I have an admin namespace that only administrators are allowed to access. Authentication is set up with the knock gem via JWT tokens, and a before action is called from a base controller:
    # Every admin controller inherits this filter, so one skipped
    # inheritance would silently expose a controller.
    class Api::Admin::BaseController < ApplicationController
      before_action :authenticate_admin
    end

    namespace :api, defaults: { format: :json }, constraints: { subdomain: 'api' }, path: '/' do
      post 'admin-token', to: 'admin_token#create'
      namespace :admin do
        resources :restaurants
        ...
      end
    end
When setting up my request specs, I'm wondering whether I should write a test for every REST action of every endpoint to check authorization? For example:
    RSpec.describe Restaurant, type: :request do
      describe 'GET /admin/restaurants' do
        context 'when the request contains an authentication header' do
          # The request has to be issued inside a hook or an example; in the
          # group body it would run at load time, before `response` exists.
          before { get api_admin_restaurants_url, headers: authenticated_header }

          it { expect(response).to have_http_status(:ok) }
        end

        context "when the request doesn't contain an authentication header" do
          before { get api_admin_restaurants_url }

          it { expect(response).to have_http_status(:unauthorized) }
        end
      end
    end
Would something like this be recommended, given that the whole namespace requires authorization to begin with?
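An added illustration, not code from the question or from the knock gem: a plain-Ruby model of the admin namespace above, runnable without Rails or RSpec, that shows the property the unauthorized specs are really after. With no token, every admin route must answer 401, and checking that across the namespace in one sweep catches a controller that does not inherit the filter. The route and helper names mirror the question; the `menus` resource, its controller that "forgot" `authenticate_admin`, and the small HS256 verifier standing in for Knock's JWT check are assumptions made for the example.

```ruby
# Added example, not code from the original question. Plain-Ruby model of the
# admin namespace: Knock's JWT verification is replaced by a small HS256
# verifier, and the `menus` resource and its unauthenticated controller are
# constructed so the namespace-wide sweep has something to catch.
require 'json'
require 'openssl'

SECRET = 'constructed-demo-secret'.freeze # stand-in for Knock's signing key

def b64url_encode(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  padded = str.tr('-_', '+/')
  padded += '=' * ((4 - padded.length % 4) % 4)
  padded.unpack1('m').force_encoding('UTF-8')
end

# Constant-time comparison so the signature check does not leak via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def issue_token(payload)
  header = b64url_encode(JSON.generate({ alg: 'HS256', typ: 'JWT' }))
  body   = b64url_encode(JSON.generate(payload))
  sig    = b64url_encode(OpenSSL::HMAC.digest('SHA256', SECRET, "#{header}.#{body}"))
  "#{header}.#{body}.#{sig}"
end

# Returns the payload of a valid, unexpired HS256 token, nil otherwise.
def verify_token(token)
  header, body, sig = token.to_s.split('.')
  return nil unless header && body && sig
  return nil unless JSON.parse(b64url_decode(header))['alg'] == 'HS256' # pin the algorithm
  expected = b64url_encode(OpenSSL::HMAC.digest('SHA256', SECRET, "#{header}.#{body}"))
  return nil unless secure_compare(expected, sig)
  payload = JSON.parse(b64url_decode(body))
  return nil if payload['exp'].to_i <= Time.now.to_i
  payload
rescue JSON::ParserError
  nil
end

# Routes that `resources :restaurants` generates under the admin namespace,
# plus a constructed `menus` resource.
ADMIN_ROUTES = [
  ['GET',    '/admin/restaurants',   :restaurants],
  ['POST',   '/admin/restaurants',   :restaurants],
  ['GET',    '/admin/restaurants/1', :restaurants],
  ['PATCH',  '/admin/restaurants/1', :restaurants],
  ['DELETE', '/admin/restaurants/1', :restaurants],
  ['GET',    '/admin/menus',         :menus]
].freeze

# Whether each controller actually runs `before_action :authenticate_admin`.
# `menus` models a controller that does not inherit from Api::Admin::BaseController.
CONTROLLERS = {
  restaurants: { authenticate_admin: true },
  menus:       { authenticate_admin: false }
}.freeze

# Minimal dispatcher standing in for the Rails stack; returns an HTTP status.
def dispatch(verb, path, headers = {})
  route = ADMIN_ROUTES.find { |v, p, _| v == verb && p == path }
  return 404 unless route
  if CONTROLLERS.fetch(route[2])[:authenticate_admin]
    token = headers['Authorization'].to_s.sub(/\ABearer /, '')
    return 401 unless verify_token(token)
  end
  case verb
  when 'POST'   then 201
  when 'DELETE' then 204
  else 200
  end
end

# Mirrors the question's `authenticated_header` helper (constructed here).
def authenticated_header(sub: 1, ttl: 3600)
  { 'Authorization' => "Bearer #{issue_token({ sub: sub, exp: Time.now.to_i + ttl })}" }
end

# The namespace-wide sweep: every admin route that does not answer 401 when
# no token is sent. An empty list is the property the specs should assert.
def unprotected_admin_routes
  ADMIN_ROUTES.reject { |verb, path, _| dispatch(verb, path) == 401 }
              .map { |verb, path, _| "#{verb} #{path}" }
end

puts "unprotected: #{unprotected_admin_routes.inspect}" if __FILE__ == $PROGRAM_NAME
```

In a real suite the same sweep becomes one shared example or a loop over the admin routes, so a controller added later is covered without anyone remembering to write its unauthorized case; the per-action `:ok` checks still belong with each controller's own spec, because they test behaviour rather than the shared filter.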