#-- copyright
# OpenProject is an open source project management software.
# Copyright (C) 2012-2021 the OpenProject GmbH
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License version 3.
#
# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
# Copyright (C) 2006-2013 Jean-Philippe Lang
# Copyright (C) 2010-2013 the ChiliProject Team
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
#
# See COPYRIGHT and LICENSE files for more details.
#++
require 'spec_helper'
describe PermittedParams, type: :model do
# Stubbed (not persisted) actors. `user` is what the shared context hands to
# PermittedParams, so groups override it to exercise admins or other roles.
let(:user) do
  FactoryBot.build_stubbed(:user)
end
let(:admin) do
  FactoryBot.build_stubbed(:admin)
end
# Builds the ActionController::Parameters that PermittedParams is fed with.
#
# Knobs an example group can set via `let`:
# - attribute:  the PermittedParams method under test (also the default params key)
# - hash:       the raw params to run through the whitelist
# - hash_key:   top-level params key, when it differs from `attribute`
# - nested_key: wraps `hash` one level deeper under this key
# - flat:       when truthy, `hash` is the whole payload (no top-level key)
shared_context 'prepare params comparison' do
  let(:params_key) do
    defined?(hash_key) ? hash_key : attribute
  end

  let(:params) do
    payload = defined?(nested_key) ? { nested_key => hash } : hash
    wrapped = (defined?(flat) && flat) ? payload : { params_key => payload }

    ActionController::Parameters.new(wrapped)
  end

  # The whitelisted result as a plain Hash so it can be compared with `hash`.
  subject { PermittedParams.new(params, user).send(attribute).to_h }
end
# The whitelisted result must equal `allowed_params` when the group defines
# it (the subset expected to survive), otherwise the complete `hash`.
shared_examples_for 'allows params' do
  include_context 'prepare params comparison'

  it do
    permitted = defined?(allowed_params) ? allowed_params : hash
    expect(subject).to eq(permitted)
  end
end
# Like 'allows params' but without the `allowed_params` override: the nested
# payload has to come back unchanged.
shared_examples_for 'allows nested params' do
  include_context 'prepare params comparison'

  it do
    expect(subject).to eq(hash)
  end
end
# Expects at least one key of `hash` to be stripped. This only asserts that
# the result differs from the input, not that a particular key is absent;
# groups that need the stronger guarantee assert `eq({})` themselves.
shared_examples_for 'forbids params' do
  include_context 'prepare params comparison'

  it do
    expect(subject).not_to eq(hash)
  end
end
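describe '#permit' do
  it 'adds an attribute to be permitted later' do
    # just taking project_type here as an example, could be anything
    # taking the originally whitelisted params to be restored later
    original_whitelisted = PermittedParams.instance_variable_get(:@whitelisted_params)

    begin
      params = ActionController::Parameters.new(project_type: { 'blubs1' => 'blubs' })
      # NOTE(review): this example builds `params` but never calls
      # PermittedParams.permit nor asserts on the permitted result, so it
      # passes vacuously; the expectation appears to be missing.
    ensure
      # Restore in `ensure` so a failing expectation can never leak a modified
      # class-level whitelist into the rest of the suite.
      PermittedParams.instance_variable_set(:@whitelisted_params, original_whitelisted)
    end
  end

  # Unknown keys are rejected outright rather than silently creating a new
  # whitelist entry.
  it 'raises an argument error if key does not exist' do
    expect { PermittedParams.permit(:bogus_key) }.to raise_error ArgumentError
  end
end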
describe '#pref' do
  let(:attribute) { :pref }

  # Every user-preference key that may be mass-assigned.
  let(:hash) do
    %w[hide_mail time_zone comments_sorting warn_on_leaving_unsaved]
      .each_with_object({}) { |key, acc| acc[key] = 'value' }
  end

  it_behaves_like 'allows params'
end
describe '#news' do
  let(:attribute) { :news }

  let(:hash) do
    %w[title summary description].each_with_object({}) { |key, acc| acc[key] = 'value' }
  end

  it_behaves_like 'allows params'
end
describe '#comment' do
  let(:attribute) { :comment }

  let(:hash) do
    %w[commented author comments].each_with_object({}) { |key, acc| acc[key] = 'value' }
  end

  it_behaves_like 'allows params'
end
describe '#watcher' do
  let(:attribute) { :watcher }

  # Note that both the association (`user`, `watchable`) and the id column
  # are on the whitelist.
  let(:hash) do
    %w[watchable user user_id].each_with_object({}) { |key, acc| acc[key] = 'value' }
  end

  it_behaves_like 'allows params'
end
describe '#reply' do
  let(:attribute) { :reply }

  let(:hash) do
    %w[content subject].each_with_object({}) { |key, acc| acc[key] = 'value' }
  end

  it_behaves_like 'allows params'
end
describe '#wiki' do
  let(:attribute) { :wiki }

  let(:hash) do
    { 'start_page' => 'value' }
  end

  it_behaves_like 'allows params'
end
describe '#membership' do
  let(:attribute) { :membership }

  # role_ids is an array parameter, so this also covers scalar-array values.
  let(:hash) do
    {
      'project_id' => '1',
      'role_ids' => %w[1 2 4]
    }
  end

  it_behaves_like 'allows params'
end
describe '#category' do
  let(:attribute) { :category }

  let(:hash) do
    %w[name assigned_to_id].each_with_object({}) { |key, acc| acc[key] = 'value' }
  end

  it_behaves_like 'allows params'
end
describe '#version' do
  let(:attribute) { :version }

  context 'whitelisted params' do
    let(:hash) do
      %w[name description effective_date due_date start_date wiki_page_title status sharing]
        .each_with_object({}) { |key, acc| acc[key] = 'value' }
    end

    it_behaves_like 'allows params'
  end

  # An empty payload must not blow up and yields an empty result.
  context 'empty' do
    let(:hash) do
      {}
    end

    it_behaves_like 'allows params'
  end

  # custom_field_values is a flat map of id-as-string => value-as-string.
  context 'custom field values' do
    let(:hash) do
      { 'custom_field_values' => { '1' => '5' } }
    end

    it_behaves_like 'allows params'
  end
end
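describe '#message' do
  let(:attribute) { :message }

  # Without a project the moderation flags (sticky/locked) are stripped along
  # with the unknown 'evil' key; the context below shows they depend on the
  # edit_messages permission on a project.
  context 'no instance passed' do
    let(:allowed_params) do
      %w[subject content forum_id].each_with_object({}) { |key, acc| acc[key] = 'value' }
    end

    let(:hash) do
      allowed_params.merge('evil': 'true', 'sticky': 'true', 'locked': 'true')
    end

    it_behaves_like 'allows params'
  end

  context 'empty' do
    let(:hash) do
      {}
    end

    it_behaves_like 'allows params'
  end

  # With a project the user may edit messages in, sticky/locked are permitted
  # while unknown keys are still dropped.
  context 'with instance passed' do
    # The previously defined `instance` double was never referenced, so it
    # has been removed.
    let(:project) { double('project') }
    let(:allowed_params) do
      {
        'subject' => 'value',
        'content' => 'value',
        'forum_id' => 'value',
        'sticky' => 'true',
        'locked' => 'true'
      }
    end
    let(:hash) do
      ActionController::Parameters.new('message' => allowed_params.merge('evil': 'true'))
    end

    before do
      allow(user).to receive(:allowed_to?).with(:edit_messages, project).and_return(true)
    end

    # Calls #message with the project directly instead of via the shared subject.
    subject { PermittedParams.new(hash, user).message(project).to_h }

    it do
      expect(subject).to eq(allowed_params)
    end
  end
end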
describe '#attachments' do
  let(:attribute) { :attachments }

  let(:hash) do
    {
      'file' => 'myfile',
      'description' => 'mydescription'
    }
  end

  it_behaves_like 'allows params'
end
describe '#projects_type_ids' do
  let(:attribute) { :projects_type_ids }
  let(:hash_key) { 'project' }

  # Blank entries are dropped and the remaining ids come back as integers.
  let(:hash) do
    { 'type_ids' => ['1', '', '2'] }
  end
  let(:allowed_params) do
    [1, 2]
  end

  include_context 'prepare params comparison'

  # The result is an Array, so it is compared without the shared `to_h` subject.
  it do
    ids = PermittedParams.new(params, user).send(attribute)
    expect(ids).to eq(allowed_params)
  end
end
describe '#color' do
  let(:attribute) { :color }

  let(:hash) do
    {
      'name' => 'blubs',
      'hexcode' => '#fff'
    }
  end

  it_behaves_like 'allows params'
end
describe '#color_move' do
  let(:attribute) { :color_move }
  # The move directive arrives under the 'color' key, not 'color_move'.
  let(:hash_key) { 'color' }

  let(:hash) do
    { 'move_to' => '1' }
  end

  it_behaves_like 'allows params'
end
describe '#custom_field' do
  let(:attribute) { :custom_field }

  let(:hash) do
    {
      'editable' => '0',
      'visible' => '0'
    }
  end

  it_behaves_like 'allows params'
end
describe '#custom_action' do
  let(:attribute) { :custom_action }

  # actions/conditions are nested hashes and are expected to pass through whole.
  let(:hash) do
    {
      'name' => 'blubs',
      'description' => 'blubs blubs',
      'actions' => { 'assigned_to' => '1' },
      'conditions' => { 'status' => '42' },
      'move_to' => 'lower'
    }
  end

  it_behaves_like 'allows params'
end
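describe "#update_work_package" do
  let(:attribute) { :update_work_package }
  let(:hash_key) { 'work_package' }

  # Plain scalar attributes, one context each. The former duplicated
  # 'parent_id' context has been folded into this single table.
  {
    'subject' => 'blubs',
    'description' => 'blubs',
    'start_date' => '2013-07-08',
    'due_date' => '2013-07-08',
    'assigned_to_id' => '1',
    'responsible_id' => '1',
    'type_id' => '1',
    'priority_id' => '1',
    'parent_id' => '1',
    'version_id' => '1',
    'estimated_hours' => '1',
    'done_ratio' => '1',
    'lock_version' => '1',
    'status_id' => '1',
    'category_id' => '1',
    'budget_id' => '1'
  }.each do |field, value|
    context field do
      let(:hash) { { field => value } }

      it_behaves_like 'allows params'
    end
  end

  # Journal notes travel under 'journal_notes', not 'notes'.
  context 'notes' do
    let(:hash) { { 'journal_notes' => 'blubs' } }

    it_behaves_like 'allows params'
  end

  context 'attachments' do
    let(:hash) { { 'attachments' => [{ 'file' => 'djskfj', 'description' => 'desc' }] } }

    it_behaves_like 'allows params'
  end

  # watcher_user_ids is only permitted when the user may add watchers in the
  # project, so this context bypasses the shared subject and passes the
  # project explicitly.
  context 'watcher_user_ids' do
    include_context 'prepare params comparison'

    let(:hash) { { 'watcher_user_ids' => %w[1 2] } }
    let(:project) { double('project') }

    before do
      allow(user).to receive(:allowed_to?).with(:add_work_package_watchers, project).and_return(allowed_to)
    end

    subject { PermittedParams.new(params, user).update_work_package(project: project).to_h }

    context 'user is allowed to add watchers' do
      let(:allowed_to) { true }

      it do
        expect(subject).to eq(hash)
      end
    end

    context 'user is not allowed to add watchers' do
      let(:allowed_to) { false }

      it do
        expect(subject).to eq({})
      end
    end
  end

  context 'custom field values' do
    let(:hash) { { 'custom_field_values' => { '1' => '5' } } }

    it_behaves_like 'allows params'
  end

  context "removes custom field values that do not follow the schema 'id as string' => 'value as string'" do
    let(:hash) { { 'custom_field_values' => { 'blubs' => '5', '5' => { '1' => '2' } } } }

    it_behaves_like 'forbids params'
  end
end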
describe '#time_entry_activities_project' do
  let(:attribute) { :time_entry_activities_project }

  # An array of activity rows rather than a single hash.
  let(:hash) do
    [
      { 'activity_id' => '5', 'active' => '0' },
      { 'activity_id' => '6', 'active' => '1' }
    ]
  end
  # Identical to `hash`; spelled out so the expected shape is explicit.
  let(:allowed_params) do
    [{ 'activity_id' => '5', 'active' => '0' }, { 'activity_id' => '6', 'active' => '1' }]
  end

  it_behaves_like 'allows params' do
    # The result is an Array, so it is compared without the shared `to_h`.
    subject { PermittedParams.new(params, user).send(attribute) }
  end
end
# The user whitelist depends on who is acting. Admin-only attributes (admin,
# login, auth_source_id, force_password_change) must never be mass-assignable
# for ordinary users: that would be a straightforward privilege escalation.
describe '#user' do
  include_context 'prepare params comparison'

  let(:hash_key) { 'user' }
  let(:external_authentication) { false }
  let(:change_password_allowed) { true }

  # Both flags are handed through to the method under test.
  subject do
    PermittedParams.new(params, user).send(attribute, external_authentication, change_password_allowed).to_h
  end

  # Everything an admin may set through the user form.
  all_permissions = %w[
    admin
    login
    firstname
    lastname
    mail
    language
    custom_fields
    auth_source_id
    force_password_change
  ]

  describe :user_create_as_admin do
    let(:attribute) { :user_create_as_admin }
    let(:default_permissions) { %w[custom_fields firstname lastname language mail auth_source_id] }

    context 'non-admin' do
      # Feed every key and check that only the default subset survives.
      let(:hash) { all_permissions.zip(all_permissions).to_h }

      it 'permits default permissions' do
        expect(subject.keys).to match_array(default_permissions)
      end
    end

    context 'non-admin with global :manage_user permission' do
      # Uses `create` rather than `build_stubbed`, presumably so the global
      # permission can be resolved from persisted roles — verify if changed.
      let(:user) { FactoryBot.create(:user, global_permission: :manage_user) }
      let(:hash) { all_permissions.zip(all_permissions).to_h }

      it 'permits default permissions and "login"' do
        expect(subject.keys).to match_array(default_permissions + ['login'])
      end
    end

    context 'admin' do
      let(:user) { admin }

      all_permissions.each do |field|
        context field do
          let(:hash) { { field => 'test' } }

          it "permits #{field}" do
            expect(subject).to eq(field => 'test')
          end
        end
      end

      # Even an admin cannot force a password change when the flag says so.
      context 'with no password change allowed' do
        let(:hash) { { 'force_password_change' => 'true' } }
        let(:change_password_allowed) { false }

        it 'does not permit force_password_change' do
          expect(subject).to eq({})
        end
      end

      # With external authentication the auth source may not be switched.
      context 'with external authentication' do
        let(:hash) { { 'auth_source_id' => 'true' } }
        let(:external_authentication) { true }

        it 'does not permit auth_source_id' do
          expect(subject).to eq({})
        end
      end

      context 'custom field values' do
        let(:hash) { { 'custom_field_values' => { '1' => '5' } } }

        it 'permits custom_field_values' do
          expect(subject).to eq(hash)
        end
      end

      context "custom field values that do not follow the schema 'id as string' => 'value as string'" do
        let(:hash) { { 'custom_field_values' => { 'blubs' => '5', '5' => { '1' => '2' } } } }

        it 'are removed' do
          expect(subject).to eq({})
        end
      end
    end
  end

  # What may be changed on an existing account through #user.
  user_permissions = %w[
    firstname
    lastname
    mail
    language
    custom_fields
  ]

  describe '#user' do
    let(:attribute) { :user }
    let(:user) { admin }

    user_permissions.each do |field|
      context field do
        let(:hash) { { field => 'test' } }

        it_behaves_like 'allows params'
      end
    end

    # Keys of the admin form that #user rejects even for an admin actor.
    (all_permissions - user_permissions).each do |field|
      context "#{field} (admin-only)" do
        let(:hash) { { field => 'test' } }

        it_behaves_like 'forbids params'
      end
    end

    context 'custom field values' do
      let(:hash) { { 'custom_field_values' => { '1' => '5' } } }

      it_behaves_like 'allows params'
    end

    context "custom field values that do not follow the schema 'id as string' => 'value as string'" do
      let(:hash) { { 'custom_field_values' => { 'blubs' => '5', '5' => { '1' => '2' } } } }

      it_behaves_like 'forbids params'
    end

    # identity_url is never mass-assignable (the omniauth path forbids it too).
    context 'identity_url' do
      let(:hash) { { 'identity_url' => 'test_identity_url' } }

      it_behaves_like 'forbids params'
    end
  end
end
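describe '#user_register_via_omniauth' do
  let(:attribute) { :user_register_via_omniauth }
  let(:hash_key) { 'user' }

  # Named differently from the `user_permissions` local of the '#user' group
  # above so this block does not silently reassign it.
  omniauth_permissions = %w[login firstname lastname mail language]

  # Each field gets its own example group. A bare `let(:hash)` inside the loop
  # would redefine the same method on this group five times, so only the last
  # field ('language') would actually have been exercised.
  omniauth_permissions.each do |field|
    context field do
      let(:hash) { { field => 'test' } }

      it_behaves_like 'allows params'
    end
  end

  # identity_url must not be settable from the submitted registration form.
  context 'identity_url' do
    let(:hash) { { 'identity_url' => 'test_identity_url' } }

    it_behaves_like 'forbids params'
  end
end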
# For whitelists keyed by enumeration id: the move directive sits under an id.
shared_examples_for 'allows enumeration move params' do
  let(:hash) do
    { '2' => { 'move_to' => 'lower' } }
  end

  it_behaves_like 'allows params'
end
# A top-level move directive (no enumeration id wrapping it).
shared_examples_for 'allows move params' do
  let(:hash) do
    { 'move_to' => 'lower' }
  end

  it_behaves_like 'allows params'
end
shared_examples_for 'allows custom fields' do
  describe 'valid custom fields' do
    let(:hash) do
      { '1' => { 'custom_field_values' => { '1' => '5' } } }
    end

    it_behaves_like 'allows params'
  end

  describe 'invalid custom fields' do
    # NOTE(review): unlike the valid case this payload is not nested under an
    # enumeration id, so 'forbids params' passes merely because the shape is
    # wrong — it does not show that malformed custom_field_values under an id
    # are stripped. Check the implementation before nesting it under '1'.
    let(:hash) do
      { 'custom_field_values' => { 'blubs' => '5', '5' => { '1' => '2' } } }
    end

    it_behaves_like 'forbids params'
  end
end
describe '#status' do
  let(:attribute) { :status }

  context 'name' do
    let(:hash) do
      { 'name' => 'blubs' }
    end

    it_behaves_like 'allows params'
  end

  context 'default_done_ratio' do
    let(:hash) do
      { 'default_done_ratio' => '10' }
    end

    it_behaves_like 'allows params'
  end

  context 'is_closed' do
    let(:hash) do
      { 'is_closed' => 'true' }
    end

    it_behaves_like 'allows params'
  end

  context 'is_default' do
    let(:hash) do
      { 'is_default' => 'true' }
    end

    it_behaves_like 'allows params'
  end

  context 'move_to' do
    it_behaves_like 'allows move params'
  end
end
# The settings whitelist is configuration dependent: keys that the deployment
# locks down via OpenProject::Configuration are dropped from user input.
describe '#settings' do
  let(:attribute) { :settings }

  describe 'with password login enabled' do
    before do
      allow(OpenProject::Configuration)
        .to receive(:disable_password_login?)
        .and_return(false)
    end

    let(:hash) do
      {
        'sendmail_arguments' => 'value',
        'brute_force_block_after_failed_logins' => 'value',
        'password_active_rules' => ['value'],
        'default_projects_modules' => ['value', 'value'],
        'emails_footer' => { 'en' => 'value' }
      }
    end

    it_behaves_like 'allows params'
  end

  # With password login disabled, password_active_rules is not permitted.
  describe 'with password login disabld' do
    include_context 'prepare params comparison'

    before do
      allow(OpenProject::Configuration)
        .to receive(:disable_password_login?)
        .and_return(true)
    end

    let(:hash) do
      {
        'sendmail_arguments' => 'value',
        'brute_force_block_after_failed_logins' => 'value',
        'password_active_rules' => ['value'],
        'default_projects_modules' => ['value', 'value'],
        'emails_footer' => { 'en' => 'value' }
      }
    end

    let(:permitted_hash) do
      {
        'sendmail_arguments' => 'value',
        'brute_force_block_after_failed_logins' => 'value',
        'default_projects_modules' => ['value', 'value'],
        'emails_footer' => { 'en' => 'value' }
      }
    end

    it do
      expect(subject).to eq(permitted_hash)
    end
  end

  describe 'with no registration footer configured' do
    before do
      allow(OpenProject::Configuration)
        .to receive(:registration_footer)
        .and_return({})
    end

    let(:hash) do
      {
        'registration_footer' => {
          'en' => 'some footer'
        }
      }
    end

    it_behaves_like 'allows params'
  end

  # A footer set in the configuration wins: the setting is not writable then.
  describe 'with a registration footer configured' do
    include_context 'prepare params comparison'

    before do
      allow(OpenProject::Configuration)
        .to receive(:registration_footer)
        .and_return("en" => "configured footer")
    end

    let(:hash) do
      {
        'registration_footer' => {
          'en' => 'some footer'
        }
      }
    end

    let(:permitted_hash) do
      {}
    end

    it do
      expect(subject).to eq(permitted_hash)
    end
  end
end
# Enumeration params are keyed by enumeration id ('1' => { ... }).
describe '#enumerations' do
  let(:attribute) { :enumerations }

  context 'name' do
    let(:hash) do
      { '1' => { 'name' => 'blubs' } }
    end

    it_behaves_like 'allows params'
  end

  context 'active' do
    let(:hash) do
      { '1' => { 'active' => 'true' } }
    end

    it_behaves_like 'allows params'
  end

  context 'is_default' do
    let(:hash) do
      { '1' => { 'is_default' => 'true' } }
    end

    it_behaves_like 'allows params'
  end

  context 'reassign_to_id' do
    let(:hash) do
      { '1' => { 'reassign_to_id' => '1' } }
    end

    it_behaves_like 'allows params'
  end

  context 'move_to' do
    it_behaves_like 'allows enumeration move params'
  end

  context 'custom fields' do
    it_behaves_like 'allows custom fields'
  end
end
describe '#wiki_page_rename' do
  # Rename params arrive under the 'page' key.
  let(:hash_key) { :page }
  let(:attribute) { :wiki_page_rename }

  context 'title' do
    let(:hash) do
      { 'title' => 'blubs' }
    end

    it_behaves_like 'allows params'
  end

  context 'redirect_existing_links' do
    let(:hash) do
      { 'redirect_existing_links' => '1' }
    end

    it_behaves_like 'allows params'
  end
end
# Page params are nested two levels deep: content => page => { ... }.
describe '#wiki_page' do
  let(:hash_key) { :content }
  let(:nested_key) { :page }
  let(:attribute) { :wiki_page }

  context 'title' do
    let(:hash) do
      { 'title' => 'blubs' }
    end

    it_behaves_like 'allows nested params'
  end

  context 'parent_id' do
    let(:hash) do
      { 'parent_id' => '1' }
    end

    it_behaves_like 'allows nested params'
  end

  context 'redirect_existing_links' do
    let(:hash) do
      { 'redirect_existing_links' => '1' }
    end

    it_behaves_like 'allows nested params'
  end
end
describe '#wiki_content' do
  let(:hash_key) { :content }
  let(:attribute) { :wiki_content }

  # Despite the group name this exercises the 'comments' key.
  context 'title' do
    let(:hash) do
      { 'comments' => 'blubs' }
    end

    it_behaves_like 'allows params'
  end

  context 'text' do
    let(:hash) do
      { 'text' => 'blubs' }
    end

    it_behaves_like 'allows params'
  end

  # lock_version is what optimistic locking compares against.
  context 'lock_version' do
    let(:hash) do
      { 'lock_version' => '1' }
    end

    it_behaves_like 'allows params'
  end
end
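# Only the roles of a membership are mass-assignable; the target user and
# project as well as timestamps must be rejected so a request cannot re-point
# a membership at another principal or project.
describe 'member' do
  let(:attribute) { :member }

  describe 'role_ids' do
    let(:hash) { { 'role_ids' => [] } }

    it_behaves_like 'forbids params'.then { 'allows params' }
  end

  describe 'user_id' do
    let(:hash) { { 'user_id' => 'blubs' } }

    it_behaves_like 'forbids params'
  end

  # Previously this group re-used the 'user_id' payload and therefore never
  # tested project_id at all.
  describe 'project_id' do
    let(:hash) { { 'project_id' => 'blubs' } }

    it_behaves_like 'forbids params'
  end

  describe 'created_at' do
    let(:hash) { { 'created_at' => 'blubs' } }

    it_behaves_like 'forbids params'
  end
end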
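describe '.add_permitted_attributes' do
  # The whitelist is class-level state shared by the whole suite, so snapshot
  # it deeply before each example and put it back afterwards. A shallow clone
  # would still share the per-key arrays with the live whitelist if the helper
  # ever mutates them in place.
  before do
    @original_permitted_attributes = PermittedParams.permitted_attributes.deep_dup
  end

  after do
    PermittedParams.instance_variable_set(:@whitelisted_params, @original_permitted_attributes)
  end

  describe 'with a known key' do
    let(:attribute) { :user }

    before do
      PermittedParams.send(:add_permitted_attributes, user: [:a_test_field])
    end

    context 'with an allowed parameter' do
      let(:hash) { { 'a_test_field' => 'a test value' } }

      it_behaves_like 'allows params'
    end

    # Extending the whitelist must not open it up for anything else.
    context 'with a disallowed parameter' do
      let(:hash) { { 'a_not_allowed_field' => 'a test value' } }

      it_behaves_like 'forbids params'
    end
  end

  describe 'with an unknown key' do
    let(:attribute) { :unknown_key }
    let(:hash) { { 'a_test_field' => 'a test value' } }

    before do
      # A message expectation set in `before` is verified after the example.
      expect(Rails.logger).not_to receive(:warn)
      PermittedParams.send(:add_permitted_attributes, unknown_key: [:a_test_field])
    end

    it 'permitted attributes should include the key' do
      expect(PermittedParams.permitted_attributes.keys).to include(:unknown_key)
    end
  end
end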
end