Merge branch 'development' into centralize-error-handling

Author: begedin

Gemfile

@@ -10,6 +10,7 @@ gem 'rails-api'
 gem 'spring', :group => :development
 
 gem 'rack-cors'
+gem "paranoia", "~> 2.0"
 
 gem 'pg'
 gem 'active_model_serializers', github: 'rails-api/active_model_serializers'
@@ -19,6 +20,7 @@ gem 'devise'
 gem 'simple_token_authentication', '~> 1.0'
 gem 'cancancan'
 gem 'stripe', '1.20.1'
+gem 'has_secure_token'
 
 group :development, :test do
   gem 'pry-rails'

Gemfile.lock

@@ -72,6 +72,8 @@ GEM
       railties (>= 3.0.0)
     globalid (0.3.5)
       activesupport (>= 4.1.0)
+    has_secure_token (1.0.0)
+      activerecord (>= 3.0)
     hashie (3.4.1)
     http-cookie (1.0.2)
       domain_name (~> 0.5)
@@ -95,6 +97,8 @@ GEM
     nokogiri (1.6.6.2)
       mini_portile (~> 0.6.0)
     orm_adapter (0.5.0)
+    paranoia (2.1.2)
+      activerecord (~> 4.0)
     pg (0.18.1)
     pry (0.10.1)
       coderay (~> 1.1.0)
@@ -199,7 +203,9 @@ DEPENDENCIES
   devise
   dotenv-rails
   factory_girl_rails
+  has_secure_token
   hashie
+  paranoia (~> 2.0)
   pg
   pry
   pry-rails

app/controllers/teams_controller.rb

@@ -1,4 +1,5 @@
 require 'team_playbook/scenario/create_team'
+require 'team_playbook/scenario/delete_team'
 require 'team_playbook/scenario/change_plan_for_team'
 require 'team_playbook/scenario/add_card_to_team'
 require 'errors/credit_card_required_error'
@@ -20,7 +21,12 @@ def create
   end
 
   def show
-    render json: current_team, status: 200
+    if has_team_subdomain?
+      authorize! :read, current_team
+      render json: current_team, status: 200
+    else
+      forbidden
+    end
   end
 
   def destroy
@@ -45,4 +51,4 @@ def team_params
   def credit_card_required
     render json: {error: "A credit card is required for a paid plan."}, status: :unprocessable_entity
   end
-end
+end

app/models/ability.rb

@@ -6,6 +6,7 @@ def initialize(user, team)
 
       current_users_team_membership_in_current_team = TeamMembership.find_by(team: team, user: user)
 
+      can :read, Team if current_users_team_membership_in_current_team.present?
       can :destroy, Team, owner: user
 
       can :create, TeamMembership, team: team if team.owner ==  user
@@ -15,4 +16,4 @@ def initialize(user, team)
       can :destroy, TeamMembership, team: team, user: user unless current_users_team_membership_in_current_team.owner?
     end
   end
-end
+end

app/models/team.rb

@@ -1,4 +1,6 @@
 class Team < ActiveRecord::Base
+  acts_as_paranoid
+
   validates :subdomain, presence: true, exclusion: { in: Settings.reserved_subdomains,
     message: "%{value} is not a valid subdomain." }
   validates :name, presence: true
@@ -13,4 +15,4 @@ class Team < ActiveRecord::Base
   delegate :name, to: :plan, prefix: true
   delegate :slug, to: :plan, prefix: true
 
-end
+end

app/models/user.rb

@@ -1,26 +1,12 @@
 class User < ActiveRecord::Base
+  has_secure_token :authentication_token
   acts_as_token_authenticatable
-  
+
   # Include default devise modules. Others available are:
   # :confirmable, :lockable, :timeoutable and :omniauthable
   devise :database_authenticatable, :registerable,
          :recoverable, :trackable, :validatable
 
