propel_api 0.1.4 → 0.2.1

data/lib/generators/propel_api/templates/tests/controller_test_template.rb.tt

@@ -7,12 +7,23 @@ class <%= controller_class_name_with_namespace %>ControllerTest < ActionDispatch
   def setup
     @organization = organizations(:acme_org)
     @user = users(:john_user)
+    @agency = agencies(:marketing_agency)
+<% if singular_table_name == 'organization' -%>
+    @<%= singular_table_name %> = <%= table_name %>(:acme_org)
+<% elsif singular_table_name == 'user' -%>
+    @<%= singular_table_name %> = <%= table_name %>(:john_user)
+<% elsif singular_table_name == 'agency' -%>
+    @<%= singular_table_name %> = <%= table_name %>(:marketing_agency)
+<% else -%>
     @<%= singular_table_name %> = <%= table_name %>(:one)
+<% end -%>
     @token = @user.generate_jwt_token
     @auth_headers = { 'Authorization' => "Bearer #{@token}" }
     
     # Ensure test <%= singular_table_name %> belongs to test user's organization
+<% unless singular_table_name == 'organization' -%>
     @<%= singular_table_name %>.update!(organization: @organization)
+<% end -%>
   end
 
   # === AUTHENTICATION TESTS ===
@@ -34,7 +45,7 @@ class <%= controller_class_name_with_namespace %>ControllerTest < ActionDispatch
   end
   
   test "should not access show without authentication" do
-    get <%= api_route_helper %>_url(@<%= singular_table_name %>)
+    get <%= api_singular_route_helper %>_url(@<%= singular_table_name %>)
     assert_response :unauthorized
   end
   
@@ -46,13 +57,13 @@ class <%= controller_class_name_with_namespace %>ControllerTest < ActionDispatch
   end
   
   test "should not update without authentication" do
-    patch <%= api_route_helper %>_url(@<%= singular_table_name %>), params: { data: { title: "Updated" } }
+    patch <%= api_singular_route_helper %>_url(@<%= singular_table_name %>), params: { data: { title: "Updated" } }
     assert_response :unauthorized
   end
   
   test "should not destroy without authentication" do
     assert_no_difference('<%= class_name %>.count') do
-      delete <%= api_route_helper %>_url(@<%= singular_table_name %>)
+      delete <%= api_singular_route_helper %>_url(@<%= singular_table_name %>)
     end
     assert_response :unauthorized
   end
@@ -79,19 +90,19 @@ class <%= controller_class_name_with_namespace %>ControllerTest < ActionDispatch
     pagination = response_body['pagination']
     
     # Should include pagination metadata
-    assert_includes pagination.keys, 'page'
-    assert_includes pagination.keys, 'items'
-    assert_includes pagination.keys, 'count'
-    assert_includes pagination.keys, 'pages'
-    assert_includes pagination.keys, 'last'
-    assert_includes pagination.keys, 'next'
-    assert_includes pagination.keys, 'prev'
+    assert_includes pagination.keys, 'current_page'
+    assert_includes pagination.keys, 'per_page'
+    assert_includes pagination.keys, 'total_count'
+    assert_includes pagination.keys, 'total_pages'
+    assert_includes pagination.keys, 'next_page'
+    assert_includes pagination.keys, 'prev_page'
   end
   
