openproject/spec/controllers/work_packages_controller_spec.rb

#-- encoding: UTF-8
#-- copyright
# OpenProject is a project management system.
# Copyright (C) 2012-2015 the OpenProject Foundation (OPF)
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License version 3.
#
# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
# Copyright (C) 2006-2013 Jean-Philippe Lang
# Copyright (C) 2010-2013 the ChiliProject Team
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
#
# See doc/COPYRIGHT.rdoc for more details.
#++

require 'spec_helper'
require 'support/shared/previews'

describe WorkPackagesController, type: :controller do

  before do
    allow(User).to receive(:current).and_return current_user
    # disables sending mails
    allow(UserMailer).to receive(:new).and_return(double('mailer').as_null_object)
  end

  let(:planning_element) { FactoryGirl.create(:work_package, project_id: project.id) }
  let(:project) { FactoryGirl.create(:project, identifier: 'test_project', is_public: false) }
  let(:stub_planning_element) { FactoryGirl.build_stubbed(:work_package, project_id: stub_project.id) }
  let(:stub_project) { FactoryGirl.build_stubbed(:project, identifier: 'test_project', is_public: false) }
  let(:stub_issue) { FactoryGirl.build_stubbed(:work_package, project_id: stub_project.id) }
  let(:stub_user) { FactoryGirl.build_stubbed(:user) }
  let(:stub_work_package) { double('work_package', id: 1337, project: stub_project).as_null_object }

  let(:current_user) { FactoryGirl.create(:user) }

  def self.requires_permission_in_project(&block)
    describe 'w/o the permission to see the project/work_package' do
      before do
        allow(controller).to receive(:work_package).and_return(nil)

        call_action
      end

      it 'should render a 404' do
        expect(response.response_code).to be === 404
      end
    end

    describe 'w/ the permission to see the project
              w/ having the necessary permissions' do

      before do
        allow(controller).to receive(:work_package).and_return(stub_work_package)
        expect(controller).to receive(:authorize).and_return(true)
      end

      instance_eval(&block)
    end
  end

  def self.requires_export_permission(&block)
    describe 'w/ the export permission
              w/o a project' do
      let(:project) { nil }

      before do
        expect(User.current).to receive(:allowed_to?)
          .with(:export_work_packages,
                project,
                global: true)
          .and_return(true)
      end

      instance_eval(&block)
    end

    describe 'w/ the export permission
              w/ a project' do
      before do
        params[:project_id] = project.id

        expect(User.current).to receive(:allowed_to?)
          .with(:export_work_packages,
                project,
                global: false)
          .and_return(true)
      end

      instance_eval(&block)
    end

    describe 'w/o the export permission' do
      let(:project) { nil }

      before do
        expect(User.current).to receive(:allowed_to?)
          .with(:export_work_packages,
                project,
                global: true)
          .and_return(false)

        call_action
      end

      it 'should render a 403' do
        expect(response.response_code).to eq(403)
      end
    end
  end

  describe 'index' do
    let(:query) { FactoryGirl.build_stubbed(:query).tap(&:add_default_filter) }
    let(:work_packages) { double('work packages').as_null_object }

    before do
      allow(User.current).to receive(:allowed_to?).and_return(false)
      expect(User.current).to receive(:allowed_to?)
        .with({ controller: 'work_packages',
                action: 'index' },
              project,
              global: true)
        .and_return(true)
    end

    describe 'with valid query' do
      before do
        allow(controller).to receive(:retrieve_query).and_return(query)

        # Note: Stubs for methods used to build up the json query results.
        # TODO RS:  Clearly this isn't testing anything, but it all needs to be moved to an API controller anyway.
        query.stub_chain(:results, :work_packages, :page, :per_page, :all).and_return(work_packages)
        query.stub_chain(:results, :work_package_count_by_group).and_return([])
        query.stub_chain(:results, :column_total_sums).and_return([])
        query.stub_chain(:results, :column_group_sums).and_return([])
        allow(query).to receive(:as_json).and_return('')
      end

      describe 'html' do
        let(:call_action) { get('index', project_id: project.id) }
        before { call_action }

        describe 'w/o a project' do
          let(:project) { nil }
          let(:call_action) { get('index') }

          it 'should render the index template' do
            expect(response).to render_template('work_packages/index', formats: ['html'],
                                                                       layout: :base)
          end
        end

