summaryrefslogtreecommitdiff
path: root/test/functional/api/users_controller_test.rb
diff options
context:
space:
mode:
authorAzul <azul@riseup.net>2016-10-20 14:39:33 +0200
committerAzul <azul@riseup.net>2016-10-20 14:39:33 +0200
commitb97daaed9b513006ace7e8eb5232a2211e965e77 (patch)
treee27002e8368e92410e5d4af2a945260c2ea6e2d1 /test/functional/api/users_controller_test.rb
parentc6c4d9fd10b8ca8e24889112727e44c9bf68dd60 (diff)
parent6eb2dae802e5453e2a4361ab28f614cce9294f4c (diff)
Merge remote-tracking branch 'origin/develop'
We'll only use the master branch for development from now on.
Diffstat (limited to 'test/functional/api/users_controller_test.rb')
-rw-r--r--test/functional/api/users_controller_test.rb143
1 files changed, 143 insertions, 0 deletions
diff --git a/test/functional/api/users_controller_test.rb b/test/functional/api/users_controller_test.rb
new file mode 100644
index 0000000..b69770d
--- /dev/null
+++ b/test/functional/api/users_controller_test.rb
@@ -0,0 +1,143 @@
+require 'test_helper'
+
+class Api::UsersControllerTest < ApiControllerTest
+
+ test "user can change settings" do
+ user = find_record :user
+ changed_attribs = record_attributes_for :user_with_settings
+ account_settings = stub
+ account_settings.expects(:update).with(changed_attribs)
+ Account.expects(:new).with(user).returns(account_settings)
+
+ login user
+ api_put :update, :user => changed_attribs, :id => user.id, :format => :json
+
+ assert_equal user, assigns[:user]
+ assert_response 204
+ assert @response.body.blank?, "Response should be blank"
+ end
+
+ test "admin can update user" do
+ user = find_record :user
+ changed_attribs = record_attributes_for :user_with_settings
+ account_settings = stub
+ account_settings.expects(:update).with(changed_attribs)
+ Account.expects(:new).with(user).returns(account_settings)
+
+ login :is_admin? => true
+ api_put :update, :user => changed_attribs, :id => user.id, :format => :json
+
+ assert_equal user, assigns[:user]
+ assert_response 204
+ end
+
+ test "user cannot update other user" do
+ user = find_record :user
+ login
+ api_put :update, id: user.id,
+ user: record_attributes_for(:user_with_settings),
+ :format => :json
+ assert_access_denied
+ end
+
+ test "should create new user" do
+ user_attribs = record_attributes_for :user
+ user = User.new(user_attribs)
+ Account.expects(:create).with(user_attribs).returns(user)
+
+ api_post :create, :user => user_attribs, :format => :json
+
+ assert_nil session[:user_id]
+ assert_json_response user
+ assert_response :success
+ end
+
+ test "should redirect to signup form on failed attempt" do
+ user_attribs = record_attributes_for :user
+ user_attribs.slice!('login')
+ user = User.new(user_attribs)
+ assert !user.valid?
+ Account.expects(:create).with(user_attribs).returns(user)
+
+ api_post :create, :user => user_attribs, :format => :json
+
+ assert_json_error user.errors.messages
+ assert_response 422
+ end
+
+ test "admin can autocomplete users" do
+ login :is_admin? => true
+ api_get :index, :query => 'a', :format => :json
+
+ assert_response :success
+ assert assigns(:users)
+ end
+
+ test "create returns forbidden if registration is closed" do
+ user_attribs = record_attributes_for :user
+ with_config(allow_registration: false) do
+ api_post :create, :user => user_attribs, :format => :json
+ assert_response :forbidden
+ end
+ end
+
+ test "admin can show user" do
+ user = FactoryGirl.create :user
+ login :is_admin? => true
+ api_get :show, :id => 0, :login => user.login, :format => :json
+ assert_response :success
+ assert_json_response user.to_hash
+ api_get :show, :id => user.id, :format => :json
+ assert_response :success
+ assert_json_response user.to_hash
+ api_get :show, :id => "0", :format => :json
+ assert_response :not_found
+ end
+
+ test "admin can show is_admin property" do
+ user = FactoryGirl.create :user, login: "admin2"
+ login user
+ api_get :show, :id => user.id, :format => :json
+ assert_response :success
+ assert_json_response user.to_hash.merge(:is_admin => true)
+ end
+
+ test "normal users cannot show user" do
+ user = find_record :user
+ login
+ api_get :show, :id => 0, :login => user.login, :format => :json
+ assert_access_denied
+ end
+
+ test "api monitor auth can create and destroy test users" do
+ # should work even with registration off and/or invites required
+ with_config(allow_registration: false, invite_required: true) do
+ monitor_auth do
+ user_attribs = record_attributes_for :test_user
+ api_post :create, :user => user_attribs, :format => :json
+ assert_response :success
+ api_delete :destroy, :id => assigns(:user).id, :format => :json
+ assert_response :success
+ end
+ end
+ end
+
+ test "api monitor auth cannot create normal users" do
+ monitor_auth do
+ user_attribs = record_attributes_for :user
+ api_post :create, :user => user_attribs, :format => :json
+ assert_response :forbidden
+ end
+ end
+
+ test "api monitor auth cannot api_delete normal users" do
+ api_post :create, :user => record_attributes_for(:user), :format => :json
+ assert_response :success
+ normal_user_id = assigns(:user).id
+ monitor_auth do
+ api_delete :destroy, :id => normal_user_id, :format => :json
+ assert_response :forbidden
+ end
+ end
+
+end