   test "should only show records for user's organization" do
     # Create record for different organization
     other_org = Organization.create!(name: "Other Organization")
     other_<%= singular_table_name %> = <%= class_name %>.create!(
+
 <% attributes.each_with_index do |attribute, index| -%>
 <% if attribute.name == "organization" && attribute.type == :references -%>
       <%= attribute.name %>: other_org<%= ',' if index < attributes.length - 1 %>
@@ -100,7 +111,13 @@ class <%= controller_class_name_with_namespace %>ControllerTest < ActionDispatch
 <% elsif attribute.type == :references -%>
       <%= attribute.name %>: @<%= attribute.name %><%= ',' if index < attributes.length - 1 %>
 <% elsif attribute.type == :string -%>
+<% if attribute.name.to_s.match?(/email/) -%>
+      <%= attribute.name %>: "other@example.com"<%= ',' if index < attributes.length - 1 %>
+<% elsif attribute.name.to_s.match?(/password/) -%>
+      <%= attribute.name %>: "password123"<%= ',' if index < attributes.length - 1 %>
+<% else -%>
       <%= attribute.name %>: "Other Org <%= attribute.name.humanize %>"<%= ',' if index < attributes.length - 1 %>
+<% end -%>
 <% elsif attribute.type == :text -%>
       <%= attribute.name %>: "Other org <%= attribute.name.humanize %> content"<%= ',' if index < attributes.length - 1 %>
 <% elsif attribute.type == :integer -%>
@@ -109,6 +126,10 @@ class <%= controller_class_name_with_namespace %>ControllerTest < ActionDispatch
       <%= attribute.name %>: true<%= ',' if index < attributes.length - 1 %>
 <% elsif attribute.type == :decimal || attribute.type == :float -%>
       <%= attribute.name %>: 99.99<%= ',' if index < attributes.length - 1 %>
+<% elsif attribute.type == :datetime -%>
+      <%= attribute.name %>: Time.current<%= ',' if index < attributes.length - 1 %>
+<% elsif attribute.type == :json -%>
+      <%= attribute.name %>: {}<%= ',' if index < attributes.length - 1 %>
 <% else -%>
       <%= attribute.name %>: "other_value"<%= ',' if index < attributes.length - 1 %>
 <% end -%>
@@ -131,7 +152,7 @@ class <%= controller_class_name_with_namespace %>ControllerTest < ActionDispatch
   # === SHOW TESTS ===
   
   test "should show <%= singular_table_name %> with authentication" do
-    get <%= api_route_helper %>_url(@<%= singular_table_name %>), headers: @auth_headers
+    get <%= api_singular_route_helper %>_url(@<%= singular_table_name %>), headers: @auth_headers
     assert_response :success
     
     response_body = JSON.parse(response.body)
@@ -142,13 +163,14 @@ class <%= controller_class_name_with_namespace %>ControllerTest < ActionDispatch
   end
   
   test "should return 404 for non-existent <%= singular_table_name %>" do
-    get <%= api_route_helper %>_url(0), headers: @auth_headers
+    get <%= api_singular_route_helper %>_url(0), headers: @auth_headers
     assert_response :not_found
   end
   
   test "should not show <%= singular_table_name %> from different organization" do
     other_org = Organization.create!(name: "Other Organization")
     other_<%= singular_table_name %> = <%= class_name %>.create!(
+
 <% attributes.each_with_index do |attribute, index| -%>
 <% if attribute.name == "organization" && attribute.type == :references -%>
       <%= attribute.name %>: other_org<%= ',' if index < attributes.length - 1 %>
@@ -157,7 +179,13 @@ class <%= controller_class_name_with_namespace %>ControllerTest < ActionDispatch
 <% elsif attribute.type == :references -%>
       <%= attribute.name %>: @<%= attribute.name %><%= ',' if index < attributes.length - 1 %>
 <% elsif attribute.type == :string -%>
+<% if attribute.name.to_s.match?(/email/) -%>
+      <%= attribute.name %>: "other@example.com"<%= ',' if index < attributes.length - 1 %>
+<% elsif attribute.name.to_s.match?(/password/) -%>
+      <%= attribute.name %>: "password123"<%= ',' if index < attributes.length - 1 %>
+<% else -%>
       <%= attribute.name %>: "Other Org <%= attribute.name.humanize %>"<%= ',' if index < attributes.length - 1 %>
+<% end -%>
 <% elsif attribute.type == :text -%>
       <%= attribute.name %>: "Other org <%= attribute.name.humanize %> content"<%= ',' if index < attributes.length - 1 %>
 <% elsif attribute.type == :integer -%>
@@ -166,18 +194,39 @@ class <%= controller_class_name_with_namespace %>ControllerTest < ActionDispatch
       <%= attribute.name %>: true<%= ',' if index < attributes.length - 1 %>
 <% elsif attribute.type == :decimal || attribute.type == :float -%>
       <%= attribute.name %>: 99.99<%= ',' if index < attributes.length - 1 %>
+<% elsif attribute.type == :datetime -%>
+      <%= attribute.name %>: Time.current<%= ',' if index < attributes.length - 1 %>
+<% elsif attribute.type == :json -%>
+      <%= attribute.name %>: {}<%= ',' if index < attributes.length - 1 %>
 <% else -%>
       <%= attribute.name %>: "other_value"<%= ',' if index < attributes.length - 1 %>
 <% end -%>
 <% end -%>
     )
     
