github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2024-11-28 09:15:27 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity
88ef5e55fe
discourse/spec/requests/groups_controller_spec.rb
Sam Saffron 704c579550 FIX: do not allow unbound membership lookups 
Previously we would allow looking up membership limits in an unbound way
via the API, this introduces an upper limit of 1000 per page.
2019-06-17 15:32:06 +10:00

1504 lines
43 KiB
Ruby
Raw Blame History

# frozen_string_literal: true
require 'rails_helper'
describe GroupsController do
fab!(:user) { Fabricate(:user) }
let(:group) { Fabricate(:group, users: [user]) }
let(:moderator_group_id) { Group::AUTO_GROUPS[:moderators] }
fab!(:admin) { Fabricate(:admin) }
fab!(:moderator) { Fabricate(:moderator) }
describe '#index' do
let(:staff_group) do
Fabricate(:group, name: '0000', visibility_level: Group.visibility_levels[:staff])
end
context 'when group directory is disabled' do
before do
SiteSetting.enable_group_directory = false
end
it 'should deny access for an anon user' do
get "/groups.json"
expect(response.status).to eq(403)
end
it 'should deny access for a normal user' do
get "/groups.json"
expect(response.status).to eq(403)
end
it 'should not deny access for an admin' do
sign_in(admin)
get "/groups.json"
expect(response.status).to eq(200)
end
it 'should not deny access for a moderator' do
sign_in(moderator)
get "/groups.json"
expect(response.status).to eq(200)
end
end
context 'searchable' do
it 'should return the right response' do
other_group = Fabricate(:group, name: 'testing')
get "/groups.json", params: { filter: 'test' }
expect(response.status).to eq(200)
response_body = JSON.parse(response.body)
expect(response_body["groups"].first["id"]).to eq(other_group.id)
expect(response_body["load_more_groups"]).to eq(
"/groups?filter=test&page=1"
)
end
end
context 'sortable' do
let!(:other_group) { Fabricate(:group, name: "zzzzzz", users: [user]) }
%w{
desc
asc
}.each do |order|
context "#{order} order" do
it 'should return the right response' do
is_asc = order == 'asc'
params = { order: 'name' }
params.merge!(asc: true) if is_asc
group
get "/groups.json", params: params
expect(response.status).to eq(200)
group_ids = [moderator_group_id, group.id, other_group.id]
group_ids.reverse! if !is_asc
response_body = JSON.parse(response.body)
expect(response_body["groups"].map { |group| group["id"] })
.to eq(group_ids)
expect(response_body["load_more_groups"]).to eq(
"/groups?#{is_asc ? 'asc=true&' : '' }order=name&page=1"
)
end
end
end
context 'ascending order' do
it 'should return the right response' do
group
get "/groups.json", params: { order: 'name' }
expect(response.status).to eq(200)
response_body = JSON.parse(response.body)
expect(response_body["groups"].map { |group| group["id"] })
.to eq([other_group.id, group.id, moderator_group_id])
expect(response_body["load_more_groups"]).to eq(
"/groups?order=name&page=1"
)
end
end
end
it 'should return the right response' do
group
staff_group
get "/groups.json"
expect(response.status).to eq(200)
response_body = JSON.parse(response.body)
group_ids = response_body["groups"].map { |g| g["id"] }
expect(group_ids).to include(group.id)
expect(group_ids).to_not include(staff_group.id)
expect(response_body["load_more_groups"]).to eq("/groups?page=1")
expect(response_body["total_rows_groups"]).to eq(2)
expect(response_body["extras"]["type_filters"].map(&:to_sym)).to eq(
described_class::TYPE_FILTERS.keys - [:my, :owner, :automatic]
)
end
context 'viewing groups of another user' do
describe 'when an invalid username is given' do
it 'should return the right response' do
group
get "/groups.json", params: { username: 'asdasd' }
expect(response.status).to eq(404)
end
end
it 'should return the right response' do
user2 = Fabricate(:user)
group
sign_in(user2)
get "/groups.json", params: { username: user.username }
expect(response.status).to eq(200)
response_body = JSON.parse(response.body)
group_ids = response_body["groups"].map { |g| g["id"] }
expect(group_ids).to contain_exactly(group.id)
end
end
context 'viewing as an admin' do
fab!(:admin) { Fabricate(:admin) }
before do
sign_in(admin)
group.add(admin)
group.add_owner(admin)
end
it 'should return the right response' do
staff_group
get "/groups.json"
expect(response.status).to eq(200)
response_body = JSON.parse(response.body)
group_ids = response_body["groups"].map { |g| g["id"] }
group_body = response_body["groups"].find { |g| g["id"] == group.id }
