
Restrict access to API update endpoint

This commit is contained in:
Daniel Barber 2018-02-21 22:03:30 -05:00
parent 3f3943ee5d
commit 7d31ebdc98
Signed by: danbarber
GPG Key ID: 931D8112E0103DD8
2 changed files with 32 additions and 4 deletions


@ -17,8 +17,16 @@ defmodule ChessWeb.Api.GameController do
end end
def update(conn, %{"id" => id, "move" => move_params}) do def update(conn, %{"id" => id, "move" => move_params}) do
game = Repo.get!(Game, id) query =
changeset = Game.changeset(game, %{board: new_board(game.board, move_params)}) from(game in Game, preload: [:user, :opponent])
|> Game.for_user(current_user(conn))
game =
query
|> Repo.get!(id)
changeset = Game.changeset(
game, %{board: new_board(game.board, move_params)}
)
case Repo.update(changeset) do case Repo.update(changeset) do
{:ok, game} -> {:ok, game} ->


@ -31,7 +31,7 @@ defmodule Chess.ApiGameControllerTest do
|> login(other_user) |> login(other_user)
assert_error_sent 404, fn -> assert_error_sent 404, fn ->
get conn, api_game_path(conn, :show, game.id) get(conn, api_game_path(conn, :show, game.id))
end end
end end
@ -47,12 +47,32 @@ defmodule Chess.ApiGameControllerTest do
assert json_response(conn, 403) assert json_response(conn, 403)
end end
test "does not update a game if the user is not a player", %{conn: conn} do
user = create_user()
opponent = create_user("revali", "vahmedoh")
game = create_game_for(user, opponent)
other_user = create_user("mipha", "ilovelink")
conn =
conn
|> login(other_user)
assert_error_sent 404, fn ->
patch(
conn,
api_game_path(conn, :update, game.id),
%{move: %{from: [1, 1], to: [2, 1]}}
)
end
end
test "renders page not found when id is nonexistent", %{conn: conn} do test "renders page not found when id is nonexistent", %{conn: conn} do
user = create_user() user = create_user()
conn = login(conn, user) conn = login(conn, user)
assert_error_sent 404, fn -> assert_error_sent 404, fn ->
get conn, api_game_path(conn, :show, -1) get(conn, api_game_path(conn, :show, -1))
end end
end end
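Review bot: The new test "does not update a game if the user is not a player" only checks that the request raises a 404; it never verifies its own claim that the game was not updated, so a regression that scopes the lookup after the write would still pass. After the `assert_error_sent` block, reload the row and compare the board, e.g. `assert Repo.get!(Game, game.id).board == game.board` (or the equivalent helper this test module uses, since the `Repo`/`Game` aliases are not visible in the hunk). The move payload `%{from: [1, 1], to: [2, 1]}` is a reasonable legal-looking move, which is what you want here so the failure is attributable to authorisation rather than move validation.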