-    get <%= api_route_helper %>_url(other_<%= singular_table_name %>), headers: @auth_headers
+    get <%= api_singular_route_helper %>_url(other_<%= singular_table_name %>), headers: @auth_headers
     assert_response :not_found
   end
 
   # === CREATE TESTS ===
   
+<% if class_name == 'Organization' -%>
+  test "should block <%= singular_table_name %> creation and direct to signup" do
+    assert_no_difference('<%= class_name %>.count') do
+      post <%= api_route_helper %>_url, 
+           params: { data: valid_<%= singular_table_name %>_params },
+           headers: @auth_headers
+    end
+    
+    assert_response :forbidden
+    
+    response_body = JSON.parse(response.body)
+    assert_includes response_body.keys, 'error'
+    assert_includes response_body.keys, 'message'
+    assert_includes response_body['message'], 'signup'
+    assert_equal 'ORGANIZATION_CREATION_BLOCKED', response_body['code']
+  end
+<% else -%>
   test "should create <%= singular_table_name %> with valid params" do
     assert_difference('<%= class_name %>.count', 1) do
       post <%= api_route_helper %>_url, 
@@ -191,10 +240,43 @@ class <%= controller_class_name_with_namespace %>ControllerTest < ActionDispatch
     assert_includes response_body.keys, 'data'
     
     created_<%= singular_table_name %> = response_body['data']
-    assert_equal @organization.id, created_<%= singular_table_name %>['organization']['id']
-    assert_equal @user.id, created_<%= singular_table_name %>['user']['id']
+    assert_not_nil created_<%= singular_table_name %>, "Response should contain <%= singular_table_name %> data"
+    
+<% if class_name != 'Organization' -%>
+    # Verify organization reference (handle both nested and flat formats)
+    if created_<%= singular_table_name %>['organization']
+      assert_equal @organization.id, created_<%= singular_table_name %>['organization']['id']
+    else
+      assert_equal @organization.id, created_<%= singular_table_name %>['organization_id']
+    end
+<% end -%>
+    
+<% if class_name != 'User' && class_name != 'Organization' && attributes.any? { |attr| attr.name == 'user_id' || (attr.type == :references && attr.name == 'user') } -%>
+    # Verify user reference (handle both nested and flat formats)
+    if created_<%= singular_table_name %>['user']
+      assert_equal @user.id, created_<%= singular_table_name %>['user']['id']
+    elsif created_<%= singular_table_name %>['user_id']
+      assert_equal @user.id, created_<%= singular_table_name %>['user_id']
+    end
+<% end -%>
   end
+<% end -%>
   
+<% if class_name == 'Organization' -%>
+  test "should block <%= singular_table_name %> creation even with invalid params" do
+    assert_no_difference('<%= class_name %>.count') do
+      post <%= api_route_helper %>_url,
+           params: { data: invalid_<%= singular_table_name %>_params },
+           headers: @auth_headers
+    end
+    
+    assert_response :forbidden
+    
+    response_body = JSON.parse(response.body)
+    assert_includes response_body.keys, 'error'
+    assert_includes response_body['message'], 'signup'
+  end
+<% else -%>
   test "should not create <%= singular_table_name %> with invalid params" do
     assert_no_difference('<%= class_name %>.count') do
       post <%= api_route_helper %>_url,
@@ -207,34 +289,118 @@ class <%= controller_class_name_with_namespace %>ControllerTest < ActionDispatch
     response_body = JSON.parse(response.body)
     assert_includes response_body.keys, 'errors'
   end
+<% end -%>
   
-  test "should auto-assign organization and user on create" do
+<% if class_name == 'Organization' -%>
+  test "should block <%= singular_table_name %> creation even without explicit IDs" do
     params = valid_<%= singular_table_name %>_params
     params.delete(:organization_id)  # Don't send organization_id
     params.delete(:user_id)          # Don't send user_id
     
-    assert_difference('<%= class_name %>.count', 1) do
+    assert_no_difference('<%= class_name %>.count') do
       post <%= api_route_helper %>_url,
            params: { data: params },
            headers: @auth_headers
     end
     
