OpenProject is the leading open source project management software.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
openproject/spec/requests/api/v3/membership_resources_spec.rb

1052 lines
29 KiB

#-- copyright
# OpenProject is an open source project management software.
# Copyright (C) 2012-2021 the OpenProject GmbH
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License version 3.
#
# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
# Copyright (C) 2006-2013 Jean-Philippe Lang
# Copyright (C) 2010-2013 the ChiliProject Team
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
#
# See COPYRIGHT and LICENSE files for more details.
#++
require 'spec_helper'
require 'rack/test'
describe 'API v3 memberships resource', type: :request, content_type: :json do
include Rack::Test::Methods
include API::V3::Utilities::PathHelper
let(:current_user) do
FactoryBot.create(:user)
end
let(:admin) do
FactoryBot.create(:admin)
end
let(:own_member) do
FactoryBot.create(:member,
roles: [FactoryBot.create(:role, permissions: permissions)],
project: project,
user: current_user)
end
let(:permissions) { %i[view_members manage_members] }
let(:project) { FactoryBot.create(:project) }
let(:other_role) { FactoryBot.create(:role) }
let(:global_role) { FactoryBot.create(:global_role) }
let(:other_user) { FactoryBot.create(:user) }
let(:other_member) do
FactoryBot.create(:member,
roles: [other_role],
principal: other_user,
project: project)
end
let(:invisible_member) do
FactoryBot.create(:member,
roles: [FactoryBot.create(:role)])
end
let(:global_member) do
FactoryBot.create(:global_member,
roles: [global_role])
end
subject(:response) { last_response }
shared_examples_for 'sends mails' do
let(:expected_receivers) { defined?(receivers) ? receivers : [principal] }
it 'sends a mail to the principal of the member' do
expect(ActionMailer::Base.deliveries.size)
.to eql expected_receivers.length
expect(ActionMailer::Base.deliveries.map(&:to).flatten)
.to match_array expected_receivers.map(&:mail)
if defined?(custom_message)
expect(ActionMailer::Base.deliveries.map { |mail| mail.body.encoded })
.to all include(OpenProject::TextFormatting::Renderer.format_text(custom_message))
end
end
end
describe 'GET api/v3/memberships' do
let(:members) { [own_member, other_member, invisible_member, global_member] }
before do
members
login_as(current_user)
get path
end
let(:filters) { nil }
let(:path) { api_v3_paths.path_for(:memberships, filters: filters, sort_by: [%i(id asc)]) }
context 'without params' do
it 'responds 200 OK' do
expect(subject.status).to eq(200)
end
it 'returns a collection of memberships containing only the visible ones' do
expect(subject.body)
.to be_json_eql('Collection'.to_json)
.at_path('_type')
# the one membership stems from the membership the user has himself
expect(subject.body)
.to be_json_eql('2')
.at_path('total')
expect(subject.body)
.to be_json_eql(own_member.id.to_json)
.at_path('_embedded/elements/0/id')
expect(subject.body)
.to be_json_eql(other_member.id.to_json)
.at_path('_embedded/elements/1/id')
end
end
context 'as an admin' do
let(:current_user) { admin }
it 'returns a collection of memberships containing only the visible ones', :aggregate_failures do
expect(subject.status).to eq(200)
expect(subject.body)
.to be_json_eql('Collection'.to_json)
.at_path('_type')
# the one membership stems from the membership the user has himself
expect(subject.body)
.to be_json_eql('4')
.at_path('total')
expect(subject.body)
.to be_json_eql(own_member.id.to_json)
.at_path('_embedded/elements/0/id')
expect(subject.body)
.to be_json_eql(other_member.id.to_json)
.at_path('_embedded/elements/1/id')
expect(subject.body)
.to be_json_eql(invisible_member.id.to_json)
