From e05a1b0f5ae40a2aa17976b3009cd563b8e4660a Mon Sep 17 00:00:00 2001
From: Azul <azul@riseup.net>
Date: Sun, 1 May 2016 10:55:33 -0300
Subject: api: allow version bumping - bump to 2

---
 test/functional/api/users_controller_test.rb | 135 +++++++++++++++++++++++++++
 1 file changed, 135 insertions(+)
 create mode 100644 test/functional/api/users_controller_test.rb

(limited to 'test/functional/api/users_controller_test.rb')

diff --git a/test/functional/api/users_controller_test.rb b/test/functional/api/users_controller_test.rb
new file mode 100644
index 0000000..bc2e312
--- /dev/null
+++ b/test/functional/api/users_controller_test.rb
@@ -0,0 +1,135 @@
+require_relative '../../test_helper'
+
+class Api::UsersControllerTest < ActionController::TestCase
+
+  test "user can change settings" do
+    user = find_record :user
+    changed_attribs = record_attributes_for :user_with_settings
+    account_settings = stub
+    account_settings.expects(:update).with(changed_attribs)
+    Account.expects(:new).with(user).returns(account_settings)
+
+    login user
+    put :update, :user => changed_attribs, :id => user.id, :format => :json
+
+    assert_equal user, assigns[:user]
+    assert_response 204
+    assert @response.body.blank?, "Response should be blank"
+  end
+
+  test "admin can update user" do
+    user = find_record :user
+    changed_attribs = record_attributes_for :user_with_settings
+    account_settings = stub
+    account_settings.expects(:update).with(changed_attribs)
+    Account.expects(:new).with(user).returns(account_settings)
+
+    login :is_admin? => true
+    put :update, :user => changed_attribs, :id => user.id, :format => :json
+
+    assert_equal user, assigns[:user]
+    assert_response 204
+  end
+
+  test "user cannot update other user" do
+    user = find_record :user
+    login
+    put :update, id: user.id,
+      user: record_attributes_for(:user_with_settings),
+      :format => :json
+    assert_access_denied
+  end
+
+  test "should create new user" do
+    user_attribs = record_attributes_for :user
+    user = User.new(user_attribs)
+    Account.expects(:create).with(user_attribs).returns(user)
+
+    post :create, :user => user_attribs, :format => :json
+
+    assert_nil session[:user_id]
+    assert_json_response user
+    assert_response :success
+  end
+
+  test "should redirect to signup form on failed attempt" do
+    user_attribs = record_attributes_for :user
+    user_attribs.slice!('login')
+    user = User.new(user_attribs)
+    assert !user.valid?
+    Account.expects(:create).with(user_attribs).returns(user)
+
+    post :create, :user => user_attribs, :format => :json
+
+    assert_json_error user.errors.messages
+    assert_response 422
+  end
+
+  test "admin can autocomplete users" do
+    login :is_admin? => true
+    get :index, :query => 'a', :format => :json
+
+    assert_response :success
+    assert assigns(:users)
+  end
+
+  test "create returns forbidden if registration is closed" do
+    user_attribs = record_attributes_for :user
+    with_config(allow_registration: false) do
+      post :create, :user => user_attribs, :format => :json
+      assert_response :forbidden
+    end
+  end
+
+  test "admin can show user" do
+    user = FactoryGirl.create :user
+    login :is_admin? => true
+    get :show, :id => 0, :login => user.login, :format => :json
+    assert_response :success
+    assert_json_response user
+    get :show, :id => user.id, :format => :json
+    assert_response :success
+    assert_json_response user
+    get :show, :id => "0", :format => :json
+    assert_response :not_found
+  end
+
+  test "normal users cannot show user" do
+    user = find_record :user
+    login
+    get :show, :id => 0, :login => user.login, :format => :json
+    assert_access_denied
+  end
+
+  test "api monitor auth can create and destroy test users" do
+    # should work even with registration off and/or invites required
+    with_config(allow_registration: false, invite_required: true) do
+      monitor_auth do
+        user_attribs = record_attributes_for :test_user
+        post :create, :user => user_attribs, :format => :json
+        assert_response :success
+        delete :destroy, :id => assigns(:user).id, :format => :json
+        assert_response :success
+      end
+    end
+  end
+
+  test "api monitor auth cannot create normal users" do
+    monitor_auth do
+      user_attribs = record_attributes_for :user
+      post :create, :user => user_attribs, :format => :json
+      assert_response :forbidden
+    end
+  end
+
+  test "api monitor auth cannot delete normal users" do
+    post :create, :user => record_attributes_for(:user), :format => :json
+    assert_response :success
+    normal_user_id = assigns(:user).id
+    monitor_auth do
+      delete :destroy, :id => normal_user_id, :format => :json
+      assert_response :forbidden
+    end
+  end
+
+end
-- 
cgit v1.2.3


