github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2024-11-26 06:43:44 +08:00
Code Issues Actions 6 Packages Projects Releases Wiki Activity
d91456fd53
discourse/spec/serializers/user_serializer_spec.rb

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

483 lines
15 KiB
Ruby
Raw Normal View History

DEV: use #frozen_string_literal: true on all spec This change both speeds up specs (less strings to allocate) and helps catch cases where methods in Discourse are mutating inputs. Overall we will be migrating everything to use #frozen_string_literal: true it will take a while, but this is the first and safest move in this direction
2019-04-30 08:27:42 +08:00
# frozen_string_literal: true
Add RSpec 4 compatibility (#17652) * Remove outdated option https://github.com/rspec/rspec-core/commit/04078317ba6577699d06cf4dccf014254dcde7a6 * Use the non-globally exposed RSpec syntax https://github.com/rspec/rspec-core/pull/2803 * Use the non-globally exposed RSpec syntax, cont https://github.com/rspec/rspec-core/pull/2803 * Comply to strict predicate matchers See: - https://github.com/rspec/rspec-expectations/pull/1195 - https://github.com/rspec/rspec-expectations/pull/1196 - https://github.com/rspec/rspec-expectations/pull/1277
2022-07-28 10:27:38 +08:00
RSpec.describe UserSerializer do
SECURITY: Mod should not see `group_users` and `second_factor_enabled`. Moderators should not be able to see `UserSerializer#group_users` and `UserSerializer#second_factor_enabled` of other users. Impact of leaking this is low because the information leaked is not exploitable.
2020-09-11 10:23:35 +08:00
fab!(:user) { Fabricate(:user, trust_level: 0) }
SiteSetting to hide regular names from users
2013-10-31 03:45:13 +08:00
FEATURE: restrict some user fields for TL0 users when viewed by anonymous users
2014-11-27 02:20:03 +08:00
context "with a TL0 user seen as anonymous" do
let(:serializer) { UserSerializer.new(user, scope: Guardian.new, root: false) }
let(:json) { serializer.as_json }
FIX: do not show website name on TL0 profile
2017-06-04 20:58:36 +08:00
let(:untrusted_attributes) do
%i[
bio_raw
bio_cooked
bio_excerpt
location
website
website_name
profile_background
card_background
DEV: Apply syntax_tree formatting to `spec/*`
2023-01-09 19:18:21 +08:00
]
end
FEATURE: restrict some user fields for TL0 users when viewed by anonymous users
2014-11-27 02:20:03 +08:00
it "doesn't serialize untrusted attributes" do
Update rspec syntax to v3 update rspec syntax to v3 change syntax to rspec v3 oops. fix typo mailers classes with rspec3 syntax helpers with rspec3 syntax jobs with rspec3 syntax serializers with rspec3 syntax views with rspec3 syntax support to rspec3 syntax category spec with rspec3 syntax
2014-12-31 22:55:03 +08:00
untrusted_attributes.each { |attr| expect(json).not_to have_key(attr) }
FEATURE: restrict some user fields for TL0 users when viewed by anonymous users
2014-11-27 02:20:03 +08:00
end
FIX: secondary_emails, unconfirmed_emails, group_users are private fields Those fields should be only visible to the user.
2020-06-16 08:43:06 +08:00
SECURITY: Mod should not see `group_users` and `second_factor_enabled`. Moderators should not be able to see `UserSerializer#group_users` and `UserSerializer#second_factor_enabled` of other users. Impact of leaking this is low because the information leaked is not exploitable.
2020-09-11 10:23:35 +08:00
it "serializes correctly" do
expect(json[:group_users]).to eq(nil)
expect(json[:second_factor_enabled]).to eq(nil)
end
end
context "as moderator" do
it "serializes correctly" do
json =
UserSerializer.new(user, scope: Guardian.new(Fabricate(:moderator)), root: false).as_json
expect(json[:group_users]).to eq(nil)
expect(json[:second_factor_enabled]).to eq(nil)
FIX: secondary_emails, unconfirmed_emails, group_users are private fields Those fields should be only visible to the user.
