TheDude
/
openproject
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
OpenProject is the leading open source project management software.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
58536 Commits
139 Branches
203 Tags
1.2 GiB
Tag: Branch: Tree: 8944c70ced
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '8944c70ced'
${ noResults }
openproject/spec/requests/api/v3/user/user_resource_spec.rb

344 lines
9.2 KiB
Raw Normal View History Unescape

Add/update Copyright headers in specs [ci skip] Signed-off-by: Alex Coles <alex@alexbcoles.com>
10 years ago
#-- copyright
Update copyright notice
5 years ago
# OpenProject is an open source project management software.
update copyright to 2021 (#8925) Updates the copyright to 2021 for all files that have a copyright. Files in our source code without the copyright header still do not receive one automatically. Additionally, backlisted files are also excluded. Previously the copyright of chiliproject which references redmine stated a copyright of redmine up to and including 2017 which is not true for the code we have in here. Because of that I changed that to 2013
4 years ago
# Copyright (C) 2012-2021 the OpenProject GmbH
Add/update Copyright headers in specs [ci skip] Signed-off-by: Alex Coles <alex@alexbcoles.com>
10 years ago
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License version 3.
#
# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
update copyright to 2021 (#8925) Updates the copyright to 2021 for all files that have a copyright. Files in our source code without the copyright header still do not receive one automatically. Additionally, backlisted files are also excluded. Previously the copyright of chiliproject which references redmine stated a copyright of redmine up to and including 2017 which is not true for the code we have in here. Because of that I changed that to 2013
4 years ago
# Copyright (C) 2006-2013 Jean-Philippe Lang
Add/update Copyright headers in specs [ci skip] Signed-off-by: Alex Coles <alex@alexbcoles.com>
10 years ago
# Copyright (C) 2010-2013 the ChiliProject Team
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
#
Bump copyright to 2018 (#6171) [ci skip]
7 years ago
# See docs/COPYRIGHT.rdoc for more details.
Add/update Copyright headers in specs [ci skip] Signed-off-by: Alex Coles <alex@alexbcoles.com>
10 years ago
#++
Added spec for user API resource
10 years ago
require 'spec_helper'
require 'rack/test'
Use AnyFixtures to generate fixtures from factories (#7230) Uses FactoryBot to keep and maintain specific records in a special transaction that does not get removed after each spec. They automatically are created whenever first hitting them. This makes an excellent time saver for items that are commonly used, such as an admin user account
5 years ago
describe 'API v3 User resource',
type: :request,
Remove usages of AnyFixture (#8987) AnyFixture will create once instance of a factory for reuse in a number of specs. This will work fine until we require a clean slate for a specific example. As we have numerous tests that test like the database is empty, we get a number of disadvantages: - After an example with `with_clean_fixture` metadata, the fixture will only be regenerated after the next example that uses it. This means the order of execution will change the number of objects in the DB. - The more `with_clean_fixture` we have, the smaller the performance advantage of AnyFixture will result in. - You cannot use an AnyFixture in a spec that needs a clean slate. This should be obvious but was overlooked by myself.
4 years ago
content_type: :json do
Added spec for user API resource
10 years ago
include Rack::Test::Methods
use path helper in integration tests this should help in avoiding broken links with passing integration tests... after all, the only links a client should use are the ones provided by us, so they should work as intended...