expect(group_body["is_group_user"]).to eq(true)
expect(group_body["is_group_owner"]).to eq(true)
expect(group_ids).to include(group.id, staff_group.id)
expect(response_body["load_more_groups"]).to eq("/groups?page=1")
expect(response_body["total_rows_groups"]).to eq(10)
expect(response_body["extras"]["type_filters"].map(&:to_sym)).to eq(
described_class::TYPE_FILTERS.keys
)
end
context 'filterable by type' do
def expect_type_to_return_right_groups(type, expected_group_ids)
get "/groups.json", params: { type: type }
expect(response.status).to eq(200)
response_body = JSON.parse(response.body)
group_ids = response_body["groups"].map { |g| g["id"] }
expect(response_body["total_rows_groups"]).to eq(expected_group_ids.count)
expect(group_ids).to contain_exactly(*expected_group_ids)
end
describe 'my groups' do
it 'should return the right response' do
expect_type_to_return_right_groups('my', [group.id])
end
end
describe 'owner groups' do
it 'should return the right response' do
group2 = Fabricate(:group)
_group3 = Fabricate(:group)
group2.add_owner(admin)
expect_type_to_return_right_groups('owner', [group.id, group2.id])
end
end
describe 'automatic groups' do
it 'should return the right response' do
expect_type_to_return_right_groups(
'automatic',
Group::AUTO_GROUP_IDS.keys - [0]
)
end
end
describe 'public groups' do
it 'should return the right response' do
group2 = Fabricate(:group, public_admission: true)
expect_type_to_return_right_groups('public', [group2.id])
end
end
describe 'close groups' do
it 'should return the right response' do
group2 = Fabricate(:group, public_admission: false)
_group3 = Fabricate(:group, public_admission: true)
expect_type_to_return_right_groups('close', [group.id, group2.id])
end
end
end
end
end
describe '#show' do
it "ensures the group can be seen" do
sign_in(Fabricate(:user))
group.update!(visibility_level: Group.visibility_levels[:owners])
get "/groups/#{group.name}.json"
expect(response.status).to eq(403)
end
it "returns the right response" do
sign_in(user)
get "/groups/#{group.name}.json"
expect(response.status).to eq(200)
response_body = JSON.parse(response.body)
expect(response_body['group']['id']).to eq(group.id)
expect(response_body['extras']["visible_group_names"]).to eq([group.name])
end
context 'as an admin' do
it "returns the right response" do
sign_in(Fabricate(:admin))
get "/groups/#{group.name}.json"
expect(response.status).to eq(200)
response_body = JSON.parse(response.body)
expect(response_body['group']['id']).to eq(group.id)
groups = Group::AUTO_GROUPS.keys
groups.delete(:everyone)
groups.push(group.name)
expect(response_body['extras']["visible_group_names"])
.to contain_exactly(*groups.map(&:to_s))
end
end
it 'should respond to HTML' do
group.update!(bio_raw: 'testing **group** bio')
get "/groups/#{group.name}.html"
expect(response.status).to eq(200)
expect(response.body).to have_tag(:meta, with: {
property: 'og:title', content: group.name
})
# note this uses an excerpt so it strips html
expect(response.body).to have_tag(:meta, with: {
property: 'og:description', content: 'testing group bio'
})
end
describe 'when viewing activity filters' do
it 'should return the right response' do
get "/groups/#{group.name}/activity/posts.json"
expect(response.status).to eq(200)
response_body = JSON.parse(response.body)['group']
expect(response_body["id"]).to eq(group.id)
end
end
end
describe "#posts" do
it "ensures the group can be seen" do
sign_in(Fabricate(:user))
group.update!(visibility_level: Group.visibility_levels[:owners])
get "/groups/#{group.name}/posts.json"
expect(response.status).to eq(403)
end
it "calls `posts_for` and responds with JSON" do
sign_in(user)
post = Fabricate(:post, user: user)
get "/groups/#{group.name}/posts.json"
expect(response.status).to eq(200)
expect(JSON.parse(response.body).first["id"]).to eq(post.id)
end
end
describe "#members" do
it "returns correct error code with invalid params" do
sign_in(Fabricate(:user))
get "/groups/#{group.name}/members.json?limit=-1"
expect(response.status).to eq(400)
get "/groups/#{group.name}/members.json?offset=-1"
expect(response.status).to eq(400)
get "/groups/trust_level_0/members.json?limit=2000"
expect(response.status).to eq(400)
end
it "ensures the group can be seen" do
sign_in(Fabricate(:user))
group.update!(visibility_level: Group.visibility_levels[:owners])
get "/groups/#{group.name}/members.json"
expect(response.status).to eq(403)