-    assert_response :created
+    assert_response :forbidden
+  end
+<% else -%>
+  test "should handle tenancy context based on configuration" do
+    # Check current configuration
+    require_org_id = PropelAuthentication.configuration.require_organization_id
+    require_user_id = PropelAuthentication.configuration.require_user_id
+<%
+  # Check attributes directly instead of database columns (more reliable during generation)
+  has_agency_id = attributes.any? { |attr| attr.name == 'agency' && attr.type == :references }
+  has_user_id = attributes.any? { |attr| attr.name == 'user' && attr.type == :references }
+-%>
     
-    # Should automatically assign current user's organization and user
-    created_<%= singular_table_name %> = <%= class_name %>.last
-    assert_equal @organization.id, created_<%= singular_table_name %>.organization_id
-    assert_equal @user.id, created_<%= singular_table_name %>.user_id
+    params = valid_<%= singular_table_name %>_params
+    params.delete(:organization_id)  # Remove organization_id to test behavior
+<% if has_user_id -%>
+    params.delete(:user_id)          # Remove user_id to test behavior
+<% end -%>
+<% if has_agency_id -%>
+    params.delete(:agency_id)        # Remove agency_id to test behavior
+<% end -%>
+    
+    if require_org_id<% if has_agency_id %> || true<% end -%> # Agency models always require strict validation
+      # Strict mode: Should fail validation due to missing required tenancy context
+      assert_no_difference('<%= class_name %>.count') do
+        post <%= api_route_helper %>_url,
+             params: { data: params },
+             headers: @auth_headers
+      end
+      
+      assert_response :unprocessable_entity
+      
+      # Should return validation errors for missing tenancy
+      error_response = JSON.parse(response.body)
+      
+      if require_org_id
+        assert_includes error_response['errors'].keys, 'organization_id',
+          "Should require organization_id when require_organization_id = true"
+      end
+<% if has_user_id -%>
+      if require_user_id
+        assert_includes error_response['errors'].keys, 'user_id',
+          "Should require user_id when require_user_id = true"
+      end
+<% end -%>
+<% if has_agency_id -%>
+      # Agency models always require agency_id (business rule)
+      assert_includes error_response['errors'].keys, 'agency_id',
+        "Should require agency_id for models with agency tenancy"
+<% end -%>
+    else
+      # Auto-assignment mode: Should succeed with auto-assigned tenancy context
+      assert_difference('<%= class_name %>.count', 1) do
+        post <%= api_route_helper %>_url,
+             params: { data: params },
+             headers: @auth_headers
+      end
+      
+      assert_response :created
+      
+      # Should auto-assign missing tenancy context
+      created_response = JSON.parse(response.body)
+      created_<%= singular_table_name %> = created_response['data']
+      
+<% unless class_name == 'Organization' -%>
+      # Verify organization_id was auto-assigned
+      if created_<%= singular_table_name %>['organization']
+        assert_equal @user.organization.id, created_<%= singular_table_name %>['organization']['id'],
+          "Should auto-assign organization_id when require_organization_id = false"
+      elsif created_<%= singular_table_name %>['organization_id']
+        assert_equal @user.organization.id, created_<%= singular_table_name %>['organization_id'],
+          "Should auto-assign organization_id when require_organization_id = false"
+      end
+<% end -%>
+<% if has_user_id && class_name != 'User' -%>
+      # Verify user_id was auto-assigned (if not required to be explicit)
+      unless require_user_id
+        if created_<%= singular_table_name %>['user']
+          assert_equal @user.id, created_<%= singular_table_name %>['user']['id'],
+            "Should auto-assign user_id when require_user_id = false"
+        elsif created_<%= singular_table_name %>['user_id']
+          assert_equal @user.id, created_<%= singular_table_name %>['user_id'],
+            "Should auto-assign user_id when require_user_id = false"
+        end
+      end
+<% end -%>
+    end
   end
+<% end -%>
 
   # === UPDATE TESTS ===
   
   test "should update <%= singular_table_name %> with valid params" do
 <% if attributes.any? { |attr| attr.type == :string && attr.name != "organization" && attr.name != "user" } -%>
 <% string_attr = attributes.find { |attr| attr.type == :string && attr.name != "organization" && attr.name != "user" } -%>
-    new_<%= string_attr.name %> = "Updated <%= string_attr.name.humanize %>"
+    new_<%= string_attr.name %> = <% if string_attr.name.include?('email') %>"updated_<%= string_attr.name %>@example.com"<% else %>"Updated <%= string_attr.name.humanize %>"<% end %>
     
