diff options
Diffstat (limited to 'test/functional/api/users_controller_test.rb')
-rw-r--r-- | test/functional/api/users_controller_test.rb | 135 |
1 files changed, 135 insertions, 0 deletions
diff --git a/test/functional/api/users_controller_test.rb b/test/functional/api/users_controller_test.rb new file mode 100644 index 0000000..32afd0a --- /dev/null +++ b/test/functional/api/users_controller_test.rb @@ -0,0 +1,135 @@ +require 'test_helper' + +class Api::UsersControllerTest < ApiControllerTest + + test "user can change settings" do + user = find_record :user + changed_attribs = record_attributes_for :user_with_settings + account_settings = stub + account_settings.expects(:update).with(changed_attribs) + Account.expects(:new).with(user).returns(account_settings) + + login user + api_put :update, :user => changed_attribs, :id => user.id, :format => :json + + assert_equal user, assigns[:user] + assert_response 204 + assert @response.body.blank?, "Response should be blank" + end + + test "admin can update user" do + user = find_record :user + changed_attribs = record_attributes_for :user_with_settings + account_settings = stub + account_settings.expects(:update).with(changed_attribs) + Account.expects(:new).with(user).returns(account_settings) + + login :is_admin? => true + api_put :update, :user => changed_attribs, :id => user.id, :format => :json + + assert_equal user, assigns[:user] + assert_response 204 + end + + test "user cannot update other user" do + user = find_record :user + login + api_put :update, id: user.id, + user: record_attributes_for(:user_with_settings), + :format => :json + assert_access_denied + end + + test "should create new user" do + user_attribs = record_attributes_for :user + user = User.new(user_attribs) + Account.expects(:create).with(user_attribs).returns(user) + + api_post :create, :user => user_attribs, :format => :json + + assert_nil session[:user_id] + assert_json_response user + assert_response :success + end + + test "should redirect to signup form on failed attempt" do + user_attribs = record_attributes_for :user + user_attribs.slice!('login') + user = User.new(user_attribs) + assert !user.valid? + Account.expects(:create).with(user_attribs).returns(user) + + api_post :create, :user => user_attribs, :format => :json + + assert_json_error user.errors.messages + assert_response 422 + end + + test "admin can autocomplete users" do + login :is_admin? => true + api_get :index, :query => 'a', :format => :json + + assert_response :success + assert assigns(:users) + end + + test "create returns forbidden if registration is closed" do + user_attribs = record_attributes_for :user + with_config(allow_registration: false) do + api_post :create, :user => user_attribs, :format => :json + assert_response :forbidden + end + end + + test "admin can show user" do + user = FactoryGirl.create :user + login :is_admin? => true + api_get :show, :id => 0, :login => user.login, :format => :json + assert_response :success + assert_json_response user + api_get :show, :id => user.id, :format => :json + assert_response :success + assert_json_response user + api_get :show, :id => "0", :format => :json + assert_response :not_found + end + + test "normal users cannot show user" do + user = find_record :user + login + api_get :show, :id => 0, :login => user.login, :format => :json + assert_access_denied + end + + test "api monitor auth can create and destroy test users" do + # should work even with registration off and/or invites required + with_config(allow_registration: false, invite_required: true) do + monitor_auth do + user_attribs = record_attributes_for :test_user + api_post :create, :user => user_attribs, :format => :json + assert_response :success + api_delete :destroy, :id => assigns(:user).id, :format => :json + assert_response :success + end + end + end + + test "api monitor auth cannot create normal users" do + monitor_auth do + user_attribs = record_attributes_for :user + api_post :create, :user => user_attribs, :format => :json + assert_response :forbidden + end + end + + test "api monitor auth cannot api_delete normal users" do + api_post :create, :user => record_attributes_for(:user), :format => :json + assert_response :success + normal_user_id = assigns(:user).id + monitor_auth do + api_delete :destroy, :id => normal_user_id, :format => :json + assert_response :forbidden + end + end + +end |