end
it "ensures that membership can be paginated" do
freeze_time
first_user = Fabricate(:user)
group.add(first_user)
freeze_time 1.day.from_now
4.times { group.add(Fabricate(:user)) }
usernames = group.users.map { |m| m.username }.sort
get "/groups/#{group.name}/members.json", params: { limit: 3 }
expect(response.status).to eq(200)
members = JSON.parse(response.body)["members"]
expect(members.map { |m| m['username'] }).to eq(usernames[0..2])
get "/groups/#{group.name}/members.json", params: { limit: 3, offset: 3 }
expect(response.status).to eq(200)
members = JSON.parse(response.body)["members"]
expect(members.map { |m| m['username'] }).to eq(usernames[3..5])
get "/groups/#{group.name}/members.json", params: { order: 'added_at', desc: true }
members = JSON.parse(response.body)["members"]
expect(members.last['added_at']).to eq(first_user.created_at.as_json)
end
end
describe '#posts_feed' do
it 'renders RSS' do
get "/groups/#{group.name}/posts.rss"
expect(response.status).to eq(200)
expect(response.content_type).to eq('application/rss+xml')
end
end
describe '#mentions_feed' do
it 'renders RSS' do
get "/groups/#{group.name}/mentions.rss"
expect(response.status).to eq(200)
expect(response.content_type).to eq('application/rss+xml')
end
it 'fails when disabled' do
SiteSetting.enable_mentions = false
get "/groups/#{group.name}/mentions.rss"
expect(response.status).to eq(404)
end
end
describe '#mentionable' do
it "should return the right response" do
sign_in(user)
get "/groups/#{group.name}/mentionable.json"
expect(response.status).to eq(200)
response_body = JSON.parse(response.body)
expect(response_body["mentionable"]).to eq(false)
group.update!(
mentionable_level: Group::ALIAS_LEVELS[:everyone],
visibility_level: Group.visibility_levels[:staff]
)
get "/groups/#{group.name}/mentionable.json"
expect(response.status).to eq(200)
response_body = JSON.parse(response.body)
expect(response_body["mentionable"]).to eq(true)
end
end
describe '#messageable' do
it "should return the right response" do
sign_in(user)
get "/groups/#{group.name}/messageable.json"
expect(response.status).to eq(200)
response_body = JSON.parse(response.body)
expect(response_body["messageable"]).to eq(false)
group.update!(
messageable_level: Group::ALIAS_LEVELS[:everyone],
visibility_level: Group.visibility_levels[:staff]
)
get "/groups/#{group.name}/messageable.json"
expect(response.status).to eq(200)
response_body = JSON.parse(response.body)
expect(response_body["messageable"]).to eq(true)
end
end
describe '#update' do
let!(:group) do
Fabricate(:group,
name: 'test',
users: [user],
public_admission: false,
public_exit: false
)
end
context "custom_fields" do
before do
user.update!(admin: true)
sign_in(user)
plugin = Plugin::Instance.new
plugin.register_editable_group_custom_field :test
@group = Fabricate(:group)
end
after do
Group.plugin_editable_group_custom_fields.clear
end
it "only updates allowed user fields" do
put "/groups/#{@group.id}.json", params: { group: { custom_fields: { test: :hello1, test2: :hello2 } } }
@group.reload
expect(response.status).to eq(200)
expect(@group.custom_fields['test']).to eq('hello1')
expect(@group.custom_fields['test2']).to be_blank
end
it "is secure when there are no registered editable fields" do
Group.plugin_editable_group_custom_fields.clear
put "/groups/#{@group.id}.json", params: { group: { custom_fields: { test: :hello1, test2: :hello2 } } }
@group.reload
expect(response.status).to eq(200)
expect(@group.custom_fields['test']).to be_blank
expect(@group.custom_fields['test2']).to be_blank
end
end
context "when user is group owner" do
before do
group.add_owner(user)
sign_in(user)
end
it "should be able update the group" do
group.update!(
allow_membership_requests: false,
visibility_level: 2,
mentionable_level: 2,
messageable_level: 2,
default_notification_level: 0,
grant_trust_level: 0,
automatic_membership_retroactive: false
)
expect do
put "/groups/#{group.id}.json", params: {
group: {
mentionable_level: 1,
messageable_level: 1,
visibility_level: 1,
automatic_membership_email_domains: 'test.org',
automatic_membership_retroactive: true,
title: 'haha',
primary_group: true,
grant_trust_level: 1,
incoming_email: 'test@mail.org',
flair_bg_color: 'FFF',
flair_color: 'BBB',
flair_url: 'fa-adjust',
bio_raw: 'testing',
full_name: 'awesome team',
public_admission: true,
public_exit: true,
allow_membership_requests: true,
membership_request_template: 'testing',