-    patch <%= api_route_helper %>_url(@<%= singular_table_name %>),
+    patch <%= api_singular_route_helper %>_url(@<%= singular_table_name %>),
           params: { data: { <%= string_attr.name %>: new_<%= string_attr.name %> } },
           headers: @auth_headers
     
@@ -244,7 +410,7 @@ class <%= controller_class_name_with_namespace %>ControllerTest < ActionDispatch
     assert_equal new_<%= string_attr.name %>, @<%= singular_table_name %>.<%= string_attr.name %>
 <% else -%>
     # Update test for <%= singular_table_name %> - customize based on your model's attributes
-    patch <%= api_route_helper %>_url(@<%= singular_table_name %>),
+    patch <%= api_singular_route_helper %>_url(@<%= singular_table_name %>),
           params: { data: valid_<%= singular_table_name %>_params },
           headers: @auth_headers
     
@@ -253,7 +419,7 @@ class <%= controller_class_name_with_namespace %>ControllerTest < ActionDispatch
   end
   
   test "should not update <%= singular_table_name %> with invalid params" do
-    patch <%= api_route_helper %>_url(@<%= singular_table_name %>),
+    patch <%= api_singular_route_helper %>_url(@<%= singular_table_name %>),
           params: { data: invalid_<%= singular_table_name %>_params },
           headers: @auth_headers
     
@@ -266,6 +432,7 @@ class <%= controller_class_name_with_namespace %>ControllerTest < ActionDispatch
   test "should not update <%= singular_table_name %> from different organization" do
     other_org = Organization.create!(name: "Other Organization")
     other_<%= singular_table_name %> = <%= class_name %>.create!(
+
 <% attributes.each_with_index do |attribute, index| -%>
 <% if attribute.name == "organization" && attribute.type == :references -%>
       <%= attribute.name %>: other_org<%= ',' if index < attributes.length - 1 %>
@@ -274,7 +441,13 @@ class <%= controller_class_name_with_namespace %>ControllerTest < ActionDispatch
 <% elsif attribute.type == :references -%>
       <%= attribute.name %>: @<%= attribute.name %><%= ',' if index < attributes.length - 1 %>
 <% elsif attribute.type == :string -%>
+<% if attribute.name.to_s.match?(/email/) -%>
+      <%= attribute.name %>: "other@example.com"<%= ',' if index < attributes.length - 1 %>
+<% elsif attribute.name.to_s.match?(/password/) -%>
+      <%= attribute.name %>: "password123"<%= ',' if index < attributes.length - 1 %>
+<% else -%>
       <%= attribute.name %>: "Other Org <%= attribute.name.humanize %>"<%= ',' if index < attributes.length - 1 %>
+<% end -%>
 <% elsif attribute.type == :text -%>
       <%= attribute.name %>: "Other org <%= attribute.name.humanize %> content"<%= ',' if index < attributes.length - 1 %>
 <% elsif attribute.type == :integer -%>
@@ -283,13 +456,17 @@ class <%= controller_class_name_with_namespace %>ControllerTest < ActionDispatch
       <%= attribute.name %>: true<%= ',' if index < attributes.length - 1 %>
 <% elsif attribute.type == :decimal || attribute.type == :float -%>
       <%= attribute.name %>: 99.99<%= ',' if index < attributes.length - 1 %>
+<% elsif attribute.type == :datetime -%>
+      <%= attribute.name %>: Time.current<%= ',' if index < attributes.length - 1 %>
+<% elsif attribute.type == :json -%>
+      <%= attribute.name %>: {}<%= ',' if index < attributes.length - 1 %>
 <% else -%>
       <%= attribute.name %>: "other_value"<%= ',' if index < attributes.length - 1 %>
 <% end -%>
 <% end -%>
     )
     
-    patch <%= api_route_helper %>_url(other_<%= singular_table_name %>),
+    patch <%= api_singular_route_helper %>_url(other_<%= singular_table_name %>),
           params: { data: valid_<%= singular_table_name %>_params },
           headers: @auth_headers
     
