diff options
| author | HombreLaser <sebastian-440@live.com> | 2023-03-11 12:10:57 -0600 |
|---|---|---|
| committer | HombreLaser <sebastian-440@live.com> | 2023-03-11 12:10:57 -0600 |
| commit | 3dae1ce143d006cc75940b746a8eb74982e6e861 (patch) | |
| tree | 5bfa59dfd11bbfc9b8ef2a38da067e0c2ca0da42 | |
| parent | 6b3cc5c3a33643c0e42396142a2d3204ada2bb82 (diff) | |
Añade test de scoping
5 files changed, 31 insertions, 5 deletions
diff --git a/app/controllers/api/companies_controller.rb b/app/controllers/api/companies_controller.rb index 9d6cb1c..21744de 100644 --- a/app/controllers/api/companies_controller.rb +++ b/app/controllers/api/companies_controller.rb @@ -4,7 +4,7 @@ module Api # CompaniesController class CompaniesController < MasterController skip_before_action :validate_jwt, only: %i[show index] - skip_before_action :assert_master_role, onlt: %i[show index] + skip_before_action :assert_master_role, only: %i[show index] def index @companies = Company.all diff --git a/app/controllers/authenticated_controller.rb b/app/controllers/authenticated_controller.rb index de02cab..56159ab 100644 --- a/app/controllers/authenticated_controller.rb +++ b/app/controllers/authenticated_controller.rb @@ -13,6 +13,12 @@ class AuthenticatedController < ApplicationController @current_user_account ||= UserAccount.find_by(email:) end + def current_user_role + return if decoded_token.nil? + + decoded_token[0]['aud'] + end + def authentication_token @authentication_token ||= request.headers[:authorization]&.sub(/^Bearer /, '') end diff --git a/app/controllers/master_controller.rb b/app/controllers/master_controller.rb index b2075d5..38cd441 100644 --- a/app/controllers/master_controller.rb +++ b/app/controllers/master_controller.rb @@ -7,7 +7,7 @@ class MasterController < AuthenticatedController private def assert_master_role - return if current_user_account.role == 'master' + return if current_user_role == 'master' render json: { error_message: 'No cuenta con los permisos necesarios' }, status: :forbidden end diff --git a/spec/requests/companies_controller/create_companies_controller_spec.rb b/spec/requests/companies_controller/create_companies_controller_spec.rb index 53677f2..219868b 100644 --- a/spec/requests/companies_controller/create_companies_controller_spec.rb +++ b/spec/requests/companies_controller/create_companies_controller_spec.rb @@ -3,12 +3,12 @@ require 'rails_helper' RSpec.describe 'POST /api/companies', type: :request do - let(:user) { create(:user_account, role: 'master') } let(:company) { build(:company) } let(:logo) { fixture_file_upload('tres castillos-2.png', 'image/png') } - let(:token) { jwt(user) } it_behaves_like 'a POST request' do + let(:user) { create(:user_account, role: 'master') } + let(:token) { jwt(user) } let(:headers) { { 'CONTENT_TYPE' => 'application/json', 'Authorization' => "Bearer #{token['token']}" } } let(:route) { '/api/companies' } let(:expected_error_messages) do @@ -17,8 +17,18 @@ RSpec.describe 'POST /api/companies', type: :request do let(:desired_error_status) { 422 } let(:expected_text) { [company.name, company.short_name, company.country, 'logo', 'http'] } let(:params) do - { name: company.name, short_name: company.short_name, country: company.country, logo: logo } + { name: company.name, short_name: company.short_name, country: company.country, logo: } end let(:wrong_params) { JSON.generate({ name: '', short_name: '', country: '' }) } end + + it_behaves_like 'a POST request that requires a master user' do + let(:user) { create(:user_account, role: 'regular') } + let(:token) { jwt(user) } + let(:headers) { { 'CONTENT_TYPE' => 'application/json', 'Authorization' => "Bearer #{token['token']}" } } + let(:route) { '/api/companies' } + let(:params) do + JSON.generate({ name: company.name, short_name: company.short_name, country: company.country }) + end + end end diff --git a/spec/support/shared_examples/master_role_required_requests/post_request.rb b/spec/support/shared_examples/master_role_required_requests/post_request.rb new file mode 100644 index 0000000..9df49b1 --- /dev/null +++ b/spec/support/shared_examples/master_role_required_requests/post_request.rb @@ -0,0 +1,10 @@ +# frozen_string_literal: true + +RSpec.shared_examples 'a POST request that requires a master user' do + context 'with a regular user' do + it 'returns 403 http status' do + post(route, params:, headers:) + expect(response).to have_http_status(403) + end + end +end
\ No newline at end of file |