2020-06-16 08:43:06 +08:00
end
FEATURE: restrict some user fields for TL0 users when viewed by anonymous users
2014-11-27 02:20:03 +08:00
end
PERF: shift most user options out of the user table As it stands we load up user records quite frequently on the topic pages, this in turn pulls all the columns for the users being selected, just to discard them after they are loaded New structure keeps all options in a discrete table, this is better organised and allows us to easily add more column without worrying about bloating the user table
2016-02-17 12:46:19 +08:00
context "as current user" do
it "serializes options correctly" do
# so we serialize more stuff
PERF: move 3 more option columns out of the user table
2016-02-18 13:57:22 +08:00
SiteSetting.default_other_auto_track_topics_after_msecs = 0
Add notification level user preference when replying to a topic
2016-10-01 00:36:43 +08:00
SiteSetting.default_other_notification_level_when_replying = 3
PERF: move 3 more option columns out of the user table
2016-02-18 13:57:22 +08:00
SiteSetting.default_other_new_topic_duration_minutes = 60 * 24
PERF: shift most user options out of the user table As it stands we load up user records quite frequently on the topic pages, this in turn pulls all the columns for the users being selected, just to discard them after they are loaded New structure keeps all options in a discrete table, this is better organised and allows us to easily add more column without worrying about bloating the user table
2016-02-17 12:46:19 +08:00
DEV: Remove remaining hardcoded ids (#18735)
2022-10-25 15:29:09 +08:00
user = Fabricate(:user)
user.user_option.update(dynamic_favicon: true, skip_new_user_tips: true)
PERF: shift most user options out of the user table As it stands we load up user records quite frequently on the topic pages, this in turn pulls all the columns for the users being selected, just to discard them after they are loaded New structure keeps all options in a discrete table, this is better organised and allows us to easily add more column without worrying about bloating the user table
2016-02-17 12:46:19 +08:00
json = UserSerializer.new(user, scope: Guardian.new(user), root: false).as_json
FEATURE: remove user option for edit history public Users can no longer opt-in for "public" edit history if site owner disables it. This feature adds cost and complexity to post rendering since user options need to be premeptively loaded for every user in the stream. It is also confusing to explain to communities with private edit history.
2016-07-16 19:30:00 +08:00
expect(json[:user_option][:dynamic_favicon]).to eq(true)
FEATURE: add new user option `skip_new_user_tips`. (#10437) And add new site setting `default_other_skip_new_user_tips` in user preferences category.
2020-08-14 21:40:56 +08:00
expect(json[:user_option][:skip_new_user_tips]).to eq(true)
PERF: move 3 more option columns out of the user table
2016-02-18 13:57:22 +08:00
expect(json[:user_option][:new_topic_duration_minutes]).to eq(60 * 24)
expect(json[:user_option][:auto_track_topics_after_msecs]).to eq(0)
Add notification level user preference when replying to a topic
2016-10-01 00:36:43 +08:00
expect(json[:user_option][:notification_level_when_replying]).to eq(3)
FIX: secondary_emails, unconfirmed_emails, group_users are private fields Those fields should be only visible to the user.
2020-06-16 08:43:06 +08:00
expect(json[:group_users]).to eq([])
SECURITY: Mod should not see `group_users` and `second_factor_enabled`. Moderators should not be able to see `UserSerializer#group_users` and `UserSerializer#second_factor_enabled` of other users. Impact of leaking this is low because the information leaked is not exploitable.
2020-09-11 10:23:35 +08:00
expect(json[:second_factor_enabled]).to eq(false)
PERF: shift most user options out of the user table As it stands we load up user records quite frequently on the topic pages, this in turn pulls all the columns for the users being selected, just to discard them after they are loaded New structure keeps all options in a discrete table, this is better organised and allows us to easily add more column without worrying about bloating the user table
2016-02-17 12:46:19 +08:00
end
end
SiteSetting to hide regular names from users
2013-10-31 03:45:13 +08:00
context "with a user" do
FIX: Wrong scope used for notification levels user serializer (#13039) This is a recent regression introduced by https://github.com/discourse/discourse/pull/12937 which makes it so that when looking at a user profile that is not your own, specifically the category and tag notification settings, you would see your own settings instead of the target user. This is only a problem for admins because regular users cannot see these details for other users. The issue was that we were using `scope` in the serializer, which refers to the current user, rather than using a scope for the target user via `Guardian.new(user)`. However, on further inspection the `notification_levels_for` method for `TagUser` and `CategoryUser` did not actually need to be accepting an instance of Guardian, all that it was using it for was to check guardian.anonymous? which is just a fancy way of saying user.blank?. Changed this method to just accept a user instead and send the user in from the serializer.
2021-05-14 07:45:14 +08:00
let(:admin_user) { Fabricate(:admin) }
FIX: Ensure enforce 2FA for staff satisfied by security keys (#8316) * If a staff user created only a security key as their single 2FA option. they continued to be prompted to create a 2FA option because we only considered this condition satisfied if a TOTP was added. * The condition is now satisfied if TOTP OR security keys are enabled.
2019-11-08 13:11:53 +08:00
let(:scope) { Guardian.new }
More prefabrication
2019-05-10 18:59:31 +08:00
fab!(:user) { Fabricate(:user) }
FIX: Ensure enforce 2FA for staff satisfied by security keys (#8316) * If a staff user created only a security key as their single 2FA option. they continued to be prompted to create a 2FA option because we only considered this condition satisfied if a TOTP was added. * The condition is now satisfied if TOTP OR security keys are enabled.
