Adding in security tests and docs.

endpoints/api/superuser.py

@@ -873,19 +873,21 @@ class SuperUserMessages(ApiResource):
   @nickname('getMessages')
   def get(self):
     """ Return a super users messages """
-    messages = list(model.message.get_messages())
     return {
-      'messages': [message_view(m) for m in messages],
+      'messages': [message_view(m) for m in model.message.get_messages()],
     }
 
-  @require_scope(scopes.SUPERUSER)
   @verify_not_prod
   @nickname('createMessages')
   @validate_json_request('CreateMessage')
+  @require_scope(scopes.SUPERUSER)
   def post(self):
     """ Create a message """
-    body = request.get_json()
-    model.message.create([body['message']])
+    if SuperUserPermission().can():
+      model.message.create([request.get_json()['message']])
+      return make_response('', 201)
+    abort(403)
+
 
 def message_view(message):
   return {'id': message.id, 'content': message.content}