default_notification_level: 1,
name: 'testing'
}
}
end.to change { GroupHistory.count }.by(13)
expect(response.status).to eq(200)
group.reload
expect(group.flair_bg_color).to eq('FFF')
expect(group.flair_color).to eq('BBB')
expect(group.flair_url).to eq('fa-adjust')
expect(group.bio_raw).to eq('testing')
expect(group.full_name).to eq('awesome team')
expect(group.public_admission).to eq(true)
expect(group.public_exit).to eq(true)
expect(group.allow_membership_requests).to eq(true)
expect(group.membership_request_template).to eq('testing')
expect(group.name).to eq('test')
expect(group.visibility_level).to eq(2)
expect(group.mentionable_level).to eq(1)
expect(group.messageable_level).to eq(1)
expect(group.default_notification_level).to eq(1)
expect(group.automatic_membership_email_domains).to eq(nil)
expect(group.automatic_membership_retroactive).to eq(false)
expect(group.title).to eq('haha')
expect(group.primary_group).to eq(false)
expect(group.incoming_email).to eq(nil)
expect(group.grant_trust_level).to eq(0)
end
it 'should not be allowed to update automatic groups' do
group = Group.find(Group::AUTO_GROUPS[:admins])
put "/groups/#{group.id}.json", params: {
group: {
messageable_level: 1
}
}
expect(response.status).to eq(403)
end
end
context "when user is group admin" do
before do
user.update!(admin: true)
sign_in(user)
end
it 'should be able to update the group' do
group.update!(
visibility_level: 2,
automatic_membership_retroactive: false,
grant_trust_level: 0
)
put "/groups/#{group.id}.json", params: {
group: {
flair_color: 'BBB',
name: 'testing',
incoming_email: 'test@mail.org',
primary_group: true,
automatic_membership_email_domains: 'test.org',
automatic_membership_retroactive: true,
grant_trust_level: 2,
visibility_level: 1
}
}
expect(response.status).to eq(200)
group.reload
expect(group.flair_color).to eq('BBB')
expect(group.name).to eq('testing')
expect(group.incoming_email).to eq("test@mail.org")
expect(group.primary_group).to eq(true)
expect(group.visibility_level).to eq(1)
expect(group.automatic_membership_email_domains).to eq('test.org')
expect(group.automatic_membership_retroactive).to eq(true)
expect(group.grant_trust_level).to eq(2)
expect(Jobs::AutomaticGroupMembership.jobs.first["args"].first["group_id"])
.to eq(group.id)
end
it "should be able to update an automatic group" do
group = Group.find(Group::AUTO_GROUPS[:admins])
group.update!(
visibility_level: 2,
mentionable_level: 2,
messageable_level: 2,
default_notification_level: 2
)
put "/groups/#{group.id}.json", params: {
group: {
flair_color: 'BBB',
name: 'testing',
visibility_level: 1,
mentionable_level: 1,
messageable_level: 1,
default_notification_level: 1
}
}
expect(response.status).to eq(200)
group.reload
expect(group.flair_color).to eq(nil)
expect(group.name).to eq('admins')
expect(group.visibility_level).to eq(1)
expect(group.mentionable_level).to eq(1)
expect(group.messageable_level).to eq(1)
expect(group.default_notification_level).to eq(1)
end
it 'triggers a extensibility event' do
event = DiscourseEvent.track_events {
put "/groups/#{group.id}.json", params: { group: { flair_color: 'BBB' } }
}.last
expect(event[:event_name]).to eq(:group_updated)
expect(event[:params].first).to eq(group)
end
end
context "when user is not a group owner or admin" do
it 'should not be able to update the group' do
sign_in(user)
put "/groups/#{group.id}.json", params: { group: { name: 'testing' } }
expect(response.status).to eq(403)
end
end
end
describe '#members' do
let(:user1) do
Fabricate(:user,
last_seen_at: Time.zone.now,
last_posted_at: Time.zone.now - 1.day,
email: 'b@test.org'
)
end
let(:user2) do
Fabricate(:user,
last_seen_at: Time.zone.now - 1 .day,
last_posted_at: Time.zone.now,
email: 'a@test.org'
)
end
fab!(:user3) do
Fabricate(:user,
last_seen_at: nil,
last_posted_at: nil,
email: 'c@test.org'
)
end
fab!(:bot) { Fabricate(:user, id: -999) }
let(:group) { Fabricate(:group, users: [user1, user2, user3, bot]) }
it "should allow members to be sorted by" do
get "/groups/#{group.name}/members.json", params: {
order: 'last_seen_at', desc: true
}
expect(response.status).to eq(200)
members = JSON.parse(response.body)["members"]
expect(members.map { |m| m["id"] }).to eq([user1.id, user2.id, user3.id])
get "/groups/#{group.name}/members.json", params: { order: 'last_seen_at' }
expect(response.status).to eq(200)
members = JSON.parse(response.body)["members"]
expect(members.map { |m| m["id"] }).to eq([user2.id, user1.id, user3.id])