2019-11-08 13:11:53 +08:00
let(:serializer) { UserSerializer.new(user, scope: scope, root: false) }
SiteSetting to hide regular names from users
2013-10-31 03:45:13 +08:00
let(:json) { serializer.as_json }
More prefabrication
2019-05-10 18:59:31 +08:00
fab!(:upload) { Fabricate(:upload) }
fab!(:upload2) { Fabricate(:upload) }
SiteSetting to hide regular names from users
2013-10-31 03:45:13 +08:00
FIX: Wrong scope used for notification levels user serializer (#13039) This is a recent regression introduced by https://github.com/discourse/discourse/pull/12937 which makes it so that when looking at a user profile that is not your own, specifically the category and tag notification settings, you would see your own settings instead of the target user. This is only a problem for admins because regular users cannot see these details for other users. The issue was that we were using `scope` in the serializer, which refers to the current user, rather than using a scope for the target user via `Guardian.new(user)`. However, on further inspection the `notification_levels_for` method for `TagUser` and `CategoryUser` did not actually need to be accepting an instance of Guardian, all that it was using it for was to check guardian.anonymous? which is just a fancy way of saying user.blank?. Changed this method to just accept a user instead and send the user in from the serializer.
2021-05-14 07:45:14 +08:00
context "when the scope user is admin" do
let(:scope) { Guardian.new(admin_user) }
it "returns the user's category notification levels, not the scope user's" do
category1 = Fabricate(:category)
category2 = Fabricate(:category)
category3 = Fabricate(:category)
category4 = Fabricate(:category)
CategoryUser.create(
category: category1,
user: user,
notification_level: CategoryUser.notification_levels[:muted],
)
CategoryUser.create(
category: Fabricate(:category),
user: admin_user,
notification_level: CategoryUser.notification_levels[:muted],
)
CategoryUser.create(
category: category2,
user: user,
notification_level: CategoryUser.notification_levels[:tracking],
)
CategoryUser.create(
category: Fabricate(:category),
user: admin_user,
notification_level: CategoryUser.notification_levels[:tracking],
)
CategoryUser.create(
category: category3,
user: user,
notification_level: CategoryUser.notification_levels[:watching],
)
CategoryUser.create(
category: Fabricate(:category),
user: admin_user,
notification_level: CategoryUser.notification_levels[:watching],
)
CategoryUser.create(
category: category4,
user: user,
notification_level: CategoryUser.notification_levels[:regular],
)
CategoryUser.create(
category: Fabricate(:category),
user: admin_user,
notification_level: CategoryUser.notification_levels[:regular],
)
expect(json[:muted_category_ids]).to eq([category1.id])
expect(json[:tracked_category_ids]).to eq([category2.id])
expect(json[:watched_category_ids]).to eq([category3.id])
expect(json[:regular_category_ids]).to eq([category4.id])
end
it "returns the user's tag notification levels, not the scope user's" do
tag1 = Fabricate(:tag)
tag2 = Fabricate(:tag)
tag3 = Fabricate(:tag)
tag4 = Fabricate(:tag)
TagUser.create(
tag: tag1,
user: user,
notification_level: TagUser.notification_levels[:muted],
)
TagUser.create(
tag: Fabricate(:tag),
user: admin_user,
notification_level: TagUser.notification_levels[:muted],
)
TagUser.create(
tag: tag2,
user: user,
notification_level: TagUser.notification_levels[:tracking],
)
TagUser.create(
tag: Fabricate(:tag),
user: admin_user,
notification_level: TagUser.notification_levels[:tracking],
)
TagUser.create(
tag: tag3,
user: user,
notification_level: TagUser.notification_levels[:watching],
)
TagUser.create(
tag: Fabricate(:tag),
user: admin_user,
notification_level: TagUser.notification_levels[:watching],
)
TagUser.create(
tag: tag4,
user: user,
notification_level: TagUser.notification_levels[:watching_first_post],
)
TagUser.create(
tag: Fabricate(:tag),
user: admin_user,
notification_level: TagUser.notification_levels[:watching_first_post],
)
expect(json[:muted_tags]).to eq([tag1.name])
expect(json[:tracked_tags]).to eq([tag2.name])
expect(json[:watched_tags]).to eq([tag3.name])
expect(json[:watching_first_post_tags]).to eq([tag4.name])
end
end
SiteSetting to hide regular names from users
2013-10-31 03:45:13 +08:00
context "with `enable_names` true" do
PERF: shift most user options out of the user table As it stands we load up user records quite frequently on the topic pages, this in turn pulls all the columns for the users being selected, just to discard them after they are loaded New structure keeps all options in a discrete table, this is better organised and allows us to easily add more column without worrying about bloating the user table
2016-02-17 12:46:19 +08:00
before { SiteSetting.enable_names = true }
SiteSetting to hide regular names from users
2013-10-31 03:45:13 +08:00
it "has a name" do
Update rspec syntax to v3 update rspec syntax to v3 change syntax to rspec v3 oops. fix typo mailers classes with rspec3 syntax helpers with rspec3 syntax jobs with rspec3 syntax serializers with rspec3 syntax views with rspec3 syntax support to rspec3 syntax category spec with rspec3 syntax
2014-12-31 22:55:03 +08:00
expect(json[:name]).to be_present
SiteSetting to hide regular names from users
2013-10-31 03:45:13 +08:00
end
end
context "with `enable_names` false" do
Nuke all `SiteSetting.stubs` from our codebase.
