Allow users allowed to view work packages to (un-)watch via API v3 (WIP)

TODO better code style
pull/1611/head
Till Breuer 10 years ago
parent 1c36b1c5e0
commit 7ae0edd315
  1. 12
      lib/api/v3/work_packages/watchers_api.rb
  2. 42
      spec/api/watcher_resource_spec.rb

@ -10,7 +10,11 @@ module API
end
post do
authorize(:add_work_package_watchers, context: @work_package.project)
if current_user.id == params[:user_id].to_i
authorize(:view_work_packages, context: @work_package.project)
else
authorize(:add_work_package_watchers, context: @work_package.project)
end
user = User.find params[:user_id]
@ -32,7 +36,11 @@ module API
namespace ':user_id' do
delete do
authorize(:delete_work_package_watchers, context: @work_package.project)
if current_user.id == params[:user_id]
authorize(:view_work_packages, context: @work_package.project)
else
authorize(:delete_work_package_watchers, context: @work_package.project)
end
user = User.find_by_id params[:user_id]

@ -67,14 +67,25 @@ describe 'API v3 Watcher resource' do
end
context 'unauthorized user' do
let(:current_user) { unauthorized_user }
context 'when the current user is trying to assign another user as watcher' do
let(:current_user) { unauthorized_user }
it 'should respond with 403' do
expect(subject.status).to eq(403)
it 'should respond with 403' do
expect(subject.status).to eq(403)
end
it 'should respond with explanatory error message' do
expect(subject.body).to include_json('not_authorized'.to_json).at_path('title')
end
end
it 'should respond with explanatory error message' do
expect(subject.body).to include_json('not_authorized'.to_json).at_path('title')
context 'when the current user tries to watch the work package her- or himself' do
let(:current_user) { available_watcher }
let(:new_watcher) { available_watcher }
it 'should respond with 201' do
expect(subject.status).to eq(201)
end
end
end
end
@ -116,14 +127,25 @@ describe 'API v3 Watcher resource' do
end
context 'unauthorized user' do
let(:current_user) { unauthorized_user }
context 'when the current user tries to deassign another user from the work package watchers' do
let(:current_user) { unauthorized_user }
it 'should respond with 403' do
expect(subject.status).to eq(403)
end
it 'should respond with 403' do
expect(subject.status).to eq(403)
it 'should respond with explanatory error message' do
expect(subject.body).to include_json('not_authorized'.to_json).at_path('title')
end
end
it 'should respond with explanatory error message' do
expect(subject.body).to include_json('not_authorized'.to_json).at_path('title')
context 'when the current user tries to watch the work package her- or himself' do
let(:current_user) { watcher }
let(:new_watcher) { watcher }
it 'should respond with 204' do
expect(subject.status).to eq(204)
end
end
end

Loading…
Cancel
Save