-rw-r--r--app/controllers/api/companies_controller.rb2
-rw-r--r--app/controllers/authenticated_controller.rb6
-rw-r--r--app/controllers/master_controller.rb2
-rw-r--r--spec/requests/companies_controller/create_companies_controller_spec.rb16
-rw-r--r--spec/support/shared_examples/master_role_required_requests/post_request.rb10
5 files changed, 31 insertions, 5 deletions
diff --git a/app/controllers/api/companies_controller.rb b/app/controllers/api/companies_controller.rb
index 9d6cb1c..21744de 100644
--- a/app/controllers/api/companies_controller.rb
+++ b/app/controllers/api/companies_controller.rb
@@ -4,7 +4,7 @@ module Api
# CompaniesController
class CompaniesController < MasterController
skip_before_action :validate_jwt, only: %i[show index]
- skip_before_action :assert_master_role, onlt: %i[show index]
+ skip_before_action :assert_master_role, only: %i[show index]
def index
@companies = Company.all
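Review bot: The misspelled `onlt:` key on the removed line meant the `only:` restriction never applied, so `assert_master_role` was presumably skipped for every action of this controller (Rails does not appear to reject unknown keys here), and the fix restores the master-only protection on create; a comment above the two `skip_before_action` calls would make that intent explicit, e.g. `# show/index are public: no JWT and no role check; every other action stays master-only`. Keeping the two skips adjacent with that comment makes a future re-widening of the skip easier to spot in review. The class body continues outside the hunk.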
diff --git a/app/controllers/authenticated_controller.rb b/app/controllers/authenticated_controller.rb
index de02cab..56159ab 100644
--- a/app/controllers/authenticated_controller.rb
+++ b/app/controllers/authenticated_controller.rb
@@ -13,6 +13,12 @@ class AuthenticatedController < ApplicationController
@current_user_account ||= UserAccount.find_by(email:)
end
+ def current_user_role
+ return if decoded_token.nil?
+
+ decoded_token[0]['aud']
+ end
+
def authentication_token
@authentication_token ||= request.headers[:authorization]&.sub(/^Bearer /, '')
end
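Review bot: `current_user_role` takes the role from the JWT payload (`decoded_token[0]['aud']`) instead of the persisted account, and the master_controller.rb hunk switches `assert_master_role` to it, so a role change in the database (e.g. a demoted master) has no effect until that token expires; unless that window is acceptable, keep the database as the source of truth or cross-check the claim, e.g. `return if current_user_role == 'master' && current_user_account&.role == 'master'`. Reusing the registered `aud` (audience) claim to carry a role deserves a comment, e.g. `# role is carried in the token's 'aud' claim; only meaningful after validate_jwt has run`. `decoded_token` is defined outside this hunk, so whether the payload being read is signature-verified cannot be confirmed from here. The AuthenticatedController class starts and ends outside the hunk.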
diff --git a/app/controllers/master_controller.rb b/app/controllers/master_controller.rb
index b2075d5..38cd441 100644
--- a/app/controllers/master_controller.rb
+++ b/app/controllers/master_controller.rb
@@ -7,7 +7,7 @@ class MasterController < AuthenticatedController
private
def assert_master_role
- return if current_user_account.role == 'master'
+ return if current_user_role == 'master'
render json: { error_message: 'No cuenta con los permisos necesarios' }, status: :forbidden
end
diff --git a/spec/requests/companies_controller/create_companies_controller_spec.rb b/spec/requests/companies_controller/create_companies_controller_spec.rb
index 53677f2..219868b 100644
--- a/spec/requests/companies_controller/create_companies_controller_spec.rb
+++ b/spec/requests/companies_controller/create_companies_controller_spec.rb
@@ -3,12 +3,12 @@
require 'rails_helper'
RSpec.describe 'POST /api/companies', type: :request do
- let(:user) { create(:user_account, role: 'master') }
let(:company) { build(:company) }
let(:logo) { fixture_file_upload('tres castillos-2.png', 'image/png') }
- let(:token) { jwt(user) }
it_behaves_like 'a POST request' do
+ let(:user) { create(:user_account, role: 'master') }
+ let(:token) { jwt(user) }
let(:headers) { { 'CONTENT_TYPE' => 'application/json', 'Authorization' => "Bearer #{token['token']}" } }
let(:route) { '/api/companies' }
let(:expected_error_messages) do
@@ -17,8 +17,18 @@ RSpec.describe 'POST /api/companies', type: :request do
let(:desired_error_status) { 422 }
let(:expected_text) { [company.name, company.short_name, company.country, 'logo', 'http'] }
let(:params) do
- { name: company.name, short_name: company.short_name, country: company.country, logo: logo }
+ { name: company.name, short_name: company.short_name, country: company.country, logo: }
end
let(:wrong_params) { JSON.generate({ name: '', short_name: '', country: '' }) }
end
+
+ it_behaves_like 'a POST request that requires a master user' do
+ let(:user) { create(:user_account, role: 'regular') }
+ let(:token) { jwt(user) }
+ let(:headers) { { 'CONTENT_TYPE' => 'application/json', 'Authorization' => "Bearer #{token['token']}" } }
+ let(:route) { '/api/companies' }
+ let(:params) do
+ JSON.generate({ name: company.name, short_name: company.short_name, country: company.country })
+ end
+ end
end
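Review bot: `let(:headers)` and `let(:route)` are now defined identically in both `it_behaves_like` blocks (L65-L66 and L81-L82); hoisting them to the describe level would leave each block with only the `user`/`token` and `params` that actually differ. The negative example sends `params` as a JSON string while the positive one passes a hash with `logo:`, which is fine for a 403 check but means the forbidden path is never exercised with the multipart upload; if the role check is ever reordered after param handling, this difference would hide it.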
diff --git a/spec/support/shared_examples/master_role_required_requests/post_request.rb b/spec/support/shared_examples/master_role_required_requests/post_request.rb
new file mode 100644
index 0000000..9df49b1
--- /dev/null
+++ b/spec/support/shared_examples/master_role_required_requests/post_request.rb
@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+RSpec.shared_examples 'a POST request that requires a master user' do
+ context 'with a regular user' do
+ it 'returns 403 http status' do
+ post(route, params:, headers:)
+ expect(response).to have_http_status(403)
+ end
+ end
+end \ No newline at end of file
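Review bot: `have_http_status(403)` could use the symbolic form `have_http_status(:forbidden)` to mirror `status: :forbidden` in MasterController, and asserting the body as well would distinguish the role check from any other 403 the stack might return, e.g. `expect(response.parsed_body['error_message']).to eq('No cuenta con los permisos necesarios')`. The new file also lacks a trailing newline.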