get "/groups/#{group.name}/members.json", params: {
order: 'last_posted_at', desc: true
}
expect(response.status).to eq(200)
members = JSON.parse(response.body)["members"]
expect(members.map { |m| m["id"] }).to eq([user2.id, user1.id, user3.id])
end
it "should not allow members to be sorted by columns that are not allowed" do
get "/groups/#{group.name}/members.json", params: { order: 'email' }
expect(response.status).to eq(200)
members = JSON.parse(response.body)["members"]
expect(members.map { |m| m["id"] })
.to contain_exactly(user1.id, user2.id, user3.id)
end
it "can show group requests" do
sign_in(Fabricate(:admin))
user4 = Fabricate(:user)
request4 = Fabricate(:group_request, user: user4, group: group)
get "/groups/#{group.name}/members.json", params: { requesters: true }
members = JSON.parse(response.body)["members"]
expect(members.length).to eq(1)
expect(members.first["username"]).to eq(user4.username)
expect(members.first["reason"]).to eq(request4.reason)
end
describe 'filterable' do
describe 'as a normal user' do
it "should not allow members to be filterable by email" do
email = 'uniquetest@discourse.org'
user1.update!(email: email)
get "/groups/#{group.name}/members.json", params: { filter: email }
expect(response.status).to eq(200)
members = JSON.parse(response.body)["members"]
expect(members).to eq([])
end
end
describe 'as an admin' do
before do
sign_in(Fabricate(:admin))
end
it "should allow members to be filterable by username" do
email = 'uniquetest@discourse.org'
user1.update!(email: email)
{
email.upcase => [user1.id],
'QUEtes' => [user1.id],
"#{user1.email},#{user2.email}" => [user1.id, user2.id]
}.each do |filter, ids|
get "/groups/#{group.name}/members.json", params: { filter: filter }
expect(response.status).to eq(200)
members = JSON.parse(response.body)["members"]
expect(members.map { |m| m["id"] }).to contain_exactly(*ids)
end
end
it "should allow members to be filterable by email" do
username = 'uniquetest'
user1.update!(username: username)
[username.upcase, 'QUEtes'].each do |filter|
get "/groups/#{group.name}/members.json", params: { filter: filter }
expect(response.status).to eq(200)
members = JSON.parse(response.body)["members"]
expect(members.map { |m| m["id"] }).to contain_exactly(user1.id)
end
end
end
end
end
describe "#edit" do
fab!(:group) { Fabricate(:group) }
context 'when user is not signed in' do
it 'should be fobidden' do
put "/groups/#{group.id}/members.json", params: { usernames: "bob" }
expect(response).to be_forbidden
delete "/groups/#{group.id}/members.json", params: { username: "bob" }
expect(response).to be_forbidden
end
context 'public group' do
it 'should be fobidden' do
group.update!(
public_admission: true,
public_exit: true
)
put "/groups/#{group.id}/members.json", params: { usernames: "bob" }
expect(response.status).to eq(403)
delete "/groups/#{group.id}/members.json", params: { username: "bob" }
expect(response.status).to eq(403)
end
end
end
context 'when user is not an owner of the group' do
before do
sign_in(user)
end
it "refuses membership changes to unauthorized users" do
put "/groups/#{group.id}/members.json", params: { usernames: "bob" }
expect(response).to be_forbidden
delete "/groups/#{group.id}/members.json", params: { username: "bob" }
expect(response).to be_forbidden
end
end
context 'when user is an admin' do
fab!(:user) { Fabricate(:admin) }
let(:group) { Fabricate(:group, users: [user], automatic: true) }
before do
sign_in(user)
end
it "cannot add members to automatic groups" do
put "/groups/#{group.id}/members.json", params: { usernames: "bob" }
expect(response).to be_forbidden
delete "/groups/#{group.id}/members.json", params: { username: "bob" }
expect(response).to be_forbidden
end
end
end
describe "membership edits" do
fab!(:admin) { Fabricate(:admin) }
before do
sign_in(admin)
end
context '#add_members' do
it "can make incremental adds" do
user2 = Fabricate(:user)
expect do
put "/groups/#{group.id}/members.json", params: { usernames: user2.username }
end.to change { group.users.count }.by(1)
expect(response.status).to eq(200)
group_history = GroupHistory.last
expect(group_history.action).to eq(GroupHistory.actions[:add_user_to_group])
expect(group_history.acting_user).to eq(admin)
expect(group_history.target_user).to eq(user2)
end
it "cannot add members to automatic groups" do
group.update!(automatic: true)
put "/groups/#{group.id}/members.json", params: { usernames: "l77t" }
