diff options
| author | Timothy Andrew <mail@timothyandrew.net> | 2017-06-20 10:40:24 +0300 |
|---|---|---|
| committer | Timothy Andrew <mail@timothyandrew.net> | 2017-06-28 10:17:13 +0300 |
| commit | 6f1922500bc9e2c6d53c46dfcbd420687dfe6e6b (patch) | |
| tree | b9de79a82757d00156ddf2f86453ae5b2ee7944d /spec/requests/api/users_spec.rb | |
| parent | 08ad0af49c017d740b43588c0809b3811d25a448 (diff) | |
Initial attempt at refactoring API scope declarations.
- Declaring an endpoint's scopes in a `before` block has proved to be
unreliable. For example, if we're accessing the `API::Users` endpoint - code
in a `before` block in `API::API` wouldn't be able to see the scopes set in
`API::Users` since the `API::API` `before` block runs first.
- This commit moves these declarations to the class level, since they don't need
to change once set.
Diffstat (limited to 'spec/requests/api/users_spec.rb')
| -rw-r--r-- | spec/requests/api/users_spec.rb | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/spec/requests/api/users_spec.rb b/spec/requests/api/users_spec.rb index c0174b304c8..c8e22799ba4 100644 --- a/spec/requests/api/users_spec.rb +++ b/spec/requests/api/users_spec.rb @@ -50,6 +50,28 @@ describe API::Users do end['username']).to eq(username) end + context "scopes" do + context 'when the requesting token has the "read_user" scope' do + let(:token) { create(:personal_access_token, scopes: ['read_user']) } + + it 'returns a "200" response' do + get api("/users", user, personal_access_token: token) + + expect(response).to have_http_status(200) + end + end + + context 'when the requesting token does not have any required scope' do + let(:token) { create(:personal_access_token, scopes: ['read_registry']) } + + it 'returns a "401" response' do + get api("/users", user, personal_access_token: token) + + expect(response).to have_http_status(401) + end + end + end + it "returns an array of blocked users" do ldap_blocked_user create(:user, state: 'blocked') |