        context 'w/ a project' do
          it 'should render the index template' do
            expect(response).to render_template('work_packages/index', formats: ['html'],
                                                                       layout: :base)
          end
        end

        context 'when a query has been previously selected' do
          let(:query) do
            FactoryGirl.build_stubbed(:query).tap { |q| q.filters = [Queries::WorkPackages::Filter.new('done_ratio', operator: '>=', values: [10])] }
          end

          before { allow(session).to receive(:query).and_return query }

          it 'preserves the query' do
            expect(assigns['query'].filters).to eq(query.filters)
          end
        end
      end

      describe 'csv' do
        let(:params) { {} }
        let(:call_action) { get('index', params.merge(format: 'csv')) }

        requires_export_permission do

          before do
            mock_csv = double('csv export')

            expect(WorkPackage::Exporter).to receive(:csv).with(work_packages, query)
                                                          .and_return(mock_csv)

            expect(controller).to receive(:send_data).with(mock_csv,
                                                           type: 'text/csv; charset=utf-8; header=present',
                                                           filename: "#{query.name}.csv") do |_|

              # We need to render something because otherwise
              # the controller will and he will not find a suitable template
              controller.render text: 'success'
            end
          end

          it 'should fulfill the defined should_receives' do
            call_action
          end
        end
      end

      describe 'pdf' do
        let(:params) { {} }
        let(:call_action) { get('index', params.merge(format: 'pdf')) }

        requires_export_permission do
          before do
            mock_pdf = double('pdf export')

            expect(WorkPackage::Exporter).to receive(:pdf).and_return(mock_pdf)

            expect(controller).to receive(:send_data).with(mock_pdf,
                                                           type: 'application/pdf',
                                                           filename: 'export.pdf') do |*_args|
              # We need to render something because otherwise
              # the controller will and he will not find a suitable template
              controller.render text: 'success'
            end
          end

          it 'should fulfill the defined should_receives' do
            call_action
          end
        end
      end

      describe 'atom' do
        let(:params) { {} }
        let(:call_action) { get('index', params.merge(format: 'atom')) }

        requires_export_permission do
          before do
            expect(controller).to receive(:render_feed).with(work_packages, anything) do |*_args|
              # We need to render something because otherwise
              # the controller will and he will not find a suitable template
              controller.render text: 'success'
            end
          end

          it 'should fulfill the defined should_receives' do
            call_action
          end
        end
      end
    end

    describe 'with invalid query' do
      context 'when a non-existant query has been previously selected' do
        let(:call_action) { get('index', project_id: project.id, query_id: 'hokusbogus') }
        before { call_action }

        it 'renders a 404' do
          expect(response.response_code).to be === 404
        end

        it 'preserves the project' do
          expect(assigns['project']).to be === project
        end
      end
    end
  end

  describe 'index with actual data' do
    require 'csv'
    render_views

    ##
    # When Ruby tries to join the following work package's subject encoded in ISO-8859-1
    # and its description encoded in UTF-8 it will result in a CompatibilityError.
    # This would not happen if the description contained only letters covered by
    # ISO-8859-1. Since this can happen, though, it is more sensible to encode everything
    # in UTF-8 which gets rid of this problem altogether.
    let(:work_package) do
      FactoryGirl.create(
        :work_package,
        subject: "Ruby encodes ß as '\\xDF' in ISO-8859-1.",
        description: "\u2022 requires unicode.")
    end
    let(:current_user) { FactoryGirl.create(:admin) }

    it 'performs a successful export' do
      wp = work_package

      expect {
        get :index, format: 'csv'
      }.to_not raise_error

      data = CSV.parse(response.body)

      expect(data.size).to eq(2)
      expect(data.last).to include(wp.subject)
      expect(data.last).to include(wp.description)
    end
  end

  describe 'index with a broken project reference' do
    before { get('index', project_id: 'project_that_doesnt_exist') }

    it { is_expected.to respond_with :not_found }
  end

  describe 'show.html' do
    let(:call_action) { get('show', id: '1337') }

    requires_permission_in_project do
      it 'renders the show builder template' do
        call_action

        expect(response).to render_template('work_packages/show', formats: ['html'],
                                                                  layout: :base)
      end
    end
  end

  describe 'show.pdf' do
    let(:call_action) { get('show', format: 'pdf', id: '1337') }