.at_path('_embedded/elements/2/id')
expect(subject.body)
.to be_json_eql(global_member.id.to_json)
.at_path('_embedded/elements/3/id')
end
end
context 'with pageSize, offset and sortBy' do
let(:path) { "#{api_v3_paths.path_for(:memberships, sort_by: [%i(id asc)])}&pageSize=1&offset=2" }
it 'returns a slice of the visible memberships' do
expect(subject.body)
.to be_json_eql('Collection'.to_json)
.at_path('_type')
expect(subject.body)
.to be_json_eql('2')
.at_path('total')
expect(subject.body)
.to be_json_eql('1')
.at_path('count')
expect(subject.body)
.to be_json_eql(other_member.id.to_json)
.at_path('_embedded/elements/0/id')
end
end
context 'with a group' do
let(:group) { FactoryBot.create(:group) }
let(:group_member) do
FactoryBot.create(:member,
roles: [FactoryBot.create(:role)],
project: project,
principal: group)
end
let(:members) { [own_member, group_member] }
it 'returns that group membership together with the rest of them' do
expect(subject.body)
.to be_json_eql('Collection'.to_json)
.at_path('_type')
expect(subject.body)
.to be_json_eql('2')
.at_path('total')
expect(subject.body)
.to be_json_eql(own_member.id.to_json)
.at_path('_embedded/elements/0/id')
expect(subject.body)
.to be_json_eql(group_member.id.to_json)
.at_path('_embedded/elements/1/id')
end
end
context 'with a placeholder_user' do
let(:placeholder_user) do
FactoryBot.create(:placeholder_user)
end
let(:placeholder_member) do
FactoryBot.create(:member,
roles: [FactoryBot.create(:role)],
project: project,
principal: placeholder_user)
end
let(:members) { [own_member, placeholder_member] }
it 'returns that placeholder user membership together with the rest of them' do
expect(subject.body)
.to be_json_eql('Collection'.to_json)
.at_path('_type')
expect(subject.body)
.to be_json_eql('2')
.at_path('total')
expect(subject.body)
.to be_json_eql(own_member.id.to_json)
.at_path('_embedded/elements/0/id')
expect(subject.body)
.to be_json_eql(placeholder_member.id.to_json)
.at_path('_embedded/elements/1/id')
end
end
context 'filtering by user name' do
let(:filters) do
[{ 'any_name_attribute' => {
'operator' => '~',
'values' => [other_member.principal.login]
} }]
end
it 'contains only the filtered member in the response' do
expect(subject.body)
.to be_json_eql('1')
.at_path('total')
expect(subject.body)
.to be_json_eql(other_member.id.to_json)
.at_path('_embedded/elements/0/id')
end
end
context 'filtering by project' do
let(:members) { [own_member, other_member, invisible_member, own_other_member] }
let(:own_other_member) do
FactoryBot.create(:member,
roles: [FactoryBot.create(:role, permissions: permissions)],
project: other_project,
user: current_user)
end
let(:other_project) { FactoryBot.create(:project) }
let(:filters) do
[{ 'project' => {
'operator' => '=',
'values' => [other_project.id]
} }]
end
it 'contains only the filtered memberships in the response' do
expect(subject.body)
.to be_json_eql('1')
.at_path('total')
expect(subject.body)
.to be_json_eql(own_other_member.id.to_json)
.at_path('_embedded/elements/0/id')
end
end
context 'filtering by principal' do
let(:group) { FactoryBot.create(:group) }
let(:group_member) do
FactoryBot.create(:member,
roles: [FactoryBot.create(:role)],
principal: group,
project: project)
end
let(:members) { [own_member, other_member, group_member, invisible_member] }
let(:filters) do
[{ 'principal' => {
'operator' => '=',
'values' => [group.id.to_s, current_user.id.to_s]
} }]
end
it 'contains only the filtered members in the response' do
expect(subject.body)
.to be_json_eql('2')
.at_path('total')
expect(subject.body)
.to be_json_eql(own_member.id.to_json)
.at_path('_embedded/elements/0/id')
expect(subject.body)
