Shared RSpec examples for checking role-based access control on an API controller (every role in User::ROLES is exercised against every action, plus one unauthenticated request).
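# Shared examples asserting the role-based access policy of a v1 API controller.
#
# For every action listed in +endpoints+ and for every role in User::ROLES, an
# example requests the action as a user of that role (via a Doorkeeper access
# token) and expects a 2xx for roles named in the action's :roles list — plus
# 'admin', which is always treated as allowed — and a 4xx for every other role.
# A final example sends no access token at all and expects a 401.
#
# +endpoints+ is an array of hashes keyed by action name; each value may set
#   :roles   - roles allowed to call the action (default: none, i.e. admin only)
#   :request - HTTP verb to send (default: :get)
#   :with    - extra request parameters, e.g. { id: 1 }
#
# NOTE: the action itself is stubbed (see the `allow(subject).to receive(action)`
# line) so only the controller's before-filters run. Authorization performed
# inside the action body (e.g. an `authorize!` after loading a record) is NOT
# exercised by these examples and needs its own coverage.
shared_examples_for "a secure v1 api" do |endpoints|
  endpoints.each do |endpoint|
    endpoint.each do |action, data|
      http_method = data[:request] || :get
      # Build a fresh array instead of appending to the caller's :roles array in
      # place: the previous `roles << 'admin'` mutated the hash the spec passed
      # in, so a shared endpoint table would accumulate 'admin' on every use.
      allowed_roles = Array(data[:roles]) + ['admin']
      base_params = (data[:with] || {}).merge(format: 'json')

      describe "#{http_method}: #{action}" do
        User::ROLES.each do |role|
          authorized = allowed_roles.include?(role)
          expected_response = authorized ? "success" : "failure"

          it "returns #{expected_response} for #{role}" do
            user = FactoryGirl.create(:user, role.to_sym)
            token = FactoryGirl.create(:doorkeeper_access_token, resource_owner_id: user.id)
            # merge, not merge!: the shared hash must not be mutated, otherwise
            # later examples — including the unauthenticated one below — would
            # send a stale access_token left behind by an earlier example.
            params = base_params.merge(access_token: token.token)
            # Stub the action so the request stops at the before-filters; a 200
            # here means the filters let this role through.
            allow(subject).to receive(action) { subject.render nothing: true, status: 200 }
            send(http_method, action, params)

            if authorized
              expect(response).to be_success, "#{http_method} #{action} when authorized as '#{role}' response was #{response.status}"
            else
              # Require a 4xx rather than merely "not 2xx": with the original
              # `to_not be_success` a 500 (or a redirect to a login page) would
              # have counted as a successful denial and masked a real defect.
              expect(400..499).to cover(response.status), "#{http_method} #{action} when NOT authorized (logged in as '#{role}') response was #{response.status}"
            end
          end
        end

        it "returns 401 when not authenticated" do
          # No access_token is sent at all (base_params is never mutated above).
          send(http_method, action, base_params)
          expect(response.response_code).to eq(401)
        end
      end
    end
  end
end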
# Usage: declare each action with the roles allowed to call it (admin is always added by the shared example)
# Example of wiring the shared examples into a controller spec. Each key is an
# action; :roles lists who may call it (the shared example always adds 'admin'),
# :request the verb (defaults to :get) and :with any route parameters.
describe Api::V1::SomeController do
  describe "Security" do
    endpoints = {
      update: { roles: %w[hr], request: :put, with: { id: 1 } },
      create: { roles: %w[hr], request: :post },
      show:   { roles: %w[hr employee], with: { id: 1 } },
      index:  { roles: %w[hr employee] }
    }
    it_should_behave_like "a secure v1 api", [endpoints]
  end
end