@@ -300,7 +477,7 @@ class <%= controller_class_name_with_namespace %>ControllerTest < ActionDispatch
   
   test "should destroy <%= singular_table_name %>" do
     assert_difference('<%= class_name %>.count', -1) do
-      delete <%= api_route_helper %>_url(@<%= singular_table_name %>), headers: @auth_headers
+      delete <%= api_singular_route_helper %>_url(@<%= singular_table_name %>), headers: @auth_headers
     end
     
     assert_response :no_content
@@ -309,6 +486,7 @@ class <%= controller_class_name_with_namespace %>ControllerTest < ActionDispatch
   test "should not destroy <%= singular_table_name %> from different organization" do
     other_org = Organization.create!(name: "Other Organization")
     other_<%= singular_table_name %> = <%= class_name %>.create!(
+
 <% attributes.each_with_index do |attribute, index| -%>
 <% if attribute.name == "organization" && attribute.type == :references -%>
       <%= attribute.name %>: other_org<%= ',' if index < attributes.length - 1 %>
@@ -317,7 +495,13 @@ class <%= controller_class_name_with_namespace %>ControllerTest < ActionDispatch
 <% elsif attribute.type == :references -%>
       <%= attribute.name %>: @<%= attribute.name %><%= ',' if index < attributes.length - 1 %>
 <% elsif attribute.type == :string -%>
+<% if attribute.name.to_s.match?(/email/) -%>
+      <%= attribute.name %>: "other@example.com"<%= ',' if index < attributes.length - 1 %>
+<% elsif attribute.name.to_s.match?(/password/) -%>
+      <%= attribute.name %>: "password123"<%= ',' if index < attributes.length - 1 %>
+<% else -%>
       <%= attribute.name %>: "Other Org <%= attribute.name.humanize %>"<%= ',' if index < attributes.length - 1 %>
+<% end -%>
 <% elsif attribute.type == :text -%>
       <%= attribute.name %>: "Other org <%= attribute.name.humanize %> content"<%= ',' if index < attributes.length - 1 %>
 <% elsif attribute.type == :integer -%>
@@ -326,6 +510,10 @@ class <%= controller_class_name_with_namespace %>ControllerTest < ActionDispatch
       <%= attribute.name %>: true<%= ',' if index < attributes.length - 1 %>
 <% elsif attribute.type == :decimal || attribute.type == :float -%>
       <%= attribute.name %>: 99.99<%= ',' if index < attributes.length - 1 %>
+<% elsif attribute.type == :datetime -%>
+      <%= attribute.name %>: Time.current<%= ',' if index < attributes.length - 1 %>
+<% elsif attribute.type == :json -%>
+      <%= attribute.name %>: {}<%= ',' if index < attributes.length - 1 %>
 <% else -%>
       <%= attribute.name %>: "other_value"<%= ',' if index < attributes.length - 1 %>
 <% end -%>
@@ -333,7 +521,7 @@ class <%= controller_class_name_with_namespace %>ControllerTest < ActionDispatch
     )
     
     assert_no_difference('<%= class_name %>.count') do
-      delete <%= api_route_helper %>_url(other_<%= singular_table_name %>), headers: @auth_headers
+      delete <%= api_singular_route_helper %>_url(other_<%= singular_table_name %>), headers: @auth_headers
     end
     
     assert_response :not_found
@@ -341,6 +529,18 @@ class <%= controller_class_name_with_namespace %>ControllerTest < ActionDispatch
 
   # === PARAMETER HANDLING TESTS ===
   
+<% if class_name == 'Organization' -%>
+  test "should reject <%= singular_table_name %> creation with proper error structure" do
+    post <%= api_route_helper %>_url,
+         params: { data: valid_<%= singular_table_name %>_params },
+         headers: @auth_headers
+    
+    assert_response :forbidden
+    response_body = JSON.parse(response.body)
+    assert_includes response_body.keys, 'code'
+    assert_equal 'ORGANIZATION_CREATION_BLOCKED', response_body['code']
+  end
+<% else -%>
   test "should accept valid data structure" do
     post <%= api_route_helper %>_url,
          params: { data: valid_<%= singular_table_name %>_params },
@@ -348,15 +548,40 @@ class <%= controller_class_name_with_namespace %>ControllerTest < ActionDispatch
     
     assert_response :created
   end
+<% end -%>
   
+<% if class_name == 'Organization' -%>
+  test "should block <%= singular_table_name %> creation regardless of data wrapper" do
+    post <%= api_route_helper %>_url,
+         params: valid_<%= singular_table_name %>_params,  # No data wrapper
+         headers: @auth_headers
+    
+    assert_response :forbidden
+  end
+<% else -%>
   test "should reject params without data wrapper" do
     post <%= api_route_helper %>_url,
          params: valid_<%= singular_table_name %>_params,  # No data wrapper
          headers: @auth_headers
     
