upload avatar: test + implement

removed package-lock because of rebasing problems

.travis.yml

@@ -1,6 +1,6 @@
 language: node_js
 node_js:
-  - 7
+  - 8
 env:
   - NODE_ENV=test CXX="g++-4.8" CC="gcc-4.8"
 services:

README.md

@@ -8,7 +8,7 @@ Follows [JSON API](http://jsonapi.org) specification.
 
 ## Prerequisities
 
-- Node.js v7.0.1 or later. We use cutting-edge EcmaScript features like [async functions](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Statements/async_function), which are supported since [v7.0.1](http://node.green/#async-functions).
+- Node.js 8.0.0+. We use cutting-edge EcmaScript features like [async functions](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Statements/async_function), which are supported since [v7.0.1](http://node.green/#async-functions). We use util.promisify, which is supported since node 8.0.0.
 - npm v?
 - Arangodb v3.0 or later
 - maildev

controllers/avatar.js

@@ -1,29 +1,40 @@
 const sharp = require('sharp'),
       fs = require('fs'),
       path = require('path'),
-      q = require('q');
+      { promisify } = require('util');
 
 const multer = require('multer');
 const upload = multer({ dest: 'uploads/' });
 
 // convert fs callback functions to Promises
-const readFile = q.denodeify(fs.readFile),
-      mkdir = q.denodeify(fs.mkdir);
-
-async function patch(req, res) {
-  // read the uploaded file
-  const buffer = await readFile(path.resolve(`./${req.file.path}`));
+const readFile = promisify(fs.readFile),
+      mkdir = promisify(fs.mkdir),
+      unlink = promisify(fs.unlink);
 
+async function patch(req, res, next) {
+  const temporaryFilePath = path.resolve(`./${req.file.path}`);
   const { username } = req.auth;
-
+  // sizes of the profile pictures
   const sizes = [512, 256, 128, 64, 32, 16];
 
-  const imgPromises = sizes.map(size => resizeSaveAvatar(buffer, size, username));
-  await Promise.all(imgPromises);
+  try {
+    // read the uploaded file
+    const buffer = await readFile(temporaryFilePath);
+
+    const imgPromises = sizes.map(size => resizeSaveAvatar(buffer, size, username));
+    await Promise.all(imgPromises);
 
-  return res.status(204).end();
-}
+    // remove the temporary file
+    await unlink(temporaryFilePath);
 
+    return res.status(204).end();
+  } catch (e) {
+    // remove the temporary file
+    await unlink(temporaryFilePath);
+
+    return next(e);
+  }
+}
 
 async function resizeSaveAvatar(buffer, size, username) {
   // create the user directory if not exist
@@ -45,4 +56,11 @@ async function resizeSaveAvatar(buffer, size, username) {
 
 const parseAvatar = upload.single('avatar');
 
-module.exports = { patch, parseAvatar };
+async function removeTemporaryFileOnError(err, req, res, next) {
+  const temporaryFilePath = path.resolve(`./${req.file.path}`);
+  await unlink(temporaryFilePath);
+
+  return next(err);
+}
+
+module.exports = { patch, parseAvatar, removeTemporaryFileOnError };

controllers/validators/schema/avatar.js

@@ -0,0 +1,24 @@
+/**
+ * The first validation on receiving image
+ *
+ */
+const patchAvatarHeaders = {};
+
+/**
+ * The validation after processing the file with multer library
+ */
+const patchAvatarFile = {
+  properties: {
+    file: {
+      properties: {
+        fieldname: { enum: ['avatar'] },
+        mimetype: { enum: ['image/jpeg', 'image/png'] },
+        size: { type: 'integer', maximum: 2*2**20 } // 2 MB
+      },
+      required: ['fieldname', 'mimetype', 'size']
+    }
+  },
+  required: ['file']
+};
+
+module.exports = { patchAvatarHeaders, patchAvatarFile };

controllers/validators/schema/index.js

@@ -6,7 +6,8 @@ const users = require('./users');
 const account = require('./account');
 const contacts = require('./contacts');
 const messages = require('./messages');
+const avatar = require('./avatar');
 
 const definitions = require('./definitions');
 