    requires_permission_in_project do
      it 'respond with a pdf' do
        pdf = double('pdf')

        expected_name = "#{stub_work_package.project.identifier}-#{stub_work_package.id}.pdf"
        expect(WorkPackage::Exporter).to receive(:work_package_to_pdf).and_return(pdf)
        expect(controller).to receive(:send_data).with(pdf,
                                                       type: 'application/pdf',
                                                       filename: expected_name) do |*_args|
          # We need to render something because otherwise
          # the controller will and he will not find a suitable template
          controller.render text: 'success'
        end
        call_action
      end
    end
  end

  describe 'show.atom' do
    let(:call_action) { get('show', format: 'atom', id: '1337') }

    requires_permission_in_project do
      it 'render the journal/index template' do
        call_action

        expect(response).to render_template('journals/index', formats: ['atom'],
                                                              layout: false,
                                                              content_type: 'application/atom+xml')
      end
    end
  end

  describe 'new.html' do
    let(:call_action) { get('new', format: 'html', project_id: 5) }

    requires_permission_in_project do
      before do
        call_action
      end

      it 'renders the new builder template' do

        expect(response).to render_template('work_packages/new', formats: ['html'])
      end

      it 'should respond with 200 OK' do
        expect(response.response_code).to eq(200)
      end
    end
  end

  describe 'new_type.js' do
    let(:wp_params) { { wp_attribute: double('wp_attribute') } }
    let(:call_action) { xhr :get, :new_type, project_id: 5 }

    requires_permission_in_project do
      before do
        expect(controller.send(:permitted_params)).to receive(:update_work_package)
          .with(project: stub_project)
          .and_return(wp_params)
        expect(stub_work_package).to receive(:update_by).with(current_user, wp_params).and_return(true)

        call_action
      end

      it 'renders the new builder template' do
        expect(response).to render_template('work_packages/new_type', formats: ['html'])
      end

      it 'should respond with 200 OK' do
        expect(response.response_code).to eq(200)
      end
    end
  end

  describe 'create.html' do
    let(:params) {
      { project_id: stub_work_package.project.id,
        work_package: {} }
    }

    let(:call_action) { post 'create', params }

    requires_permission_in_project do

      describe 'w/ having a successful save' do
        before do
          expect(stub_work_package).to receive(:save).and_return(true)
        end

        it 'redirect to show' do
          call_action

          expect(response).to redirect_to(work_package_path(stub_work_package))
        end

        it 'should show a flash message' do
          disable_flash_sweep

          call_action

          expect(flash[:notice]).to eq(I18n.t(:notice_successful_create))
        end

        it 'should attach attachments if those are provided' do
          params[:attachments] = 'attachment-blubs-data'

          expect(stub_work_package).to receive(:attach_files).with(params[:attachments])
          allow(controller).to receive(:render_attachment_warning_if_needed)

          call_action
        end
      end

      describe 'w/ having an unsuccessful save' do

        before do
          expect(stub_work_package).to receive(:save).and_return(false)

          call_action
        end

        it 'renders the new template' do
          expect(response).to render_template('work_packages/new', formats: ['html'])
        end
      end
    end
  end

  describe 'edit.html' do
    let(:call_action) { get 'edit', id: stub_work_package.id }

    requires_permission_in_project do
      it 'renders the show builder template' do
        call_action

        expect(response).to render_template('work_packages/edit', formats: ['html'], layout: :base)
      end
    end
  end

  describe 'update w/ a time entry' do
    render_views

    let(:admin) { FactoryGirl.create(:admin) }
    let(:work_package) { FactoryGirl.create(:work_package) }
    let(:default_activity) { FactoryGirl.create(:default_activity) }
    let(:activity) { FactoryGirl.create(:activity) }
    let(:params) do
      lambda do |work_package_id, activity_id|
        {
          id: work_package_id,
          work_package: {
            time_entry: {
              hours: '',
              comments: '',
              activity_id: activity_id
            }
          }
        }
      end
    end

    before do
      allow(User).to receive(:current).and_return admin
    end

    it 'should not try to create a time entry if blank' do
      # default activity counts as blank as long as everything else is blank too
      put 'update', params.call(work_package.id, default_activity.id)

      expect(flash[:notice]).to eq(I18n.t(:notice_successful_update))
      expect(response).to redirect_to(work_package_path(work_package))
    end

