github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-01-16 06:02:41 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity
98fa42f2e2
discourse/spec/requests/admin/screened_emails_controller_spec.rb
Krzysztof Kotlarek 95564a3df2 SECURITY: Moderators cannot see user emails. 
Unless `moderators_view_emails` SiteSetting is enabled, moderators should not be able to discover users’ emails.
2024-12-19 13:13:18 -03:00

107 lines
2.9 KiB
Ruby
Raw Blame History

# frozen_string_literal: true
RSpec.describe Admin::ScreenedEmailsController do
fab!(:admin)
fab!(:moderator)
fab!(:user)
fab!(:screened_email)
describe "#index" do
shared_examples "screened emails accessible" do
it "returns screened emails" do
get "/admin/logs/screened_emails.json"
expect(response.status).to eq(200)
json = response.parsed_body
expect(json.size).to eq(1)
end
end
context "when logged in as an admin" do
before { sign_in(admin) }
include_examples "screened emails accessible"
end
context "when logged in as a moderator and has permission to view emails" do
before do
sign_in(moderator)
SiteSetting.moderators_view_emails = true
end
include_examples "screened emails accessible"
end
context "when logged in as a non-staff user" do
before { sign_in(user) }
it "denies access with a 404 response" do
get "/admin/logs/screened_emails.json"
expect(response.status).to eq(404)
expect(response.parsed_body["errors"]).to include(I18n.t("not_found"))
end
end
context "when logged in as a moderator but no permission to view emails" do
before { sign_in(moderator) }
it "denies access with a 403 response" do
get "/admin/logs/screened_emails.json"
expect(response.status).to eq(403)
expect(response.parsed_body["errors"]).to include(I18n.t("invalid_access"))
end
end
end
describe "#destroy" do
shared_examples "screened email deletion possible" do
it "deletes screened email" do
expect do delete "/admin/logs/screened_emails/#{screened_email.id}.json" end.to change {
ScreenedEmail.count
}.by(-1)
expect(response.status).to eq(200)
end
end
context "when logged in as an admin" do
before { sign_in(admin) }
include_examples "screened email deletion possible"
end
context "when logged in as a moderator and has permission to view emails" do
before do
sign_in(moderator)
SiteSetting.moderators_view_emails = true
end
include_examples "screened email deletion possible"
end
context "when logged in as a non-staff user" do
before { sign_in(user) }
it "prevents deletion with a 404 response" do
delete "/admin/logs/screened_emails/#{screened_email.id}.json"
expect(response.status).to eq(404)
expect(response.parsed_body["errors"]).to include(I18n.t("not_found"))
end
end
context "when logged in as a moderator but no permission to view emails" do
before { sign_in(moderator) }
it "prevents deletion with a 403 response" do
delete "/admin/logs/screened_emails/#{screened_email.id}.json"
expect(response.status).to eq(403)
expect(response.parsed_body["errors"]).to include(I18n.t("invalid_access"))
end
end
end
end
Reference in New Issue View Git Blame Copy Permalink