-module.exports = Object.assign({ definitions }, account, contacts, messages, tags, userTags, users);
+module.exports = Object.assign({ definitions }, account, contacts, messages, tags, userTags, users, avatar);

controllers/validators/users.js

@@ -2,6 +2,13 @@
 
 const validate = require('./validate-by-schema');
 
+const { promisify } = require('util');
+const typeOf = require('image-type');
+const fs = require('fs');
+const path = require('path');
+
+const readFile = promisify(fs.readFile);
+
 const getUsersWithTags = validate('getUsersWithTags');
 const getNewUsersWithMyTags = validate('newUsersWithMyTags');
 const getUsersWithLocation = validate('getUsersWithLocation', [['query.filter.location[0]', 'query.filter.location[1]', ([loc00, loc01], [loc10, loc11]) => {
@@ -13,6 +20,37 @@ const patch = validate('patchUser', [['params.username', 'body.id']]);
 const getUsersWithMyTags = validate('getUsersWithMyTags');
 const getNewUsers = validate('newUsers');
 
+
+/*
+ * Patching avatar
+ */
+const patchAvatarHeaders = validate('patchAvatarHeaders');
+const patchAvatarFile = validate('patchAvatarFile');
+
+/**
+ * Express middleware to check whether image has a supported mime-type
+ */
+const patchAvatarFileType = async function (req, res, next) {
+  const supportedMimes = ['image/png', 'image/jpeg'];
+
+  // validate file type
+  const filePath = path.resolve(`./${req.file.path}`);
+  // - read the image
+  const fileBuffer = await readFile(filePath);
+  // - check the image mime type
+  const type = typeOf(fileBuffer);
+
+  if (type && supportedMimes.includes(type.mime)) {
+    return next();
+  }
+
+  return next([{
+    param: 'mime type',
+    msg: `unsupported image mime type (supports only ${supportedMimes.join(', ')})`
+  }]);
+
+};
+
 module.exports = {
   get,
   patch,
@@ -21,5 +59,8 @@ module.exports = {
   getUsersWithTags,
   getNewUsers,
   getNewUsersWithMyTags,
-  getUsersWithLocation
+  getUsersWithLocation,
+  patchAvatarHeaders,
+  patchAvatarFile,
+  patchAvatarFileType
 };

jobs/files.js

@@ -0,0 +1,27 @@
+'use strict';
+
+const path = require('path'),
+      { promisify } = require('util'),
+      rimraf = promisify(require('rimraf')),
+      fs = require('fs');
+
+// fs promisified
+const fsp = {
+  mkdir: promisify(fs.mkdir)
+};
+
+/**
+ * clear the ./uploads folder (temporary files for uploading avatar)
+ * the files are cleared automatically after success or catched error, but on an uncaught error they'll stay.
+ * @returns Promise<void>
+ */
+async function clearTemporary() {
+  const temp = path.resolve('./uploads');
+
+  // rm -rf the temp folder
+  await rimraf(temp);
+  // recreate the temp folder
+  await fsp.mkdir(temp);
+}
+
+module.exports = { clearTemporary };

jobs/index.js

@@ -7,7 +7,7 @@
  */
 
 const cron = require('node-cron'),
-      _ = require('lodash'),
+      files = require('./files'),
       tags = require('./tags'),
       users = require('./users'),
       notifications = require('./notifications');
@@ -19,10 +19,14 @@ exports.start = function () {
   // every day at 4 am delete all abandoned tags
   tasks.push(cron.schedule('0 0 4 * * *', tags.deleteAbandoned));
 
+  // every day at 3 am delete everything in ./uploads
+  // TODO only older than 1 minute
+  tasks.push(cron.schedule('0 0 3 * * *', files.clearTemporary));
+
   // every 5 minutes send notifications about unread messages
   tasks.push(cron.schedule('0 */5 * * * *', notifications.messages));
 
-  // every 2 minutes send notifications about unread messages
+  // every 2 minutes send notifications about contact requests
   tasks.push(cron.schedule('0 */2 * * * *', notifications.contactRequests));
 
