Skip to content

Add shared example for testing api admin mode

What does this MR do and why?

As you surley know 😆 we are about to finish the api admin mode. You can find the issue with all informations here

The implementation plan is here

This MR is a follow up of !108690 (merged)

This MR includes the addition of a shared example which is used to check access to resources via api calls. Four HTTP methods get, put, delete and post are covered. Additionally two tests are adapted as an example.

The following table shows all possible cases for a user authorized as regular user

admin mode http method outcome (status)
true GET :forbidden
false GET :forbidden
true POST :forbidden
false POST :forbidden
true PUT :forbidden
false PUT :forbidden
true DELETE :forbidden
false DELETE :forbidden

Now all possible cases for a user authorized as admin

admin mode http method outcome (status)
true GET :ok
false GET :forbidden
true POST :created
false POST :forbidden
true PUT :ok
false PUT :forbidden
true DELETE :no_content
false DELETE :forbidden

A simple example would be:

get api("/application/appearance", admin, admin_mode: false) Resulting in :forbidden

In spec/spec_helper.rb is an array named admin_mode_for_api_feature_flag_paths. There are all tests listed which have to be adjusted to fit api admin mode

🛠 with at Siemens

How to set up and validate locally

  1. Run bin/rspec spec/requests/api/appearance_spec.rb => green
  2. Run bin/rspec spec/requests/api/applications_spec.rb => green

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Andreas Deicha

Merge request reports

Loading