.to be_json_eql(group_member.id.to_json)
.at_path('_embedded/elements/1/id')
end
end
context 'with the outdated created_on sort by (renamed to created_at)' do
let(:path) { "#{api_v3_paths.path_for(:memberships, sort_by: [%i(created_on desc)])}&pageSize=1&offset=2" }
it 'is still supported and returns a slice of the visible memberships' do
expect(subject.body)
.to be_json_eql('Collection'.to_json)
.at_path('_type')
expect(subject.body)
.to be_json_eql('2')
.at_path('total')
expect(subject.body)
.to be_json_eql('1')
.at_path('count')
expect(subject.body)
.to be_json_eql(own_member.id.to_json)
.at_path('_embedded/elements/0/id')
end
end
context 'invalid filter' do
let(:members) { [own_member] }
let(:filters) do
[{ 'bogus' => {
'operator' => '=',
'values' => ['1']
} }]
end
it 'returns an error' do
expect(subject.status).to eq(400)
expect(subject.body)
.to be_json_eql('urn:openproject-org:api:v3:errors:InvalidQuery'.to_json)
.at_path('errorIdentifier')
end
end
context 'without permissions' do
let(:permissions) { [] }
it 'is empty' do
expect(subject.body)
.to be_json_eql('0')
.at_path('total')
end
end
end
describe 'POST api/v3/memberships' do
let(:path) { api_v3_paths.memberships }
let(:principal) { other_user }
let(:principal_path) { api_v3_paths.user(principal.id) }
let(:custom_message) { 'Wish you where **here**.' }
let(:body) do
{
_links: {
project: {
href: api_v3_paths.project(project.id)
},
principal: {
href: principal_path
},
roles: [
{
href: api_v3_paths.role(other_role.id)
}
]
},
_meta: {
notificationMessage: {
raw: custom_message
}
}
}.to_json
end
before do
own_member
login_as current_user
perform_enqueued_jobs do
post path, body
end
end
shared_examples_for 'successful member creation' do
let(:role) { defined?(expected_role) ? expected_role : other_role }
it 'responds with 201' do
expect(last_response.status).to eq(201)
end
it 'creates the member' do
expect(Member.find_by(user_id: principal.id, project: project))
.to be_present
end
it 'returns the newly created member' do
expect(last_response.body)
.to be_json_eql('Membership'.to_json)
.at_path('_type')
if project
expect(last_response.body)
.to be_json_eql(api_v3_paths.project(project.id).to_json)
.at_path('_links/project/href')
end
expect(last_response.body)
.to be_json_eql(principal_path.to_json)
.at_path('_links/principal/href')
expect(last_response.body)
.to have_json_size(1)
.at_path('_links/roles')
expect(last_response.body)
.to be_json_eql(api_v3_paths.role(role.id).to_json)
.at_path('_links/roles/0/href')
end
end
context 'for a user' do
it_behaves_like 'successful member creation'
it_behaves_like 'sends mails'
end
context 'for a group' do
let(:group) do
FactoryBot.create(:group, members: users)
end
let(:principal) { group }
let(:users) { [FactoryBot.create(:user), FactoryBot.create(:user)] }
let(:principal_path) { api_v3_paths.group(group.id) }
let(:body) do
{
_links: {
project: {
href: api_v3_paths.project(project.id)
},
principal: {
href: principal_path
},
roles: [
{
href: api_v3_paths.role(other_role.id)
}
]
},
_meta: {
notificationMessage: {
raw: custom_message
}
}
}.to_json
end
it_behaves_like 'successful member creation'
it_behaves_like 'sends mails' do
let(:receivers) { users }
end
it 'creates the memberships for the group members' do
users.each do |user|
expect(Member.find_by(user_id: user.id, project: project))
.to be_present
end
end
end
context 'for a placeholder user' do
let(:placeholder_user) { FactoryBot.create(:placeholder_user) }
let(:principal) { placeholder_user }
let(:principal_path) { api_v3_paths.placeholder_user(placeholder_user.id) }
let(:body) do
{
_links: {
project: {
href: api_v3_paths.project(project.id)
},
principal: {
href: principal_path
