From afd5697f17a90654b6c058611896e3542a601ef5 Mon Sep 17 00:00:00 2001
From: jessib <jessib@leap.se>
Date: Tue, 29 Jan 2013 12:09:38 -0800
Subject: A user's public_key is the only attribute they should be able to
 update via API.

---
 users/test/integration/api/account_flow_test.rb | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

(limited to 'users/test/integration')

diff --git a/users/test/integration/api/account_flow_test.rb b/users/test/integration/api/account_flow_test.rb
index b763be5..653f7d9 100644
--- a/users/test/integration/api/account_flow_test.rb
+++ b/users/test/integration/api/account_flow_test.rb
@@ -96,7 +96,15 @@ class AccountFlowTest < ActiveSupport::TestCase
     test_public_key = 'asdlfkjslfdkjasd'
     put "http://api.lvh.me:3000/1/users/" + @user.id + '.json', :user => {:public_key => test_public_key}, :format => :json
     @user.reload
-    assert_equal @user.public_key, test_public_key
+    assert_equal test_public_key, @user.public_key
+  end
+
+  test "cannot update login via api" do
+    server_auth = @srp.authenticate(self)
+    original_login = @user.login
+    put "http://api.lvh.me:3000/1/users/" + @user.id + '.json', :user => {:login => 'failed_login_name'}, :format => :json
+    @user.reload
+    assert_equal original_login, @user.login
   end
 
 end
-- 
cgit v1.2.3