expect(response.status).to eq(403)
end
context "is able to add several members to a group" do
fab!(:user1) { Fabricate(:user) }
fab!(:user2) { Fabricate(:user, username: "UsEr2") }
it "adds by username" do
expect do
put "/groups/#{group.id}/members.json",
params: { usernames: [user1.username, user2.username.upcase].join(",") }
end.to change { group.users.count }.by(2)
expect(response.status).to eq(200)
end
it "adds by id" do
expect do
put "/groups/#{group.id}/members.json",
params: { user_ids: [user1.id, user2.id].join(",") }
end.to change { group.users.count }.by(2)
expect(response.status).to eq(200)
end
it "adds by email" do
expect do
put "/groups/#{group.id}/members.json",
params: { user_emails: [user1.email, user2.email].join(",") }
end.to change { group.users.count }.by(2)
expect(response.status).to eq(200)
end
it 'fails when multiple member already exists' do
user2.update!(username: 'alice')
user3 = Fabricate(:user, username: 'bob')
[user2, user3].each { |user| group.add(user) }
expect do
put "/groups/#{group.id}/members.json",
params: { user_emails: [user1.email, user2.email, user3.email].join(",") }
end.to change { group.users.count }.by(0)
expect(response.status).to eq(422)
expect(JSON.parse(response.body)["errors"]).to include(I18n.t(
"groups.errors.member_already_exist",
username: "alice, bob",
count: 2
))
end
end
it "returns 422 if member already exists" do
put "/groups/#{group.id}/members.json", params: { usernames: user.username }
expect(response.status).to eq(422)
expect(JSON.parse(response.body)["errors"]).to include(I18n.t(
"groups.errors.member_already_exist",
username: user.username,
count: 1
))
end
it "returns 400 if member is not found" do
[
{ usernames: "some thing" },
{ user_ids: "-5,-6" },
{ user_emails: "some@test.org" }
].each do |params|
put "/groups/#{group.id}/members.json", params: params
expect(response.status).to eq(400)
body = JSON.parse(response.body)
expect(body["error_type"]).to eq("invalid_parameters")
end
end
context 'public group' do
fab!(:other_user) { Fabricate(:user) }
before do
group.update!(
public_admission: true,
public_exit: true
)
end
context 'admin' do
it "can make incremental adds" do
expect do
put "/groups/#{group.id}/members.json",
params: { usernames: other_user.username }
end.to change { group.users.count }.by(1)
expect(response.status).to eq(200)
group_history = GroupHistory.last
expect(group_history.action).to eq(GroupHistory.actions[:add_user_to_group])
expect(group_history.acting_user).to eq(admin)
expect(group_history.target_user).to eq(other_user)
end
end
it 'should allow a user to join the group' do
sign_in(other_user)
expect do
put "/groups/#{group.id}/members.json",
params: { usernames: other_user.username }
end.to change { group.users.count }.by(1)
expect(response.status).to eq(200)
end
it 'should not allow an underprivilege user to add another user to a group' do
sign_in(user)
put "/groups/#{group.id}/members.json",
params: { usernames: other_user.username }
expect(response).to be_forbidden
end
end
end
context '#remove_member' do
it "cannot remove members from automatic groups" do
group.update!(automatic: true)
delete "/groups/#{group.id}/members.json", params: { user_id: 42 }
expect(response.status).to eq(403)
end
it "raises an error if user to be removed is not found" do
delete "/groups/#{group.id}/members.json", params: { user_id: -10 }
expect(response.status).to eq(400)
end
context "is able to remove a member" do
it "removes by id" do
expect do
delete "/groups/#{group.id}/members.json", params: { user_id: user.id }
end.to change { group.users.count }.by(-1)
expect(response.status).to eq(200)
end
it "removes by id with integer in json" do
expect do
headers = { "CONTENT_TYPE": "application/json" }
delete "/groups/#{group.id}/members.json", params: "{\"user_id\":#{user.id}}", headers: headers
end.to change { group.users.count }.by(-1)
expect(response.status).to eq(200)
end
it "removes by username" do
expect do
delete "/groups/#{group.id}/members.json", params: { username: user.username }
end.to change { group.users.count }.by(-1)
expect(response.status).to eq(200)
end
it "removes user.primary_group_id when user is removed from group" do
user.update!(primary_group_id: group.id)
delete "/groups/#{group.id}/members.json", params: { user_id: user.id }
expect(user.reload.primary_group_id).to eq(nil)
end
it "removes by user_email" do
expect do
delete "/groups/#{group.id}/members.json",