10 years ago
include API::V3::Utilities::PathHelper
Added spec for user API resource
10 years ago
FactoryGirl => FactoryBot Removes the deprecation
7 years ago
let(:current_user) { FactoryBot.create(:user) }
let(:user) { FactoryBot.create(:user) }
prevent access to user api for locked admins
6 years ago
let(:admin) { FactoryBot.create(:admin) }
Placeholder user project members (#8961) * remove intermediate placeholder scope Doing so, placeholder users will begin to show up in the system * remove scope without value * extract scope * use enum for status * allow placeholder users to become project members * display placeholder user member on members widget * remove now superfluous method The status name can simply be queried via #status now * replace possible_assignees/responsibles on project This also leads to placeholder users becoming eligible as assignees and responsibles. * fix aggregated scope on bulk edit * linting * remove IssueHelper
4 years ago
let(:locked_admin) { FactoryBot.create :admin, status: Principal.statuses[:locked] }
[35507] Allow global permission to add and edit users (#8937) * Add global permission for add_user * Rename fieldset for global roles to "Global" * Add permission to admin actions * Add index action to add_user permission * Redirect to first admin item if only one * Hide status action for non admins * Break down user form into partials for easier rendering * Disable some user form tabs for non-admins * Make users API and services conformant with endpoints * Fix references to DeleteService#deletion_allowed? * Authorize add_user on show as well * Only show invite user toolbar item with permission * Fix Delete Service spec * Fix the way user prefs are handled in service * Ensure session_id is treated as string This causes a cast error otherwise as it passes rack session locally * Fix service call on onboarding controller * Fix service call on users controller * Add delete spec for global user * Hide login attribute again when adding a new user * Render auth source correctly in simple form * Fix creating invited users through service The invitation requires the mail attribute to be present. Previously, there was a manual error added to the mail. As the errors are now determined by the contract + model, we now end up with all missing properties as errors. * Properly constraint attributes for non-admins * Add specs for global user * Start working on how to update password from UsersController that code is a mess... * Change permitted_params spec to include non-admin params * Fix create user service spec * Remove mail_notification param from users controller It's not part of the contract/params passed to user * Remove todos * Extend docs * Correct the way backlogs patches into the user settings * Remove superfluous UpdateUserService * Rewrite duplicated update service examples into common shared example * Remove duplicate password writable check * Base Users::DeleteContract on base delete contract * Move checks for active users into the UserAllowedService * Restore password writable check as it is not an attribute * Fix menus for global user * Allow global users to add custom fields * Allow global user add permission to reinvite user * Fix changed var name in update service spec * Ensure also invited or registered users can be authroized This ensure that e.g., invited users can also be set as watchers * fix typo Co-authored-by: ulferts <jens.ulferts@googlemail.com>
4 years ago
let(:user_with_global_add_user) do
Remove usages of AnyFixture (#8987) AnyFixture will create once instance of a factory for reuse in a number of specs. This will work fine until we require a clean slate for a specific example. As we have numerous tests that test like the database is empty, we get a number of disadvantages: - After an example with `with_clean_fixture` metadata, the fixture will only be regenerated after the next example that uses it. This means the order of execution will change the number of objects in the DB. - The more `with_clean_fixture` we have, the smaller the performance advantage of AnyFixture will result in. - You cannot use an AnyFixture in a spec that needs a clean slate. This should be obvious but was overlooked by myself.
4 years ago
FactoryBot.create :user, firstname: 'Global', lastname: 'User', global_permission: :add_user
[35507] Allow global permission to add and edit users (#8937) * Add global permission for add_user * Rename fieldset for global roles to "Global" * Add permission to admin actions * Add index action to add_user permission * Redirect to first admin item if only one * Hide status action for non admins * Break down user form into partials for easier rendering * Disable some user form tabs for non-admins * Make users API and services conformant with endpoints * Fix references to DeleteService#deletion_allowed? * Authorize add_user on show as well * Only show invite user toolbar item with permission * Fix Delete Service spec * Fix the way user prefs are handled in service * Ensure session_id is treated as string This causes a cast error otherwise as it passes rack session locally * Fix service call on onboarding