    it 'should still give an error for a non-blank time entry' do
      put 'update', params.call(work_package.id, activity.id)

      expect(response.status).to eq(200) # shouldn't this be 400 or similar?
      expect(response.body).to have_content('Log time is invalid')
    end
  end

  describe 'update.html' do
    let(:wp_params) { { 'wp_attribute' => double('wp_attribute') } }
    let(:params) { { id: stub_work_package.id, work_package: wp_params } }
    let(:call_action) { put 'update', params }

    requires_permission_in_project do
      before do
        allow(controller).to receive(:work_package).and_return(stub_work_package)
        expect(controller.send(:permitted_params)).to receive(:update_work_package)
          .at_most(:twice)
          .with(project: stub_work_package.project)
          .and_return(wp_params)

        expect(current_user).to receive(:allowed_to?).with(:edit_work_packages, stub_work_package.project)
          .and_return(true)
      end

      describe 'w/ having a successful save' do
        before do
          expect(stub_work_package).to receive(:update_by!)
            .with(current_user, wp_params)
            .and_return(true)
        end

        it 'should redirect to the show action' do
          call_action

          expect(response).to redirect_to(work_package_path(stub_work_package))
        end

        it 'should show a flash message' do
          disable_flash_sweep

          call_action

          expect(flash[:notice]).to eq(I18n.t(:notice_successful_update))
        end
      end

      describe 'w/ having an unsuccessful save' do
        before do
          expect(stub_work_package).to receive(:update_by!)
            .with(current_user, wp_params)
            .and_return(false)
        end

        it 'render the edit action' do
          call_action

          expect(response).to render_template('work_packages/edit', formats: ['html'], layout: :base)
        end
      end

      describe 'w/ having a successful save
                w/ having a faulty attachment' do

        before do
          expect(stub_work_package).to receive(:update_by!)
            .with(current_user, wp_params)
            .and_return(true)
          allow(stub_work_package).to receive(:unsaved_attachments)
            .and_return([double('unsaved_attachment')])
        end

        it 'should redirect to the show action' do
          call_action

          expect(response).to redirect_to(work_package_path(stub_work_package))
        end

        it 'should show a flash message' do
          disable_flash_sweep

          call_action

          expect(flash[:warning]).to eq(I18n.t(:warning_attachments_not_saved, count: 1))
        end
      end
    end
  end

  describe :work_package do
    describe 'when providing an id (wanting to see an existing wp)' do
      describe 'when beeing allowed to see the work_package' do
        become_member_with_view_planning_element_permissions

        it 'should return the work_package' do
          controller.params = { id: planning_element.id }

          expect(controller.work_package).to eq(planning_element)
        end

        it 'should return nil for non existing work_packages' do
          controller.params = { id: 0 }

          expect(controller.work_package).to be_nil
        end
      end

      describe 'when not beeing allowed to see the work_package' do
        it 'should return nil' do
          controller.params = { id: planning_element.id }

          expect(controller.work_package).to be_nil
        end
      end
    end

    describe 'when providing a project_id (wanting to build a new wp)' do
      let(:wp_params) { { wp_attribute: double('wp_attribute') } }
      let(:params) { { project_id: stub_project.id } }

      before do
        allow(Project).to receive(:find_visible).and_return stub_project
      end

      describe 'when we copy stuff' do
        before do
          controller.params = { work_package: {} }.merge(params)

          allow(controller).to receive(:current_user).and_return(stub_user)
          expect(controller.send(:permitted_params)).to receive(:new_work_package)
            .with(project: stub_project)
            .and_return(wp_params)

          expect(stub_project).to receive(:add_work_package) { |args|

            expect(args[:author]).to eql stub_user

          }.and_return(stub_issue)
        end

        it 'should return a new issue on the project' do
          expect(controller.work_package).to eq(stub_issue)
        end

        it 'should copy over attributes from another work_package provided as the source' do
          controller.params[:copy_from] = 2
          expect(stub_issue).to receive(:copy_from).with(2, exclude: [:project_id])

          controller.work_package
        end
      end

      describe 'if the project is not visible for the current_user' do
        before do
          projects = [stub_project]
          allow(Project).to receive(:visible).and_return projects
          allow(projects).to receive(:find_by_id).and_return(stub_project)
        end

