From 8cb68ee8a1928bc9fd6f6d44937b3a8ea84b1f43 Mon Sep 17 00:00:00 2001
From: Phil Manavopoulos <phil.manavopoulos@bytemark.co.uk>
Date: Tue, 12 Sep 2017 15:53:55 +0100
Subject: Add test to assert that AJAX calls are also authenticated

---
 test/tc_mauve_web_interface.rb | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/test/tc_mauve_web_interface.rb b/test/tc_mauve_web_interface.rb
index 54c9697..d2817d5 100644
--- a/test/tc_mauve_web_interface.rb
+++ b/test/tc_mauve_web_interface.rb
@@ -112,13 +112,21 @@ EOF
     assert last_response.body.include?("Mauve: Login")
     assert session['__FLASH__'].empty?
     
-    # Check we can access this page before logging in.
+    # Check we can't access this page before logging in.
     get '/alerts'
     assert(session['__FLASH__'].has_key?(:error),"The flash error wasn't set following forbidden access")
     follow_redirect!  while last_response.redirect?
     assert_equal(403, last_response.status, "The HTTP status wasn't 403")
     assert last_response.body.include?("Mauve: Login")
     assert session['__FLASH__'].empty?
+    
+    # Check we can't access AJAX requests before logging in.
+    get '/ajax/alerts_table/raised/subject'
+    refute(session['__FLASH__'].has_key?(:error), "The flash error shouldn't have been set from an AJAX call")
+    follow_redirect!  while last_response.redirect?
+    assert_equal(403, last_response.status, "The HTTP status wasn't 403")
+    assert last_response.body.include?('You must be logged in to access this page')
+    assert session['__FLASH__'].empty?
 
     #
     # Try to falsify our login.
-- 
cgit v1.2.1