2017-07-07 14:09:14 +08:00
before { SiteSetting.enable_names = false }
SiteSetting to hide regular names from users
2013-10-31 03:45:13 +08:00
it "has a name" do
Update rspec syntax to v3 update rspec syntax to v3 change syntax to rspec v3 oops. fix typo mailers classes with rspec3 syntax helpers with rspec3 syntax jobs with rspec3 syntax serializers with rspec3 syntax views with rspec3 syntax support to rspec3 syntax category spec with rspec3 syntax
2014-12-31 22:55:03 +08:00
expect(json[:name]).to be_blank
SiteSetting to hide regular names from users
2013-10-31 03:45:13 +08:00
end
end
FIX: Properly associate user_profiles background urls via upload id. `Upload#url` is more likely and can change from time to time. When it does changes, we don't want to have to look through multiple tables to ensure that the URLs are all up to date. Instead, we simply associate uploads properly to `UserProfile` so that it does not have to replicate the URLs in the table.
2019-04-29 11:58:52 +08:00
context "with filled out backgrounds" do
move profile_background from User to UserProfile
2014-06-12 09:52:50 +08:00
before do
FIX: Properly associate user_profiles background urls via upload id. `Upload#url` is more likely and can change from time to time. When it does changes, we don't want to have to look through multiple tables to ensure that the URLs are all up to date. Instead, we simply associate uploads properly to `UserProfile` so that it does not have to replicate the URLs in the table.
2019-04-29 11:58:52 +08:00
user.user_profile.upload_card_background(upload)
user.user_profile.upload_profile_background(upload2)
move profile_background from User to UserProfile
2014-06-12 09:52:50 +08:00
end
it "has a profile background" do
FIX: Properly associate user_profiles background urls via upload id. `Upload#url` is more likely and can change from time to time. When it does changes, we don't want to have to look through multiple tables to ensure that the URLs are all up to date. Instead, we simply associate uploads properly to `UserProfile` so that it does not have to replicate the URLs in the table.
2019-04-29 11:58:52 +08:00
expect(json[:card_background_upload_url]).to eq(upload.url)
expect(json[:profile_background_upload_url]).to eq(upload2.url)
move profile_background from User to UserProfile
2014-06-12 09:52:50 +08:00
end
end
do not use try in UserSerializer for fields coming from UserProfile
2014-06-08 03:52:51 +08:00
context "with filled out website" do
Add spec for website name when url has subdomain
2016-04-11 13:53:50 +08:00
context "when website has a path" do
before { user.user_profile.website = "http://example.com/user" }
SiteSetting to hide regular names from users
2013-10-31 03:45:13 +08:00
Add spec for website name when url has subdomain
2016-04-11 13:53:50 +08:00
it "has a website with a path" do
expect(json[:website]).to eq "http://example.com/user"
end
it "returns complete website name with path" do
expect(json[:website_name]).to eq "example.com/user"
end
UX: show complete URL path if website domain is same as instance domain
2015-08-10 16:07:53 +08:00
end
Add spec for website name when url has subdomain
2016-04-11 13:53:50 +08:00
context "when website has a subdomain" do
Remove www. from website name
2016-04-11 22:13:33 +08:00
before { user.user_profile.website = "http://subdomain.example.com/user" }
Add spec for website name when url has subdomain
2016-04-11 13:53:50 +08:00
it "has a website with a subdomain" do
Remove www. from website name
2016-04-11 22:13:33 +08:00
expect(json[:website]).to eq "http://subdomain.example.com/user"
Add spec for website name when url has subdomain
2016-04-11 13:53:50 +08:00
end
it "returns website name with the subdomain" do
Remove www. from website name
2016-04-11 22:13:33 +08:00
expect(json[:website_name]).to eq "subdomain.example.com/user"
end
end
context "when website has www" do
before { user.user_profile.website = "http://www.example.com/user" }
it "has a website with the www" do
expect(json[:website]).to eq "http://www.example.com/user"
end
it "returns website name without the www" do
expect(json[:website_name]).to eq "example.com/user"
Add spec for website name when url has subdomain
2016-04-11 13:53:50 +08:00
end
UX: Show website path in website name for all domains Query parameters are still truncated in website name
2016-04-09 19:52:55 +08:00
end
context "when website includes query parameters" do
before { user.user_profile.website = "http://example.com/user?ref=payme" }
UX: show complete URL path if website domain is same as instance domain
2015-08-10 16:07:53 +08:00
UX: Show website path in website name for all domains Query parameters are still truncated in website name
2016-04-09 19:52:55 +08:00
it "has a website with query params" do
expect(json[:website]).to eq "http://example.com/user?ref=payme"
UX: show complete URL path if website domain is same as instance domain
2015-08-10 16:07:53 +08:00
end
UX: Show website path in website name for all domains Query parameters are still truncated in website name
2016-04-09 19:52:55 +08:00
it "has a website name without query params" do
UX: show complete URL path if website domain is same as instance domain
2015-08-10 16:07:53 +08:00
expect(json[:website_name]).to eq "example.com/user"
end
do not use try in UserSerializer for fields coming from UserProfile
2014-06-08 03:52:51 +08:00
end
UX: Show website path in website name for all domains Query parameters are still truncated in website name
2016-04-09 19:52:55 +08:00
context "when website is not a valid url" do
before { user.user_profile.website = "invalid-url" }
it "has a website with the invalid url" do
expect(json[:website]).to eq "invalid-url"
end
it "has a nil website name" do
expect(json[:website_name]).to eq nil
end
end
do not use try in UserSerializer for fields coming from UserProfile
2014-06-08 03:52:51 +08:00
end
move bio to UserProfile from User
2014-06-10 13:19:08 +08:00
context "with filled out bio" do
before do
user.user_profile.bio_raw = "my raw bio"
user.user_profile.bio_cooked = "my cooked bio"
end
it "has a bio" do
expect(json[:bio_raw]).to eq "my raw bio"
end
it "has a cooked bio" do
expect(json[:bio_cooked]).to eq "my cooked bio"
end
end
FIX: Ensure enforce 2FA for staff satisfied by security keys (#8316) * If a staff user created only a security key as their single 2FA option. they continued to be prompted to create a 2FA option because we only considered this condition satisfied if a TOTP was added. * The condition is now satisfied if TOTP OR security keys are enabled.
