diff options
| author | Louise Crow <louise.crow@gmail.com> | 2013-08-22 15:23:46 +0100 |
|---|---|---|
| committer | Louise Crow <louise.crow@gmail.com> | 2013-09-16 12:42:19 +0100 |
| commit | fd0c811cc4e01435ca89a419a521f6ac31a858b1 (patch) | |
| tree | 477952cff8d4aec4e7ae8ca67d91f5ae0f64aeac /spec/integration/download_request_spec.rb | |
| parent | c954d92fe4f558a5f4375016ee6cf517d3ec5ddd (diff) | |
Restore the download for hidden requests
This was disabled for hidden requests as the download was by redirect,
allowing people who have not been authenticated to conceivably access
the download. We'll be moving to send_file instead, so can restore it.
Diffstat (limited to 'spec/integration/download_request_spec.rb')
| -rw-r--r-- | spec/integration/download_request_spec.rb | 55 |
1 files changed, 54 insertions, 1 deletions
diff --git a/spec/integration/download_request_spec.rb b/spec/integration/download_request_spec.rb index 8af1c9ff1..dd492e42a 100644 --- a/spec/integration/download_request_spec.rb +++ b/spec/integration/download_request_spec.rb @@ -56,7 +56,60 @@ describe 'when making a zipfile available' do end end + context 'when a request is "requester_only"' do + + before do + @non_owner = login(FactoryGirl.create(:user)) + @info_request = FactoryGirl.create(:info_request_with_incoming, + :prominence => 'requester_only') + @request_owner = login(@info_request.user) + @admin = login(FactoryGirl.create(:admin_user)) + end + + + it 'should allow a download of the request by the request owner and admin only' do + # Requester can access the zip + inspect_zip_download(@request_owner, @info_request) do |zip| + zip.count.should == 1 + zip.read('correspondence.txt').should match('hereisthetext') + end + # Non-owner can't + @non_owner.get_via_redirect "request/#{@info_request.url_title}/download" + @non_owner.response.code.should == '410' + # Admin can + inspect_zip_download(@admin, @info_request) do |zip| + zip.count.should == 1 + zip.read('correspondence.txt').should match('hereisthetext') + end + end + end + + context 'when a request is made "hidden"' do + + it 'should not allow a download of the request by an admin only' do + @non_owner = login(FactoryGirl.create(:user)) + @info_request = FactoryGirl.create(:info_request_with_incoming, + :prominence => 'hidden') + @request_owner = login(@info_request.user) + @admin = login(FactoryGirl.create(:admin_user)) + + # Requester can't access the zip + @request_owner.get_via_redirect "request/#{@info_request.url_title}/download" + @request_owner.response.code.should == '410' + # Non-owner can't + @non_owner.get_via_redirect "request/#{@info_request.url_title}/download" + @non_owner.response.code.should == '410' + # Admin can + inspect_zip_download(@admin, @info_request) do |zip| + zip.count.should == 1 + zip.read('correspondence.txt').should match('hereisthetext') + end + end + + end + context 'when an incoming message is made "requester_only"' do + it 'should not include the incoming message or attachments in a download of the entire request by a non-request owner' do @@ -90,7 +143,7 @@ describe 'when making a zipfile available' do end - it 'should successfully make a zipfile for an external request', :focus => true do + it 'should successfully make a zipfile for an external request' do external_request = FactoryGirl.create(:external_request) user = login(FactoryGirl.create(:user)) inspect_zip_download(user, external_request){ |zip| zip.count.should == 1 } |