequest.count.should == @number_of_requests + end end - + it "should create a new request from a POST" do number_of_requests = InfoRequest.count( :conditions => [ 
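Review bot: The new `normalise_whitespace` regex uses `\Z` in `\s+\Z`, which also matches just before a string-final newline; the greedy `\s+` makes that harmless here, but `\z` is the unambiguous end-of-string anchor and is the one to reach for when retiring `^`/`$` (which are line anchors in Ruby). The helper is also effectively `s.strip.gsub(/\s+/, " ")`, which makes the leading/trailing trim obvious without a second regex. A one-line comment such as `# \A/\z anchor the whole string; Ruby's ^/$ only anchor a line` would record why the anchors were changed.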
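Review bot: The new `checking API keys` examples cover a missing `k` and an obviously bogus key, but not an empty one: if the controller resolves the key with something like a `find_by_api_key(params[:k])` lookup, a public body whose `api_key` is blank or nil would be matched by `:k => ""`, a classic auth bypass that neither example would catch. Worth adding next to the bogus-key example: `it 'should reject an empty API key' do` / `expect { post :create_request, :k => "", :request_json => @request_data.to_json }.to raise_error ApplicationController::PermissionDenied` / `end`, keeping the same `InfoRequest.count.should == @number_of_requests` assertion. How the controller looks up `k` is not visible in this diff, so the exact failure mode is an assumption. The enclosing `describe ApiController` block continues past the end of the hunk.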
@@ -38,61 +51,61 @@ describe ApiController, "when using the API" do public_bodies(:geraldine_public_body).id ] ) - + request_data = { "title" => "Tell me about your chickens", "body" => "Dear Sir,\n\nI should like to know about your chickens.\n\nYours in faith,\nBob\n", - + "external_url" => "http://www.example.gov.uk/foi/chickens_23", "external_user_name" => "Bob Smith", } - + post :create_request, :k => public_bodies(:geraldine_public_body).api_key, :request_json => request_data.to_json response.should be_success response.content_type.should == "application/json" - + response_body = ActiveSupport::JSON.decode(response.body) response_body["errors"].should be_nil response_body["url"].should =~ /^http/ - + InfoRequest.count(:conditions => [ "public_body_id = ?", public_bodies(:geraldine_public_body).id] ).should == number_of_requests + 1 - + new_request = InfoRequest.find(response_body["id"]) new_request.user_id.should be_nil new_request.external_user_name.should == request_data["external_user_name"] new_request.external_url.should == request_data["external_url"] - + new_request.title.should == request_data["title"] new_request.last_event_forming_initial_request.outgoing_message.body.should == request_data["body"].strip - + new_request.public_body_id.should == public_bodies(:geraldine_public_body).id end - + def _create_request post :create_request, :k => public_bodies(:geraldine_public_body).api_key, :request_json => { "title" => "Tell me about your chickens", "body" => "Dear Sir,\n\nI should like to know about your chickens.\n\nYours in faith,\nBob\n", - + "external_url" => "http://www.example.gov.uk/foi/chickens_23", "external_user_name" => "Bob Smith", }.to_json response.content_type.should == "application/json" return ActiveSupport::JSON.decode(response.body)["id"] end - + it "should add a response to a request" do # First we need an external request request_id = info_requests(:external_request).id - + # Initially it has no incoming messages 
IncomingMessage.count(:conditions => ["info_request_id = ?", request_id]).should == 0 - + # Now add one sent_at = "2012-05-28T12:35:39+01:00" response_body = "Thank you for your request for information, which we are handling in accordance with the Freedom of Information Act 2000. You will receive a response within 20 working days or before the next full moon, whichever is sooner.\n\nYours sincerely,\nJohn Gandermulch,\nExample Council FOI Officer\n" @@ -104,13 +117,13 @@ describe ApiController, "when using the API" do "sent_at" => sent_at, "body" => response_body }.to_json - + # And make sure it worked response.should be_success incoming_messages = IncomingMessage.all(:conditions => ["info_request_id = ?", request_id]) incoming_messages.count.should == 1 incoming_message = incoming_messages[0] - + incoming_message.sent_at.should == Time.iso8601(sent_at) incoming_message.get_main_body_text_folded.should be_equal_modulo_whitespace_to(response_body) end @@ -118,10 +131,10 @@ describe ApiController, "when using the API" do it "should add a followup to a request" do # First we need an external request request_id = info_requests(:external_request).id - + # Initially it has one outgoing message OutgoingMessage.count(:conditions => ["info_request_id = ?", request_id]).should == 1 - + # Add another, as a followup sent_at = "2012-05-29T12:35:39+01:00" followup_body = "Pls answer ASAP.\nkthxbye\n" @@ -133,7 +146,7 @@ describe ApiController, "when using the API" do "sent_at" => sent_at, "body" => followup_body }.to_json - + # Make sure it worked response.should be_success followup_messages = OutgoingMessage.all( 
@@ -141,15 +154,15 @@ describe ApiController, "when using the API" do ) followup_messages.size.should == 1 followup_message = followup_messages[0] - + followup_message.last_sent_at.should == Time.iso8601(sent_at) followup_message.body.should == followup_body.strip end - + it "should not allow internal requests to be updated" do n_incoming_messages = IncomingMessage.count n_outgoing_messages = OutgoingMessage.count - + request_id = info_requests(:naughty_chicken_request).id post :add_correspondence, :k => public_bodies(:geraldine_public_body).api_key, @@ -159,20 +172,20 @@ describe ApiController, "when using the API" do "sent_at" => Time.now.iso8601, "body" => "xxx" }.to_json - + response.status.should == "500 Internal Server Error" ActiveSupport::JSON.decode(response.body)["errors"].should == [ "Request #{request_id} cannot be updated using the API"] - + IncomingMessage.count.should == n_incoming_messages OutgoingMessage.count.should == n_outgoing_messages end - + it "should not allow other people's requests to be updated" do request_id = _create_request n_incoming_messages = IncomingMessage.count n_outgoing_messages = OutgoingMessage.count - + post :add_correspondence, :k => public_bodies(:humpadink_public_body).api_key, :id => request_id, @@ -181,15 +194,15 @@ describe ApiController, "when using the API" do "sent_at" => Time.now.iso8601, "body" => "xxx" }.to_json - + response.status.should == "500 Internal Server Error" ActiveSupport::JSON.decode(response.body)["errors"].should == [ "You do not own request #{request_id}"] - + IncomingMessage.count.should == n_incoming_messages OutgoingMessage.count.should == n_outgoing_messages end - + it "should not allow files to be attached to a followup" do post :add_correspondence, :k => public_bodies(:geraldine_public_body).api_key, 
@@ -202,21 +215,21 @@ describe ApiController, "when using the API" do :attachments => [ fixture_file_upload("files/tfl.pdf") ] - - + + # Make sure it worked response.status.to_i.should == 500 errors = ActiveSupport::JSON.decode(response.body)["errors"] errors.should == ["You cannot attach files to messages in the 'request' direction"] end - + it "should allow files to be attached to a response" do # First we need an external request request_id = info_requests(:external_request).id - + # Initially it has no incoming messages IncomingMessage.count(:conditions => ["info_request_id = ?", request_id]).should == 0 - + # Now add one sent_at = "2012-05-28T12:35:39+01:00" response_body = "Thank you for your request for information, which we are handling in accordance with the Freedom of Information Act 2000. You will receive a response within 20 working days or before the next full moon, whichever is sooner.\n\nYours sincerely,\nJohn Gandermulch,\nExample Council FOI Officer\n" 
@@ -231,34 +244,33 @@ describe ApiController, "when using the API" do :attachments => [ fixture_file_upload("files/tfl.pdf") ] - + # And make sure it worked response.should be_success incoming_messages = IncomingMessage.all(:conditions => ["info_request_id = ?", request_id]) incoming_messages.count.should == 1 incoming_message = incoming_messages[0] - + incoming_message.sent_at.should == Time.iso8601(sent_at) incoming_message.get_main_body_text_folded.should be_equal_modulo_whitespace_to(response_body) - + # Get the attachment attachments = incoming_message.get_attachments_for_display attachments.size.should == 1 attachment = attachments[0] - attachment.filename.should == "tfl.pdf" - attachment.body.should == load_file_fixture("tfl.pdf") + attachment.body.should == load_file_fixture("tfl.pdf", as_binary=true) end - + it "should show information about a request" do info_request = info_requests(:naughty_chicken_request) get :show_request, :k => public_bodies(:geraldine_public_body).api_key, :id => info_request.id - + response.should be_success assigns[:request].id.should == info_request.id - + r = ActiveSupport::JSON.decode(response.body) r["title"].should == info_request.title # Let’s not test all the fields here, because it would @@ -266,13 +278,13 @@ describe ApiController, "when using the API" do # assigns them and changing assignment to an equality # check, which does not really test anything at all. end - + it "should show an Atom feed of new request events" do get :body_request_events, :id => public_bodies(:geraldine_public_body).id, :k => public_bodies(:geraldine_public_body).api_key, :feed_type => "atom" - + response.should be_success response.should render_template("api/request_events.atom") assigns[:events].size.should > 0 
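Review bot: `load_file_fixture("tfl.pdf", as_binary=true)` does not pass a keyword argument in Ruby — it assigns a throwaway local `as_binary` and passes `true` positionally, so the call reads as something it is not; `load_file_fixture("tfl.pdf", true)` with a short comment (or a real `as_binary: true` keyword if the helper accepts one) says what actually happens. Separately, dropping `attachment.filename.should == "tfl.pdf"` leaves the attached-file path with no check that the uploaded name survives the round trip; filename handling on uploads is exactly where normalisation and sanitisation bugs surface, so if the expected value changed it would be better to assert the new value than to assert nothing. The reason for the removal is not visible in this diff, and the example this hunk edits starts before the hunk.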
@@ -288,7 +300,7 @@ describe ApiController, "when using the API" do :id => public_bodies(:geraldine_public_body).id, :k => public_bodies(:geraldine_public_body).api_key, :feed_type => "json" - + response.should be_success assigns[:events].size.should > 0 assigns[:events].each do |event| @@ -296,13 +308,13 @@ describe ApiController, "when using the API" do event.outgoing_message.should_not be_nil event.event_type.should satisfy {|x| ['sent', 'followup_sent', 'resent', 'followup_resent'].include?(x)} end - + assigns[:event_data].size.should == assigns[:events].size assigns[:event_data].each do |event_record| event_record[:event_type].should satisfy {|x| ['sent', 'followup_sent', 'resent', 'followup_resent'].include?(x)} end end - + it "should honour the since_event_id parameter" do get :body_request_events, :id => public_bodies(:geraldine_public_body).id, @@ -311,7 +323,7 @@ describe ApiController, "when using the API" do response.should be_success first_event = assigns[:event_data][0] second_event_id = assigns[:event_data][1][:event_id] - + get :body_request_events, :id => public_bodies(:geraldine_public_body).id, :k => public_bodies(:geraldine_public_body).api_key, @@ -320,14 +332,14 @@ describe ApiController, "when using the API" do response.should be_success assigns[:event_data].should == [first_event] end - + it "should honour the since_date parameter for the Atom feed" do get :body_request_events, :id => public_bodies(:humpadink_public_body).id, :k => public_bodies(:humpadink_public_body).api_key, :since_date => "2010-01-01", :feed_type => "atom" - + response.should be_success response.should render_template("api/request_events.atom") assigns[:events].size.should > 0 @@ -335,7 +347,7 @@ describe ApiController, "when using the API" do event.created_at.should >= Date.new(2010, 1, 1) end end - + it "should return a JSON 404 error for non-existent requests" do request_id = 123459876 # Let's hope this doesn't exist! sent_at = "2012-05-28T12:35:39+01:00" 
@@ -351,7 +363,7 @@ describe ApiController, "when using the API" do response.status.should == "404 Not Found" ActiveSupport::JSON.decode(response.body)["errors"].should == ["Could not find request 123459876"] end - + it "should return a JSON 500 error if we try to add correspondence to a request we don't own" do request_id = info_requests(:naughty_chicken_request).id sent_at = "2012-05-28T12:35:39+01:00" |