Users & Auth

test/controllers/v1/authentication_controller_test.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+
+class AuthenticationControllerTest < ActionDispatch::IntegrationTest
+  setup do
+    @user = users(:admin)
+  end
+
+  test "should return token" do
+    post v1_authenticate_url, params: { email: @user.email, password: 'password' }
+    assert_response :success
+  end
+
+  test "should fail auth" do
+    post v1_authenticate_url, params: { email: @user.email, password: 'BAD PASSWORD' }
+    assert_response :unauthorized
+  end
+end

test/controllers/v1/users_controller_test.rb

@@ -0,0 +1,68 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+
+class UsersControllerTest < ActionDispatch::IntegrationTest
+  test "admin can list users" do
+    get v1_users_url, headers: auth_headers(users(:admin))
+
+    assert_response :success
+  end
+
+  test "admin can create user" do
+    assert_difference('User.count') do
+      post v1_users_url, params: { user: {
+        display_name: 'some user',
+        email: 'new.user@mailinator.com',
+        password: 'password',
+        password_confirmation: 'password'
+      } }, headers: auth_headers(users(:admin))
+    end
+
+    assert_response :created
+  end
+
+  test "admin can view users" do
+    get v1_user_url(users(:admin)), headers: auth_headers(users(:admin))
+
+    assert_response :success
+  end
+
+  test "admin can update user" do
+    patch v1_user_url(users(:admin)), params: { user: {
+      display_name: 'I am admin'
+    } }, headers: auth_headers(users(:admin))
+
+    assert_response :ok
+  end
+
+  test "admin can destroy user" do
+    assert_difference('User.count', -1) do
+      delete v1_user_url(users(:admin)), headers: auth_headers(users(:admin))
+    end
+
+    assert_response :no_content
+  end
+
+  test "author can view herself" do
+    get v1_user_url(users(:author)), headers: auth_headers(users(:author))
+
+    assert_response :success
+  end
+
+  test "author can update herself" do
+    patch v1_user_url(users(:author)), params: { user: {
+      display_name: 'I am author!'
+    } }, headers: auth_headers(users(:author))
+
+    assert_response :ok
+  end
+
+  test "sally CANNOT update phil" do
+    patch v1_user_url(users(:author)), params: { user: {
+      display_name: 'I am author!'
+    } }, headers: auth_headers(users(:sally))
+
+    assert_response :unauthorized
+  end
+end

test/fixtures/users.yml

@@ -0,0 +1,42 @@
+# == Schema Information
+#
+# Table name: users
+#
+#  id              :integer          not null, primary key
+#  display_name    :string           not null
+#  email           :string           not null
+#  password_digest :string           not null
+#  role            :integer          default("author"), not null
+#  created_at      :datetime         not null
+#  updated_at      :datetime         not null
+#
+# Indexes
+#
+#  index_users_on_email  (email)
+#
+
+# Read about fixtures at http://api.rubyonrails.org/classes/ActiveRecord/FixtureSet.html
+
+admin:
+  display_name: Awesome Admin
+  email: awesome.admin@mailinator.com
+  password_digest: <%= BCrypt::Password.create("password", cost: 4) %>
+  role: admin
+
+author:
+  display_name: lePhil
+  email: lephil@mailinator.com
+  password_digest: <%= BCrypt::Password.create("password", cost: 4) %>
+  role: author
+
+sally:
+  display_name: Sally String
+  email: sally.string@mailinator.com
+  password_digest: <%= BCrypt::Password.create("password", cost: 4) %>
+  role: author
+
+michelle:
+  display_name: Mighty Michelle
+  email: mighty.michelle@mailinator.com
+  password_digest: <%= BCrypt::Password.create("password", cost: 4) %>
+  role: author

test/models/user_test.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+
+class UserTest < ActiveSupport::TestCase
+  test "higer roles can act as lower roles" do
+    assert users(:admin).acts_as_admin?
+    assert users(:admin).acts_as_author?
+
+    assert users(:author).acts_as_author?
+  end
+
+  test "lower roles can NOT act as higher roles" do
+    assert_not users(:author).acts_as_admin?
+  end
+end

test/policies/application_policy_test.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+
+class ApplicationPolicyTest < PolicyAssertions::Test
+  # Verify default policies are most restrictive
+
+  test 'should not permit by default' do
+    admin = users(:admin)
+    assert_not ApplicationPolicy.new(admin, nil).show?
+    assert_not ApplicationPolicy.new(admin, nil).index?
+    assert_not ApplicationPolicy.new(admin, nil).create?
+    assert_not ApplicationPolicy.new(admin, nil).new?
+    assert_not ApplicationPolicy.new(admin, nil).update?
+    assert_not ApplicationPolicy.new(admin, nil).edit?
+    assert_not ApplicationPolicy.new(admin, nil).destroy?
+  end
+end

test/policies/user_policy_test.rb

@@ -0,0 +1,94 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+
+class UserPolicyTest < PolicyAssertions::Test
+  test 'must authenticate for actions' do
+    assert_raise Pundit::NotAuthorizedError do
+      %w[create show update destroy].each do |action|
+        UserPolicy.new(nil, User.new).send("#{action}?")
+      end
+    end
+  end
+
+  test 'should allow admin to scope' do
+    scope = UserPolicy::Scope.new(users(:admin), User).resolve
+    assert_equal User.count, scope.count
+  end
+
+  test 'non admins can only scope themselves' do
+    %i[author].each do |user|
+      scope = UserPolicy::Scope.new(users(user), User).resolve
+      assert_equal 1, scope.count, "Scope did not have 1 result for #{user}"
+      assert_equal users(user), scope.first, "Scope did not contain self for #{user}"
+    end
+  end
+
+  test 'admins have role in permitted params' do
+    policy = UserPolicy.new users(:admin), nil
+    assert policy.permitted_attributes.include?(:role)
+  end
+
+  test 'non-admins can not edit roles' do
+    %i[author].each do |user|
+      policy = UserPolicy.new users(user), nil
+      assert_not policy.permitted_attributes.include?(:role)
+    end
+  end
+
+  # create
+  test 'only admins can create' do
+    assert_permit users(:admin), User, :create?
+
+    %i[author].each do |user|
+      assert_not_permitted users(user), User, :create?
+    end
+  end
+
+  # delete
+  test 'only admins can destroy' do
+    assert_permit users(:admin), User, :destroy?
+
+    %i[author].each do |user|
+      assert_not_permitted users(user), User, :destroy?
+    end
+  end
+
+  # show
+  test 'admin can view any role' do
+    %i[admin author].each do |user|
+      assert_permit users(:admin), users(user), :show?
+    end
+  end
+
+  test 'non-admins can view themselves' do
+    %i[author].each do |user|
+      assert_permit users(user), users(user), :show?
+    end
+  end
+
+  test 'author roles can only view themselves' do
+    %i[admin sally michelle].each do |user|
+      assert_not_permitted users(:author), users(user), :show?
+    end
+  end
+
+  # updates
+  test 'admin can update any role' do
+    %i[admin author].each do |user|
+      assert_permit users(:admin), users(user), :update?
+    end
+  end
+
+  test 'non-admins can update themselves' do
+    %i[author].each do |user|
+      assert_permit users(user), users(user), :update?
+    end
+  end
+
+  test 'authors can not update other roles' do
+    %i[admin sally michelle].each do |user|
+      assert_not_permitted users(:author), users(user), :update?
+    end
+  end
+end