require 'test_helper' class Api::UsersControllerTest < ApiControllerTest test "user can change settings" do user = find_record :user attribs = record_attributes_for(:user) changed_attribs = attribs.slice 'login', 'password_verifier', 'password_salt' account_settings = stub account_settings.expects(:update).with(changed_attribs) Account.expects(:new).with(user).returns(account_settings) login user api_put :update, :user => attribs, :id => user.id, :format => :json assert_equal user, assigns[:user] assert_response 204 assert @response.body.blank?, "Response should be blank" end test "deal with empty settings" do user = find_record :user login user assert_raises ActionController::ParameterMissing do api_put :update, :id => user.id, :format => :json end end test "admin can update user" do user = find_record :user attribs = record_attributes_for(:user) changed_attribs = attribs.slice 'login', 'password_verifier', 'password_salt' account_settings = stub account_settings.expects(:update).with(changed_attribs) Account.expects(:new).with(user).returns(account_settings) login :is_admin? => true api_put :update, :user => attribs, :id => user.id, :format => :json assert_equal user, assigns[:user] assert_response 204 end test "user cannot update other user" do user = find_record :user login api_put :update, id: user.id, user: record_attributes_for(:user_with_settings), :format => :json assert_access_denied end test "should create new user" do user_attribs = record_attributes_for :user user = User.new(user_attribs) Account.expects(:create).with(user_attribs).returns(user) api_post :create, :user => user_attribs, :format => :json assert_nil session[:user_id] assert_json_response user assert_response :success end test "should redirect to signup form on failed attempt" do user_attribs = record_attributes_for :user user_attribs.slice!('login') user = User.new(user_attribs) assert !user.valid? Account.expects(:create).with(user_attribs).returns(user) api_post :create, :user => user_attribs, :format => :json assert_json_error user.errors.messages assert_response 422 end test "admin can autocomplete users" do login :is_admin? => true api_get :index, :query => 'a', :format => :json assert_response :success assert assigns(:users) end test "create returns forbidden if registration is closed" do user_attribs = record_attributes_for :user with_config(allow_registration: false) do api_post :create, :user => user_attribs, :format => :json assert_response :forbidden end end test "admin can show user" do user = FactoryGirl.create :user login :is_admin? => true api_get :show, :id => 0, :login => user.login, :format => :json assert_response :success assert_json_response user.to_hash api_get :show, :id => user.id, :format => :json assert_response :success assert_json_response user.to_hash api_get :show, :id => "0", :format => :json assert_response :not_found end test "admin can show is_admin property" do admin = FactoryGirl.create :user with_config(admins: [admin.login]) do login admin api_get :show, :id => admin.id, :format => :json assert_response :success assert_json_response admin.to_hash.merge(:is_admin => true) end end test "normal users cannot show user" do user = find_record :user login api_get :show, :id => 0, :login => user.login, :format => :json assert_access_denied end test "api monitor auth can create and destroy test users" do # should work even with registration off and/or invites required with_config(allow_registration: false, invite_required: true) do monitor_auth do user_attribs = record_attributes_for :test_user api_post :create, :user => user_attribs, :format => :json assert_response :success api_delete :destroy, :id => assigns(:user).id, :format => :json assert_response :success end end end test "api monitor auth cannot create normal users" do monitor_auth do user_attribs = record_attributes_for :user api_post :create, :user => user_attribs, :format => :json assert_response :forbidden end end test "api monitor auth cannot api_delete normal users" do api_post :create, :user => record_attributes_for(:user), :format => :json assert_response :success normal_user_id = assigns(:user).id monitor_auth do api_delete :destroy, :id => normal_user_id, :format => :json assert_response :forbidden end end end