-    assert_response :unprocessable_entity
+    assert_response :bad_request
   end
+<% end -%>
   
+<% if class_name == 'Organization' -%>
+  test "should block <%= singular_table_name %> creation regardless of parameter filtering" do
+    params_with_extra = valid_<%= singular_table_name %>_params.merge(
+      forbidden_field: "should_be_ignored",
+      admin_only_field: true
+    )
+    
+    post <%= api_route_helper %>_url,
+         params: { data: params_with_extra },
+         headers: @auth_headers
+    
+    assert_response :forbidden
+  end
+<% else -%>
   test "should filter permitted params only" do
     params_with_extra = valid_<%= singular_table_name %>_params.merge(
       forbidden_field: "should_be_ignored",
@@ -373,6 +598,7 @@ class <%= controller_class_name_with_namespace %>ControllerTest < ActionDispatch
     created_<%= singular_table_name %> = <%= class_name %>.last
     assert_not created_<%= singular_table_name %>.respond_to?(:forbidden_field)
   end
+<% end -%>
 
   # === JSON FACET RESPONSE TESTS ===
   
@@ -404,7 +630,7 @@ class <%= controller_class_name_with_namespace %>ControllerTest < ActionDispatch
   end
   
   test "show should return details facet data" do
-    get <%= api_route_helper %>_url(@<%= singular_table_name %>), headers: @auth_headers
+    get <%= api_singular_route_helper %>_url(@<%= singular_table_name %>), headers: @auth_headers
     assert_response :success
     
     response_body = JSON.parse(response.body)
@@ -431,20 +657,35 @@ class <%= controller_class_name_with_namespace %>ControllerTest < ActionDispatch
 
   def valid_<%= singular_table_name %>_params
     {
+<% 
+  # Get list of reference attribute names to avoid duplicating them as string attributes
+  reference_names = attributes.select { |attr| attr.type == :references }.map(&:name)
+-%>
+
 <% attributes.each_with_index do |attribute, index| -%>
 <% if attribute.type == :references -%>
       <%= attribute.name %>_id: @<%= attribute.name %>.id<%= ',' if index < attributes.length - 1 %>
-<% elsif attribute.type == :string -%>
+<% elsif attribute.type == :string && !reference_names.include?(attribute.name) -%>
+<% if attribute.name.to_s.match?(/email/) -%>
+      <%= attribute.name %>: "test@example.com"<%= ',' if index < attributes.length - 1 %>
+<% elsif attribute.name.to_s.match?(/password/) -%>
+      <%= attribute.name %>: "password123"<%= ',' if index < attributes.length - 1 %>
+<% else -%>
       <%= attribute.name %>: "Test <%= attribute.name.humanize %>"<%= ',' if index < attributes.length - 1 %>
-<% elsif attribute.type == :text -%>
+<% end -%>
+<% elsif attribute.type == :text && !reference_names.include?(attribute.name) -%>
       <%= attribute.name %>: "Test <%= attribute.name.humanize %> content"<%= ',' if index < attributes.length - 1 %>
-<% elsif attribute.type == :integer -%>
+<% elsif attribute.type == :integer && !reference_names.include?(attribute.name) -%>
       <%= attribute.name %>: 42<%= ',' if index < attributes.length - 1 %>
-<% elsif attribute.type == :boolean -%>
+<% elsif attribute.type == :boolean && !reference_names.include?(attribute.name) -%>
       <%= attribute.name %>: true<%= ',' if index < attributes.length - 1 %>
 <% elsif attribute.type == :decimal || attribute.type == :float -%>
       <%= attribute.name %>: 123.45<%= ',' if index < attributes.length - 1 %>
-<% else -%>
+<% elsif attribute.type == :datetime -%>
+      <%= attribute.name %>: Time.current<%= ',' if index < attributes.length - 1 %>
+<% elsif attribute.type == :json -%>
+      <%= attribute.name %>: {}<%= ',' if index < attributes.length - 1 %>
+<% elsif !reference_names.include?(attribute.name) -%>
       <%= attribute.name %>: "test_value"<%= ',' if index < attributes.length - 1 %>
 <% end -%>
 <% end -%>
@@ -475,6 +716,8 @@ class <%= controller_class_name_with_namespace %>ControllerTest < ActionDispatch
       <%= attribute.name %>: "not_a_number"<%= ',' if index < attributes.length - 1 %>
 <% elsif attribute.type == :decimal || attribute.type == :float -%>
       <%= attribute.name %>: "not_a_number"<%= ',' if index < attributes.length - 1 %>
+<% elsif attribute.type == :references -%>
+      <%= reference_names.include?(attribute.name) ? "#{attribute.name}_id" : attribute.name %>: nil<%= ',' if index < attributes.length - 1 %>
 <% else -%>
       <%= attribute.name %>: ""<%= ',' if index < attributes.length - 1 %>
 <% end -%>

