Add shared example for testing api admin mode
What does this MR do and why?
As you surely know API admin mode. You can find the issue with all the information here.
The implementation plan is here
This MR is a follow up of !108690 (merged)
This MR adds a shared example which is used to check access to resources via API calls. Four HTTP methods (`get`, `put`, `delete` and `post`) are covered. Additionally, two tests are adapted as an example.
The following table shows all possible cases for a user authorized as a regular user:

| admin mode | http method | outcome (status) |
|---|---|---|
| true | GET | :forbidden |
| false | GET | :forbidden |
| true | POST | :forbidden |
| false | POST | :forbidden |
| true | PUT | :forbidden |
| false | PUT | :forbidden |
| true | DELETE | :forbidden |
| false | DELETE | :forbidden |
Now all possible cases for a user authorized as admin:

| admin mode | http method | outcome (status) |
|---|---|---|
| true | GET | :ok |
| false | GET | :forbidden |
| true | POST | :created |
| false | POST | :forbidden |
| true | PUT | :ok |
| false | PUT | :forbidden |
| true | DELETE | :no_content |
| false | DELETE | :forbidden |
A simple example would be:

```ruby
get api("/application/appearance", admin, admin_mode: false)
```

resulting in `:forbidden`.
In `spec/spec_helper.rb` there is an array named `admin_mode_for_api_feature_flag_paths`, which lists all tests that have to be adjusted to fit API admin mode.
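To make the two outcome tables concrete, here is an added, self-contained Ruby model of the check the shared example performs. It is not code from this MR or from GitLab: `SECURE_ENDPOINT`, `LEGACY_ENDPOINT`, `User` and `admin_mode_violations` are hypothetical stand-ins for the API layer and the request spec, and the expected statuses are taken from the tables above. `LEGACY_ENDPOINT` only checks the admin role and ignores admin mode, which is exactly the gap the shared example is meant to surface.

```ruby
# Added example, not GitLab's code. Models the API admin-mode policy that the
# shared example above checks: an admin-only endpoint succeeds only when the
# caller is an admin AND admin mode is active for the session.

# Success status per HTTP method, mirroring the "authorized as admin" table.
SUCCESS_STATUS = { get: :ok, post: :created, put: :ok, delete: :no_content }.freeze

User = Struct.new(:username, :admin, keyword_init: true)

# Constructed sample users (hypothetical, not fixtures from the project).
ADMIN_USER   = User.new(username: "root", admin: true)
REGULAR_USER = User.new(username: "alice", admin: false)

# Hypothetical endpoint that enforces admin mode correctly:
# non-admins are always forbidden, admins are forbidden unless admin mode is on.
SECURE_ENDPOINT = lambda do |method, user, admin_mode:|
  raise ArgumentError, "unknown method #{method}" unless SUCCESS_STATUS.key?(method)
  return :forbidden unless user.admin && admin_mode
  SUCCESS_STATUS[method]
end

# Hypothetical endpoint that predates admin mode: it only checks the admin
# role, so an admin session without admin mode is still let through.
LEGACY_ENDPOINT = lambda do |method, user, admin_mode:|
  raise ArgumentError, "unknown method #{method}" unless SUCCESS_STATUS.key?(method)
  return :forbidden unless user.admin
  SUCCESS_STATUS[method]
end

# Expected status for one (user, admin_mode, method) combination, i.e. one row
# of the two tables above.
def expected_status(user, admin_mode, method)
  user.admin && admin_mode ? SUCCESS_STATUS[method] : :forbidden
end

# Runs the full (admin_mode x method) matrix against an endpoint, the way the
# shared example iterates it, and returns the [admin_mode, method] pairs whose
# observed status differs from the table. Empty means admin mode is enforced.
def admin_mode_violations(endpoint, user)
  [true, false].product(SUCCESS_STATUS.keys).reject do |admin_mode, method|
    endpoint.call(method, user, admin_mode: admin_mode) == expected_status(user, admin_mode, method)
  end
end

if __FILE__ == $PROGRAM_NAME
  [SECURE_ENDPOINT, LEGACY_ENDPOINT].zip(%w[secure legacy]).each do |endpoint, name|
    [ADMIN_USER, REGULAR_USER].each do |user|
      puts "#{name} endpoint, #{user.username}: violations #{admin_mode_violations(endpoint, user).inspect}"
    end
  end
end
```

Run it with `ruby admin_mode_matrix.rb`: the secure endpoint reports no violations for either user, while the legacy endpoint reports four violations for the admin user, one per HTTP method, all with `admin_mode: false`. The regular user never reveals the difference, which is why the shared example has to cover the admin user with admin mode disabled and not just the non-admin case.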
How to set up and validate locally

- Run `bin/rspec spec/requests/api/appearance_spec.rb` => green
- Run `bin/rspec spec/requests/api/applications_spec.rb` => green
MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

- I have evaluated the MR acceptance checklist for this MR.