   // every 30 minutes delete unverified users
@@ -30,5 +34,5 @@ exports.start = function () {
 };
 
 exports.stop = function () {
-  _.each(tasks, task => { task.destroy(); });
+  tasks.forEach(task => { task.destroy(); });
 };

package.json

@@ -23,6 +23,7 @@
     "gulp": "^3.9.1",
     "helmet": "^3.1.0",
     "identicon.js": "^2.1.0",
+    "image-type": "^3.0.0",
     "jsonapi-serializer": "^3.4.1",
     "lodash": "^4.16.4",
     "multer": "^1.3.0",
@@ -34,12 +35,14 @@
     "passport-oauth2": "^1.3.0",
     "prompt": "^1.0.0",
     "q": "^1.4.1",
+    "rimraf": "^2.6.1",
     "serve-favicon": "~2.3.0",
     "sharp": "^0.18.2"
   },
   "devDependencies": {
     "eslint": "^3.13.0",
     "gulp-eslint": "^3.0.1",
+    "image-size": "^0.6.1",
     "maildev": "^0.14.0",
     "mocha": "^3.1.2",
     "should": "^11.1.1",

routes/users.js

@@ -56,6 +56,6 @@ router.route('/:username/tags/:tagname')
 
 router.route('/:username/avatar')
   .get(authorize.onlyLogged, userController.getAvatar)
-  .patch(authorize.onlyLoggedMe, avatarController.parseAvatar, avatarController.patch);
+  .patch(authorize.onlyLoggedMe, validators.users.patchAvatarHeaders, avatarController.parseAvatar, validators.users.patchAvatarFile, validators.users.patchAvatarFileType, avatarController.patch, avatarController.removeTemporaryFileOnError);
 
 module.exports = router;

