Use CanCanCan for changeset comments

This introduces different deny_access handlers for web and API requests, since we want to avoid sending redirects as API responses. See #2064 for discussion.
Andy Allan 2018-11-14 15:45:30 +01:00
parent b29c173ac7
commit 8f70fb2114
6 changed files with 89 additions and 3 deletions


@ -12,6 +12,48 @@ class CapabilityTest < ActiveSupport::TestCase
end
end
class ChangesetCommentCapabilityTest < CapabilityTest
test "as a normal user with permissionless token" do
token = create(:access_token)
capability = Capability.new token
[:create, :destroy, :restore].each do |action|
assert capability.cannot? action, ChangesetComment
end
end
test "as a normal user with allow_write_api token" do
token = create(:access_token, :allow_write_api => true)
capability = Capability.new token
[:destroy, :restore].each do |action|
assert capability.cannot? action, ChangesetComment
end
[:create].each do |action|
assert capability.can? action, ChangesetComment
end
end
test "as a moderator with permissionless token" do
token = create(:access_token, :user => create(:moderator_user))
capability = Capability.new token
[:create, :destroy, :restore].each do |action|
assert capability.cannot? action, ChangesetComment
end
end
test "as a moderator with allow_write_api token" do
token = create(:access_token, :user => create(:moderator_user), :allow_write_api => true)
capability = Capability.new token
[:create, :destroy, :restore].each do |action|
assert capability.can? action, ChangesetComment
end
end
end
class UserCapabilityTest < CapabilityTest
test "user preferences" do
# a user with no tokens
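Review bot: The assertions inside the `each` loops of ChangesetCommentCapabilityTest carry no failure message, so a regression in a permission check would not report which action was wrongly allowed or denied; `assert capability.cannot?(action, ChangesetComment), "#{action} should be denied"` would name it. The negative cases only cover a token with no permissions at all. A case with a token that holds some other permission but not `allow_write_api` would confirm that create, and for moderators destroy and restore, depend on that specific scope rather than on any granted scope. The single-element `[:create].each` in the normal-user test could be a plain assertion.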


@ -0,0 +1,6 @@
FactoryBot.define do
factory :access_token do
user
client_application
end
end
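Review bot: The factory sets no permission attributes, so the "permissionless token" cases in the capability tests depend on permission columns such as `allow_write_api` defaulting to false, which is not visible in this file. A comment above `user` such as `# grants no permissions; relies on the column defaults being false` would record that assumption. Alternatively the deny tests could pass `:allow_write_api => false` explicitly, so they state the precondition they check.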