        it 'should return nil' do
          expect(controller.work_package).to be_nil

        end
      end
    end

    describe 'when providing neither id nor project_id (error)' do
      it 'should return nil' do
        controller.params = {}

        expect(controller.work_package).to be_nil
      end
    end
  end

  describe :project do
    it "should be the work_packages's project" do
      allow(controller).to receive(:work_package).and_return(planning_element)

      expect(controller.project).to eq(planning_element.project)
    end
  end

  describe :journals do
    it "should return all the work_package's journals except the first one" do
      planning_element.description = 'blubs'

      planning_element.save
      planning_element.reload

      allow(controller).to receive(:work_package).and_return(planning_element)

      expect(controller.journals).to eq([planning_element.journals.last])
    end

    it 'should be empty if the work_package has only one journal' do
      allow(controller).to receive(:work_package).and_return(planning_element)

      expect(controller.journals).to be_empty
    end

    describe 'order of journal entries' do
      let!(:planning_element_note1) {
        FactoryGirl.create(:work_package_journal,
                           journable_id: planning_element.id,
                           version: 2,
                           notes: 'lala')
      }

      let!(:planning_element_note2) {
        FactoryGirl.create(:work_package_journal,
                           journable_id: planning_element.id,
                           version: 3,
                           notes: 'lala2')
      }

      before do
        allow(controller).to receive(:current_user).and_return(stub_user)
        allow(controller).to receive(:work_package).and_return(planning_element)
      end

      it 'chronological by default' do
        expect(controller.journals).to eq([planning_element_note1, planning_element_note2])
      end

      it "reverse chronological order if the user wan'ts it that way" do
        allow(stub_user).to receive(:wants_comments_in_reverse_order?).and_return(true)
        expect(controller.journals).to eq([planning_element_note2, planning_element_note1])
      end
    end
  end

  describe :changesets do
    let(:change1) { double('change_1') }
    let(:change2) { double('change_2') }
    let(:changesets) { [change1, change2] }

    before do
      allow(planning_element).to receive(:changesets).and_return(changesets)
      # couldn't get stub_chain to work
      # https://www.relishapp.com/rspec/rspec-mocks/v/2-0/docs/stubs/stub-a-chain-of-methods
      [:visible, :all, :includes].each do |meth|
        allow(changesets).to receive(meth).and_return(changesets)
      end
      allow(controller).to receive(:work_package).and_return(planning_element)
    end

    it "should have all the work_package's changesets" do
      expect(controller.changesets).to eq(changesets)
    end

    it "should have all the work_package's changesets in reverse order if the user wan'ts it that way" do
      allow(controller).to receive(:current_user).and_return(stub_user)

      allow(stub_user).to receive(:wants_comments_in_reverse_order?).and_return(true)

      expect(controller.changesets).to eq([change2, change1])
    end
  end

  describe :relations do
    let(:relation) {
      FactoryGirl.build_stubbed(:relation, from: stub_issue,
                                           to: stub_planning_element)
    }
    let(:relations) { [relation] }

    before do
      allow(controller).to receive(:work_package).and_return(stub_issue)
      allow(stub_issue).to receive(:relations).and_return(relations)
      allow(relations).to receive(:includes).and_return(relations)
    end

    it "should return all the work_packages's relations visible to the user" do
      allow(stub_planning_element).to receive(:visible?).and_return(true)

      expect(controller.relations).to eq(relations)
    end

    it 'should not return relations invisible to the user' do
      allow(stub_planning_element).to receive(:visible?).and_return(false)

      expect(controller.relations).to eq([])
    end
  end

  describe :ancestors do
    let(:project) { FactoryGirl.create(:project_with_types) }
    let(:ancestor_issue) { FactoryGirl.create(:work_package, project: project) }
    let(:issue) { FactoryGirl.create(:work_package, project: project, parent_id: ancestor_issue.id) }

    become_member_with_view_planning_element_permissions

    describe 'when work_package is an issue' do
      let(:ancestor_issue) { FactoryGirl.create(:work_package, project: project) }
      let(:issue) { FactoryGirl.create(:work_package, project: project, parent_id: ancestor_issue.id) }

      it 'should return the work_packages ancestors' do
        allow(controller).to receive(:work_package).and_return(issue)