controller * Fix service call on users controller * Add delete spec for global user * Hide login attribute again when adding a new user * Render auth source correctly in simple form * Fix creating invited users through service The invitation requires the mail attribute to be present. Previously, there was a manual error added to the mail. As the errors are now determined by the contract + model, we now end up with all missing properties as errors. * Properly constraint attributes for non-admins * Add specs for global user * Start working on how to update password from UsersController that code is a mess... * Change permitted_params spec to include non-admin params * Fix create user service spec * Remove mail_notification param from users controller It's not part of the contract/params passed to user * Remove todos * Extend docs * Correct the way backlogs patches into the user settings * Remove superfluous UpdateUserService * Rewrite duplicated update service examples into common shared example * Remove duplicate password writable check * Base Users::DeleteContract on base delete contract * Move checks for active users into the UserAllowedService * Restore password writable check as it is not an attribute * Fix menus for global user * Allow global users to add custom fields * Allow global user add permission to reinvite user * Fix changed var name in update service spec * Ensure also invited or registered users can be authroized This ensure that e.g., invited users can also be set as watchers * fix typo Co-authored-by: ulferts <jens.ulferts@googlemail.com>
4 years ago
end
Added spec for user API resource
10 years ago
add basic GET api/v3/users
8 years ago
subject(:response) { last_response }
prevent access to user api for locked admins
6 years ago
before do
Fix/duplicate work packages across pages (#8651) * deprecated method * remove apparently unused methods * append id desc sorting to work packages * enforce sorting is applied in query results * ensure deterministic order in base query
4 years ago
login_as(current_user)
prevent access to user api for locked admins
6 years ago
end
add basic GET api/v3/users
8 years ago
describe '#index' do
ensure order in spec
5 years ago
let(:get_path) { api_v3_paths.path_for(:users, sort_by: [%i[id asc]]) }
add basic GET api/v3/users
8 years ago
before do
user
get get_path
end
[35507] Allow global permission to add and edit users (#8937) * Add global permission for add_user * Rename fieldset for global roles to "Global" * Add permission to admin actions * Add index action to add_user permission * Redirect to first admin item if only one * Hide status action for non admins * Break down user form into partials for easier rendering * Disable some user form tabs for non-admins * Make users API and services conformant with endpoints * Fix references to DeleteService#deletion_allowed? * Authorize add_user on show as well * Only show invite user toolbar item with permission * Fix Delete Service spec * Fix the way user prefs are handled in service * Ensure session_id is treated as string This causes a cast error otherwise as it passes rack session locally * Fix service call on onboarding controller * Fix service call on users controller * Add delete spec for global user * Hide login attribute again when adding a new user * Render auth source correctly in simple form * Fix creating invited users through service The invitation requires the mail attribute to be present. Previously, there was a manual error added to the mail. As the errors are now determined by the contract + model, we now end up with all missing properties as errors. * Properly constraint attributes for non-admins * Add specs for global user * Start working on how to update password from UsersController that code is a mess... * Change permitted_params spec to include non-admin params * Fix create user service spec * Remove mail_notification param from users controller It's not part of the contract/params passed to user * Remove todos * Extend docs * Correct the way backlogs patches into the user settings * Remove superfluous UpdateUserService * Rewrite duplicated update service examples into common shared example * Remove duplicate password writable check * Base Users::DeleteContract on base delete contract * Move checks for active users into the UserAllowedService * Restore password writable check as it is not an attribute * Fix menus for global user * Allow global users to add custom fields * Allow global user add permission to reinvite user * Fix changed var name in update service spec * Ensure also invited or registered users can be authroized This ensure that e.g., invited users can also be set as watchers * fix typo Co-authored-by: ulferts <jens.ulferts@googlemail.com>
4 years ago
shared_examples 'flow with permitted user' do
add basic GET api/v3/users
8 years ago
it 'should respond with 200' do
expect(subject.status).to eq(200)
end
# note that the order of the users is depending on the id
# meaning the order in which they where saved
it 'contains the user in the response' do
expect(subject.body)
prevent access to user api for locked admins
6 years ago