},
roles: [
{
href: api_v3_paths.role(other_role.id)
}
]
},
_meta: {
notificationMessage: {
raw: custom_message
}
}
}.to_json
end
it_behaves_like 'successful member creation'
it_behaves_like 'sends mails' do
let(:receivers) { [] }
end
end
context 'for a global membership' do
let(:expected_role) { global_role }
let(:body) do
{
_links: {
project: {
href: nil
},
principal: {
href: principal_path
},
roles: [
{
href: api_v3_paths.role(global_role.id)
}
]
},
_meta: {
notificationMessage: {
raw: custom_message
}
}
}.to_json
end
let(:project) { nil }
context 'as an admin' do
let(:current_user) { admin }
it_behaves_like 'successful member creation'
it_behaves_like 'sends mails'
end
context 'as a non admin' do
it 'responds with 422 and explains the error' do
expect(last_response.status).to eq(422)
expect(last_response.body)
.to be_json_eql("Project can't be blank.".to_json)
.at_path('message')
end
end
end
context 'if providing an already taken user' do
let(:body) do
{
_links: {
project: {
href: api_v3_paths.project(project.id)
},
principal: {
# invalid as the current_user is already member
href: api_v3_paths.user(current_user.id)
},
roles: [
{
href: api_v3_paths.role(other_role.id)
}
]
}
}.to_json
end
it 'responds with 422 and explains the error' do
expect(last_response.status).to eq(422)
expect(last_response.body)
.to be_json_eql("User has already been taken.".to_json)
.at_path('message')
end
end
context 'if providing erroneous hrefs' do
let(:body) do
{
_links: {
project: {
href: api_v3_paths.project(project.id)
},
principal: {
# role path instead of user
href: api_v3_paths.role(other_user.id)
},
roles: [
{
href: api_v3_paths.role(other_role.id)
}
]
}
}.to_json
end
it 'responds with 422 and explains the error' do
expect(last_response.status).to eq(422)
error_message = "For property 'user' a link like '/api/v3/groups/:id' or " +
"'/api/v3/users/:id' or '/api/v3/placeholder_users/:id' is expected, but got '#{api_v3_paths.role(other_user.id)}'."
expect(last_response.body)
.to be_json_eql(error_message.to_json)
.at_path('message')
end
end
context 'if providing no roles' do
let(:body) do
{
_links: {
project: {
href: api_v3_paths.project(project.id)
},
principal: {
href: principal_path
},
roles: []
}
}.to_json
end
it 'responds with 422 and explains the error' do
expect(last_response.status).to eq(422)
expect(last_response.body)
.to be_json_eql("Roles need to be assigned.".to_json)
.at_path('message')
end
end
context 'if lacking the manage permissions' do
let(:permissions) { [:view_members] }
it_behaves_like 'unauthorized access'
end
end
describe 'GET /api/v3/memberships/:id' do
let(:path) { api_v3_paths.membership(other_member.id) }
let(:members) { [own_member, other_member] }
before do
members
login_as(current_user)
get path
end
it 'returns 200 OK' do
expect(subject.status)
.to eql(200)
end
it 'returns the member' do
expect(subject.body)
.to be_json_eql('Membership'.to_json)
.at_path('_type')
expect(subject.body)
.to be_json_eql(other_member.id.to_json)
.at_path('id')
end
context 'if querying an invisible member' do
let(:path) { api_v3_paths.membership(invisible_member.id) }
let(:members) { [own_member, invisible_member] }
it 'returns 404 NOT FOUND' do
expect(subject.status)
.to eql(404)
end
end
context 'without the necessary permissions' do
let(:permissions) { [] }
it 'returns 404 NOT FOUND' do
expect(subject.status)
.to eql(404)
end
end
end
describe 'PATCH api/v3/memberships/:id' do
let(:path) { api_v3_paths.membership(other_member.id) }
let(:another_role) { FactoryBot.create(:role) }
let(:custom_message) { 'Wish you where **here**.' }
let(:body) do
{
_links: {
"roles": [
{
href: api_v3_paths.role(another_role.id)
}
]
},