From e542a3056c27fd662ef767b6720861035f6dbb1c Mon Sep 17 00:00:00 2001
From: Azul <azul@riseup.net>
Date: Wed, 18 May 2016 21:00:42 +0200
Subject: api: set defaults for version in routes

This way we do not need to specify it all the times.

In the functional tests defaults do not get added automatically.
Introduced api_{get,put,post,delete} to add format and version default.

One to two functional tests failing, everything else passes.
---
 test/functional/api/users_controller_test.rb | 38 ++++++++++++++--------------
 1 file changed, 19 insertions(+), 19 deletions(-)

(limited to 'test/functional/api/users_controller_test.rb')

diff --git a/test/functional/api/users_controller_test.rb b/test/functional/api/users_controller_test.rb
index bc2e312..32afd0a 100644
--- a/test/functional/api/users_controller_test.rb
+++ b/test/functional/api/users_controller_test.rb
@@ -1,6 +1,6 @@
-require_relative '../../test_helper'
+require 'test_helper'
 
-class Api::UsersControllerTest < ActionController::TestCase
+class Api::UsersControllerTest < ApiControllerTest
 
   test "user can change settings" do
     user = find_record :user
@@ -10,7 +10,7 @@ class Api::UsersControllerTest < ActionController::TestCase
     Account.expects(:new).with(user).returns(account_settings)
 
     login user
-    put :update, :user => changed_attribs, :id => user.id, :format => :json
+    api_put :update, :user => changed_attribs, :id => user.id, :format => :json
 
     assert_equal user, assigns[:user]
     assert_response 204
@@ -25,7 +25,7 @@ class Api::UsersControllerTest < ActionController::TestCase
     Account.expects(:new).with(user).returns(account_settings)
 
     login :is_admin? => true
-    put :update, :user => changed_attribs, :id => user.id, :format => :json
+    api_put :update, :user => changed_attribs, :id => user.id, :format => :json
 
     assert_equal user, assigns[:user]
     assert_response 204
@@ -34,7 +34,7 @@ class Api::UsersControllerTest < ActionController::TestCase
   test "user cannot update other user" do
     user = find_record :user
     login
-    put :update, id: user.id,
+    api_put :update, id: user.id,
       user: record_attributes_for(:user_with_settings),
       :format => :json
     assert_access_denied
@@ -45,7 +45,7 @@ class Api::UsersControllerTest < ActionController::TestCase
     user = User.new(user_attribs)
     Account.expects(:create).with(user_attribs).returns(user)
 
-    post :create, :user => user_attribs, :format => :json
+    api_post :create, :user => user_attribs, :format => :json
 
     assert_nil session[:user_id]
     assert_json_response user
@@ -59,7 +59,7 @@ class Api::UsersControllerTest < ActionController::TestCase
     assert !user.valid?
     Account.expects(:create).with(user_attribs).returns(user)
 
-    post :create, :user => user_attribs, :format => :json
+    api_post :create, :user => user_attribs, :format => :json
 
     assert_json_error user.errors.messages
     assert_response 422
@@ -67,7 +67,7 @@ class Api::UsersControllerTest < ActionController::TestCase
 
   test "admin can autocomplete users" do
     login :is_admin? => true
-    get :index, :query => 'a', :format => :json
+    api_get :index, :query => 'a', :format => :json
 
