v3(services): Add request test to ensure service credential binding sharing permissions

Brian Butz · Brian Butz · commit cc49c78326d9 · 2020-07-27T10:00:13.000+01:00
[#173473714](https://www.pivotaltracker.com/story/show/173473714)
diff --git a/spec/request/service_credential_bindings_spec.rb b/spec/request/service_credential_bindings_spec.rb
@@ -63,7 +63,8 @@
   end
 
   describe 'GET /v3/service_credential_bindings/:app_guid' do
-    let(:app_binding) { VCAP::CloudController::ServiceBinding.make(service_instance: instance) }
+    let(:app_to_bind_to) { VCAP::CloudController::AppModel.make(space: space) }
+    let(:app_binding) { VCAP::CloudController::ServiceBinding.make(service_instance: instance, app: app_to_bind_to) }
     let(:instance) { VCAP::CloudController::ManagedServiceInstance.make(space: space) }
     let(:api_call) { ->(user_headers) { get "/v3/service_credential_bindings/#{app_binding.guid}", nil, user_headers } }
     let(:expected_object) { { guid: app_binding.guid, type: 'app' } }
@@ -77,15 +78,15 @@
     end
 
     context 'local roles' do
-      context 'user is in the original space of the service instance' do
-        let(:expected_codes_and_responses) do
-          Hash.new({ code: 200, response_object: expected_object }).tap do |h|
-            h['org_auditor'] = { code: 404 }
-            h['org_billing_manager'] = { code: 404 }
-            h['no_role'] = { code: 404 }
-          end
+      let(:expected_codes_and_responses) do
+        Hash.new({ code: 200, response_object: expected_object }).tap do |h|
+          h['org_auditor'] = { code: 404 }
+          h['org_billing_manager'] = { code: 404 }
+          h['no_role'] = { code: 404 }
         end
+      end
 
+      context 'user is in the original space of the service instance' do
         it_behaves_like 'permissions for single object endpoint', LOCAL_ROLES
       end
 
@@ -96,13 +97,19 @@
           instance.add_shared_space(space)
         end
 
-        let(:api_call) { ->(user_headers) { get "/v3/service_credential_bindings/#{app_binding.guid}", nil, user_headers } }
-
-        let(:expected_codes_and_responses) do
-          Hash.new(code: 404)
+        context 'the app is in the users space' do
+          it_behaves_like 'permissions for single object endpoint', LOCAL_ROLES
         end
 
-        it_behaves_like 'permissions for single object endpoint', LOCAL_ROLES
+        context 'the app is not in the users space' do
+          let(:app_to_bind_to) { VCAP::CloudController::AppModel.make(space: other_space) }
+
+          let(:expected_codes_and_responses) do
+            Hash.new(code: 404)
+          end
+
+          it_behaves_like 'permissions for single object endpoint', LOCAL_ROLES
+        end
       end
     end
   end
