diff options
| -rw-r--r-- | app/controllers/api_controller.rb | 72 | ||||
| -rw-r--r-- | spec/controllers/api_controller_spec.rb | 25 |
2 files changed, 55 insertions, 42 deletions
diff --git a/app/controllers/api_controller.rb b/app/controllers/api_controller.rb index aa5e85db3..15fb4f5f9 100644 --- a/app/controllers/api_controller.rb +++ b/app/controllers/api_controller.rb @@ -1,30 +1,30 @@ class ApiController < ApplicationController before_filter :check_api_key - + def show_request @request = InfoRequest.find(params[:id]) raise PermissionDenied if @request.public_body_id != @public_body.id - + @request_data = { :id => @request.id, :url => make_url("request", @request.url_title), :title => @request.title, - + :created_at => @request.created_at, :updated_at => @request.updated_at, - + :status => @request.calculate_status, - + :public_body_url => make_url("body", @request.public_body.url_name), :requestor_url => make_url("user", @request.user.url_name), :request_email => @request.incoming_email, - + :request_text => @request.last_event_forming_initial_request.outgoing_message.body, } - + render :json => @request_data end - + def create_request json = ActiveSupport::JSON.decode(params[:request_json]) request = InfoRequest.new( @@ -34,7 +34,7 @@ class ApiController < ApplicationController :external_user_name => json["external_user_name"], :external_url => json["external_url"] ) - + outgoing_message = OutgoingMessage.new( :status => 'ready', :message_type => 'initial_request', @@ -44,7 +44,7 @@ class ApiController < ApplicationController :info_request => request ) request.outgoing_messages << outgoing_message - + # Return an error if the request is invalid # (Can this ever happen?) if !request.valid? @@ -53,7 +53,7 @@ class ApiController < ApplicationController } return end - + # Save the request, and add the corresponding InfoRequestEvent request.save! request.log_event("sent", @@ -62,69 +62,69 @@ class ApiController < ApplicationController :outgoing_message_id => outgoing_message.id, :smtp_message_id => nil ) - + # Return the URL and ID number. render :json => { 'url' => make_url("request", request.url_title), 'id' => request.id } - + end - + def add_correspondence request = InfoRequest.find_by_id(params[:id]) if request.nil? render :json => { "errors" => ["Could not find request #{params[:id]}"] }, :status => 404 return end - + json = ActiveSupport::JSON.decode(params[:correspondence_json]) attachments = params[:attachments] - + direction = json["direction"] body = json["body"] sent_at_str = json["sent_at"] - + errors = [] - + if !request.is_external? render :json => { "errors" => ["Request #{params[:id]} cannot be updated using the API"] }, :status => 500 return end - + if request.public_body_id != @public_body.id render :json => { "errors" => ["You do not own request #{params[:id]}"] }, :status => 500 return end - + if !["request", "response"].include?(direction) errors << "The direction parameter must be 'request' or 'response'" end - + if body.nil? errors << "The 'body' is missing" elsif body.empty? errors << "The 'body' is empty" end - + begin sent_at = Time.iso8601(sent_at_str) rescue ArgumentError errors << "Failed to parse 'sent_at' field as ISO8601 time: #{sent_at_str}" end - + if direction == "request" && !attachments.nil? errors << "You cannot attach files to messages in the 'request' direction" end - + if !errors.empty? render :json => { "errors" => errors }, :status => 500 return end - + if direction == "request" # In the 'request' direction, i.e. what we (Alaveteli) regard as outgoing - + outgoing_message = OutgoingMessage.new( :info_request => request, :status => 'ready', @@ -154,19 +154,19 @@ class ApiController < ApplicationController :filename => filename ) end - + mail = RequestMailer.create_external_response(request, body, sent_at, attachment_hashes) request.receive(mail, mail.encoded, true) end render :json => { 'url' => make_url("request", request.url_title), - } + } end - + def body_request_events feed_type = params[:feed_type] raise PermissionDenied.new("#{@public_body.id} != #{params[:id]}") if @public_body.id != params[:id].to_i - + since_date_str = params[:since_date] if since_date_str.nil? @events = InfoRequestEvent.find_by_sql([ @@ -213,7 +213,7 @@ class ApiController < ApplicationController @event_data = [] @events.each do |event| break if event.id == @since_event_id - + request = event.info_request this_event = { :request_id => request.id, @@ -224,13 +224,13 @@ class ApiController < ApplicationController :request_email => request.incoming_email, :title => request.title, :body => event.outgoing_message.body, - + :user_name => request.user_name, } if request.user this_event[:user_url] = main_url(user_url(request.user)) end - + @event_data.push(this_event) end render :json => @event_data @@ -238,14 +238,14 @@ class ApiController < ApplicationController raise ActiveRecord::RecordNotFound.new("Unrecognised feed type: #{feed_type}") end end - + protected def check_api_key - raise "Missing required parameter 'k'" if params[:k].nil? + raise PermissionDenied.new("Missing required parameter 'k'") if params[:k].nil? @public_body = PublicBody.find_by_api_key(params[:k].gsub(' ', '+')) raise PermissionDenied if @public_body.nil? end - + private def make_url(*args) "http://" + Configuration::domain + "/" + args.join("/") diff --git a/spec/controllers/api_controller_spec.rb b/spec/controllers/api_controller_spec.rb index 85cb8bb29..5e148a9f5 100644 --- a/spec/controllers/api_controller_spec.rb +++ b/spec/controllers/api_controller_spec.rb @@ -14,21 +14,34 @@ Spec::Matchers.define :be_equal_modulo_whitespace_to do |expected| end describe ApiController, "when using the API" do - it "should check the API key" do - request_data = { + + describe 'checking API keys' do + before do + @number_of_requests = InfoRequest.count + @request_data = { "title" => "Tell me about your chickens", "body" => "Dear Sir,\n\nI should like to know about your chickens.\n\nYours in faith,\nBob\n", "external_url" => "http://www.example.gov.uk/foi/chickens_23", "external_user_name" => "Bob Smith", } + end - number_of_requests = InfoRequest.count + it 'should check that an API key is given as a param' do expect { - post :create_request, :k => "This is not really an API key", :request_json => request_data.to_json + post :create_request, :request_json => @request_data.to_json }.to raise_error ApplicationController::PermissionDenied - - InfoRequest.count.should == number_of_requests + InfoRequest.count.should == @number_of_requests + end + + it "should check the API key" do + expect { + post :create_request, + :k => "This is not really an API key", + :request_json => @request_data.to_json + }.to raise_error ApplicationController::PermissionDenied + InfoRequest.count.should == @number_of_requests + end end it "should create a new request from a POST" do |