.to be_json_eql(current_user.name.to_json)
delay all jobs
5 years ago
.at_path('_embedded/elements/0/name')
add basic GET api/v3/users
8 years ago
end
Added spec for user API resource
10 years ago
add basic GET api/v3/users
8 years ago
it 'contains the current user in the response' do
expect(subject.body)
prevent access to user api for locked admins
6 years ago
.to be_json_eql(user.name.to_json)
delay all jobs
5 years ago
.at_path('_embedded/elements/1/name')
add basic GET api/v3/users
8 years ago
end
it 'has the users index path for link self href' do
expect(subject.body)
support perPage and offset on users index
8 years ago
.to be_json_eql((api_v3_paths.users + '?offset=1&pageSize=30').to_json)
delay all jobs
5 years ago
.at_path('_links/self/href')
add basic GET api/v3/users
8 years ago
end
support perPage and offset on users index
8 years ago
context 'if pageSize = 1 and offset = 2' do
let(:get_path) { api_v3_paths.users + '?pageSize=1&offset=2' }
it 'contains the current user in the response' do
expect(subject.body)
Fix/duplicate work packages across pages (#8651) * deprecated method * remove apparently unused methods * append id desc sorting to work packages * enforce sorting is applied in query results * ensure deterministic order in base query
4 years ago
.to be_json_eql(current_user.name.to_json)
delay all jobs
5 years ago
.at_path('_embedded/elements/0/name')
support perPage and offset on users index
8 years ago
end
end
add user query and enabled it in the users api
8 years ago
context 'on filtering for name' do
let(:get_path) do
safe automatic fixes by rubocop (#8994)
4 years ago
filter = [{ 'name' => {
add user query and enabled it in the users api
8 years ago
'operator' => '~',
'values' => [user.name]
safe automatic fixes by rubocop (#8994)
4 years ago
} }]
add user query and enabled it in the users api
8 years ago
safe automatic fixes by rubocop (#8994)
4 years ago
"#{api_v3_paths.users}?#{{ filters: filter.to_json }.to_query}"
add user query and enabled it in the users api
8 years ago
end
it 'contains the filtered user in the response' do
expect(subject.body)
.to be_json_eql(user.name.to_json)
delay all jobs
5 years ago
.at_path('_embedded/elements/0/name')
add user query and enabled it in the users api
8 years ago
end
it 'contains no more users' do
expect(subject.body)
.to be_json_eql(1.to_json)
delay all jobs
5 years ago
.at_path('total')
add user query and enabled it in the users api
8 years ago
end
end
context 'on sorting' do
let(:users_by_name_order) do
[36136] Rework members page to show name and avatars for principals (#8973) * Rewrite members page to output name column * Remove white-space nowrap for long login names in administration * Extend member specs * Allow query instance to be used in table cell * Fix memberships specs with changed columns * Add order for email * Review feedback * Allow x to close add member form * WIP sort firstname/lastname * Make status sortable * Extract order_by_name into the order class * Re-add but deprecate order_by_name It's still in use in combination with some special scopes (custom actions for example) that I don't want to remove right now * Rewrite order_by_name into scope
4 years ago
User.human.ordered_by_name(desc: true)
add user query and enabled it in the users api
8 years ago
end
let(:get_path) do
sort = [['name', 'desc']]
safe automatic fixes by rubocop (#8994)
4 years ago
"#{api_v3_paths.users}?#{{ sortBy: sort.to_json }.to_query}"
add user query and enabled it in the users api
8 years ago
end
it 'contains the first user as the first element' do
expect(subject.body)
.to be_json_eql(users_by_name_order[0].name.to_json)
delay all jobs
5 years ago
.at_path('_embedded/elements/0/name')
add user query and enabled it in the users api
8 years ago
end
it 'contains the first user as the second element' do
expect(subject.body)
.to be_json_eql(users_by_name_order[1].name.to_json)
delay all jobs
5 years ago
.at_path('_embedded/elements/1/name')
add user query and enabled it in the users api
8 years ago
end
end
context 'on an invalid filter' do
let(:get_path) do
safe automatic fixes by rubocop (#8994)
4 years ago
filter = [{ 'name' => {
add user query and enabled it in the users api
8 years ago
'operator' => 'a',
'values' => [user.name]
safe automatic fixes by rubocop (#8994)
4 years ago
} }]
add user query and enabled it in the users api
8 years ago
safe automatic fixes by rubocop (#8994)
4 years ago
"#{api_v3_paths.users}?#{{ filters: filter.to_json }.to_query}"
add user query and enabled it in the users api
8 years ago
end
it 'returns an error' do
expect(subject.status).to eql(400)
end
end
add basic GET api/v3/users
8 years ago
end