2019-11-08 13:11:53 +08:00
describe "second_factor_enabled" do
let(:scope) { Guardian.new(user) }
it "is false by default" do
expect(json[:second_factor_enabled]).to eq(false)
end
context "when totp enabled" do
before { User.any_instance.stubs(:totp_enabled?).returns(true) }
it "is true" do
expect(json[:second_factor_enabled]).to eq(true)
end
end
context "when security_keys enabled" do
before { User.any_instance.stubs(:security_keys_enabled?).returns(true) }
it "is true" do
expect(json[:second_factor_enabled]).to eq(true)
end
end
end
PERF: Reduce DB queries when serializing ignore/mute information (#8629) * PERF: Cache ignored and muted user ids in the current_user object * PERF: Avoid DB queries when checking ignore/mute permission in guardian
2020-01-02 21:04:08 +08:00
describe "ignored and muted" do
fab!(:viewing_user) { Fabricate(:user) }
let(:scope) { Guardian.new(viewing_user) }
it "returns false values for muted and ignored" do
expect(json[:ignored]).to eq(false)
expect(json[:muted]).to eq(false)
end
context "when ignored" do
before do
Fabricate(:ignored_user, user: viewing_user, ignored_user: user)
viewing_user.reload
end
it "returns true for ignored" do
expect(json[:ignored]).to eq(true)
expect(json[:muted]).to eq(false)
end
end
context "when muted" do
before do
Fabricate(:muted_user, user: viewing_user, muted_user: user)
viewing_user.reload
end
it "returns true for muted" do
expect(json[:muted]).to eq(true)
expect(json[:ignored]).to eq(false)
end
end
end
SiteSetting to hide regular names from users
2013-10-31 03:45:13 +08:00
end
FIX: public_user_custom_fields are returned by UserSerializer
2014-08-19 23:05:35 +08:00
context "with custom_fields" do
DEV: Prefabrication (test optimization) (#7414) * Introduced fab!, a helper that creates database state for a group It's almost identical to let_it_be, except: 1. It creates a new object for each test by default, 2. You can disable it using PREFABRICATION=0
2019-05-07 11:12:20 +08:00
fab!(:user) { Fabricate(:user) }
FIX: public_user_custom_fields are returned by UserSerializer
2014-08-19 23:05:35 +08:00
let(:json) { UserSerializer.new(user, scope: Guardian.new, root: false).as_json }
before do
user.custom_fields["secret_field"] = "Only for me to know"
user.custom_fields["public_field"] = "Everyone look here"
user.save
end
it "doesn't serialize the fields by default" do
json[:custom_fields]
Update rspec syntax to v3 update rspec syntax to v3 change syntax to rspec v3 oops. fix typo mailers classes with rspec3 syntax helpers with rspec3 syntax jobs with rspec3 syntax serializers with rspec3 syntax views with rspec3 syntax support to rspec3 syntax category spec with rspec3 syntax
2014-12-31 22:55:03 +08:00
expect(json[:custom_fields]).to be_empty
FIX: public_user_custom_fields are returned by UserSerializer
2014-08-19 23:05:35 +08:00
end
it "serializes the fields listed in public_user_custom_fields site setting" do
Nuke all `SiteSetting.stubs` from our codebase.