data/lib/generators/propel_api/templates/tests/fixtures_template.yml.tt

@@ -7,6 +7,8 @@ one:
   <%= attribute.name %>: acme_org
 <% elsif attribute.name == 'user' -%>
   <%= attribute.name %>: john_user
+<% elsif attribute.name == 'agency' -%>
+  <%= attribute.name %>: marketing_agency
 <% else -%>
   <%= attribute.name %>: one
 <% end -%>
@@ -78,6 +80,14 @@ one:
   <%= attribute.name %>: "2024-06-15 10:30:00"
 <% elsif attribute.type == :time -%>
   <%= attribute.name %>: "10:30:00"
+<% elsif attribute.type == :json || attribute.name.to_s.match?(/^(meta|settings)$/) -%>
+<% if attribute.name == 'meta' -%>
+  <%= attribute.name %>: { fixture_meta: "test_one", environment: "test", record_type: "<%= singular_table_name %>" }
+<% elsif attribute.name == 'settings' -%>
+  <%= attribute.name %>: { dark_mode: false, money_format: "usd", language: "en", test_mode: true }
+<% else -%>
+  <%= attribute.name %>: { test_data: "fixture_one" }
+<% end -%>
 <% else -%>
   <%= attribute.name %>: "test_value_one"
 <% end -%>
@@ -90,6 +100,8 @@ two:
   <%= attribute.name %>: tech_startup
 <% elsif attribute.name == 'user' -%>
   <%= attribute.name %>: jane_user
+<% elsif attribute.name == 'agency' -%>
+  <%= attribute.name %>: tech_agency
 <% else -%>
   <%= attribute.name %>: one
 <% end -%>
@@ -161,6 +173,14 @@ two:
   <%= attribute.name %>: "2023-12-25 15:45:00"
 <% elsif attribute.type == :time -%>
   <%= attribute.name %>: "15:45:00"
+<% elsif attribute.type == :json || attribute.name.to_s.match?(/^(meta|settings)$/) -%>
+<% if attribute.name == 'meta' -%>
+  <%= attribute.name %>: { fixture_meta: "test_two", environment: "test", record_type: "<%= singular_table_name %>" }
+<% elsif attribute.name == 'settings' -%>
+  <%= attribute.name %>: { dark_mode: true, money_format: "eur", language: "fr", test_mode: true }
+<% else -%>
+  <%= attribute.name %>: { test_data: "fixture_two" }
+<% end -%>
 <% else -%>
   <%= attribute.name %>: "test_value_two"
 <% end -%>
@@ -173,6 +193,8 @@ three:
   <%= attribute.name %>: acme_org
 <% elsif attribute.name == 'user' -%>
   <%= attribute.name %>: confirmed_user
+<% elsif attribute.name == 'agency' -%>
+  <%= attribute.name %>: sales_agency
 <% else -%>
   <%= attribute.name %>: one
 <% end -%>
@@ -244,6 +266,14 @@ three:
   <%= attribute.name %>: "2025-03-10 08:15:00"
 <% elsif attribute.type == :time -%>
   <%= attribute.name %>: "08:15:00"
+<% elsif attribute.type == :json || attribute.name.to_s.match?(/^(meta|settings)$/) -%>
+<% if attribute.name == 'meta' -%>
+  <%= attribute.name %>: { fixture_meta: "test_three", environment: "test", record_type: "<%= singular_table_name %>" }
+<% elsif attribute.name == 'settings' -%>
+  <%= attribute.name %>: { dark_mode: true, money_format: "gbp", language: "es", test_mode: true }
+<% else -%>
+  <%= attribute.name %>: { test_data: "fixture_three" }
+<% end -%>
 <% else -%>
   <%= attribute.name %>: "test_value_three"
 <% end -%>