test/avatar.js

@@ -0,0 +1,311 @@
+const supertest = require('supertest'),
+      should = require('should'),
+      fs = require('fs'),
+      crypto = require('crypto'),
+      { promisify } = require('util'),
+      path = require('path'),
+      rimraf = promisify(require('rimraf')),
+      sizeOf = promisify(require('image-size')),
+      typeOf = require('image-type');
+
+const app = require(path.resolve('./app')),
+      dbHandle = require(path.resolve('./test/handleDatabase')),
+      { clearTemporary } = require(path.resolve('./jobs/files'));
+
+const agent = supertest.agent(app);
+
+describe('/users/:username/avatar', function () {
+
+  let dbData;
+
+  function beforeEachPopulate(data) {
+    // put pre-data into database
+    beforeEach(async function () {
+      // create data in database
+      dbData = await dbHandle.fill(data);
+    });
+
+    afterEach(async function () {
+      await dbHandle.clear();
+    });
+  }
+
+  let loggedUser, otherUser;
+
+  beforeEachPopulate({
+    users: 2, // how many users to make
+    verifiedUsers: [0, 1] // which  users to make verified
+  });
+
+  beforeEach(function () {
+    [loggedUser, otherUser] = dbData.users;
+  });
+
+  describe('GET', function () {
+
+    context('logged', function () {
+
+      context(':username exists', function () {
+
+        it('[nothing uploaded] responds with 200 and a default identicon (identicon.js)', async function () {
+          const response = await agent
+            .get(`/users/${otherUser.username}/avatar`)
+            .set('Content-Type', 'application/vnd.api+json')
+            .auth(loggedUser.username, loggedUser.password)
+            .expect(200)
+            .expect('Content-Type', /^application\/vnd\.api\+json/);
+
+          // the request returns a json:
+          // {
+          //    data: {
+          //      type: 'user-avatars'
+          //      id: username
+          //      attributes: {
+          //        format,
+          //        base64
+          //      }
+          //    }
+          // }
+          // check the proper format attribute
+
+          should(response).have.propertyByPath('body', 'data', 'type').eql('user-avatars');
+          should(response).have.propertyByPath('body', 'data', 'id').eql('user1');
+          should(response).have.propertyByPath('body', 'data', 'attributes', 'format').eql('png');
+          should(response).have.propertyByPath('body', 'data', 'attributes', 'base64');
+
+          // compare hash of the base64 image representation
+          const data = response.body.data.attributes.base64;
+          const hash = crypto.createHash('sha256').update(data).digest('hex');
+
+          should(hash).equal('7d76d24aee7faf11a3494ae91b577d94cbb5320cec1b2fd04187fff1197915bb');
+
+        });
+
+        it('[png uploaded] responds with 200 and a jpeg image');
+
+        it('[jpeg uploaded] responds with 200 and a jpeg image');
+
+      });
+
+      context(':username doesn\'t exist', function () {
+
+        it('responds with 404', async function () {
+          await agent
+            .get('/users/nonexistent-user/avatar')
+            .set('Content-Type', 'application/vnd.api+json')
+            .auth(loggedUser.username, loggedUser.password)
+            .expect(404)
+            .expect('Content-Type', /^application\/vnd\.api\+json/);
+        });
+
+      });
+    });
+
+    context('not logged', function () {
+
+      it('responds with 403', async function () {
+        await agent
+          .get('/users/nonexistent-user/avatar')
+          .set('Content-Type', 'application/vnd.api+json')
+          .expect(403)
+          .expect('Content-Type', /^application\/vnd\.api\+json/);
+      });
+
+    });
+  });
+
+  describe('PATCH', function () {
+
+
+    // fs functions changed to promise
+    const stat = promisify(fs.stat);
+    const readdir = promisify(fs.readdir);
+    const unlink = promisify(fs.unlink);
+    const readFile = promisify(fs.readFile);
+    const fsp = { // fs promisified
+      open: promisify(fs.open),
+      close: promisify(fs.close)
+    };
+
+    // clear ./uploads/ folder
+    afterEach(async () => {
+      const files = await readdir(path.resolve('./uploads'));
+      const filePromises = files.map(file => unlink(path.resolve(`./uploads/${file}`)));
+      await Promise.all(filePromises);
+      const filesAfter = await readdir(path.resolve('./uploads'));
+
+      // check that the /uploads folder is empty
+      should(filesAfter).Array().length(0);
+    });
+
+    // clear ./files/avatars/
+    afterEach(async () => {
+
+      const avatarsDir = path.resolve('./files/avatars');
+      const folders = await readdir(avatarsDir);
+      const delPromises = folders.map(folder => rimraf(`./files/avatars/${folder}`));
+      await Promise.all(delPromises);
+
+      // check that the /files/avatars folder is empty
+      should(await readdir(avatarsDir)).Array().length(0);
+    });
+
+    context('logged as :username', function () {
+
+      context('good data type (png, jpeg)', function () {
+
+        it('[png] responds with 204 and saves the image as jpg', async () => {
+          await agent
+            .patch(`/users/${loggedUser.username}/avatar`)
+            .attach('avatar', './test/img/avatar.png')