_meta: {
notificationMessage: {
raw: custom_message
}
}
}.to_json
end
let(:members) { [own_member, other_member] }
let!(:other_member_updated_at) { other_member.updated_at }
before do
members
login_as current_user
perform_enqueued_jobs do
patch path, body
end
end
context 'for a user' do
it 'responds with 200' do
expect(last_response.status).to eq(200)
end
it 'updates the member' do
other_member.reload
expect(other_member.roles)
.to match_array [another_role]
# Assigning a new role also updates the member
expect(other_member.updated_at > other_member_updated_at)
.to be_truthy
end
it 'returns the updated membership' do
expect(last_response.body)
.to be_json_eql('Membership'.to_json)
.at_path('_type')
expect(last_response.body)
.to be_json_eql([{ href: api_v3_paths.role(another_role.id), title: another_role.name }].to_json)
.at_path('_links/roles')
# unchanged
expect(last_response.body)
.to be_json_eql(project.name.to_json)
.at_path('_links/project/title')
expect(last_response.body)
.to be_json_eql(other_user.name.to_json)
.at_path('_links/principal/title')
end
it_behaves_like 'sends mails' do
let(:receivers) { [other_member.principal] }
end
end
context 'with a group' do
let(:group) do
FactoryBot.create(:group, member_in_project: project, member_through_role: other_role, members: users)
end
let(:principal) { group }
let(:users) { [FactoryBot.create(:user), FactoryBot.create(:user)] }
let(:other_member) do
Member.find_by(principal: group).tap do |m|
# Behaves as if the user had that role before the role's membership was created.
# Because the user had the role independent of the group, it is not to be removed.
user_member = Member.find_by(principal: users.first)
MemberRole
.where(member_id: user_member.id)
.update_all(inherited_from: nil)
# The user also had the newly assigned role before. The membership should therefore remain unchanged.
user_member.member_roles.create(role_id: another_role.id)
first_user_member_updated_at
last_user_member_updated_at
end
end
let(:first_user_member_updated_at) { Member.find_by(principal: users.first).updated_at }
let(:last_user_member_updated_at) { Member.find_by(principal: users.last).updated_at }
it 'responds with 200' do
expect(last_response.status).to eq(200)
end
it 'updates the member and all inherited members but does not update memberships users have already had' do
expect(other_member.reload.roles)
.to match_array [another_role]
expect(other_member.updated_at > other_member_updated_at)
.to be_truthy
last_user_member = Member.find_by(principal: users.last)
expect(last_user_member.roles)
.to match_array [another_role]
expect(last_user_member.updated_at > last_user_member_updated_at)
.to be_truthy
first_user_member = Member.find_by(principal: users.first)
expect(first_user_member.roles.uniq)
.to match_array [other_role, another_role]
expect(first_user_member.updated_at)
.to eql first_user_member_updated_at
end
it 'returns the updated membership' do
expect(last_response.body)
.to be_json_eql('Membership'.to_json)
.at_path('_type')
expect(last_response.body)
.to be_json_eql([{ href: api_v3_paths.role(another_role.id), title: another_role.name }].to_json)
.at_path('_links/roles')
# unchanged
expect(last_response.body)
.to be_json_eql(project.name.to_json)
.at_path('_links/project/title')
expect(last_response.body)
.to be_json_eql(group.name.to_json)
.at_path('_links/principal/title')
end
it_behaves_like 'sends mails' do
# Only sends to the second user since the first user's membership is unchanged
let(:receivers) { [users.last] }
end
end
context 'if attempting to empty the roles' do
let(:body) do
{
_links: {
"roles": []
}
}.to_json
end
it 'returns 422' do
expect(last_response.status)
.to eql(422)