[35507] Allow global permission to add and edit users (#8937) * Add global permission for add_user * Rename fieldset for global roles to "Global" * Add permission to admin actions * Add index action to add_user permission * Redirect to first admin item if only one * Hide status action for non admins * Break down user form into partials for easier rendering * Disable some user form tabs for non-admins * Make users API and services conformant with endpoints * Fix references to DeleteService#deletion_allowed? * Authorize add_user on show as well * Only show invite user toolbar item with permission * Fix Delete Service spec * Fix the way user prefs are handled in service * Ensure session_id is treated as string This causes a cast error otherwise as it passes rack session locally * Fix service call on onboarding controller * Fix service call on users controller * Add delete spec for global user * Hide login attribute again when adding a new user * Render auth source correctly in simple form * Fix creating invited users through service The invitation requires the mail attribute to be present. Previously, there was a manual error added to the mail. As the errors are now determined by the contract + model, we now end up with all missing properties as errors. * Properly constraint attributes for non-admins * Add specs for global user * Start working on how to update password from UsersController that code is a mess... * Change permitted_params spec to include non-admin params * Fix create user service spec * Remove mail_notification param from users controller It's not part of the contract/params passed to user * Remove todos * Extend docs * Correct the way backlogs patches into the user settings * Remove superfluous UpdateUserService * Rewrite duplicated update service examples into common shared example * Remove duplicate password writable check * Base Users::DeleteContract on base delete contract * Move checks for active users into the UserAllowedService * Restore password writable check as it is not an attribute * Fix menus for global user * Allow global users to add custom fields * Allow global user add permission to reinvite user * Fix changed var name in update service spec * Ensure also invited or registered users can be authroized This ensure that e.g., invited users can also be set as watchers * fix typo Co-authored-by: ulferts <jens.ulferts@googlemail.com>
4 years ago
context 'admin' do
let(:current_user) { admin }
it_behaves_like 'flow with permitted user'
end
context 'user with global add_user permission' do
let(:current_user) { user_with_global_add_user }
it_behaves_like 'flow with permitted user'
end
prevent access to user api for locked admins
6 years ago
context 'locked admin' do
let(:current_user) { locked_admin }
it_behaves_like 'unauthorized access'
end
add basic GET api/v3/users
8 years ago
context 'other user' do
prevent access to user api for locked admins
6 years ago
it_behaves_like 'unauthorized access'
add basic GET api/v3/users
8 years ago
end
end
describe '#get' do
prevent access to user api for locked admins
6 years ago
let(:get_path) { api_v3_paths.user user.id }
before do
get get_path
end
Added spec for user API resource
10 years ago
prevent access to user api for locked admins
6 years ago
context 'logged in user' do
Added spec for user API resource
10 years ago
it 'should respond with 200' do
expect(subject.status).to eq(200)
end
add basic GET api/v3/users
8 years ago
it 'should respond with correct body' do
Stoped using representers in API resource specs
10 years ago
expect(subject.body).to be_json_eql(user.name.to_json).at_path('name')
Added spec for user API resource
10 years ago
end
context 'requesting nonexistent user' do
use path helper in integration tests this should help in avoiding broken links with passing integration tests... after all, the only links a client should use are the ones provided by us, so they should work as intended...
10 years ago
let(:get_path) { api_v3_paths.user 9999 }
Added spec for user API resource
10 years ago
avoid explicit ids in spec
10 years ago
it_behaves_like 'not found' do
let(:id) { 9999 }
let(:type) { 'User' }
end
Added spec for user API resource
10 years ago
end
[26069] Allow passing of me-value link for principal filters again The 'me' value is currently automatically normalized to the current user, making it impossible to store queries that reference the current user whenever accessing the query as before.
7 years ago
context 'requesting current user' do
let(:get_path) { api_v3_paths.user 'me' }
it 'should response with 200' do
expect(subject.status).to eq(200)
expect(subject.body).to be_json_eql(user.name.to_json).at_path('name')
end
end
Added spec for user API resource
10 years ago
end
Allow users to be uniquely identified by login
8 years ago
context 'get with login' do
let(:get_path) { api_v3_paths.user user.login }
it 'should respond with 200' do
expect(subject.status).to eq(200)
end
it 'should respond with correct body' do
expect(subject.body).to be_json_eql(user.name.to_json).at_path('name')
end
end
migrate APIv3 to aggregated journals - turns out agrgegated journals needed more features - turns out specs were incomplete and bogus
9 years ago
it_behaves_like 'handling anonymous user' do
let(:path) { api_v3_paths.user user.id }
Added spec for user API resource
10 years ago
end
end
API v3 delete user
10 years ago
describe '#delete' do
use path helper in integration tests this should help in avoiding broken links with passing integration tests... after all, the only links a client should use are the ones provided by us, so they should work as intended...