2017-07-07 14:09:14 +08:00
SiteSetting.public_user_custom_fields = "public_field"
Update rspec syntax to v3 update rspec syntax to v3 change syntax to rspec v3 oops. fix typo mailers classes with rspec3 syntax helpers with rspec3 syntax jobs with rspec3 syntax serializers with rspec3 syntax views with rspec3 syntax support to rspec3 syntax category spec with rspec3 syntax
2014-12-31 22:55:03 +08:00
expect(json[:custom_fields]["public_field"]).to eq(user.custom_fields["public_field"])
expect(json[:custom_fields]["secret_field"]).to eq(nil)
FIX: public_user_custom_fields are returned by UserSerializer
2014-08-19 23:05:35 +08:00
end
FEATURE: Allow plugins to whitelist user custom fields for public display (#6499) This works exactly the same as `whitelist_staff_user_custom_fields`, but is not limited to staff
2018-10-17 17:33:27 +08:00
DEV: Cleanup properly after user_serializer test
2018-10-17 17:54:22 +08:00
context "with user custom field" do
before do
plugin = Plugin::Instance.new
FIX: use allowlist and blocklist terminology (#10209) This is a PR of the renaming whitelist to allowlist and blacklist to the blocklist.
2020-07-27 08:23:54 +08:00
plugin.allow_public_user_custom_field :public_field
DEV: Cleanup properly after user_serializer test
2018-10-17 17:54:22 +08:00
end
DEV: Add framework for filtered plugin registers (#9763) * DEV: Add framework for filtered plugin registers Plugins often need to add values to a list, and we need to filter those lists at runtime to ignore values from disabled plugins. This commit provides a re-usable way to do that, which should make it easier to add new registers in future, and also reduce repeated code. Follow-up commits will migrate existing registers to use this new system * DEV: Migrate user and group custom field APIs to plugin registry This gives us a consistent system for checking plugin enabled state, so we are repeating less logic. API changes are backwards compatible
2020-05-15 21:04:38 +08:00
after { DiscoursePluginRegistry.reset! }
DEV: Cleanup properly after user_serializer test
2018-10-17 17:54:22 +08:00
DEV: Add framework for filtered plugin registers (#9763) * DEV: Add framework for filtered plugin registers Plugins often need to add values to a list, and we need to filter those lists at runtime to ignore values from disabled plugins. This commit provides a re-usable way to do that, which should make it easier to add new registers in future, and also reduce repeated code. Follow-up commits will migrate existing registers to use this new system * DEV: Migrate user and group custom field APIs to plugin registry This gives us a consistent system for checking plugin enabled state, so we are repeating less logic. API changes are backwards compatible
2020-05-15 21:04:38 +08:00
it "serializes the fields listed in public_user_custom_fields" do
DEV: Cleanup properly after user_serializer test
2018-10-17 17:54:22 +08:00
expect(json[:custom_fields]["public_field"]).to eq(user.custom_fields["public_field"])
expect(json[:custom_fields]["secret_field"]).to eq(nil)
end
FEATURE: Allow plugins to whitelist user custom fields for public display (#6499) This works exactly the same as `whitelist_staff_user_custom_fields`, but is not limited to staff
2018-10-17 17:33:27 +08:00
end
FIX: public_user_custom_fields are returned by UserSerializer
2014-08-19 23:05:35 +08:00
end
FIX: Do not serialize user fields unless they are specified for display (#6736)
2018-12-07 18:57:28 +08:00
context "with user fields" do
DEV: Prefabrication (test optimization) (#7414) * Introduced fab!, a helper that creates database state for a group It's almost identical to let_it_be, except: 1. It creates a new object for each test by default, 2. You can disable it using PREFABRICATION=0
2019-05-07 11:12:20 +08:00
fab!(:user) { Fabricate(:user) }
FIX: Do not serialize user fields unless they are specified for display (#6736)
2018-12-07 18:57:28 +08:00
let! :fields do
[
Fabricate(:user_field),
Fabricate(:user_field),
Fabricate(:user_field, show_on_profile: true),
Fabricate(:user_field, show_on_user_card: true),
Fabricate(:user_field, show_on_user_card: true, show_on_profile: true),
]
end
let(:other_user_json) do
UserSerializer.new(user, scope: Guardian.new(Fabricate(:user)), root: false).as_json
DEV: Apply syntax_tree formatting to `spec/*`
2023-01-09 19:18:21 +08:00
end
FIX: Do not serialize user fields unless they are specified for display (#6736)
2018-12-07 18:57:28 +08:00
let(:self_json) { UserSerializer.new(user, scope: Guardian.new(user), root: false).as_json }
let(:admin_json) do
UserSerializer.new(user, scope: Guardian.new(Fabricate(:admin)), root: false).as_json
DEV: Apply syntax_tree formatting to `spec/*`
2023-01-09 19:18:21 +08:00
end
FIX: Do not serialize user fields unless they are specified for display (#6736)
2018-12-07 18:57:28 +08:00
it "includes the correct fields for each audience" do
expect(admin_json[:user_fields].keys).to contain_exactly(*fields.map { |f| f.id.to_s })
expect(other_user_json[:user_fields].keys).to contain_exactly(
*fields[2..5].map { |f| f.id.to_s },
)
expect(self_json[:user_fields].keys).to contain_exactly(*fields.map { |f| f.id.to_s })
end
end
Add spec for UserSerializer and UserApiKey.