params: { user_email: user.email }
end.to change { group.users.count }.by(-1)
expect(response.status).to eq(200)
end
context 'public group' do
fab!(:other_user) { Fabricate(:user) }
let(:group) { Fabricate(:public_group, users: [other_user]) }
context "admin" do
it "removes by username" do
expect do
delete "/groups/#{group.id}/members.json",
params: { username: other_user.username }
end.to change { group.users.count }.by(-1)
expect(response.status).to eq(200)
end
end
it 'should allow a user to leave a group' do
sign_in(other_user)
expect do
delete "/groups/#{group.id}/members.json",
params: { username: other_user.username }
end.to change { group.users.count }.by(-1)
expect(response.status).to eq(200)
end
it 'should not allow a underprivilege user to leave a group for another user' do
sign_in(user)
delete "/groups/#{group.id}/members.json",
params: { username: other_user.username }
expect(response).to be_forbidden
end
end
end
context '#remove_members' do
context "is able to remove several members from a group" do
fab!(:user1) { Fabricate(:user) }
fab!(:user2) { Fabricate(:user, username: "UsEr2") }
let(:group1) { Fabricate(:group, users: [user1, user2]) }
it "removes by username" do
expect do
delete "/groups/#{group1.id}/members.json",
params: { usernames: [user1.username, user2.username.upcase].join(",") }
end.to change { group1.users.count }.by(-2)
expect(response.status).to eq(200)
end
it "removes by id" do
expect do
delete "/groups/#{group1.id}/members.json",
params: { user_ids: [user1.id, user2.id].join(",") }
end.to change { group1.users.count }.by(-2)
expect(response.status).to eq(200)
end
it "removes by id with integer in json" do
expect do
headers = { "CONTENT_TYPE": "application/json" }
delete "/groups/#{group1.id}/members.json", params: "{\"user_ids\":#{user1.id}}", headers: headers
end.to change { group1.users.count }.by(-1)
expect(response.status).to eq(200)
end
it "removes by email" do
expect do
delete "/groups/#{group1.id}/members.json",
params: { user_emails: [user1.email, user2.email].join(",") }
end.to change { group1.users.count }.by(-2)
expect(response.status).to eq(200)
end
it "only removes users in that group" do
expect do
delete "/groups/#{group1.id}/members.json",
params: { usernames: [user.username, user2.username].join(",") }
end.to change { group1.users.count }.by(-1)
expect(response.status).to eq(200)
end
end
end
end
end
describe "#histories" do
context 'when user is not signed in' do
it 'should raise the right error' do
get "/groups/#{group.name}/logs.json"
expect(response.status).to eq(403)
end
end
context 'when user is not a group owner' do
before do
sign_in(user)
end
it 'should be forbidden' do
get "/groups/#{group.name}/logs.json"
expect(response).to be_forbidden
end
end
describe 'when user is a group owner' do
before do
group.add_owner(user)
sign_in(user)
end
describe 'when viewing a public group' do
before do
group.update!(
public_admission: true,
public_exit: true
)
GroupActionLogger.new(user, group).log_change_group_settings
end
it 'should allow group owner to view history' do
get "/groups/#{group.name}/logs.json"
expect(response.status).to eq(200)
result = JSON.parse(response.body)["logs"].last
expect(result["action"]).to eq(GroupHistory.actions[1].to_s)
expect(result["subject"]).to eq('public_exit')
expect(result["prev_value"]).to eq('f')
expect(result["new_value"]).to eq('t')
end
end
it 'should not be allowed to view history of an automatic group' do
group = Group.find_by(id: Group::AUTO_GROUPS[:admins])
get "/groups/#{group.name}/logs.json"
expect(response.status).to eq(403)
end
end
context 'when user is an admin' do
fab!(:admin) { Fabricate(:admin) }
before do
sign_in(admin)
end
it 'should be able to view history' do
GroupActionLogger.new(admin, group).log_remove_user_from_group(user)
get "/groups/#{group.name}/logs.json"
expect(response.status).to eq(200)
result = JSON.parse(response.body)["logs"].first
expect(result["action"]).to eq(GroupHistory.actions[3].to_s)
end
it 'should be able to view history of automatic groups' do
group = Group.find_by(id: Group::AUTO_GROUPS[:admins])
get "/groups/#{group.name}/logs.json"
expect(response.status).to eq(200)
end
it 'should be able to filter through the history' do
GroupActionLogger.new(admin, group).log_add_user_to_group(user)
GroupActionLogger.new(admin, group).log_remove_user_from_group(user)
get "/groups/#{group.name}/logs.json", params: {
filters: { "action" => "add_user_to_group" }