     assert_response :success
     assert assigns(:users)
@@ -76,7 +76,7 @@ class Api::UsersControllerTest < ActionController::TestCase
   test "create returns forbidden if registration is closed" do
     user_attribs = record_attributes_for :user
     with_config(allow_registration: false) do
-      post :create, :user => user_attribs, :format => :json
+      api_post :create, :user => user_attribs, :format => :json
       assert_response :forbidden
     end
   end
@@ -84,20 +84,20 @@ class Api::UsersControllerTest < ActionController::TestCase
   test "admin can show user" do
     user = FactoryGirl.create :user
     login :is_admin? => true
-    get :show, :id => 0, :login => user.login, :format => :json
+    api_get :show, :id => 0, :login => user.login, :format => :json
     assert_response :success
     assert_json_response user
-    get :show, :id => user.id, :format => :json
+    api_get :show, :id => user.id, :format => :json
     assert_response :success
     assert_json_response user
-    get :show, :id => "0", :format => :json
+    api_get :show, :id => "0", :format => :json
     assert_response :not_found
   end
 
   test "normal users cannot show user" do
     user = find_record :user
     login
-    get :show, :id => 0, :login => user.login, :format => :json
+    api_get :show, :id => 0, :login => user.login, :format => :json
     assert_access_denied
   end
 
@@ -106,9 +106,9 @@ class Api::UsersControllerTest < ActionController::TestCase
     with_config(allow_registration: false, invite_required: true) do
       monitor_auth do
         user_attribs = record_attributes_for :test_user
-        post :create, :user => user_attribs, :format => :json
+        api_post :create, :user => user_attribs, :format => :json
         assert_response :success
-        delete :destroy, :id => assigns(:user).id, :format => :json
+        api_delete :destroy, :id => assigns(:user).id, :format => :json
         assert_response :success
       end
     end
@@ -117,17 +117,17 @@ class Api::UsersControllerTest < ActionController::TestCase
   test "api monitor auth cannot create normal users" do
     monitor_auth do
       user_attribs = record_attributes_for :user
-      post :create, :user => user_attribs, :format => :json
+      api_post :create, :user => user_attribs, :format => :json
       assert_response :forbidden
     end
   end
 
-  test "api monitor auth cannot delete normal users" do
-    post :create, :user => record_attributes_for(:user), :format => :json
+  test "api monitor auth cannot api_delete normal users" do
+    api_post :create, :user => record_attributes_for(:user), :format => :json
     assert_response :success
     normal_user_id = assigns(:user).id
     monitor_auth do
-      delete :destroy, :id => normal_user_id, :format => :json
+      api_delete :destroy, :id => normal_user_id, :format => :json
       assert_response :forbidden
     end
   end
-- 
cgit v1.2.3


From ab1917c5fe0f03e7719863a5598ad575d9fef302 Mon Sep 17 00:00:00 2001
From: NavaL <ayoyo@thoughtworks.com>
Date: Thu, 14 Jul 2016 15:06:20 +0200
Subject: [feature] restrict is_admin in the user api, to only allow querying
 for him/herself

So that it we do not expose the is_admin property to anyone else
including other admins.
---
 test/functional/api/users_controller_test.rb | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

(limited to 'test/functional/api/users_controller_test.rb')

diff --git a/test/functional/api/users_controller_test.rb b/test/functional/api/users_controller_test.rb
index 32afd0a..b69770d 100644
--- a/test/functional/api/users_controller_test.rb
+++ b/test/functional/api/users_controller_test.rb
@@ -86,14 +86,22 @@ class Api::UsersControllerTest < ApiControllerTest
     login :is_admin? => true
     api_get :show, :id => 0, :login => user.login, :format => :json
     assert_response :success
-    assert_json_response user
+    assert_json_response user.to_hash
     api_get :show, :id => user.id, :format => :json
     assert_response :success
-    assert_json_response user
+    assert_json_response user.to_hash
     api_get :show, :id => "0", :format => :json
     assert_response :not_found
   end
 
+  test "admin can show is_admin property" do
+    user = FactoryGirl.create :user, login: "admin2"
+    login user
+    api_get :show, :id => user.id, :format => :json
+    assert_response :success
+    assert_json_response user.to_hash.merge(:is_admin => true)
+  end
+
   test "normal users cannot show user" do
     user = find_record :user
     login
-- 
cgit v1.2.3