From fd7b5b6006e6528372e8d6fb0c888e21848b1acf Mon Sep 17 00:00:00 2001
From: Robin Houston
Date: Mon, 28 May 2012 15:22:46 +0100
Subject: API: test also for refusal conditions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The API must not allow people to update requests that they shouldn’t, i.e. only requests that were created by the same public body, using the API, can be added to using the API.
---
spec/controllers/api_controller_spec.rb | 39 +++++++++++++++++++++++++++++++++
1 file changed, 39 insertions(+)
(limited to 'spec/controllers/api_controller_spec.rb')
diff --git a/spec/controllers/api_controller_spec.rb b/spec/controllers/api_controller_spec.rb
index cf05a0525..b08b1f527 100644
--- a/spec/controllers/api_controller_spec.rb
+++ b/spec/controllers/api_controller_spec.rb
@@ -133,6 +133,45 @@ describe ApiController, "when using the API" do
 followup_message.body.should == followup_body.strip
 end
+ it "should not allow internal requests to be updated" do
+ n_incoming_messages = IncomingMessage.count
+ n_outgoing_messages = OutgoingMessage.count
+
+ expect {
+ post :add_correspondence,
+ :k => public_bodies(:geraldine_public_body).api_key,
+ :id => info_requests(:naughty_chicken_request).id,
+ :correspondence_json => {
+ "direction" => "request",
+ "sent_at" => Time.now.iso8601,
+ "body" => "xxx"
+ }.to_json
+ }.to raise_error ActiveRecord::RecordNotFound
+
+ IncomingMessage.count.should == n_incoming_messages
+ OutgoingMessage.count.should == n_outgoing_messages
+ end
+
+ it "should not allow other people’s requests to be updated" do
+ request_id = _create_request
+ n_incoming_messages = IncomingMessage.count
+ n_outgoing_messages = OutgoingMessage.count
+
+ expect {
+ post :add_correspondence,
+ :k => public_bodies(:humpadink_public_body).api_key,
+ :id => request_id,
+ :correspondence_json => {
+ "direction" => "request",
+ "sent_at" => Time.now.iso8601,
+ "body" => "xxx"
+ }.to_json
+ }.to raise_error ActiveRecord::RecordNotFound
+
+ IncomingMessage.count.should == n_incoming_messages
+ OutgoingMessage.count.should == n_outgoing_messages
+ end
+ + it "should allow attachments to be uploaded" do end -- cgit v1.2.3
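Review bot: Both refusal tests post only `"direction" => "request"`, so although the assertions check that neither `IncomingMessage.count` nor `OutgoingMessage.count` changed, the incoming-message (`"response"`) path of `add_correspondence` is never driven through the refusal; if the ownership check in the controller (not in this diff) sits on a direction-specific branch, a foreign `"response"` update would slip past these specs. Wrapping each example in `%w[request response].each do |direction|` and using `"direction" => direction` in the JSON would pin the refusal on both paths at no extra cost. The refusal is also asserted only as `raise_error ActiveRecord::RecordNotFound`, which presumably means the lookup is scoped to the key's public body rather than an explicit authorisation failure; a one-line comment above each `expect`, such as `# lookup is scoped to the caller's public body, so a foreign request must look like a missing one`, would make that intent explicit for whoever later turns the exception into a 403/404 response. The enclosing `describe` block and the `_create_request` helper both lie outside this hunk, so the second test's assumption that `_create_request` creates the request under geraldine's key cannot be verified here.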