discourse/spec/requests/admin/api_controller_spec.rb
Robin Ward 3bb4f4c5ef Adds test to make sure moderators can't make master keys
It wasn't obvious from the code, plus we'd never want this to regress!
2018-09-11 12:02:06 -04:00

77 lines
1.9 KiB
Ruby

require 'rails_helper'
describe Admin::ApiController do
it "is a subclass of AdminController" do
expect(Admin::ApiController < Admin::AdminController).to eq(true)
end
let(:admin) { Fabricate(:admin) }
context "as an admin" do
before do
sign_in(admin)
end
describe '#index' do
it "succeeds" do
get "/admin/api/keys.json"
expect(response.status).to eq(200)
end
end
describe '#regenerate_key' do
let(:api_key) { Fabricate(:api_key) }
it "returns 404 when there is no key" do
put "/admin/api/key.json", params: { id: 1234 }
expect(response.status).to eq(404)
end
it "delegates to the api key's `regenerate!` method" do
prev_value = api_key.key
put "/admin/api/key.json", params: { id: api_key.id }
expect(response.status).to eq(200)
api_key.reload
expect(api_key.key).not_to eq(prev_value)
expect(api_key.created_by.id).to eq(admin.id)
end
end
describe '#revoke_key' do
let(:api_key) { Fabricate(:api_key) }
it "returns 404 when there is no key" do
delete "/admin/api/key.json", params: { id: 1234 }
expect(response.status).to eq(404)
end
it "delegates to the api key's `regenerate!` method" do
delete "/admin/api/key.json", params: { id: api_key.id }
expect(response.status).to eq(200)
expect(ApiKey.where(key: api_key.key).count).to eq(0)
end
end
end
describe '#create_master_key' do
it "creates a record" do
sign_in(admin)
expect do
post "/admin/api/key.json"
end.to change(ApiKey, :count).by(1)
expect(response.status).to eq(200)
end
it "doesn't allow moderators to create master keys" do
sign_in(Fabricate(:moderator))
expect do
post "/admin/api/key.json"
end.to change(ApiKey, :count).by(0)
expect(response.status).to eq(404)
end
end
end