assert_response 403
end
- test "specimens token can see exactly owned specimens" do
- get_args = {params: {}, headers: auth(:active_specimens)}
- get(v1_url('specimens'), **get_args)
+ test "collections token can see exactly owned collections" do
+ get_args = {params: {}, headers: auth(:active_all_collections)}
+ get(v1_url('collections'), **get_args)
assert_response 403
- get(v1_url('specimens', specimens(:owned_by_active_user).uuid), **get_args)
+ get(v1_url('collections', collections(:collection_owned_by_active).uuid), **get_args)
assert_response :success
- head(v1_url('specimens', specimens(:owned_by_active_user).uuid), **get_args)
+ head(v1_url('collections', collections(:collection_owned_by_active).uuid), **get_args)
assert_response :success
- get(v1_url('specimens', specimens(:owned_by_spectator).uuid), **get_args)
+ get(v1_url('collections', collections(:collection_owned_by_foo).uuid), **get_args)
assert_includes(403..404, @response.status)
end
token_count = get_token_count
# Test the POST scope.
post(v1_url('api_client_authorizations'),
- params: {api_client_authorization: {user_id: users(:active).id}},
+ params: {api_client_authorization: {owner_uuid: users(:active).uuid}},
headers: auth(:active_apitokens))
assert_response :success
assert_equal(token_count + 1, get_token_count,