2018-08-23 05:19:01 +08:00
context "with user_api_keys" do
DEV: Prefabrication (test optimization) (#7414) * Introduced fab!, a helper that creates database state for a group It's almost identical to let_it_be, except: 1. It creates a new object for each test by default, 2. You can disable it using PREFABRICATION=0
2019-05-07 11:12:20 +08:00
fab!(:user) { Fabricate(:user) }
Add spec for UserSerializer and UserApiKey.
2018-08-23 05:19:01 +08:00
it "sorts keys by last used time" do
freeze_time
user_api_key_0 =
Fabricate(
:readonly_user_api_key,
user: user,
last_used_at: 2.days.ago,
revoked_at: Time.zone.now,
)
user_api_key_1 = Fabricate(:readonly_user_api_key, user: user, last_used_at: 7.days.ago)
user_api_key_2 = Fabricate(:readonly_user_api_key, user: user, last_used_at: 1.days.ago)
user_api_key_3 =
Fabricate(
:readonly_user_api_key,
user: user,
last_used_at: 4.days.ago,
revoked_at: Time.zone.now,
)
user_api_key_4 = Fabricate(:readonly_user_api_key, user: user, last_used_at: 3.days.ago)
json = UserSerializer.new(user, scope: Guardian.new(user), root: false).as_json
expect(json[:user_api_keys].size).to eq(3)
expect(json[:user_api_keys][0][:id]).to eq(user_api_key_1.id)
expect(json[:user_api_keys][1][:id]).to eq(user_api_key_4.id)
expect(json[:user_api_keys][2][:id]).to eq(user_api_key_2.id)
end
end
DEV: Route PM only tags to PM tags show route (#17870) Previously, PM only tags were being routed to the public topic list with the tag added as a filter. However, the public topic list does not fetch PMs and hence PM only tags did not provide any value when added to the Sidebar. This commit changes that by allowing the client to differentiate PM only tag and thus routes the link to the PM tags show route. Counts for PM only tags section links are not supported as of this commit and will be added in a follow up commit.
2022-08-12 11:26:56 +08:00
DEV: Add routes and controller actions for passkeys (2/3) (#23587) This is part 2 (of 3) for passkeys support. This adds a hidden site setting plus routes and controller actions. 1. registering passkeys Passkeys are registered in a two-step process. First, `create_passkey` returns details for the browser to create a passkey. This includes - a challenge - the relying party ID and Origin - the user's secure identifier - the supported algorithms - the user's existing passkeys (if any) Then the browser creates a key with this information, and submits it to the server via `register_passkey`. 2. authenticating passkeys A similar process happens here as well. First, a challenge is created and sent to the browser. Then the browser makes a public key credential and submits it to the server via `passkey_auth_perform`. 3. renaming/deleting passkeys These routes allow changing the name of a key and deleting it. 4. checking if session is trusted for sensitive actions Since a passkey is a password replacement, we want to make sure to confirm the user's identity before allowing adding/deleting passkeys. The u/trusted-session GET route returns success if user has confirmed their session (and failed if user hasn't). In the frontend (in the next PR), we're using these routes to show the password confirmation screen. The `/u/confirm-session` route allows the user to confirm their session with a password. The latter route's functionality already existed in core, under the 2FA flow, but it has been abstracted into its own here so it can be used independently. Co-authored-by: Alan Guo Xiang Tan <gxtan1990@gmail.com>
2023-10-12 02:36:54 +08:00
context "with user_passkeys" do
fab!(:user) { Fabricate(:user) }
DEV: Add UI for passkeys (3/3) (#23853) Adds UI elements for registering a passkey and logging in with it. The feature is still in an early stage, interested parties that want to try it can use the `experimental_passkeys` site setting (via Rails console). See PR for more details. --------- Co-authored-by: Joffrey JAFFEUX <j.jaffeux@gmail.com>
2023-10-14 00:24:06 +08:00
fab!(:passkey0) do
Fabricate(:passkey_with_random_credential, user: user, created_at: 5.hours.ago)
end
fab!(:passkey1) do
Fabricate(:passkey_with_random_credential, user: user, created_at: 2.hours.ago)
end
DEV: Add routes and controller actions for passkeys (2/3) (#23587) This is part 2 (of 3) for passkeys support. This adds a hidden site setting plus routes and controller actions. 1. registering passkeys Passkeys are registered in a two-step process. First, `create_passkey` returns details for the browser to create a passkey. This includes - a challenge - the relying party ID and Origin - the user's secure identifier - the supported algorithms - the user's existing passkeys (if any) Then the browser creates a key with this information, and submits it to the server via `register_passkey`. 2. authenticating passkeys A similar process happens here as well. First, a challenge is created and sent to the browser. Then the browser makes a public key credential and submits it to the server via `passkey_auth_perform`. 3. renaming/deleting passkeys These routes allow changing the name of a key and deleting it. 4. checking if session is trusted for sensitive actions Since a passkey is a password replacement, we want to make sure to confirm the user's identity before allowing adding/deleting passkeys. The u/trusted-session GET route returns success if user has confirmed their session (and failed if user hasn't). In the frontend (in the next PR), we're using these routes to show the password confirmation screen. The `/u/confirm-session` route allows the user to confirm their session with a password. The latter route's functionality already existed in core, under the 2FA flow, but it has been abstracted into its own here so it can be used independently. Co-authored-by: Alan Guo Xiang Tan <gxtan1990@gmail.com>
