require 'test_helper'

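# Functional tests for the JSON users API.
#
# Besides the happy paths, these tests pin the authorization boundaries of
# the controller: which callers may update, create, list, show and delete
# users, and which attributes an update is allowed to forward to Account.
class Api::UsersControllerTest < ApiControllerTest

  test "user can change settings" do
    user = find_record :user
    attribs = record_attributes_for(:user)
    expect_account_update user, attribs

    login user
    api_put :update, user: attribs, id: user.id, format: :json

    assert_equal user, assigns[:user]
    assert_response 204
    assert @response.body.blank?, "Response should be blank"
  end

  test "deal with empty settings" do
    user = find_record :user
    login user
    # A PUT without a :user payload must fail fast on strong parameters
    # rather than reach Account#update with an empty hash.
    assert_raises ActionController::ParameterMissing do
      api_put :update, id: user.id, format: :json
    end
  end

  test "admin can update user" do
    user = find_record :user
    attribs = record_attributes_for(:user)
    expect_account_update user, attribs

    login :is_admin? => true
    api_put :update, user: attribs, id: user.id, format: :json

    assert_equal user, assigns[:user]
    assert_response 204
  end

  test "user cannot update other user" do
    user = find_record :user
    # `login` with no argument logs in some other (non-admin) user.
    login
    api_put :update,
      id: user.id,
      user: record_attributes_for(:user_with_settings),
      format: :json
    assert_access_denied
  end

  test "should create new user" do
    user_attribs = record_attributes_for :user
    user = User.new(user_attribs)
    Account.expects(:create).with(user_attribs).returns(user)

    api_post :create, user: user_attribs, format: :json

    # Sign-up must not log the new user in as a side effect.
    assert_nil session[:user_id]
    assert_json_response user
    assert_response :success
  end

  # NOTE: despite the name, the API does not redirect; a failed create
  # answers 422 with the model's validation errors as JSON.
  test "should redirect to signup form on failed attempt" do
    user_attribs = record_attributes_for :user
    user_attribs.slice!('login')
    user = User.new(user_attribs)
    refute user.valid?
    Account.expects(:create).with(user_attribs).returns(user)

    api_post :create, user: user_attribs, format: :json

    assert_json_error user.errors.messages
    assert_response 422
  end

  test "admin can autocomplete users" do
    login :is_admin? => true
    api_get :index, query: 'a', format: :json

    assert_response :success
    assert assigns(:users)
  end

  test "create returns forbidden if registration is closed" do
    user_attribs = record_attributes_for :user
    with_config(allow_registration: false) do
      api_post :create, user: user_attribs, format: :json
      assert_response :forbidden
    end
  end

  test "admin can show user" do
    user = FactoryBot.create :user
    login :is_admin? => true
    # id 0 together with :login — presumably the controller then looks the
    # user up by login; confirm against the controller.
    api_get :show, id: 0, login: user.login, format: :json
    assert_response :success
    assert_json_response user.to_hash
    api_get :show, id: user.id, format: :json
    assert_response :success
    assert_json_response user.to_hash
    # An id that matches no record (and no login given) must be a 404.
    api_get :show, id: "0", format: :json
    assert_response :not_found
  end

  test "admin can show is_admin property" do
    admin = FactoryBot.create :user
    with_config(admins: [admin.login]) do
      login admin
      api_get :show, id: admin.id, format: :json
      assert_response :success
      assert_json_response admin.to_hash.merge(is_admin: true)
    end
  end

  test "normal users cannot show user" do
    user = find_record :user
    login
    api_get :show, id: 0, login: user.login, format: :json
    assert_access_denied
  end

  test "api monitor auth can create and destroy test users" do
    # should work even with registration off and/or invites required
    with_config(allow_registration: false, invite_required: true) do
      monitor_auth do
        user_attribs = record_attributes_for :test_user
        api_post :create, user: user_attribs, format: :json
        assert_response :success
        api_delete :destroy, id: assigns(:user).id, format: :json
        assert_response :success
      end
    end
  end

  test "api monitor auth cannot create normal users" do
    monitor_auth do
      user_attribs = record_attributes_for :user
      api_post :create, user: user_attribs, format: :json
      assert_response :forbidden
    end
  end

  test "api monitor auth cannot api_delete normal users" do
    # The normal user is created through the public sign-up path first,
    # so only the destroy call below runs under monitor auth.
    api_post :create, user: record_attributes_for(:user), format: :json
    assert_response :success
    normal_user_id = assigns(:user).id
    monitor_auth do
      api_delete :destroy, id: normal_user_id, format: :json
      assert_response :forbidden
    end
  end

  private

  # Stub Account so the test pins exactly which attributes an update may
  # forward: only 'login', 'password_verifier' and 'password_salt' out of
  # +attribs+. Because the mocha expectation is +with(changed)+, the test
  # fails if the controller passes any other key through to Account#update.
  #
  # @param user [User] the record the controller is expected to wrap
  # @param attribs [Hash] full attribute hash submitted in the request
  def expect_account_update(user, attribs)
    changed = attribs.slice 'login',
      'password_verifier',
      'password_salt'
    account_settings = stub
    account_settings.expects(:update).with(changed)
    Account.expects(:new).with(user).returns(account_settings)
  end

end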