-  before_save :ensure_authentication_token
-
   has_many :team_memberships
   has_many :teams, through: :team_memberships
-
-  def ensure_authentication_token
-    if authentication_token.blank?
-      self.authentication_token = generate_authentication_token
-    end
-  end
-
-  private
-
-  def generate_authentication_token
-    Devise.friendly_token
-  end
-
 end

db/migrate/20150518073824_add_deleted_at_to_teams.rb

@@ -0,0 +1,6 @@
+class AddDeletedAtToTeams < ActiveRecord::Migration
+  def change
+    add_column :teams, :deleted_at, :datetime
+    add_index :teams, :deleted_at
+  end
+end

db/schema.rb

@@ -11,7 +11,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 20150515071915) do
+ActiveRecord::Schema.define(version: 20150518073824) do
 
   # These are extensions that must be enabled in order to support this database
   enable_extension "plpgsql"
@@ -52,8 +52,11 @@
     t.integer  "owner_id"
     t.string   "stripe_customer_id"
     t.integer  "status",             default: 1
+    t.datetime "deleted_at"
   end
 
+  add_index "teams", ["deleted_at"], name: "index_teams_on_deleted_at", using: :btree
+
   create_table "users", force: :cascade do |t|
     t.string   "email",                  default: "", null: false
     t.string   "encrypted_password",     default: "", null: false

spec/api/teams_spec.rb

@@ -1,8 +1,55 @@
 require 'rails_helper'
 
 describe "Teams service" do
-  describe "POST to create" do
+  describe "GET /team" do
+    it "should return a 403 Forbidden when called from non-team subdomain" do
+      user = create(:user)
+      team = create(:team)
+
+      host! "www.example.com"
+
+      get "/team", {}, {"X-User-Email" => user.email, "X-User-Token" => user.authentication_token}
+
+      expect(response.code).to eq "403"
+    end
+
+    it "should return a 401 Not Authorized when called from a team subdomain by an unauthenticated user" do
+      team = create(:team)
+
+      host! "#{team.subdomain}.example.com"
+
+      get "/team"
+
+      expect(response.code).to eq "401"
+    end
+
+    it "should return a 401 Not Authorized when called from a team subdomain by an authenticated non-member of the team" do
+      user = create(:user)
+      team = create(:team)
+
+      host! "#{team.subdomain}.example.com"
+
+      get "/team", {}, {"X-User-Email" => user.email, "X-User-Token" => user.authentication_token}
+
+      expect(response.code).to eq "401"
+    end
+
+    it "should fetch the team when called from a team subdomain by an authenticated team member" do
+      member = create(:user)
+      team = create(:team)
+      team_membership = create(:team_membership, user: member, team: team, role: :member)
+
+      host! "#{team.subdomain}.example.com"
+
+      get "/team", {}, {"X-User-Email" => member.email, "X-User-Token" => member.authentication_token}
 
+      expect(response.code).to eq "200"
+      expect(json.data.subdomain).to eq team.subdomain
+      expect(json.data.name).to eq team.name
+    end
+  end
+
+  describe "POST to create" do
     before do
       create(:plan, slug: "free_plan", name: "Free Plan", amount: 0)
       create(:plan, slug: "pro_plan", name: "Pro Plan")
@@ -49,7 +96,6 @@
       get "/team", {}, {"X-User-Email" => user.email, "X-User-Token" => user.authentication_token}
       expect(json.data.plan_name).to eq "Free Plan"
     end
-
   end
 
   describe "Post to change_plan" do
@@ -186,6 +232,12 @@
       }
 
       expect(response.code).to eq "204"
+
+      get "/team", {}, {
+        "X-User-Email" => owner.email, "X-User-Token" => owner.authentication_token
+      }
+
+      expect(response.code).to eq "404"
     end
   end
-end
+end

spec/factories/subscriptions.rb

@@ -1,6 +1,6 @@
 FactoryGirl.define do
   factory :subscription do
-    
+    association :plan
   end
 
 end