expect(last_response.body)
.to be_json_eql("Roles need to be assigned.".to_json)
.at_path('message')
end
end
context 'if attempting to assign unassignable roles' do
let(:anonymous_role) { FactoryBot.create(:anonymous_role) }
let(:body) do
{
_links: {
"roles": [
{
href: api_v3_paths.role(anonymous_role.id)
}
]
}
}.to_json
end
it 'returns 422' do
expect(last_response.status)
.to eql(422)
expect(last_response.body)
.to be_json_eql("Roles has an unassignable role.".to_json)
.at_path('message')
end
end
context 'when attempting to switch the project' do
let(:other_project) do
FactoryBot.create(:project).tap do |p|
FactoryBot.create(:member,
project: p,
roles: [FactoryBot.create(:role, permissions: [:manage_members])],
user: current_user)
end
end
let(:body) do
{
_links: {
"project": {
"href": api_v3_paths.project(other_project.id)
}
}
}.to_json
end
it_behaves_like 'read-only violation', 'project', Member
end
context 'if attempting to switch the principal' do
let(:another_user) do
FactoryBot.create(:user)
end
let(:body) do
{
_links: {
"principal": {
"href": api_v3_paths.user(another_user.id)
}
}
}.to_json
end
it_behaves_like 'read-only violation', 'user', Member
end
context 'if lacking the manage permissions' do
let(:permissions) { [:view_members] }
it_behaves_like 'unauthorized access'
end
context 'if lacking the view permissions' do
let(:permissions) { [] }
it_behaves_like 'not found'
end
end
describe 'DELETE /api/v3/memberships/:id' do
let(:path) { api_v3_paths.membership(other_member.id) }
let(:members) { [own_member, other_member] }
before do
members
login_as current_user
perform_enqueued_jobs do
delete path
end
end
subject { last_response }
context 'with required permissions' do
it 'responds with HTTP No Content' do
expect(subject.status).to eq 204
end
it 'deletes the member' do
expect(Member.exists?(other_member.id)).to be_falsey
end
context 'for a non-existent version' do
let(:path) { api_v3_paths.membership 1337 }
it_behaves_like 'not found'
end
end
context 'with a group' do
let(:group) do
FactoryBot.create(:group, member_in_project: project, member_through_role: other_role, members: users)
end
let(:principal) { group }
let(:users) { [FactoryBot.create(:user), FactoryBot.create(:user)] }
let(:another_role) { FactoryBot.create(:role) }
let(:other_member) do
Member.find_by(principal: group).tap do
# Behaves as if the user had a role before the role's membership was created.
# Because the user had the role independent of the group, it is not to be removed.
user_member = Member.find_by(principal: users.first)
# The user also had the newly assigned role before. The membership should therefore remain unchanged.
user_member.member_roles.create(role_id: another_role.id)
first_user_member_updated_at
end
end
let(:first_user_member_updated_at) { Member.find_by(principal: users.first).updated_at }
it 'responds with HTTP No Content' do
expect(subject.status).to eq 204
end
it 'deletes the member but does not remove the previously assigned role' do
expect(Member.exists?(other_member.id)).to be_falsey
expect(Member.where(principal: users.last)).not_to be_exists
first_user_member = Member.find_by(principal: users.first)
expect(first_user_member.roles)
.to match_array [another_role]
expect(first_user_member.updated_at > first_user_member_updated_at)
.to be_truthy
end
it_behaves_like 'sends mails' do
# Only sends to the user who's membership only got updated, not removed
let(:receivers) { [users.first] }
end
end
context 'without permission to delete members' do
let(:permissions) { [:view_members] }
it_behaves_like 'unauthorized access'
it 'does not delete the member' do
expect(Member.exists?(other_member.id)).to be_truthy
end
end
end
end