From ac803d5f2623f4978688199c478ecaa55fea514d Mon Sep 17 00:00:00 2001 From: Louise Crow Date: Tue, 13 Aug 2013 15:47:55 +0100 Subject: Clarify specs. They refer to the case where the request itself is hidden. --- spec/controllers/request_controller_spec.rb | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'spec/controllers/request_controller_spec.rb') diff --git a/spec/controllers/request_controller_spec.rb b/spec/controllers/request_controller_spec.rb index 2c605a139..959050eb9 100644 --- a/spec/controllers/request_controller_spec.rb +++ b/spec/controllers/request_controller_spec.rb @@ -905,7 +905,7 @@ describe RequestController, "when changing prominence of a request" do get :show, :url_title => 'why_do_you_have_such_a_fancy_dog' end - it "should not download attachments if hidden" do + it "should not download attachments if the request is hidden" do ir = info_requests(:fancy_dog_request) ir.prominence = 'hidden' ir.save! @@ -928,8 +928,8 @@ describe RequestController, "when changing prominence of a request" do response.code.should == '410' end - it 'should not generate an HTML version of an attachment whose prominence is hidden/requester - only even for the requester or an admin but should return a 404' do + it 'should not generate an HTML version of an attachment for a request whose prominence + is hidden/requester_only even for the requester or an admin but should return a 404' do ir = info_requests(:fancy_dog_request) ir.prominence = 'hidden' ir.save! 
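Review bot: The reworded description in the `@@ -928,8 +928,8` hunk still promises more than the visible setup covers: it names hidden/requester_only and "the requester or an admin", while the only state set in the hunk is `ir.prominence = 'hidden'`. The `@@ -943,8 +943,8` hunk gives a second spec the same description (differing only in `requester_only` vs `requester only`) with the same visible setup, so the two read as duplicates rather than one spec per prominence level. Either narrow both descriptions to what is exercised, or have the second spec set `ir.prominence = 'requester_only'` so the access rule for that level is actually pinned. Both spec bodies continue outside their hunks, so this should be confirmed against the full file.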
@@ -943,8 +943,8 @@ describe RequestController, "when changing prominence of a request" do end.should raise_error(ActiveRecord::RecordNotFound) end - it 'should not generate an HTML version of an attachment whose prominence is hidden/requester - only even for the requester or an admin but should return a 404' do + it 'should not generate an HTML version of an attachment for a request whose prominence + is hidden/requester only even for the requester or an admin but should return a 404' do ir = info_requests(:fancy_dog_request) ir.prominence = 'hidden' ir.save! -- cgit v1.2.3 From bce687aaa3451460af30ec34f612cfbbb7492b85 Mon Sep 17 00:00:00 2001 From: Louise Crow Date: Tue, 13 Aug 2013 18:38:06 +0100 Subject: Refactor prominence specs to use factories not fixtures. --- spec/controllers/request_controller_spec.rb | 190 +++++++++++----------------- 1 file changed, 74 insertions(+), 116 deletions(-) (limited to 'spec/controllers/request_controller_spec.rb') diff --git a/spec/controllers/request_controller_spec.rb b/spec/controllers/request_controller_spec.rb index 959050eb9..8631b51cf 100644 --- a/spec/controllers/request_controller_spec.rb +++ b/spec/controllers/request_controller_spec.rb 
@@ -824,138 +824,96 @@ describe RequestController, "when showing one request" do end end -describe RequestController, "when changing prominence of a request" do - before(:each) do - load_raw_emails_data - end +describe RequestController, "when handling prominence" do - it "should not show hidden requests" do - ir = info_requests(:fancy_dog_request) - ir.prominence = 'hidden' - ir.save! - - get :show, :url_title => 'why_do_you_have_such_a_fancy_dog' - response.should render_template('hidden') - end + context 'when the request is hidden' do - it "should not show hidden requests even if logged in as their owner" do - ir = info_requests(:fancy_dog_request) - ir.prominence = 'hidden' - ir.save! + before(:each) do + @info_request = FactoryGirl.create(:info_request_with_attachments, + prominence: 'hidden') + end - session[:user_id] = ir.user.id # bob_smith_user - get :show, :url_title => 'why_do_you_have_such_a_fancy_dog' - response.should render_template('hidden') - end + it "should not show request if you're not logged in" do + get :show, :url_title => @info_request.url_title + response.should render_template('hidden') + end - it 'should not show hidden requests if requested using json' do - ir = info_requests(:fancy_dog_request) - ir.prominence = 'hidden' - ir.save! 
+ it "should not show request even if logged in as their owner" do + session[:user_id] = @info_request.user.id + get :show, :url_title => @info_request.url_title + response.should render_template('hidden') + end - session[:user_id] = ir.user.id # bob_smith_user - get :show, :url_title => 'why_do_you_have_such_a_fancy_dog', :format => 'json' - response.code.should == '410' - end + it 'should not show request if requested using json' do + session[:user_id] = @info_request.user.id + get :show, :url_title => @info_request.url_title, :format => 'json' + response.code.should == '410' + end - it "should show hidden requests if logged in as super user" do - ir = info_requests(:fancy_dog_request) - ir.prominence = 'hidden' - ir.save! + it "should show request if logged in as super user" do + session[:user_id] = FactoryGirl.create(:admin_user) + get :show, :url_title => @info_request.url_title + response.should render_template('show') + end - session[:user_id] = users(:admin_user) - get :show, :url_title => 'why_do_you_have_such_a_fancy_dog' - response.should render_template('show') - end + it "should not download attachments" do + incoming_message = @info_request.incoming_messages.first + get :get_attachment, :incoming_message_id => incoming_message.id, + :id => @info_request.id, + :part => 2, + :file_name => 'interesting.pdf', + :skip_cache => 1 + response.content_type.should == "text/html" + response.should_not contain "thisisthebody" + response.should render_template('request/hidden') + response.code.should == '410' + end - it "should not show requester_only requests if you're not logged in" do - ir = info_requests(:fancy_dog_request) - ir.prominence = 'requester_only' - ir.save! 
+ it 'should not generate an HTML version of an attachment for a request whose prominence + is hidden even for an admin but should return a 404' do + session[:user_id] = FactoryGirl.create(:admin_user) + incoming_message = @info_request.incoming_messages.first + lambda do + get :get_attachment_as_html, :incoming_message_id => incoming_message.id, + :id => @info_request.id, + :part => 2, + :file_name => 'interesting.pdf' + end.should raise_error(ActiveRecord::RecordNotFound) + end - get :show, :url_title => 'why_do_you_have_such_a_fancy_dog' - response.should render_template('hidden') end - it "should show requester_only requests to requester and admin if logged in" do - ir = info_requests(:fancy_dog_request) - ir.prominence = 'requester_only' - ir.save! + context 'when the request is requester_only' do - session[:user_id] = users(:silly_name_user).id - get :show, :url_title => 'why_do_you_have_such_a_fancy_dog' - response.should render_template('hidden') + before(:each) do + @info_request = FactoryGirl.create(:info_request_with_attachments, + prominence: 'requester_only') + end - session[:user_id] = ir.user.id # bob_smith_user - get :show, :url_title => 'why_do_you_have_such_a_fancy_dog' - response.should render_template('show') + it "should not show request if you're not logged in" do + get :show, :url_title => @info_request.url_title + response.should render_template('hidden') + end - session[:user_id] = users(:admin_user).id - get :show, :url_title => 'why_do_you_have_such_a_fancy_dog' - response.should render_template('show') - end + it "should show request to requester and admin if logged in" do + session[:user_id] = FactoryGirl.create(:user).id + get :show, :url_title => @info_request.url_title + response.should render_template('hidden') - it 'should not cache an attachment on a request whose prominence is requester_only when showing - the request to the requester or admin' do - ir = info_requests(:fancy_dog_request) - ir.prominence = 'requester_only' - 
ir.save! - session[:user_id] = ir.user.id # bob_smith_user - @controller.should_not_receive(:foi_fragment_cache_write) - get :show, :url_title => 'why_do_you_have_such_a_fancy_dog' - end + session[:user_id] = @info_request.user.id + get :show, :url_title => @info_request.url_title + response.should render_template('show') - it "should not download attachments if the request is hidden" do - ir = info_requests(:fancy_dog_request) - ir.prominence = 'hidden' - ir.save! - receive_incoming_mail('incoming-request-two-same-name.email', ir.incoming_email) - - get :get_attachment, :incoming_message_id => ir.incoming_messages[1].id, - :id => ir.id, - :part => 2, - :skip_cache => 1 - response.content_type.should == "text/html" - response.should_not contain "Second hello" - response.should render_template('request/hidden') - get :get_attachment, :incoming_message_id => ir.incoming_messages[1].id, - :id => ir.id, - :part => 3, - :skip_cache => 1 - response.content_type.should == "text/html" - response.should_not contain "First hello" - response.should render_template('request/hidden') - response.code.should == '410' - end - - it 'should not generate an HTML version of an attachment for a request whose prominence - is hidden/requester_only even for the requester or an admin but should return a 404' do - ir = info_requests(:fancy_dog_request) - ir.prominence = 'hidden' - ir.save! - receive_incoming_mail('incoming-request-two-same-name.email', ir.incoming_email) - session[:user_id] = users(:admin_user).id - lambda do - get :get_attachment_as_html, :incoming_message_id => ir.incoming_messages[1].id, - :id => ir.id, - :part => 2, - :file_name => 'hello world.txt' - end.should raise_error(ActiveRecord::RecordNotFound) - end - - it 'should not generate an HTML version of an attachment for a request whose prominence - is hidden/requester only even for the requester or an admin but should return a 404' do - ir = info_requests(:fancy_dog_request) - ir.prominence = 'hidden' - ir.save! 
- receive_incoming_mail('incoming-request-two-same-name.email', ir.incoming_email) - session[:user_id] = users(:admin_user).id - lambda do - get :get_attachment_as_html, :incoming_message_id => ir.incoming_messages[1].id, - :id => ir.id, - :part => 2, - :file_name => 'hello world.txt' - end.should raise_error(ActiveRecord::RecordNotFound) + session[:user_id] = FactoryGirl.create(:admin_user).id + get :show, :url_title => @info_request.url_title + response.should render_template('show') + end + + it 'should not cache an attachment when showing the request to the requester or admin' do + session[:user_id] = @info_request.user.id + @controller.should_not_receive(:foi_fragment_cache_write) + get :show, :url_title => @info_request.url_title + end end end -- cgit v1.2.3 From 5f256f104f98ac0aba1234d0dadac4a1f9602e11 Mon Sep 17 00:00:00 2001 From: Louise Crow Date: Wed, 14 Aug 2013 11:28:53 +0100 Subject: Refactor expectation into a method Remove expectation of pdf contents - we're looking at the raw file. --- spec/controllers/request_controller_spec.rb | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) (limited to 'spec/controllers/request_controller_spec.rb') diff --git a/spec/controllers/request_controller_spec.rb b/spec/controllers/request_controller_spec.rb index 8631b51cf..32d79ab5a 100644 --- a/spec/controllers/request_controller_spec.rb +++ b/spec/controllers/request_controller_spec.rb @@ -826,6 +826,12 @@ end describe RequestController, "when handling prominence" do + def expect_hidden_attachment(hidden_template) + response.content_type.should == "text/html" + response.should render_template(hidden_template) + response.code.should == '410' + end + context 'when the request is hidden' do before(:each) do 
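Review bot: In the `@@ -824,138 +824,96` hunk, two specs in the new 'when the request is hidden' context assign the factory object itself to the session (`session[:user_id] = FactoryGirl.create(:admin_user)`), while the requester_only context in the same hunk uses `.id`. This matters most for the `get_attachment_as_html` spec: it only expects `ActiveRecord::RecordNotFound`, which would also be raised if the admin login never took effect, so the spec does not by itself show that an authenticated admin is refused. The fixture-based version it replaces used `users(:admin_user).id`; I would write `session[:user_id] = FactoryGirl.create(:admin_user).id` in both places. The same missing `.id` appears in the last spec of the requester_only incoming-message context added by the later `@@ -918,6 +918,109` hunk.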
@@ -863,10 +869,7 @@ describe RequestController, "when handling prominence" do :part => 2, :file_name => 'interesting.pdf', :skip_cache => 1 - response.content_type.should == "text/html" - response.should_not contain "thisisthebody" - response.should render_template('request/hidden') - response.code.should == '410' + expect_hidden_attachment('request/hidden') end it 'should not generate an HTML version of an attachment for a request whose prominence @@ -886,8 +889,7 @@ describe RequestController, "when handling prominence" do context 'when the request is requester_only' do before(:each) do - @info_request = FactoryGirl.create(:info_request_with_attachments, - prominence: 'requester_only') + @info_request = FactoryGirl.create(:info_request_with_attachments, prominence: 'requester_only') end it "should not show request if you're not logged in" do -- cgit v1.2.3 From 0bb0c97831d22a8ad29fd4c4a9217327c77dfcfd Mon Sep 17 00:00:00 2001 From: Louise Crow Date: Wed, 14 Aug 2013 11:29:55 +0100 Subject: Add new code and specs for hiding attachments. --- spec/controllers/request_controller_spec.rb | 107 +++++++++++++++++++++++++++- 1 file changed, 106 insertions(+), 1 deletion(-) (limited to 'spec/controllers/request_controller_spec.rb') diff --git a/spec/controllers/request_controller_spec.rb b/spec/controllers/request_controller_spec.rb index 32d79ab5a..26a5de29c 100644 --- a/spec/controllers/request_controller_spec.rb +++ b/spec/controllers/request_controller_spec.rb 
@@ -918,6 +918,109 @@ describe RequestController, "when handling prominence" do end end + context 'when the incoming message has prominence hidden' do + + before(:each) do + @incoming_message = FactoryGirl.create(:incoming_message_with_attachments, prominence: 'hidden') + @info_request = @incoming_message.info_request + end + + it "should not download attachments for a non-logged in user" do + get :get_attachment, :incoming_message_id => @incoming_message.id, + :id => @info_request.id, + :part => 2, + :file_name => 'interesting.pdf', + :skip_cache => 1 + expect_hidden_attachment('request/hidden_correspondence') + end + + it 'should not download attachments for the request owner' do + session[:user_id] = @info_request.user.id + get :get_attachment, :incoming_message_id => @incoming_message.id, + :id => @info_request.id, + :part => 2, + :file_name => 'interesting.pdf', + :skip_cache => 1 + expect_hidden_attachment('request/hidden_correspondence') + end + + it 'should download attachments for an admin user', :focus => true do + session[:user_id] = FactoryGirl.create(:admin_user).id + get :get_attachment, :incoming_message_id => @incoming_message.id, + :id => @info_request.id, + :part => 2, + :file_name => 'interesting.pdf', + :skip_cache => 1 + response.content_type.should == 'application/pdf' + response.should be_success + end + + it 'should not generate an HTML version of an attachment for a request whose prominence + is hidden even for an admin but should return a 404' do + session[:user_id] = FactoryGirl.create(:admin_user).id + lambda do + get :get_attachment_as_html, :incoming_message_id => @incoming_message.id, + :id => @info_request.id, + :part => 2, + :file_name => 'interesting.pdf', + :skip_cache => 1 + end.should raise_error(ActiveRecord::RecordNotFound) + end + end + + context 'when the incoming message has prominence requester_only' do + + before(:each) do + @incoming_message = FactoryGirl.create(:incoming_message_with_attachments, + prominence: 
'requester_only') + @info_request = @incoming_message.info_request + end + + it "should not download attachments for a non-logged in user" do + get :get_attachment, :incoming_message_id => @incoming_message.id, + :id => @info_request.id, + :part => 2, + :file_name => 'interesting.pdf', + :skip_cache => 1 + expect_hidden_attachment('request/hidden_correspondence') + end + + it 'should download attachments for the request owner' do + session[:user_id] = @info_request.user.id + get :get_attachment, :incoming_message_id => @incoming_message.id, + :id => @info_request.id, + :part => 2, + :file_name => 'interesting.pdf', + :skip_cache => 1 + response.content_type.should == 'application/pdf' + response.should be_success + end + + it 'should download attachments for an admin user', :focus => true do + session[:user_id] = FactoryGirl.create(:admin_user).id + get :get_attachment, :incoming_message_id => @incoming_message.id, + :id => @info_request.id, + :part => 2, + :file_name => 'interesting.pdf', + :skip_cache => 1 + response.content_type.should == 'application/pdf' + response.should be_success + end + + it 'should not generate an HTML version of an attachment for a request whose prominence + is hidden even for an admin but should return a 404' do + session[:user_id] = FactoryGirl.create(:admin_user) + lambda do + get :get_attachment_as_html, :incoming_message_id => @incoming_message.id, + :id => @info_request.id, + :part => 2, + :file_name => 'interesting.pdf', + :skip_cache => 1 + end.should raise_error(ActiveRecord::RecordNotFound) + end + + end + end # XXX do this for invalid ids 
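Review bot: Neither new incoming-message context checks a logged-in user who is neither the requester nor an admin; the specs go from anonymous straight to owner and admin, so the case most likely to regress in a prominence check is unpinned. The request-level contexts already use `FactoryGirl.create(:user).id` for that third party, and a matching spec in each message-level context would close the gap (sketch below). Separately, `:focus => true` on both 'should download attachments for an admin user' specs looks like a development leftover; if the suite is configured to filter on focus, the other access-control specs would silently not run. The last spec of the requester_only context also still says "prominence is hidden" in its description.

```ruby
# … unchanged: before(:each) and the non-logged-in spec …

it 'should not download attachments for another logged-in user' do
  session[:user_id] = FactoryGirl.create(:user).id
  get :get_attachment, :incoming_message_id => @incoming_message.id,
                       :id => @info_request.id,
                       :part => 2,
                       :file_name => 'interesting.pdf',
                       :skip_cache => 1
  expect_hidden_attachment('request/hidden_correspondence')
end

# … unchanged: owner, admin and HTML-version specs …
```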
@@ -2416,7 +2519,9 @@ describe RequestController, "when caching fragments" do :info_request_id => 132, :id => 44, :get_attachments_for_display => nil, - :html_mask_stuff! => nil) + :html_mask_stuff! => nil, + :user_can_view? => true, + :all_can_view? => true) attachment = mock(FoiAttachment, :display_filename => long_name, :body_as_html => ['some text', 'wrapper']) IncomingMessage.stub!(:find).with("44").and_return(incoming_message) -- cgit v1.2.3 From 55a114c83e2fef9f5dfced86d0030fc2acd4a39a Mon Sep 17 00:00:00 2001 From: Louise Crow Date: Wed, 14 Aug 2013 11:43:56 +0100 Subject: Fix request in spec for hidden attachments not being viewed. Add another spec for the same behaviour when an incoming message is hidden. --- spec/controllers/request_controller_spec.rb | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) (limited to 'spec/controllers/request_controller_spec.rb') diff --git a/spec/controllers/request_controller_spec.rb b/spec/controllers/request_controller_spec.rb index 26a5de29c..fa37826c8 100644 --- a/spec/controllers/request_controller_spec.rb +++ b/spec/controllers/request_controller_spec.rb @@ -911,10 +911,14 @@ describe RequestController, "when handling prominence" do response.should render_template('show') end - it 'should not cache an attachment when showing the request to the requester or admin' do + it 'should not cache an attachment when showing an attachment to the requester or admin' do session[:user_id] = @info_request.user.id + incoming_message = @info_request.incoming_messages.first @controller.should_not_receive(:foi_fragment_cache_write) - get :show, :url_title => @info_request.url_title + get :get_attachment, :incoming_message_id => incoming_message.id, + :id => @info_request.id, + :part => 2, + :file_name => 'interesting.pdf' end end 
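Review bot: In the `@@ -911,10 +911,14` hunk, `@controller.should_not_receive(:foi_fragment_cache_write)` is the spec's only expectation, so it is also satisfied when `get_attachment` is refused or fails before any caching could happen. Adding `response.should be_success` after the `get` would tie the no-cache guarantee to a response that was actually served to the requester. The description says "the requester or admin", but only `@info_request.user.id` is put in the session, so the admin path is not exercised here. The spec added in the `@@ -966,6 +970,15` hunk has the same shape, and the enclosing context starts outside this hunk.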
@@ -966,6 +970,15 @@ describe RequestController, "when handling prominence" do :skip_cache => 1 end.should raise_error(ActiveRecord::RecordNotFound) end + + it 'should not cache an attachment when showing an attachment to the requester or admin' do + session[:user_id] = @info_request.user.id + @controller.should_not_receive(:foi_fragment_cache_write) + get :get_attachment, :incoming_message_id => @incoming_message.id, + :id => @info_request.id, + :part => 2, + :file_name => 'interesting.pdf' + end end context 'when the incoming message has prominence requester_only' do -- cgit v1.2.3 From fdf40f654c7d8ff45cfd6d5af179def8389f9d3a Mon Sep 17 00:00:00 2001 From: Louise Crow Date: Wed, 14 Aug 2013 12:07:07 +0100 Subject: Use expectation for hidden responses more generally. --- spec/controllers/request_controller_spec.rb | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) (limited to 'spec/controllers/request_controller_spec.rb') diff --git a/spec/controllers/request_controller_spec.rb b/spec/controllers/request_controller_spec.rb index fa37826c8..a15fb035f 100644 --- a/spec/controllers/request_controller_spec.rb +++ b/spec/controllers/request_controller_spec.rb @@ -826,7 +826,7 @@ end describe RequestController, "when handling prominence" do - def expect_hidden_attachment(hidden_template) + def expect_hidden(hidden_template) response.content_type.should == "text/html" response.should render_template(hidden_template) response.code.should == '410' 
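Review bot: The spec added in the `@@ -966,6 +970,15` hunk logs in as `@info_request.user`, but it sits in the context that closes just before 'when the incoming message has prominence requester_only', i.e. the hidden-message one, where an earlier spec on this page expects the request owner to be refused. If so, the attachment is never served and `should_not_receive(:foi_fragment_cache_write)` passes without testing the caching rule at all. For a hidden message the only viewer is the admin, so I would use `session[:user_id] = FactoryGirl.create(:admin_user).id` and add `response.should be_success` after the `get`. The context's opening lines are outside this hunk.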
@@ -841,13 +841,13 @@ describe RequestController, "when handling prominence" do it "should not show request if you're not logged in" do get :show, :url_title => @info_request.url_title - response.should render_template('hidden') + expect_hidden('hidden') end it "should not show request even if logged in as their owner" do session[:user_id] = @info_request.user.id get :show, :url_title => @info_request.url_title - response.should render_template('hidden') + expect_hidden('hidden') end it 'should not show request if requested using json' do @@ -869,7 +869,7 @@ describe RequestController, "when handling prominence" do :part => 2, :file_name => 'interesting.pdf', :skip_cache => 1 - expect_hidden_attachment('request/hidden') + expect_hidden('request/hidden') end it 'should not generate an HTML version of an attachment for a request whose prominence @@ -894,13 +894,13 @@ describe RequestController, "when handling prominence" do it "should not show request if you're not logged in" do get :show, :url_title => @info_request.url_title - response.should render_template('hidden') + expect_hidden('hidden') end it "should show request to requester and admin if logged in" do session[:user_id] = FactoryGirl.create(:user).id get :show, :url_title => @info_request.url_title - response.should render_template('hidden') + expect_hidden('hidden') session[:user_id] = @info_request.user.id get :show, :url_title => @info_request.url_title @@ -935,7 +935,7 @@ describe RequestController, "when handling prominence" do :part => 2, :file_name => 'interesting.pdf', :skip_cache => 1 - expect_hidden_attachment('request/hidden_correspondence') + expect_hidden('request/hidden_correspondence') end it 'should not download attachments for the request owner' do 
@@ -945,7 +945,7 @@ describe RequestController, "when handling prominence" do :part => 2, :file_name => 'interesting.pdf', :skip_cache => 1 - expect_hidden_attachment('request/hidden_correspondence') + expect_hidden('request/hidden_correspondence') end it 'should download attachments for an admin user', :focus => true do @@ -995,7 +995,7 @@ describe RequestController, "when handling prominence" do :part => 2, :file_name => 'interesting.pdf', :skip_cache => 1 - expect_hidden_attachment('request/hidden_correspondence') + expect_hidden('request/hidden_correspondence') end it 'should download attachments for the request owner' do -- cgit v1.2.3 From 910dcce60088a2d0e07b67be9f272a7afc5fbfed Mon Sep 17 00:00:00 2001 From: Louise Crow Date: Wed, 14 Aug 2013 12:09:06 +0100 Subject: Replace fixture-based spec with factory-based equivalent. --- spec/controllers/request_controller_spec.rb | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) (limited to 'spec/controllers/request_controller_spec.rb') diff --git a/spec/controllers/request_controller_spec.rb b/spec/controllers/request_controller_spec.rb index a15fb035f..7e26d0ada 100644 --- a/spec/controllers/request_controller_spec.rb +++ b/spec/controllers/request_controller_spec.rb @@ -770,16 +770,6 @@ describe RequestController, "when showing one request" do describe 'when making a zipfile available' do - it 'should return a 410 for a request that is hidden' do - title = 'why_do_you_have_such_a_fancy_dog' - ir = info_requests(:fancy_dog_request) - ir.prominence = 'hidden' - ir.save! - get :download_entire_request, {:url_title => title}, { :user_id => ir.user.id } - response.should render_template('request/hidden') - response.code.should == '410' - end - it "should have a different zipfile URL when the request changes" do title = 'why_do_you_have_such_a_fancy_dog' ir = info_requests(:fancy_dog_request) 
@@ -911,6 +901,12 @@ describe RequestController, "when handling prominence" do response.should render_template('show') end + it 'should not allow download of the entire request by admin user (or anyone)' do + session[:user_id] = FactoryGirl.create(:admin_user).id + get :download_entire_request, :url_title => @info_request.url_title + expect_hidden('hidden') + end + it 'should not cache an attachment when showing an attachment to the requester or admin' do session[:user_id] = @info_request.user.id incoming_message = @info_request.incoming_messages.first -- cgit v1.2.3 From a9363f6c3926d5a8cba8db79176c1b76bc4118e7 Mon Sep 17 00:00:00 2001 From: Louise Crow Date: Wed, 14 Aug 2013 14:56:21 +0100 Subject: Rewrite download spec Make it an integration spec so we don't need to touch the internals so much. --- spec/controllers/request_controller_spec.rb | 48 ++--------------------------- 1 file changed, 3 insertions(+), 45 deletions(-) (limited to 'spec/controllers/request_controller_spec.rb') diff --git a/spec/controllers/request_controller_spec.rb b/spec/controllers/request_controller_spec.rb index 7e26d0ada..8f8e3afa0 100644 --- a/spec/controllers/request_controller_spec.rb +++ b/spec/controllers/request_controller_spec.rb @@ -191,7 +191,6 @@ describe RequestController, "when showing one request" do before(:each) do load_raw_emails_data - FileUtils.rm_rf File.join(File.dirname(__FILE__), "../../cache/zips") end it "should be successful" do 
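Review bot: The spec added in the `@@ -911,6 +901,12` hunk is not equivalent to the one removed in `@@ -770,16 +770,6`: the removed spec requested the zip as the owner of a request with `prominence = 'hidden'`, while the new one appears to sit among the requester_only specs (it follows the requester/admin 'show' expectations) and logs in only as an admin. That leaves `download_entire_request` unchecked for hidden requests and for the requester, even though the description says "(or anyone)". I would add the same spec to the 'when the request is hidden' context, plus a variant with `session[:user_id] = @info_request.user.id`, so the denial is pinned per prominence level and per role. The expected template also changes from `'request/hidden'` to `'hidden'`, which is worth confirming as intended; the enclosing context starts outside this hunk.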
@@ -768,49 +767,7 @@ describe RequestController, "when showing one request" do end end - describe 'when making a zipfile available' do - it "should have a different zipfile URL when the request changes" do - title = 'why_do_you_have_such_a_fancy_dog' - ir = info_requests(:fancy_dog_request) - session[:user_id] = ir.user.id # bob_smith_user - get :download_entire_request, :url_title => title - assigns[:url_path].should contain /#{title}.zip$/ - old_path = assigns[:url_path] - response.location.should contain /#{assigns[:url_path]}$/ - zipfile = Zip::ZipFile.open(File.join(File.dirname(__FILE__), "../../cache/zips", old_path)) { |zipfile| - zipfile.count.should == 1 # just the message - } - receive_incoming_mail('incoming-request-two-same-name.email', ir.incoming_email) - get :download_entire_request, :url_title => title - assigns[:url_path].should contain /#{title}.zip$/ - old_path = assigns[:url_path] - response.location.should contain /#{assigns[:url_path]}$/ - zipfile = Zip::ZipFile.open(File.join(File.dirname(__FILE__), "../../cache/zips", old_path)) { |zipfile| - zipfile.count.should == 3 # the message plus two "hello-world.txt" files - } - - # The path of the zip file is based on the hash of the timestamp of the last request - # in the thread, so we wait for a second to make sure this one will have a different - # timestamp than the previous. 
- sleep 1 - receive_incoming_mail('incoming-request-attachment-unknown-extension.email', ir.incoming_email) - get :download_entire_request, :url_title => title - assigns[:url_path].should contain /#{title}.zip$/ - assigns[:url_path].should_not == old_path - response.location.should contain assigns[:url_path] - zipfile = Zip::ZipFile.open(File.join(File.dirname(__FILE__), "../../cache/zips", assigns[:url_path])) { |zipfile| - zipfile.count.should == 4 # the message, two hello-world.txt plus the unknown attachment - } - end - - it 'should successfully make a zipfile for an external request' do - info_request = info_requests(:external_request) - get :download_entire_request, { :url_title => info_request.url_title }, - { :user_id => users(:bob_smith_user) } - response.location.should contain /#{assigns[:url_path]}$/ - end - end end end @@ -825,7 +782,7 @@ describe RequestController, "when handling prominence" do context 'when the request is hidden' do before(:each) do - @info_request = FactoryGirl.create(:info_request_with_attachments, + @info_request = FactoryGirl.create(:info_request_with_incoming_attachments, prominence: 'hidden') end @@ -879,7 +836,7 @@ describe RequestController, "when handling prominence" do context 'when the request is requester_only' do before(:each) do - @info_request = FactoryGirl.create(:info_request_with_attachments, prominence: 'requester_only') + @info_request = FactoryGirl.create(:info_request_with_incoming_attachments, prominence: 'requester_only') end it "should not show request if you're not logged in" do @@ -975,6 +932,7 @@ describe RequestController, "when handling prominence" do :part => 2, :file_name => 'interesting.pdf' end + end context 'when the incoming message has prominence requester_only' do -- cgit v1.2.3 From fd0c811cc4e01435ca89a419a521f6ac31a858b1 Mon Sep 17 00:00:00 2001 
From: Louise Crow Date: Thu, 22 Aug 2013 15:23:46 +0100 Subject: Restore the download for hidden requests This was disabled for hidden requests as the download was by redirect, allowing people who have not been authenticated to conceivably access the download. We'll be moving to send_file instead, so can restore it. --- spec/controllers/request_controller_spec.rb | 6 ------ 1 file changed, 6 deletions(-) (limited to 'spec/controllers/request_controller_spec.rb') diff --git a/spec/controllers/request_controller_spec.rb b/spec/controllers/request_controller_spec.rb index 8f8e3afa0..c5ee8cbf7 100644 --- a/spec/controllers/request_controller_spec.rb +++ b/spec/controllers/request_controller_spec.rb @@ -858,12 +858,6 @@ describe RequestController, "when handling prominence" do response.should render_template('show') end - it 'should not allow download of the entire request by admin user (or anyone)' do - session[:user_id] = FactoryGirl.create(:admin_user).id - get :download_entire_request, :url_title => @info_request.url_title - expect_hidden('hidden') - end - it 'should not cache an attachment when showing an attachment to the requester or admin' do session[:user_id] = @info_request.user.id incoming_message = @info_request.incoming_messages.first -- cgit v1.2.3 From bc743d9fc8c8f740f37b91cbe374c6ae20b10619 Mon Sep 17 00:00:00 2001 From: Louise Crow Date: Tue, 27 Aug 2013 16:13:02 +0100 Subject: Add public criteria for message event access methods get_last_response_event and get_last_outgoing_event are used in various places to determine which events to link to, use in queries etc. Restrict them to refer to the last publicly visible event of the relevant type, and rename them to make that clear. --- spec/controllers/request_controller_spec.rb | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) (limited to 'spec/controllers/request_controller_spec.rb') 
diff --git a/spec/controllers/request_controller_spec.rb b/spec/controllers/request_controller_spec.rb index c5ee8cbf7..ec10d99d8 100644 --- a/spec/controllers/request_controller_spec.rb +++ b/spec/controllers/request_controller_spec.rb @@ -1596,7 +1596,7 @@ describe RequestController, "when classifying an information request" do @dog_request.reload @dog_request.awaiting_description.should == false @dog_request.described_state.should == 'rejected' - @dog_request.get_last_response_event.should == info_request_events(:useless_incoming_message_event) + @dog_request.get_last_public_response_event.should == info_request_events(:useless_incoming_message_event) @dog_request.info_request_events.last.event_type.should == "status_update" @dog_request.info_request_events.last.calculated_state.should == 'rejected' end @@ -1749,13 +1749,13 @@ describe RequestController, "when classifying an information request" do it 'should redirect to the "response url" when there is a last response' do incoming_message = mock_model(IncomingMessage) - @dog_request.stub!(:get_last_response).and_return(incoming_message) + @dog_request.stub!(:get_last_public_response).and_return(incoming_message) expect_redirect('waiting_clarification', "request/#{@dog_request.id}/response/#{incoming_message.id}") end it 'should redirect to the "response no followup url" when there are no events needing description' do - @dog_request.stub!(:get_last_response).and_return(nil) + @dog_request.stub!(:get_last_public_response).and_return(nil) expect_redirect('waiting_clarification', "request/#{@dog_request.id}/response") end 
@@ -1794,7 +1794,7 @@ describe RequestController, "when classifying an information request" do context 'when status is updated to "gone postal"' do it 'should redirect to the "respond to last url"' do - expect_redirect('gone_postal', "request/#{@dog_request.id}/response/#{@dog_request.get_last_response.id}?gone_postal=1") + expect_redirect('gone_postal', "request/#{@dog_request.id}/response/#{@dog_request.get_last_public_response.id}?gone_postal=1") end end @@ -1836,7 +1836,7 @@ describe RequestController, "when classifying an information request" do context 'when status is updated to "user_withdrawn"' do it 'should redirect to the "respond to last url url" ' do - expect_redirect('user_withdrawn', "request/#{@dog_request.id}/response/#{@dog_request.get_last_response.id}") + expect_redirect('user_withdrawn', "request/#{@dog_request.id}/response/#{@dog_request.get_last_public_response.id}") end end @@ -1889,7 +1889,7 @@ describe RequestController, "when sending a followup message" do # fake that this is a clarification info_requests(:fancy_dog_request).set_described_state('waiting_clarification') info_requests(:fancy_dog_request).described_state.should == 'waiting_clarification' - info_requests(:fancy_dog_request).get_last_response_event.calculated_state.should == 'waiting_clarification' + info_requests(:fancy_dog_request).get_last_public_response_event.calculated_state.should == 'waiting_clarification' # make the followup session[:user_id] = users(:bob_smith_user).id 
@@ -1907,7 +1907,7 @@ describe RequestController, "when sending a followup message" do # and that the status changed info_requests(:fancy_dog_request).reload info_requests(:fancy_dog_request).described_state.should == 'waiting_response' - info_requests(:fancy_dog_request).get_last_response_event.calculated_state.should == 'waiting_clarification' + info_requests(:fancy_dog_request).get_last_public_response_event.calculated_state.should == 'waiting_clarification' end it "should give an error if the same followup is submitted twice" do -- cgit v1.2.3 From 6b29b23dc1690d09e1ef5bd9cc277562483c9ef8 Mon Sep 17 00:00:00 2001 From: Louise Crow Date: Wed, 28 Aug 2013 10:50:23 +0100 Subject: Use earlier factory_girl syntax --- spec/controllers/request_controller_spec.rb | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) (limited to 'spec/controllers/request_controller_spec.rb') diff --git a/spec/controllers/request_controller_spec.rb b/spec/controllers/request_controller_spec.rb index ec10d99d8..854ce09c6 100644 --- a/spec/controllers/request_controller_spec.rb +++ b/spec/controllers/request_controller_spec.rb @@ -783,7 +783,7 @@ describe RequestController, "when handling prominence" do before(:each) do @info_request = FactoryGirl.create(:info_request_with_incoming_attachments, - prominence: 'hidden') + :prominence => 'hidden') end it "should not show request if you're not logged in" do @@ -836,7 +836,8 @@ describe RequestController, "when handling prominence" do context 'when the request is requester_only' do before(:each) do - @info_request = FactoryGirl.create(:info_request_with_incoming_attachments, prominence: 'requester_only') + @info_request = FactoryGirl.create(:info_request_with_incoming_attachments, + :prominence => 'requester_only') end it "should not show request if you're not logged in" do 
@@ -872,7 +873,8 @@ describe RequestController, "when handling prominence" do context 'when the incoming message has prominence hidden' do before(:each) do - @incoming_message = FactoryGirl.create(:incoming_message_with_attachments, prominence: 'hidden') + @incoming_message = FactoryGirl.create(:incoming_message_with_attachments, + :prominence => 'hidden') @info_request = @incoming_message.info_request end @@ -933,7 +935,7 @@ describe RequestController, "when handling prominence" do before(:each) do @incoming_message = FactoryGirl.create(:incoming_message_with_attachments, - prominence: 'requester_only') + :prominence => 'requester_only') @info_request = @incoming_message.info_request end -- cgit v1.2.3 From a176da3b7611153421fc6a33bb502297ae50a0e2 Mon Sep 17 00:00:00 2001 From: Louise Crow Date: Mon, 16 Sep 2013 12:55:39 +0100 Subject: Use 403, not 410, for hidden items. As @mhl points out, this more clearly indicates that they may come back at some point. --- spec/controllers/request_controller_spec.rb | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'spec/controllers/request_controller_spec.rb') diff --git a/spec/controllers/request_controller_spec.rb b/spec/controllers/request_controller_spec.rb index 854ce09c6..d324670c4 100644 --- a/spec/controllers/request_controller_spec.rb +++ b/spec/controllers/request_controller_spec.rb @@ -776,7 +776,7 @@ describe RequestController, "when handling prominence" do def expect_hidden(hidden_template) response.content_type.should == "text/html" response.should render_template(hidden_template) - response.code.should == '410' + response.code.should == '403' end context 'when the request is hidden' do 
@@ -800,7 +800,7 @@ describe RequestController, "when handling prominence" do it 'should not show request if requested using json' do session[:user_id] = @info_request.user.id get :show, :url_title => @info_request.url_title, :format => 'json' - response.code.should == '410' + response.code.should == '403' end it "should show request if logged in as super user" do @@ -1319,12 +1319,12 @@ describe RequestController, "when viewing an individual response for reply/follo response.should render_template('request/hidden') end - it 'should respond to a json request for a hidden request with a 410 code and no body' do + it 'should respond to a json request for a hidden request with a 403 code and no body' do get :show_response, :id => info_requests(:fancy_dog_request).id, :incoming_message_id => incoming_messages(:useless_incoming_message), :format => 'json' - response.code.should == '410' + response.code.should == '403' end end -- cgit v1.2.3
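Review bot: The JSON examples assert only the status code, so a controller that answers 403 while still serialising the hidden request would pass. This applies to 'should not show request if requested using json' in the hunk at 800 and to the example in the hunk at 1319, whose title promises "no body" but never checks it. Assuming the controller renders nothing for JSON, adding `response.body.should be_blank` after `response.code.should == '403'` in both would pin that no request data leaks in the payload. The `expect_hidden` helper changed at 776 already checks the rendered template for the HTML case.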