From 7206f1b29882d800bf310b301395f88297f32be6 Mon Sep 17 00:00:00 2001
From: Martin <martin@sharypic.com>
Date: Thu, 19 Jan 2023 17:33:19 +0100
Subject: [PATCH] bug(api): token, not checked

---
 spec/controllers/api/v2/graphql_controller_spec.rb | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/spec/controllers/api/v2/graphql_controller_spec.rb b/spec/controllers/api/v2/graphql_controller_spec.rb
index f51609339..9f46cd85c 100644
--- a/spec/controllers/api/v2/graphql_controller_spec.rb
+++ b/spec/controllers/api/v2/graphql_controller_spec.rb
@@ -151,6 +151,17 @@ describe API::V2::GraphqlController do
         }
       end
 
+      context "when the does not belong to an admin of the procedure" do
+        let(:another_administrateur) { create(:administrateur) }
+        before do
+          request.env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Token.encode_credentials(APIToken.generate(another_administrateur)[1])
+        end
+
+        it {
+          expect(gql_errors.first[:message]).to eq("An object of type Demarche was hidden due to permissions")
+        }
+      end
+
       context "when the token is revoked" do
         before do
           admin.api_tokens.destroy_all