discourse/spec/controllers/application_controller_spec.rb

require 'spec_helper'

describe 'api' do
  describe PostsController do
    let(:user) do
      Fabricate(:user)
    end

    let(:post) do
      Fabricate(:post)
    end

    let(:api_key) { user.generate_api_key(user) }
    let(:master_key) { ApiKey.create_master_key }

    # choosing an arbitrarily easy to mock trusted activity
    it 'allows users with api key to bookmark posts' do
      PostAction.expects(:act).with(user, post, PostActionType.types[:bookmark]).once
      put :bookmark, bookmarked: "true", post_id: post.id, api_key: api_key.key, format: :json
      response.should be_success
    end

    it 'raises an error with a user key that does not match an optionally specified username' do
      PostAction.expects(:act).with(user, post, PostActionType.types[:bookmark]).never
      put :bookmark, bookmarked: "true", post_id: post.id, api_key: api_key.key, api_username: 'made_up', format: :json
      response.should_not be_success
    end

    it 'allows users with a master api key to bookmark posts' do
      PostAction.expects(:act).with(user, post, PostActionType.types[:bookmark]).once
      put :bookmark, bookmarked: "true", post_id: post.id, api_key: master_key.key, api_username: user.username, format: :json
      response.should be_success
    end

    it 'disallows phonies to bookmark posts' do
      PostAction.expects(:act).with(user, post, PostActionType.types[:bookmark]).never
      lambda do
        put :bookmark, bookmarked: "true", post_id: post.id, api_key: SecureRandom.hex(32), api_username: user.username, format: :json
      end.should raise_error Discourse::NotLoggedIn
    end

    it 'disallows blank api' do
      PostAction.expects(:act).with(user, post, PostActionType.types[:bookmark]).never
      lambda do
        put :bookmark, bookmarked: "true", post_id: post.id, api_key: "", api_username: user.username, format: :json
      end.should raise_error Discourse::NotLoggedIn
    end
  end
end
basic api support 2013-03-25 21:04:28 -04:00			`require 'spec_helper'`

FIX: [security bug] XHR check bypass 2013-04-29 20:34:19 -04:00			`describe 'api' do`
basic api support 2013-03-25 21:04:28 -04:00			`describe PostsController do`
			`let(:user) do`
			`Fabricate(:user)`
			`end`

FIX: [security bug] XHR check bypass 2013-04-29 20:34:19 -04:00			`let(:post) do`
basic api support 2013-03-25 21:04:28 -04:00			`Fabricate(:post)`
			`end`
FIX: [security bug] XHR check bypass 2013-04-29 20:34:19 -04:00
Support for per-user API keys 2013-10-22 15:53:08 -04:00			`let(:api_key) { user.generate_api_key(user) }`
			`let(:master_key) { ApiKey.create_master_key }`

basic api support 2013-03-25 21:04:28 -04:00			`# choosing an arbitrarily easy to mock trusted activity`
			`it 'allows users with api key to bookmark posts' do`
FIX: [security bug] XHR check bypass 2013-04-29 20:34:19 -04:00			`PostAction.expects(:act).with(user, post, PostActionType.types[:bookmark]).once`
Support for per-user API keys 2013-10-22 15:53:08 -04:00			`put :bookmark, bookmarked: "true", post_id: post.id, api_key: api_key.key, format: :json`
Raise an error if a `api_username` is supplied and does not match the key 2013-10-23 11:05:49 -04:00			`response.should be_success`
			`end`

			`it 'raises an error with a user key that does not match an optionally specified username' do`
			`PostAction.expects(:act).with(user, post, PostActionType.types[:bookmark]).never`
			`put :bookmark, bookmarked: "true", post_id: post.id, api_key: api_key.key, api_username: 'made_up', format: :json`
			`response.should_not be_success`
Support for per-user API keys 2013-10-22 15:53:08 -04:00			`end`

			`it 'allows users with a master api key to bookmark posts' do`
			`PostAction.expects(:act).with(user, post, PostActionType.types[:bookmark]).once`
			`put :bookmark, bookmarked: "true", post_id: post.id, api_key: master_key.key, api_username: user.username, format: :json`
Raise an error if a `api_username` is supplied and does not match the key 2013-10-23 11:05:49 -04:00			`response.should be_success`
basic api support 2013-03-25 21:04:28 -04:00			`end`

			`it 'disallows phonies to bookmark posts' do`
FIX: [security bug] XHR check bypass 2013-04-29 20:34:19 -04:00			`PostAction.expects(:act).with(user, post, PostActionType.types[:bookmark]).never`
			`lambda do`
			`put :bookmark, bookmarked: "true", post_id: post.id, api_key: SecureRandom.hex(32), api_username: user.username, format: :json`
basic api support 2013-03-25 21:04:28 -04:00			`end.should raise_error Discourse::NotLoggedIn`
			`end`
FIX: [security bug] XHR check bypass 2013-04-29 20:34:19 -04:00
basic api support 2013-03-25 21:04:28 -04:00			`it 'disallows blank api' do`
FIX: [security bug] XHR check bypass 2013-04-29 20:34:19 -04:00			`PostAction.expects(:act).with(user, post, PostActionType.types[:bookmark]).never`
			`lambda do`
			`put :bookmark, bookmarked: "true", post_id: post.id, api_key: "", api_username: user.username, format: :json`
basic api support 2013-03-25 21:04:28 -04:00			`end.should raise_error Discourse::NotLoggedIn`
			`end`
			`end`
			`end`