From fd0c811cc4e01435ca89a419a521f6ac31a858b1 Mon Sep 17 00:00:00 2001 From: Louise Crow Date: Thu, 22 Aug 2013 15:23:46 +0100 Subject: Restore the download for hidden requests This was disabled for hidden requests as the download was by redirect, allowing people who have not been authenticated to conceivably access the download. We'll be moving to send_file instead, so can restore it. --- spec/integration/download_request_spec.rb | 55 ++++++++++++++++++++++++++++++- 1 file changed, 54 insertions(+), 1 deletion(-) (limited to 'spec/integration/download_request_spec.rb') diff --git a/spec/integration/download_request_spec.rb b/spec/integration/download_request_spec.rb index 8af1c9ff1..dd492e42a 100644 --- a/spec/integration/download_request_spec.rb +++ b/spec/integration/download_request_spec.rb @@ -56,7 +56,60 @@ describe 'when making a zipfile available' do end end + context 'when a request is "requester_only"' do + + before do + @non_owner = login(FactoryGirl.create(:user)) + @info_request = FactoryGirl.create(:info_request_with_incoming, + :prominence => 'requester_only') + @request_owner = login(@info_request.user) + @admin = login(FactoryGirl.create(:admin_user)) + end + + + it 'should allow a download of the request by the request owner and admin only' do + # Requester can access the zip + inspect_zip_download(@request_owner, @info_request) do |zip| + zip.count.should == 1 + zip.read('correspondence.txt').should match('hereisthetext') + end + # Non-owner can't + @non_owner.get_via_redirect "request/#{@info_request.url_title}/download" + @non_owner.response.code.should == '410' + # Admin can + inspect_zip_download(@admin, @info_request) do |zip| + zip.count.should == 1 + zip.read('correspondence.txt').should match('hereisthetext') + end + end + end + + context 'when a request is made "hidden"' do + + it 'should not allow a download of the request by an admin only' do + @non_owner = login(FactoryGirl.create(:user)) + @info_request = FactoryGirl.create(:info_request_with_incoming, + :prominence => 'hidden') + @request_owner = login(@info_request.user) + @admin = login(FactoryGirl.create(:admin_user)) + + # Requester can't access the zip + @request_owner.get_via_redirect "request/#{@info_request.url_title}/download" + @request_owner.response.code.should == '410' + # Non-owner can't + @non_owner.get_via_redirect "request/#{@info_request.url_title}/download" + @non_owner.response.code.should == '410' + # Admin can + inspect_zip_download(@admin, @info_request) do |zip| + zip.count.should == 1 + zip.read('correspondence.txt').should match('hereisthetext') + end + end + + end + context 'when an incoming message is made "requester_only"' do + it 'should not include the incoming message or attachments in a download of the entire request by a non-request owner' do @@ -90,7 +143,7 @@ describe 'when making a zipfile available' do end - it 'should successfully make a zipfile for an external request', :focus => true do + it 'should successfully make a zipfile for an external request' do external_request = FactoryGirl.create(:external_request) user = login(FactoryGirl.create(:user)) inspect_zip_download(user, external_request){ |zip| zip.count.should == 1 } -- cgit v1.2.3