To add a collaborator to this project you will need to use the Relish gem to add the collaborator via a terminal command. Soon you'll be able to also add collaborators here!
More about adding a collaboratorRestrict access to order related resources for owners
As an API product owner
I want to restrict order related resources for owners
So that only the order owner can see their orders
- Background
-
- Given
-
the following clients exist
ID product platform version account country 1 PlanetVO2 server 1.0 user1 France 2 PlanetVO2 server 1.0 user2 Belgique - And
-
the following orders exist
ID gateway-id status client-id 1 129825289 completed 1 2 398498099 pending 2 - And
-
the following billings exist
ID plan gateway status order-id 1 subscription-package argus ok 1 2 subscription-package argus rejected 2 - And
-
this valorizations have the following relations
ID version packs equipments standard-value custom-value displayed-value btob-transaction-value btoc-transaction-value order 1 76 [34,442] [324,234] 1 2 1 2 98763 [398,3487] 3 2 3 3789 39487 4 5 6 7 8 2
- Scenarios
-
- Reject access to order related resources if no X-Proxy-Authorization meta is provided
- Reject access to order related resources if the provided X-Proxy-Authorization meta doesn't match the owner
- Allow access to order related resources if the given X-Proxy-Authorization meta matchs the owner
-
- Given
- I use a valid token which authorizes access to the "Checkout::V2::OrderResource,Checkout::V2::ValorizationResource,Checkout::V2::ValueResource,Checkout::V2::ClientResource,Checkout::V2::BillingResource" scope
- When
- I send a GET request for "checkout/2.0/resource-name/1"
- Then
- the response status should be "401"
- And
- the response should be a JSON API error
Examples: resource-name orders billings clients valorizations values -
- Given
- I authenticate as the following proxy user "proxy-user"
- And
- I use a valid token which authorizes access to the "Checkout::V2::OrderResource,Checkout::V2::ValorizationResource,Checkout::V2::ValueResource,Checkout::V2::ClientResource,Checkout::V2::BillingResource" scope
- When
- I send a GET request for "checkout/2.0/resource-name/resource-ID"
- Then
- the response status should be "403"
- And
- the response should be a JSON API error
Examples: resource-ID resource-name proxy-user 1 orders user2 2 orders user1 1 billings user2 2 billings user1 1 clients user2 2 clients user1 1 valorizations user2 2 valorizations user1 3 valorizations user1 1 values user2 2 values user2 3 values user1 4 values user1 5 values user1 6 values user1 7 values user1 8 values user1 -
- Given
- I authenticate as the following proxy user "proxy-user"
- And
- I use a valid token which authorizes access to the "Checkout::V2::OrderResource,Checkout::V2::ValorizationResource,Checkout::V2::ValueResource,Checkout::V2::ClientResource,Checkout::V2::BillingResource" scope
- When
- I send a GET request for "checkout/2.0/resource-name/resource-ID"
- Then
- the response status should be "200"
- And
- the response should be a JSON API resource of type "resource-name"
Examples: resource-ID resource-name proxy-user 1 orders user1 2 orders user2 1 billings user1 2 billings user2 1 clients user1 2 clients user2 1 valorizations user1 2 valorizations user2 3 valorizations user2 1 values user1 2 values user1 3 values user2 4 values user2 5 values user2 6 values user2 7 values user2 8 values user2
Last published almost 5 years ago by Donaldo.