1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
|
require_relative '../../test_helper'
class Api::UsersControllerTest < ActionController::TestCase
test "user can change settings" do
user = find_record :user
changed_attribs = record_attributes_for :user_with_settings
account_settings = stub
account_settings.expects(:update).with(changed_attribs)
Account.expects(:new).with(user).returns(account_settings)
login user
put :update, :user => changed_attribs, :id => user.id, :format => :json
assert_equal user, assigns[:user]
assert_response 204
assert @response.body.blank?, "Response should be blank"
end
test "admin can update user" do
user = find_record :user
changed_attribs = record_attributes_for :user_with_settings
account_settings = stub
account_settings.expects(:update).with(changed_attribs)
Account.expects(:new).with(user).returns(account_settings)
login :is_admin? => true
put :update, :user => changed_attribs, :id => user.id, :format => :json
assert_equal user, assigns[:user]
assert_response 204
end
test "user cannot update other user" do
user = find_record :user
login
put :update, id: user.id,
user: record_attributes_for(:user_with_settings),
:format => :json
assert_access_denied
end
test "should create new user" do
user_attribs = record_attributes_for :user
user = User.new(user_attribs)
Account.expects(:create).with(user_attribs).returns(user)
post :create, :user => user_attribs, :format => :json
assert_nil session[:user_id]
assert_json_response user
assert_response :success
end
test "should redirect to signup form on failed attempt" do
user_attribs = record_attributes_for :user
user_attribs.slice!('login')
user = User.new(user_attribs)
assert !user.valid?
Account.expects(:create).with(user_attribs).returns(user)
post :create, :user => user_attribs, :format => :json
assert_json_error user.errors.messages
assert_response 422
end
test "admin can autocomplete users" do
login :is_admin? => true
get :index, :query => 'a', :format => :json
assert_response :success
assert assigns(:users)
end
test "create returns forbidden if registration is closed" do
user_attribs = record_attributes_for :user
with_config(allow_registration: false) do
post :create, :user => user_attribs, :format => :json
assert_response :forbidden
end
end
test "admin can show user" do
user = FactoryGirl.create :user
login :is_admin? => true
get :show, :id => 0, :login => user.login, :format => :json
assert_response :success
assert_json_response user
get :show, :id => user.id, :format => :json
assert_response :success
assert_json_response user
get :show, :id => "0", :format => :json
assert_response :not_found
end
test "normal users cannot show user" do
user = find_record :user
login
get :show, :id => 0, :login => user.login, :format => :json
assert_access_denied
end
test "api monitor auth can create and destroy test users" do
# should work even with registration off and/or invites required
with_config(allow_registration: false, invite_required: true) do
monitor_auth do
user_attribs = record_attributes_for :test_user
post :create, :user => user_attribs, :format => :json
assert_response :success
delete :destroy, :id => assigns(:user).id, :format => :json
assert_response :success
end
end
end
test "api monitor auth cannot create normal users" do
monitor_auth do
user_attribs = record_attributes_for :user
post :create, :user => user_attribs, :format => :json
assert_response :forbidden
end
end
test "api monitor auth cannot delete normal users" do
post :create, :user => record_attributes_for(:user), :format => :json
assert_response :success
normal_user_id = assigns(:user).id
monitor_auth do
delete :destroy, :id => normal_user_id, :format => :json
assert_response :forbidden
end
end
end
|