Diffstat (limited to 'spec/controllers/admin_public_body_controller_spec.rb')
-rw-r--r--spec/controllers/admin_public_body_controller_spec.rb41
1 files changed, 27 insertions, 14 deletions
diff --git a/spec/controllers/admin_public_body_controller_spec.rb b/spec/controllers/admin_public_body_controller_spec.rb
index 1e82a0ba4..2fa893a93 100644
--- a/spec/controllers/admin_public_body_controller_spec.rb
+++ b/spec/controllers/admin_public_body_controller_spec.rb
@@ -84,15 +84,14 @@ describe AdminPublicBodyController, "when administering public bodies and paying
@request.env["HTTP_AUTHORIZATION"] = ""
n = PublicBody.count
post :destroy, { :id => 3 }
- response.code.should == "401"
+ response.should redirect_to(:controller=>'user', :action=>'signin', :token=>PostRedirect.get_last_post_redirect.token)
PublicBody.count.should == n
session[:using_admin].should == nil
end
- it "skips admin authorisation when no username/password set" do
+ it "skips admin authorisation when SKIP_ADMIN_AUTH set" do
config = MySociety::Config.load_default()
- config['ADMIN_USERNAME'] = ''
- config['ADMIN_PASSWORD'] = ''
+ config['SKIP_ADMIN_AUTH'] = true
@request.env["HTTP_AUTHORIZATION"] = ""
n = PublicBody.count
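Review bot: The `config['SKIP_ADMIN_AUTH'] = true` assignment in the "skips admin authorisation when SKIP_ADMIN_AUTH set" example is not undone anywhere in the visible lines. The example only works if the controller reads the same hash that `MySociety::Config.load_default()` returns, so the bypass flag appears to stay on for whichever example runs next, unless a `before` block outside the hunk resets it. The later "allows superusers to do stuff" example sets no config at all, so under a different run order it could pass because authorisation was skipped rather than because of the admin session. Reset the flag after each example, e.g. `after(:each) { MySociety::Config.load_default()['SKIP_ADMIN_AUTH'] = false }`, or set it explicitly at the top of every example. The body of this example continues outside the hunk.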
@@ -101,30 +100,44 @@ describe AdminPublicBodyController, "when administering public bodies and paying
session[:using_admin].should == 1
end
- it "skips admin authorisation when no username set" do
+ it "doesn't let people with bad credentials log in" do
config = MySociety::Config.load_default()
- config['ADMIN_USERNAME'] = ''
+ config['SKIP_ADMIN_AUTH'] = false
+ config['ADMIN_USERNAME'] = 'biz'
config['ADMIN_PASSWORD'] = 'fuz'
@request.env["HTTP_AUTHORIZATION"] = ""
-
n = PublicBody.count
+ basic_auth_login(@request, "baduser", "badpassword")
post :destroy, { :id => public_bodies(:forlorn_public_body).id }
- PublicBody.count.should == n - 1
- session[:using_admin].should == 1
+ response.should redirect_to(:controller=>'user', :action=>'signin', :token=>PostRedirect.get_last_post_redirect.token)
+ PublicBody.count.should == n
+ session[:using_admin].should == nil
end
- it "forces authorisation when password and username set" do
+
+ it "allows people with good credentials log in using HTTP Basic Auth" do
config = MySociety::Config.load_default()
+ config['SKIP_ADMIN_AUTH'] = false
config['ADMIN_USERNAME'] = 'biz'
config['ADMIN_PASSWORD'] = 'fuz'
@request.env["HTTP_AUTHORIZATION"] = ""
n = PublicBody.count
- basic_auth_login(@request, "baduser", "badpassword")
+ basic_auth_login(@request, "biz", "fuz")
+ post :show, { :id => public_bodies(:humpadink_public_body).id, :emergency => 1}
+ session[:using_admin].should == 1
+ n = PublicBody.count
post :destroy, { :id => public_bodies(:forlorn_public_body).id }
- response.code.should == "401"
- PublicBody.count.should == n
- session[:using_admin].should == nil
+ session[:using_admin].should == 1
+ PublicBody.count.should == n - 1
end
+ it "allows superusers to do stuff" do
+ session[:user_id] = users(:admin_user).id
+ @request.env["HTTP_AUTHORIZATION"] = ""
+ n = PublicBody.count
+ post :destroy, { :id => public_bodies(:forlorn_public_body).id }
+ PublicBody.count.should == n - 1
+ session[:using_admin].should == 1
+ end
end
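Review bot: The "doesn't let people with bad credentials log in" example posts `:destroy` without `:emergency => 1`, whereas the good-credentials example first establishes its admin session with `post :show, {..., :emergency => 1}`. If that parameter is what switches on the HTTP Basic Auth path, the negative example is redirected to signin before `baduser`/`badpassword` is ever compared, and it would still pass if the credential check accepted anything. Send the bad credentials down the same path, e.g. `post :destroy, { :id => public_bodies(:forlorn_public_body).id, :emergency => 1 }`, and keep the three existing assertions. A further example for a signed-in user who is not a superuser (`session[:user_id]` set to an ordinary user fixture), asserting the redirect and an unchanged `PublicBody.count`, would pin the other side of the new superuser rule.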