        expect(controller.ancestors).to eq([ancestor_issue])
      end
    end

    describe 'when work_package is a planning element' do
      let(:descendant_planning_element) {
        FactoryGirl.create(:work_package, project: project,
                                          parent_id: planning_element.id)
      }
      it 'should return the work_packages ancestors' do
        allow(controller).to receive(:work_package).and_return(descendant_planning_element)

        expect(controller.ancestors).to eq([planning_element])
      end
    end
  end

  describe :descendants do
    before do
      allow(controller).to receive(:work_package).and_return(planning_element)
    end

    it 'should be empty' do
      expect(controller.descendants).to be_empty
    end
  end

  describe :priorities do
    it 'should return all defined priorities' do
      expected = double('priorities')

      allow(IssuePriority).to receive(:active).and_return(expected)

      expect(controller.priorities).to eq(expected)
    end
  end

  describe :allowed_statuses do
    it 'should return all statuses allowed by the issue' do
      expected = double('statuses')

      allow(controller).to receive(:work_package).and_return(stub_issue)

      allow(stub_issue).to receive(:new_statuses_allowed_to).with(current_user).and_return(expected)

      expect(controller.allowed_statuses).to eq(expected)
    end
  end

  describe :time_entry do
    before do
      allow(controller).to receive(:work_package).and_return(stub_planning_element)
    end

    it 'should return a time entry' do
      expected = double('time_entry')

      allow(stub_planning_element).to receive(:add_time_entry).and_return(expected)

      expect(controller.time_entry).to eq(expected)
    end
  end

  describe 'quotation' do
    let(:call_action) { get :quoted }

    requires_permission_in_project do
      context 'description' do
        subject { get :quoted, id: planning_element.id }

        it { is_expected.to be_success }
        it { is_expected.to render_template('edit') }
      end

      context 'journal' do
        let(:journal_id) { planning_element.journals.first.id }

        subject { get :quoted, id: planning_element.id, journal_id: journal_id }

        it { is_expected.to be_success }
        it { is_expected.to render_template('edit') }
      end
    end
  end

  let(:filename) { 'testfile.txt' }
  let(:file) { File.open(Rails.root.join('test/fixtures/files', filename)) }
  let(:uploaded_file) { ActionDispatch::Http::UploadedFile.new(tempfile: file, type: 'text/plain', filename: filename) }

  describe :create do
    let(:type) { FactoryGirl.create :type }
    let(:project) {
      FactoryGirl.create :project,
                         types: [type]
    }
    let(:status) { FactoryGirl.create :default_status }
    let(:priority) { FactoryGirl.create :priority }

    context :copy do
      let(:current_user) { FactoryGirl.create(:admin) }
      let(:params) { { copy_from: planning_element.id, project_id: project.id } }
      let(:except) {
        ['id',
         'root_id',
         'parent_id',
         'lft',
         'rgt',
         'type',
         'created_at',
         'updated_at']
      }

      before { post 'create', params }

      subject { response }

      it do
        expect(assigns['new_work_package']).not_to eq(nil)
        expect(assigns['new_work_package'].attributes.dup.except(*except)).to eq(planning_element.attributes.dup.except(*except))
      end
    end

    context :attachments do
      let(:new_work_package) {
        FactoryGirl.build(:work_package,
                          project: project,
                          type: type,
                          description: 'Description',
                          priority: priority)
      }
      let(:params) {
        { project_id: project.id,
          attachments: { '1' => { 'file' => uploaded_file,
                                  'description' => '' } } }
      }

      before do
        allow(controller).to receive(:work_package).and_return(new_work_package)
        expect(controller).to receive(:authorize).and_return(true)

        allow_any_instance_of(Attachment).to receive(:filename).and_return(filename)
        allow_any_instance_of(Attachment).to receive(:copy_file_to_destination)
      end

      # see ticket #2009 on OpenProject.org
      context 'new attachment on new work package' do
        before { post 'create', params }

        describe :journal do
          let(:attachment_id) { "attachments_#{new_work_package.attachments.first.id}" }

          subject { new_work_package.journals.last.changed_data }

          it { is_expected.to have_key attachment_id }

          it { expect(subject[attachment_id]).to eq([nil, filename]) }
        end
      end

      context 'invalid attachment' do
        let(:max_filesize) { Setting.attachment_max_size.to_i.kilobytes }

        before do
          allow_any_instance_of(Attachment).to receive(:filesize).and_return(max_filesize + 1)