}
expect(response.status).to eq(200)
logs = JSON.parse(response.body)["logs"]
expect(logs.count).to eq(1)
expect(logs.first["action"]).to eq(GroupHistory.actions[2].to_s)
end
end
end
describe '#request_membership' do
fab!(:new_user) { Fabricate(:user) }
it 'requires the user to log in' do
post "/groups/#{group.name}/request_membership.json"
expect(response.status).to eq(403)
end
it 'requires a reason' do
sign_in(user)
post "/groups/#{group.name}/request_membership.json"
expect(response.status).to eq(400)
end
it 'checks for duplicates' do
sign_in(user)
post "/groups/#{group.name}/request_membership.json",
params: { reason: 'Please add me in' }
expect(response.status).to eq(200)
post "/groups/#{group.name}/request_membership.json",
params: { reason: 'Please add me in' }
expect(response.status).to eq(409)
end
it 'should create the right PM' do
owner1 = Fabricate(:user, last_seen_at: Time.zone.now)
owner2 = Fabricate(:user, last_seen_at: Time.zone.now - 1 .day)
[owner1, owner2].each { |owner| group.add_owner(owner) }
sign_in(user)
post "/groups/#{group.name}/request_membership.json",
params: { reason: 'Please add me in' }
expect(response.status).to eq(200)
post = Post.last
topic = post.topic
body = JSON.parse(response.body)
expect(body['relative_url']).to eq(topic.relative_url)
expect(post.user).to eq(user)
expect(topic.title).to eq(I18n.t('groups.request_membership_pm.title',
group_name: group.name
))
expect(post.raw).to start_with('Please add me in')
expect(topic.archetype).to eq(Archetype.private_message)
expect(topic.allowed_users).to contain_exactly(user, owner1, owner2)
expect(topic.allowed_groups).to eq([])
end
end
describe '#search ' do
fab!(:hidden_group) do
Fabricate(:group,
visibility_level: Group.visibility_levels[:owners],
name: 'KingOfTheNorth'
)
end
before do
group.update!(
name: 'GOT',
full_name: 'Daenerys Targaryen'
)
hidden_group
end
context 'as an anon user' do
it "returns the right response" do
get '/groups/search.json'
expect(response.status).to eq(403)
end
end
context 'as a normal user' do
it "returns the right response" do
sign_in(user)
get '/groups/search.json'
expect(response.status).to eq(200)
groups = JSON.parse(response.body)
expected_ids = Group::AUTO_GROUPS.map { |name, id| id }
expected_ids.delete(Group::AUTO_GROUPS[:everyone])
expected_ids << group.id
expect(groups.map { |group| group["id"] }).to contain_exactly(*expected_ids)
['GO', 'nerys'].each do |term|
get "/groups/search.json?term=#{term}"
expect(response.status).to eq(200)
groups = JSON.parse(response.body)
expect(groups.length).to eq(1)
expect(groups.first['id']).to eq(group.id)
end
get "/groups/search.json?term=KingOfTheNorth"
expect(response.status).to eq(200)
groups = JSON.parse(response.body)
expect(groups).to eq([])
end
end
context 'as a group owner' do
before do
hidden_group.add_owner(user)
end
it "returns the right response" do
sign_in(user)
get "/groups/search.json?term=north"
expect(response.status).to eq(200)
groups = JSON.parse(response.body)
expect(groups.length).to eq(1)
expect(groups.first['id']).to eq(hidden_group.id)
end
end
context 'as an admin' do
it "returns the right response" do
sign_in(Fabricate(:admin))
get '/groups/search.json?ignore_automatic=true'
expect(response.status).to eq(200)
groups = JSON.parse(response.body)
expect(groups.length).to eq(2)
expect(groups.map { |group| group['id'] })
.to contain_exactly(group.id, hidden_group.id)
end
end
end
describe '#new' do
describe 'for an anon user' do
it 'should return 404' do
get '/groups/custom/new'
expect(response.status).to eq(404)
end
end
describe 'for a normal user' do
before { sign_in(user) }
it 'should return 404' do
get '/groups/custom/new'
expect(response.status).to eq(404)
end
end
describe 'for an admin user' do
before { sign_in(Fabricate(:admin)) }
it 'should return 404' do
get '/groups/custom/new'
expect(response.status).to eq(200)
end
end
end
describe '#check_name' do
describe 'for an anon user' do
it 'should return the right response' do
get "/groups/check-name.json", params: { group_name: 'test' }
expect(response.status).to eq(403)
end
end
it 'should return the right response' do
sign_in(Fabricate(:user))
SiteSetting.reserved_usernames = 'test|donkey'
get "/groups/check-name.json", params: { group_name: 'test' }
expect(response.status).to eq(200)
expect(JSON.parse(response.body)["available"]).to eq(true)
end
end
end
Reference in New Issue View Git Blame Copy Permalink