Project: Checkout v2.0

Restrict access to order related resources for owners

As an API product owner
I want to restrict order related resources for owners
So that only the order owner can see their orders

Background
Given the following clients exist
| ID | product   | platform | version | account | country  |
| 1  | PlanetVO2 | server   | 1.0     | user1   | France   |
| 2  | PlanetVO2 | server   | 1.0     | user2   | Belgique |
And the following orders exist
| ID | gateway-id | status    | client-id |
| 1  | 129825289  | completed | 1         |
| 2  | 398498099  | pending   | 2         |
And the following billings exist
| ID | plan                 | gateway | status   | order-id |
| 1  | subscription-package | argus   | ok       | 1        |
| 2  | subscription-package | argus   | rejected | 2        |
And this valorizations have the following relations
ID version packs equipments standard-value custom-value displayed-value btob-transaction-value btoc-transaction-value order
1 76 [34,442] [324,234] 1 2 1
2 98763 [398,3487] 3 2
3 3789 39487 4 5 6 7 8 2
Scenarios
Given I use a valid token which authorizes access to the "Checkout::V2::OrderResource,Checkout::V2::ValorizationResource,Checkout::V2::ValueResource,Checkout::V2::ClientResource,Checkout::V2::BillingResource" scope
When I send a GET request for "checkout/2.0/<resource-name>/1"
Then the response status should be "401"
And the response should be a JSON API error
Examples:
| resource-name |
| orders        |
| billings      |
| clients       |
| valorizations |
| values        |

Given I authenticate as the following proxy user "<proxy-user>"
And I use a valid token which authorizes access to the "Checkout::V2::OrderResource,Checkout::V2::ValorizationResource,Checkout::V2::ValueResource,Checkout::V2::ClientResource,Checkout::V2::BillingResource" scope
When I send a GET request for "checkout/2.0/<resource-name>/<resource-ID>"
Then the response status should be "403"
And the response should be a JSON API error
Examples:
| resource-ID | resource-name | proxy-user |
| 1           | orders        | user2      |
| 2           | orders        | user1      |
| 1           | billings      | user2      |
| 2           | billings      | user1      |
| 1           | clients       | user2      |
| 2           | clients       | user1      |
| 1           | valorizations | user2      |
| 2           | valorizations | user1      |
| 3           | valorizations | user1      |
| 1           | values        | user2      |
| 2           | values        | user2      |
| 3           | values        | user1      |
| 4           | values        | user1      |
| 5           | values        | user1      |
| 6           | values        | user1      |
| 7           | values        | user1      |
| 8           | values        | user1      |

Given I authenticate as the following proxy user "<proxy-user>"
And I use a valid token which authorizes access to the "Checkout::V2::OrderResource,Checkout::V2::ValorizationResource,Checkout::V2::ValueResource,Checkout::V2::ClientResource,Checkout::V2::BillingResource" scope
When I send a GET request for "checkout/2.0/<resource-name>/<resource-ID>"
Then the response status should be "200"
And the response should be a JSON API resource of type "<resource-name>"
Examples:
| resource-ID | resource-name | proxy-user |
| 1           | orders        | user1      |
| 2           | orders        | user2      |
| 1           | billings      | user1      |
| 2           | billings      | user2      |
| 1           | clients       | user1      |
| 2           | clients       | user2      |
| 1           | valorizations | user1      |
| 2           | valorizations | user2      |
| 3           | valorizations | user2      |
| 1           | values        | user1      |
| 2           | values        | user1      |
| 3           | values        | user2      |
| 4           | values        | user2      |
| 5           | values        | user2      |
| 6           | values        | user2      |
| 7           | values        | user2      |
| 8           | values        | user2      |
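
The ownership rule these scenarios pin down, as an added Ruby example that is not the Checkout project's code: every resource is resolved through its relations (value, valorization or billing, order, client) to one account, and that account is compared with the proxy user. The constant names, the CHAIN map and the methods owner_of and status_for are hypothetical; the ids and accounts are copied from the Background tables.

```ruby
# Added example, not the Checkout project's code. Ids and accounts are copied
# from the Background tables; constant and method names are hypothetical.
CLIENTS       = { 1 => "user1", 2 => "user2" }.freeze   # client id => account
ORDERS        = { 1 => 1, 2 => 2 }.freeze               # order id => client id
BILLINGS      = { 1 => 1, 2 => 2 }.freeze               # billing id => order id
VALORIZATIONS = { 1 => 1, 2 => 2, 3 => 2 }.freeze       # valorization id => order id
# value id => valorization id (values 1-2 sit in row 1, 3 in row 2, 4-8 in row 3)
VALUES = { 1 => 1, 2 => 1, 3 => 2, 4 => 3, 5 => 3, 6 => 3, 7 => 3, 8 => 3 }.freeze

# resource type => [lookup table, parent type]; "clients" ends the chain.
CHAIN = {
  "values"        => [VALUES, "valorizations"],
  "valorizations" => [VALORIZATIONS, "orders"],
  "billings"      => [BILLINGS, "orders"],
  "orders"        => [ORDERS, "clients"],
  "clients"       => [CLIENTS, nil]
}.freeze

# Follow the relations up to the owning account; nil when a link is missing.
def owner_of(type, id)
  table, parent = CHAIN[type]
  ref = table && table[id]
  return ref if ref.nil? || parent.nil?
  owner_of(parent, ref)
end

# Status for GET checkout/2.0/<type>/<id>. proxy_user is nil when the request
# carries only the scoped token, which names no owner to compare against.
def status_for(type, id, proxy_user)
  return 401 if proxy_user.nil?
  # Assumption: unknown ids are answered like foreign ones, so the status
  # does not reveal which ids exist. The feature does not cover this case.
  return 403 unless owner_of(type, id) == proxy_user
  200
end

if __FILE__ == $PROGRAM_NAME
  [["orders", 1, nil], ["values", 3, "user1"], ["values", 3, "user2"]].each do |t, i, u|
    puts "GET checkout/2.0/#{t}/#{i} as #{u.inspect} -> #{status_for(t, i, u)}"
  end
end
```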

Last published over 4 years ago by Donaldo.