          post :create, params
        end

        describe :view do
          subject { response }

          it { is_expected.to render_template('work_packages/new', formats: ['html']) }
        end

        describe :error do
          subject { new_work_package.errors.messages }

          it { is_expected.to have_key(:attachments) }

          it { subject[:attachments] =~ /too long/ }
        end
      end
    end
  end

  describe :update do
    let(:type) { FactoryGirl.create :type }
    let(:project) {
      FactoryGirl.create :project,
                         types: [type]
    }
    let(:status) { FactoryGirl.create :default_status }
    let(:priority) { FactoryGirl.create :priority }

    context :attachments do
      let(:work_package) {
        FactoryGirl.build(:work_package,
                          project: project,
                          type: type,
                          description: 'Description',
                          priority: priority)
      }
      let(:params) {
        { id: work_package.id,
          work_package: { attachments: { '1' => { 'file' => uploaded_file,
                                                  'description' => '' } } } }
      }

      before do
        allow(controller).to receive(:work_package).and_return(work_package)
        expect(controller).to receive(:authorize).and_return(true)

        expect(current_user).to receive(:allowed_to?).with(:edit_work_packages, project).and_return(true)

        allow_any_instance_of(Attachment).to receive(:filename).and_return(filename)
        allow_any_instance_of(Attachment).to receive(:copy_file_to_destination)
      end

      context 'invalid attachment' do
        let(:max_filesize) { Setting.attachment_max_size.to_i.kilobytes }

        before do
          allow_any_instance_of(Attachment).to receive(:filesize).and_return(max_filesize + 1)

          post :update, params
        end

        describe :view do
          subject { response }

          it { is_expected.to render_template('work_packages/edit', formats: ['html']) }
        end

        describe :error do
          subject { work_package.errors.messages }

          it { is_expected.to have_key(:attachments) }

          it { subject[:attachments] =~ /too long/ }
        end
      end
    end
  end

  describe 'preview' do
    let(:project) { FactoryGirl.create(:project) }
    let(:role) {
      FactoryGirl.create(:role,
                         permissions: [:add_work_packages])
    }
    let(:user) {
      FactoryGirl.create(:user,
                         member_in_project: project,
                         member_through_role: role)
    }
    let(:description) { 'Work package description' }
    let(:notes) { 'Work package note' }
    let(:preview_params) {
      { work_package: { description: description,
                        notes: notes } }
    }

    before { allow(User).to receive(:current).and_return(user) }

    it_behaves_like 'valid preview' do
      let(:preview_texts) { [description, notes] }
    end

    it_behaves_like 'authorizes object access' do
      let(:work_package) { FactoryGirl.create(:work_package) }
      let(:preview_params) {
        { id: work_package.id,
          work_package: {} }
      }
    end

    describe 'preview.js' do
      before { xhr :put, :preview, preview_params }

      it {
        expect(response).to render_template('common/preview',
                                            format: ['html'],
                                            layout: false)
      }
    end
  end

  describe 'Update permissions' do
    let(:project) { FactoryGirl.create(:project) }

    let(:description) { 'Muh hahahah!!!' }
    let(:notes) { 'Work package note' }
    let(:wp_params) { { id: work_package.id, work_package: { description: description, notes: notes } } }

    shared_context 'update work package' do
      let(:user) {
        FactoryGirl.create(:user,
                           member_in_project: project,
                           member_through_role: role)
      }
      let!(:work_package) {
        FactoryGirl.create(:work_package,
                           project_id: project.id,
                           author: user)
      }
      let!(:original_description) { work_package.description }

      before do
        User.stub(:current).and_return user

        put 'update', wp_params

        work_package.reload
      end
    end

    describe '#14964 User w/o permission able to update work package attributes' do
      let(:role) {
        FactoryGirl.create(:role,
                           permissions: [:view_work_packages,
                                         :add_work_package_notes])
      }

      include_context 'update work package'

      it { expect(work_package.description).to eq(original_description) }

      it { expect(work_package.journals.last.notes).to eq(notes) }
    end

    describe 'notes update w/o privileges' do
      let(:role) {
        FactoryGirl.create(:role,
                           permissions: [:view_work_packages,
                                         :edit_work_packages])
      }

      include_context 'update work package'

      it { expect(work_package.description).to eq(description) }

      it { expect(work_package.journals.last.notes).to be_empty }
    end
  end
end