From 17917528f62147c51d908b97ab24e0c47d44d807 Mon Sep 17 00:00:00 2001
From: Raphael Sofaer
Date: Mon, 27 Jun 2011 12:31:47 -0700
Subject: [PATCH] IZ, RS, Move AS::Photo controller spec into integration so that rack middleware is run. Make auth failure return 401 rather than 302.

---
 .../activity_streams/photos_controller.rb | 32 +++++++++++++++----
 .../photos_controller_spec.rb | 29 ++++++++++-------
 2 files changed, 42 insertions(+), 19 deletions(-)
 rename spec/{controllers => integration}/activity_streams/photos_controller_spec.rb (66%)

diff --git a/app/controllers/activity_streams/photos_controller.rb b/app/controllers/activity_streams/photos_controller.rb
index be0d6c07f..64019dac7 100644
--- a/app/controllers/activity_streams/photos_controller.rb
+++ b/app/controllers/activity_streams/photos_controller.rb
@@ -3,8 +3,28 @@
 # the COPYRIGHT file.
 
 class ActivityStreams::PhotosController < ApplicationController
-  authenticate_with_oauth
-  before_filter :set_user_from_oauth
+  class AuthenticationFilter
+    def initialize(scope = nil)
+      @scope = scope
+    end
+
+    def filter(controller, &block)
+      if controller.params[:auth_token]
+        if controller.current_user
+          yield
+        else
+          controller.fail!
+        end
+      else
+        controller.request.env['oauth2'].authenticate_request! :scope => @scope do |*args|
+          controller.sign_in controller.request.env['oauth2'].resource_owner
+          block.call(*args)
+        end
+      end
+    end
+  end
+
+  around_filter AuthenticationFilter.new
   skip_before_filter :verify_authenticity_token, :only => :create
   respond_to :json
 
@@ -39,10 +59,8 @@ class ActivityStreams::PhotosController < ApplicationController
     end
     respond_with @photo
   end
-  def current_user
-    @user
-  end
-  def set_user_from_oauth
-    @user = request.env['oauth2'].resource_owner
+
+  def fail!
+    render :nothing => true, :status => 401
   end
 end
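Review bot: In the OAuth branch of `filter`, `controller.sign_in controller.request.env['oauth2'].resource_owner` turns a bearer-token request into a Devise/Warden login, and unless the app's Devise configuration says otherwise that stores the user in the session, so a response to an API call that carried only an access token would also set a session cookie. If stateless token access is the intent, `controller.sign_in controller.request.env['oauth2'].resource_owner, :store => false` keeps the current-user lookup for this request without persisting it; the `auth_token` branch raises the same question, since it relies on whatever Devise's token strategy did before this filter ran. The two branches also hand the block on differently, `yield` in the first and `block.call(*args)` in the second; one form would read better. A comment above `class AuthenticationFilter` saying that it accepts either a Devise `auth_token` param or an OAuth2 bearer token checked against `@scope`, and that both failure paths answer 401, would help the next reader.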
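Review bot: `fail!` is added as a public instance method of the controller, and in this Rails 3-era codebase (it uses `before_filter`/`around_filter`) every public instance method of a controller is treated as an action, so it could be dispatched if a route ever maps to it. The filter calls it with an explicit receiver, so it cannot simply move below `private`; `hide_action :fail!` after the definition, or making it private and calling `controller.send(:fail!)` from the filter, keeps it out of the action set. If the OAuth layer does not already add one on its own failure path, a 401 from here should also name the expected scheme, e.g. `response.headers['WWW-Authenticate'] = 'Bearer'` before the `render`. A one-line comment such as `# Renders an empty 401; called by AuthenticationFilter when no credentials are accepted.` would document why the method exists.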
diff --git a/spec/controllers/activity_streams/photos_controller_spec.rb b/spec/integration/activity_streams/photos_controller_spec.rb
similarity index 66%
rename from spec/controllers/activity_streams/photos_controller_spec.rb
rename to spec/integration/activity_streams/photos_controller_spec.rb
index 8cbea264d..e95a3ae4e 100644
--- a/spec/controllers/activity_streams/photos_controller_spec.rb
+++ b/spec/integration/activity_streams/photos_controller_spec.rb
@@ -30,24 +30,29 @@ describe ActivityStreams::PhotosController do
       }
     }
 JSON
+    @url = activity_streams_photos_path
   end
 
   it 'allows oauth authentication' do
     token = Factory(:oauth_access_token)
-    get :create, @json.merge!(:oauth_token => token.access_token)
+    post @url, @json.merge!(:oauth_token => token.access_token)
     response.should be_success
   end
-  # It is unclear why this test fails. An equivalent cucumber feature passes in features/logs_in_and_out.feature.
-=begin
-  it 'does not store a session' do
-    bob.reset_authentication_token!
-    get :create, @json.merge!(:auth_token => bob.authentication_token)
-    photo = ActivityStreams::Photo.where(:author_id => bob.person.id).first
-    warden.should be_authenticated
-    get :show, :id => photo.id
-    warden.should_not be_authenticated
-    response.should redirect_to new_user_session_path
+  it 'denies an invalid oauth token' do
+    post @url, @json.merge!(:oauth_token => "aoijgosidjg")
+    response.status.should == 401
+    response.body.should be_empty
+  end
+
+  it 'allows token authentication' do
+    bob.reset_authentication_token!
+    post @url, @json.merge!(:auth_token => bob.authentication_token)
+    response.should be_success
+  end
+
+  it 'correctly denies an invalid token' do
+    post @url, @json.merge!(:auth_token => "iudsfghpsdifugh")
+    response.status.should == 401
   end
-=end
 end
 end
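Review bot: The removed `does not store a session` example has no replacement: the three new examples assert only the status of the credentialed request, so whether a `post` with `auth_token` or `oauth_token` leaves a Warden session behind is no longer covered, and that is exactly the behaviour the move to the integration layer now makes testable. A second request to a protected path in the same example, sent with no credentials and asserting `response.status.should == 401`, would carry that check forward. Separately, `correctly denies an invalid token` asserts only the status while its OAuth counterpart also asserts `response.body.should be_empty`; making the two symmetrical is cheap.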