+            .auth(loggedUser.username, loggedUser.password)
+            .set('Content-Type', 'image/jpeg')
+            .expect(204);
+
+          // check images' existence
+          const expectedSizes = [16, 32, 64, 128, 256, 512];
+          const imagePromises = expectedSizes.map(size => stat(path.resolve(`./files/avatars/${loggedUser.username}/${size}`)));
+
+          await Promise.all(imagePromises);
+
+          const buffer512 = await readFile(path.resolve(`./files/avatars/${loggedUser.username}/512`));
+          should(typeOf(buffer512)).deepEqual({ ext: 'jpg', mime: 'image/jpeg' });
+        });
+
+        it('[jpeg] responds with 204 and saves the image', async () => {
+          await agent
+            .patch(`/users/${loggedUser.username}/avatar`)
+            .attach('avatar', './test/img/avatar.jpg')
+            .auth(loggedUser.username, loggedUser.password)
+            .set('Content-Type', 'image/jpeg')
+            .expect(204);
+
+          // check images' existence
+          const expectedSizes = [16, 32, 64, 128, 256, 512];
+          const imagePromises = expectedSizes.map(size => stat(path.resolve(`./files/avatars/${loggedUser.username}/${size}`)));
+
+          await Promise.all(imagePromises);
+        });
+
+        it('delete the temporary file from ./uploads', async () => {
+          await agent
+            .patch(`/users/${loggedUser.username}/avatar`)
+            .attach('avatar', './test/img/avatar.jpg')
+            .auth(loggedUser.username, loggedUser.password)
+            .set('Content-Type', 'image/jpeg')
+            .expect(204);
+
+          const files = await readdir(path.resolve('./uploads'));
+          should(files).Array().length(0);
+
+        });
+
+        it('crops and resizes the image to square 512x512px before saving', async () => {
+          await agent
+            .patch(`/users/${loggedUser.username}/avatar`)
+            .attach('avatar', './test/img/avatar.jpg')
+            .auth(loggedUser.username, loggedUser.password)
+            .set('Content-Type', 'image/jpeg')
+            .expect(204);
+
+          const { width, height } = await sizeOf(path.resolve(`./files/avatars/${loggedUser.username}/512`));
+          should(width).eql(512);
+          should(height).eql(512);
+        });
+      });
+
+      context('bad data', function () {
+
+        it('[unsupported mime type] 400', async () => {
+          await agent
+            .patch(`/users/${loggedUser.username}/avatar`)
+            .attach('avatar', './test/img/bad-avatar.jpg')
+            .auth(loggedUser.username, loggedUser.password)
+            .set('Content-Type', 'image/jpeg')
+            .expect(400);
+        });
+
+        it('[too large image (over 2MB)] 400', async () => {
+          await agent
+            .patch(`/users/${loggedUser.username}/avatar`)
+            .attach('avatar', './test/img/large-avatar.jpg')
+            .auth(loggedUser.username, loggedUser.password)
+            .set('Content-Type', 'image/jpeg')
+            .expect(400);
+        });
+
+        it('deletes the temporary file from ./uploads', async () => {
+          await agent
+            .patch(`/users/${loggedUser.username}/avatar`)
+            .attach('avatar', './test/img/bad-avatar.jpg')
+            .auth(loggedUser.username, loggedUser.password)
+            .set('Content-Type', 'image/jpeg')
+            .expect(400);
+
+          await agent
+            .patch(`/users/${loggedUser.username}/avatar`)
+            .attach('avatar', './test/img/large-avatar.jpg')
+            .auth(loggedUser.username, loggedUser.password)
+            .set('Content-Type', 'image/jpeg')
+            .expect(400);
+
+          const files = await readdir(path.resolve('./uploads'));
+          should(files).Array().length(0);
+        });
+
+      });
+    });
+
+    context('not logged as :username', function () {
+
+      it('responds with 403', async () => {
+        await agent
+          .patch(`/users/${otherUser.username}/avatar`)
+          .attach('avatar', './test/img/avatar.jpg')
+          .auth(loggedUser.username, loggedUser.password)
+          .set('Content-Type', 'image/jpeg')
+          .expect(403);
+      });
+
+    });
+
+    describe('job: regularly clear all temp files older than 1 minute', () => {
+      it('should leave the /uploads folder empty', async () => {
+        const uploads = path.resolve('./uploads');
+
+        // first there should be some files
+        const filePromises = [0, 1, 2, 3, 4].map(async name => fsp.close(await fsp.open(path.resolve(`./uploads/${name}`), 'w')));
+        await Promise.all(filePromises);
+
+        const files = await readdir(uploads);
+        should(files).Array().length(5);
+
+        // then we run the job
+        await clearTemporary();
+
+        // then there should be no files
+        const filesAfter = await readdir(uploads);
+        should(filesAfter).Array().length(0);
+      });
+    });
+
+  });
+
+  describe('DELETE', function () {
+
+    context('logged as :username', function () {
+
+      it('[data on server] responds with 204 and deletes the avatar from server');
+
+      it('[no user image] responds with 204');
+
+    });
+
+    context('not logged as :username', function () {
+
+      it('responds with 403');
+
+    });
+
+  });
+});

