Fix poll API not requiring authentication on non-public polls (#10960)

* Fix poll API not requiring authentication on non-public polls That API does not reveal the content of the status, i.e. the question itself, nor who the author is, nor which status it belongs to, but it does reveal the poll options and how many answers they got Fix #10959 * Add test
2019-06-04 20:10:26 +02:00 · 2019-06-04 20:10:26 +02:00 · 48fee1a800
commit 48fee1a800
parent 6077eca240
2 changed files with 32 additions and 5 deletions
--- a/spec/controllers/api/v1/polls_controller_spec.rb
+++ b/spec/controllers/api/v1/polls_controller_spec.rb
@ -10,14 +10,26 @@ RSpec.describe Api::V1::PollsController, type: :controller do
  before { allow(controller).to receive(:doorkeeper_token) { token } }

  describe 'GET #show' do
-    let(:poll) { Fabricate(:poll) }
+    let(:poll) { Fabricate(:poll, status: Fabricate(:status, visibility: visibility)) }

    before do
      get :show, params: { id: poll.id }
    end

-    it 'returns http success' do
-      expect(response).to have_http_status(200)
+    context 'when parent status is public' do
+      let(:visibility) { 'public' }
+
+      it 'returns http success' do
+        expect(response).to have_http_status(200)
+      end
+    end
+
+    context 'when parent status is private' do
+      let(:visibility) { 'private' }
+
+      it 'returns http not found' do
+        expect(response).to have_http_status(404)
+      end
    end
  end
 end