Add authentication to API, but not sure it is best way.

2 files changed, 8 insertions, 3 deletions

diff --git a/users/app/controllers/v1/messages_controller.rb b/users/app/controllers/v1/messages_controller.rb
index 42a88f7..b58dfe9 100644
--- a/users/app/controllers/v1/messages_controller.rb
+++ b/users/app/controllers/v1/messages_controller.rb
@@ -1,7 +1,7 @@
 module V1
   class MessagesController < ApplicationController
 
-    # TODO need to add authentication
+    before_filter :authorize_admin # not sure this is best way
     respond_to :json
 
     # for now, will not pass unseen, so unseen will always be true
diff --git a/users/test/functional/v1/messages_controller_test.rb b/users/test/functional/v1/messages_controller_test.rb
index 7666ba3..0bc09be 100644
--- a/users/test/functional/v1/messages_controller_test.rb
+++ b/users/test/functional/v1/messages_controller_test.rb
@@ -2,14 +2,13 @@ require 'test_helper'
 
 class V1::MessagesControllerTest < ActionController::TestCase
 
-  #TODO ensure authentication for all tests here
-
   setup do
     @message = Message.new(:text => 'a test message')
     @message.save
     @user = FactoryGirl.build(:user)
     @user.message_ids_to_see << @message.id
     @user.save
+    login :is_admin? => true
   end
 
   teardown do
@@ -52,4 +51,10 @@ class V1::MessagesControllerTest < ActionController::TestCase
     assert_json_response false
  end
 
+  test "fails if not admin" do
+    login :is_admin? => false
+    get :user_messages, :user_id => @user.id
+    assert_access_denied
+  end
+
 end