fix user account spec - users *can* now update their own profile via …

…api due to previous change in #703

app/models/ability.rb

@@ -718,10 +718,11 @@ def to_tagging(user, is_guest)
   end
 
   def to_user(user, is_guest)
-    # admin only: :index, :edit, :update
+    # admin only: :index, :edit
     # :edit and :update are the Admin interface for editing any user
     # normal users edit their profile using devise/registrations#edit
 
+    # users can :update their own attributes on the user model via api
     # users can only view their own:
     can [:projects, :sites, :bookmarks, :audio_events, :audio_event_comments, :update], User, id: user.id
 

spec/acceptance/user_accounts_spec.rb

@@ -163,18 +163,16 @@ def id_param
     id_param
     let(:id) { writer_id }
     let(:raw_post) { { user: post_attributes }.to_json }
-    let(:authentication_token) { writer_token } # admin only, users edit using devise/registrations#edit
-    standard_request_options(:put, 'UPDATE (as writer, same user)', :forbidden,
-      { expected_json_path: get_json_error_path(:permissions) })
+    let(:authentication_token) { writer_token }
+    standard_request_options(:put, 'UPDATE (as writer, same user)', :ok, { expected_json_path: 'data/user_name' })
   end
 
   put '/user_accounts/:id' do
     id_param
     let(:id) { reader_id }
     let(:raw_post) { { user: post_attributes }.to_json }
-    let(:authentication_token) { reader_token } # admin only, users edit using devise/registrations#edit
-    standard_request_options(:put, 'UPDATE (as reader, same user)', :forbidden,
-      { expected_json_path: get_json_error_path(:permissions) })
+    let(:authentication_token) { reader_token }
+    standard_request_options(:put, 'UPDATE (as reader, same user)', :ok, { expected_json_path: 'data/user_name' })
   end
 
   put '/user_accounts/:id' do