show API が提供する情報が許可されたものであるかをテストするテスト作成

fjordllc · Feb 4, 2025 · 43ca3d7 · 43ca3d7
1 parent 6c58a9a
commit 43ca3d7
Showing 1 changed file with 53 additions and 0 deletions.
diff --git a/test/integration/api/users_test.rb b/test/integration/api/users_test.rb
@@ -5,6 +5,14 @@
 class API::UsersTest < ActionDispatch::IntegrationTest
   fixtures :users
 
+  def setup
+    @application = Doorkeeper::Application.create!(
+      name: 'Sample Application',
+      redirect_uri: 'https://example.com/callback',
+      scopes: 'read'
+    )
+  end
+
   test 'GET /api/users.json' do
     get api_users_path(format: :json)
     assert_response :unauthorized
@@ -80,4 +88,49 @@ class API::UsersTest < ActionDispatch::IntegrationTest
     assert_response :ok
     assert_nil(JSON.parse(@response.body)['mentor_memo'])
   end
+
+  test 'returns only authorized user information for admin user with doorkeeper token' do
+    user = users(:komagata)
+    doorkeeper_token = Doorkeeper::AccessToken.create!(
+      application_id: @application.id,
+      resource_owner_id: user.id,
+      scopes: 'read'
+    )
+    get api_user_path(id: 'show'), headers: { Authorization: "Bearer #{doorkeeper_token.token}", Accept: 'application/json' }
+    assert_response :ok
+
+    response_body = JSON.parse(@response.body)
+    authorized_keys = %w[id login_name email long_name url roles primary_role icon_title adviser avatar_url company]
+    assert_equal authorized_keys.sort, response_body.keys.sort
+  end
+
+  test 'returns only authorized user information for authorized mentor with doorkeeper token' do
+    user = users(:mentormentaro)
+    doorkeeper_token = Doorkeeper::AccessToken.create!(
+      application_id: @application.id,
+      resource_owner_id: user.id,
+      scopes: 'read'
+    )
+    get api_user_path(id: 'show'), headers: { Authorization: "Bearer #{doorkeeper_token.token}", Accept: 'application/json' }
+    assert_response :ok
+
+    response_body = JSON.parse(@response.body)
+    authorized_keys = %w[id login_name email long_name url roles primary_role icon_title adviser avatar_url]
+    assert_equal authorized_keys.sort, response_body.keys.sort
+  end
+
+  test 'returns only authorized user information for student with doorkeeper token' do
+    user = users(:hatsuno)
+    doorkeeper_token = Doorkeeper::AccessToken.create!(
+      application_id: @application.id,
+      resource_owner_id: user.id,
+      scopes: 'read'
+    )
+    get api_user_path(id: 'show'), headers: { Authorization: "Bearer #{doorkeeper_token.token}", Accept: 'application/json' }
+    assert_response :ok
+
+    response_body = JSON.parse(@response.body)
+    authorized_keys = %w[id login_name email long_name url roles primary_role icon_title adviser avatar_url]
+    assert_equal authorized_keys.sort, response_body.keys.sort
+  end
 end