about summary refs log tree commit diff
path: root/spec
diff options
context:
space:
mode:
authorEugen Rochko <eugen@zeonfederated.com>2019-06-04 20:10:26 +0200
committerGitHub <noreply@github.com>2019-06-04 20:10:26 +0200
commit48fee1a800a262ce26171d724c15738d083eb6d6 (patch)
tree83ffc708e37db457e65b14386eb7e9d348417a66 /spec
parent6077eca240d3dc8765380c99896d85ab6e9c4ea9 (diff)
Fix poll API not requiring authentication on non-public polls (#10960)
* Fix poll API not requiring authentication on non-public polls

That API does not reveal the content of the status, i.e. the question
itself, nor who the author is, nor which status it belongs to, but it
does reveal the poll options and how many answers they got

Fix #10959

* Add test
Diffstat (limited to 'spec')
-rw-r--r--spec/controllers/api/v1/polls_controller_spec.rb18
1 files changed, 15 insertions, 3 deletions
diff --git a/spec/controllers/api/v1/polls_controller_spec.rb b/spec/controllers/api/v1/polls_controller_spec.rb
index 2b8d5f3ef..851bccb7e 100644
--- a/spec/controllers/api/v1/polls_controller_spec.rb
+++ b/spec/controllers/api/v1/polls_controller_spec.rb
@@ -10,14 +10,26 @@ RSpec.describe Api::V1::PollsController, type: :controller do
   before { allow(controller).to receive(:doorkeeper_token) { token } }
 
   describe 'GET #show' do
-    let(:poll) { Fabricate(:poll) }
+    let(:poll) { Fabricate(:poll, status: Fabricate(:status, visibility: visibility)) }
 
     before do
       get :show, params: { id: poll.id }
     end
 
-    it 'returns http success' do
-      expect(response).to have_http_status(200)
+    context 'when parent status is public' do
+      let(:visibility) { 'public' }
+
+      it 'returns http success' do
+        expect(response).to have_http_status(200)
+      end
+    end
+
+    context 'when parent status is private' do
+      let(:visibility) { 'private' }
+
+      it 'returns http not found' do
+        expect(response).to have_http_status(404)
+      end
     end
   end
 end