test/img/bad-avatar.jpg

@@ -0,0 +1 @@
+this is not a jpeg image

test/users.username.avatar.js

@@ -1,186 +0,0 @@
-const supertest = require('supertest'),
-      should = require('should'),
-      fs = require('fs'),
-      crypto = require('crypto'),
-      q = require('q'),
-      path = require('path');
-
-const app = require(path.resolve('./app')),
-      dbHandle = require(path.resolve('./test/handleDatabase'));
-
-const agent = supertest.agent(app);
-
-describe('/users/:username/avatar', function () {
-
-  let dbData;
-
-  function beforeEachPopulate(data) {
-    // put pre-data into database
-    beforeEach(async function () {
-      // create data in database
-      dbData = await dbHandle.fill(data);
-    });
-
-    afterEach(async function () {
-      await dbHandle.clear();
-    });
-  }
-
-  let loggedUser, otherUser;
-
-  beforeEachPopulate({
-    users: 2, // how many users to make
-    verifiedUsers: [0, 1] // which  users to make verified
-  });
-
-  beforeEach(function () {
-    [loggedUser, otherUser] = dbData.users;
-  });
-
-  describe('GET', function () {
-
-    context('logged', function () {
-
-      context(':username exists', function () {
-
-        it('[nothing uploaded] responds with 200 and a default identicon (identicon.js)', async function () {
-          const response = await agent
-            .get(`/users/${otherUser.username}/avatar`)
-            .set('Content-Type', 'application/vnd.api+json')
-            .auth(loggedUser.username, loggedUser.password)
-            .expect(200)
-            .expect('Content-Type', /^application\/vnd\.api\+json/);
-
-          // the request returns a json:
-          // {
-          //    data: {
-          //      type: 'user-avatars'
-          //      id: username
-          //      attributes: {
-          //        format,
-          //        base64
-          //      }
-          //    }
-          // }
-          // check the proper format attribute
-
-          should(response).have.propertyByPath('body', 'data', 'type').eql('user-avatars');
-          should(response).have.propertyByPath('body', 'data', 'id').eql('user1');
-          should(response).have.propertyByPath('body', 'data', 'attributes', 'format').eql('png');
-          should(response).have.propertyByPath('body', 'data', 'attributes', 'base64');
-
-          // compare hash of the base64 image representation
-          const data = response.body.data.attributes.base64;
-          const hash = crypto.createHash('sha256').update(data).digest('hex');
-
-          should(hash).equal('7d76d24aee7faf11a3494ae91b577d94cbb5320cec1b2fd04187fff1197915bb');
-
-        });
-
-        it('[png uploaded] responds with 200 and a jpeg image');
-
-        it('[jpeg uploaded] responds with 200 and a jpeg image');
-
-      });
-
-      context(':username doesn\'t exist', function () {
-
-        it('responds with 404', async function () {
-          await agent
-            .get('/users/nonexistent-user/avatar')
-            .set('Content-Type', 'application/vnd.api+json')
-            .auth(loggedUser.username, loggedUser.password)
-            .expect(404)
-            .expect('Content-Type', /^application\/vnd\.api\+json/);
-        });
-
-      });
-    });
-
-    context('not logged', function () {
-
-      it('responds with 403', async function () {
-        await agent
-          .get('/users/nonexistent-user/avatar')
-          .set('Content-Type', 'application/vnd.api+json')
-          .expect(403)
-          .expect('Content-Type', /^application\/vnd\.api\+json/);
-      });
-
-    });
-  });
-
-  describe('PATCH', function () {
-
-    context('logged as :username', function () {
-
-      context('good data type (png, jpeg)', function () {
-
-        it('[png] responds with 200 and saves the image as jpg');
-
-        it('[jpeg] responds with 200 and saves the image', async () => {
-          await agent
-            .patch(`/users/${loggedUser.username}/avatar`)
-            .attach('avatar', './test/img/avatar.jpg')
-            .auth(loggedUser.username, loggedUser.password)
-            .set('Content-Type', 'image/jpeg')
-            .expect(204);
-
-          const stat = q.denodeify(fs.stat);
-
-          const expectedSizes = [16, 32, 64, 128, 256, 512];
-          const imagePromises = expectedSizes.map(size => stat(path.resolve(`./files/avatars/${loggedUser.username}/${size}`)));
-
-          await Promise.all(imagePromises);
-        });
-
-        it('deletes the temporary file from ./uploads');
-
-        it('crops and resizes the image to square 512x512px before saving');
-
-        it('gets rid of any previous avatar of the user');
-
-      });
-
-      context('bad data', function () {
-
-        it('[bad data type] 400');
-
-        it('[too large image] 400');
-
-      });
-    });
-
-    context('not logged as :username', function () {
-
-      it('responds with 403', async () => {
-        await agent
-          .patch(`/users/${otherUser.username}/avatar`)
-          .attach('avatar', './test/img/avatar.jpg')
-          .auth(loggedUser.username, loggedUser.password)
-          .set('Content-Type', 'image/jpeg')
-          .expect(403);
-      });
-
-    });
-
-  });
-
-  describe('DELETE', function () {
-
-    context('logged as :username', function () {
-
-      it('[data on server] responds with 204 and deletes the avatar from server');
-
-      it('[no user image] responds with 204');
-
-    });
-
-    context('not logged as :username', function () {
-
-      it('responds with 403');
-
-    });
-
-  });
-});