2023-10-12 02:36:54 +08:00
it "does not include them if feature is disabled" do
json = UserSerializer.new(user, scope: Guardian.new(user), root: false).as_json
expect(json[:user_passkeys]).to eq(nil)
end
it "includes passkeys if feature is enabled" do
SiteSetting.experimental_passkeys = true
json = UserSerializer.new(user, scope: Guardian.new(user), root: false).as_json
DEV: Add UI for passkeys (3/3) (#23853) Adds UI elements for registering a passkey and logging in with it. The feature is still in an early stage, interested parties that want to try it can use the `experimental_passkeys` site setting (via Rails console). See PR for more details. --------- Co-authored-by: Joffrey JAFFEUX <j.jaffeux@gmail.com>
2023-10-14 00:24:06 +08:00
expect(json[:user_passkeys][0][:id]).to eq(passkey0.id)
expect(json[:user_passkeys][0][:name]).to eq(passkey0.name)
expect(json[:user_passkeys][0][:last_used]).to eq(passkey0.last_used)
expect(json[:user_passkeys][1][:id]).to eq(passkey1.id)
DEV: Add routes and controller actions for passkeys (2/3) (#23587) This is part 2 (of 3) for passkeys support. This adds a hidden site setting plus routes and controller actions. 1. registering passkeys Passkeys are registered in a two-step process. First, `create_passkey` returns details for the browser to create a passkey. This includes - a challenge - the relying party ID and Origin - the user's secure identifier - the supported algorithms - the user's existing passkeys (if any) Then the browser creates a key with this information, and submits it to the server via `register_passkey`. 2. authenticating passkeys A similar process happens here as well. First, a challenge is created and sent to the browser. Then the browser makes a public key credential and submits it to the server via `passkey_auth_perform`. 3. renaming/deleting passkeys These routes allow changing the name of a key and deleting it. 4. checking if session is trusted for sensitive actions Since a passkey is a password replacement, we want to make sure to confirm the user's identity before allowing adding/deleting passkeys. The u/trusted-session GET route returns success if user has confirmed their session (and failed if user hasn't). In the frontend (in the next PR), we're using these routes to show the password confirmation screen. The `/u/confirm-session` route allows the user to confirm their session with a password. The latter route's functionality already existed in core, under the 2FA flow, but it has been abstracted into its own here so it can be used independently. Co-authored-by: Alan Guo Xiang Tan <gxtan1990@gmail.com>
2023-10-12 02:36:54 +08:00
end
end
FIX: Admin can't see user sidebar preferences of other users (#19570)
2022-12-23 11:45:29 +08:00
context "for user sidebar attributes" do
include_examples "User Sidebar Serializer Attributes", described_class
DEV: Route PM only tags to PM tags show route (#17870) Previously, PM only tags were being routed to the public topic list with the tag added as a filter. However, the public topic list does not fetch PMs and hence PM only tags did not provide any value when added to the Sidebar. This commit changes that by allowing the client to differentiate PM only tag and thus routes the link to the PM tags show route. Counts for PM only tags section links are not supported as of this commit and will be added in a follow up commit.
2022-08-12 11:26:56 +08:00
FIX: Admin can't see user sidebar preferences of other users (#19570)
2022-12-23 11:45:29 +08:00
it "does not include attributes when scoped to user that cannot edit user" do
user2 = Fabricate(:user)
serializer = described_class.new(user, scope: Guardian.new(user2), root: false)
DEV: Route PM only tags to PM tags show route (#17870) Previously, PM only tags were being routed to the public topic list with the tag added as a filter. However, the public topic list does not fetch PMs and hence PM only tags did not provide any value when added to the Sidebar. This commit changes that by allowing the client to differentiate PM only tag and thus routes the link to the PM tags show route. Counts for PM only tags section links are not supported as of this commit and will be added in a follow up commit.
2022-08-12 11:26:56 +08:00
FIX: Admin can't see user sidebar preferences of other users (#19570)
2022-12-23 11:45:29 +08:00
expect(serializer.as_json[:sidebar_category_ids]).to eq(nil)
expect(serializer.as_json[:sidebar_tags]).to eq(nil)
expect(serializer.as_json[:display_sidebar_tags]).to eq(nil)
DEV: Route PM only tags to PM tags show route (#17870) Previously, PM only tags were being routed to the public topic list with the tag added as a filter. However, the public topic list does not fetch PMs and hence PM only tags did not provide any value when added to the Sidebar. This commit changes that by allowing the client to differentiate PM only tag and thus routes the link to the PM tags show route. Counts for PM only tags section links are not supported as of this commit and will be added in a follow up commit.
2022-08-12 11:26:56 +08:00
end
end
SiteSetting to hide regular names from users
2013-10-31 03:45:13 +08:00
end
Reference in New Issue Copy Permalink