10 years ago
let(:path) { api_v3_paths.user user.id }
API v3 delete user
10 years ago
let(:admin_delete) { true }
let(:self_delete) { true }
before do
allow(Setting).to receive(:users_deletable_by_admins?).and_return(admin_delete)
allow(Setting).to receive(:users_deletable_by_self?).and_return(self_delete)
delete path
Rewrite jobs to use ActiveJob syntax
5 years ago
user.reload
API v3 delete user
10 years ago
end
prevent access to user api for locked admins
6 years ago
shared_examples 'deletion allowed' do
API v3 delete user
10 years ago
it 'should respond with 202' do
expect(subject.status).to eq 202
end
Rewrite jobs to use ActiveJob syntax
5 years ago
it 'should lock the account and mark for deletion' do
[36238] Extract and fix user references in other objects (#9007) * Move replacing invalid references into separate job for principals * Write migration to remove existing invalid custom values and responsible * Fix other specs * Fix other specs * rewrite replacing user in records * consolidate principal deletion * include placeholder users in spec Co-authored-by: ulferts <jens.ulferts@googlemail.com>
4 years ago
expect(Principals::DeleteJob)
Rewrite jobs to use ActiveJob syntax
5 years ago
.to have_been_enqueued
.with(user)
expect(user).to be_locked
API v3 delete user
10 years ago
end
context 'with a non-existent user' do
use path helper in integration tests this should help in avoiding broken links with passing integration tests... after all, the only links a client should use are the ones provided by us, so they should work as intended...
10 years ago
let(:path) { api_v3_paths.user 1337 }
API v3 delete user
10 years ago
avoid explicit ids in spec
10 years ago
it_behaves_like 'not found' do
let(:id) { 1337 }
let(:type) { 'User' }
end
API v3 delete user
10 years ago
end
end
shared_examples 'deletion is not allowed' do
it 'should respond with 403' do
expect(subject.status).to eq 403
end
it 'should not delete the user' do
Convert specs to RSpec 3.2.0 syntax with Transpec This conversion is done by Transpec 3.0.7 with the following command: transpec -f * 34 conversions from: it { should ... } to: it { is_expected.to ... } * 14 conversions from: obj.stub_chain(:message1, :message2) to: allow(obj).to receive_message_chain(:message1, :message2) * 7 conversions from: obj.stub(:message) to: allow(obj).to receive(:message) * 4 conversions from: be_true to: be_truthy * 3 conversions from: obj.should_receive(:message) to: expect(obj).to receive(:message) * 2 conversions from: failure_message_for_should { } to: failure_message { } * 2 conversions from: failure_message_for_should_not { } to: failure_message_when_negated { } * 1 conversion from: Klass.any_instance.stub(:message => value) to: allow_any_instance_of(Klass).to receive_messages(:message => value) * 1 conversion from: be_false to: be_falsey * 1 conversion from: obj.should_not_receive(:message) to: expect(obj).not_to receive(:message) * 1 conversion from: stub('something') to: double('something') * 1 addition of: RSpec.configure { |c| c.infer_spec_type_from_file_location! } For more details: https://github.com/yujinakayama/transpec#supported-conversions
10 years ago
expect(User.exists?(user.id)).to be_truthy
API v3 delete user
10 years ago
end
end
context 'as admin' do
prevent access to user api for locked admins
6 years ago
let(:current_user) { admin }
API v3 delete user
10 years ago
context 'with users deletable by admins' do
let(:admin_delete) { true }
prevent access to user api for locked admins
6 years ago
it_behaves_like 'deletion allowed'
API v3 delete user
10 years ago
end
context 'with users not deletable by admins' do
let(:admin_delete) { false }
it_behaves_like 'deletion is not allowed'
end
end
prevent access to user api for locked admins
6 years ago
context 'as locked admin' do
let(:current_user) { locked_admin }
it_behaves_like 'deletion is not allowed'
end
API v3 delete user
10 years ago
context 'as non-admin' do
FactoryGirl => FactoryBot Removes the deprecation
7 years ago
let(:current_user) { FactoryBot.create :user, admin: false }
API v3 delete user
10 years ago
it_behaves_like 'deletion is not allowed'
end
[35507] Allow global permission to add and edit users (#8937) * Add global permission for add_user * Rename fieldset for global roles to "Global" * Add permission to admin actions * Add index action to add_user permission * Redirect to first admin item if only one * Hide status action for non admins * Break down user form into partials for easier rendering * Disable some user form tabs for non-admins * Make users API and services conformant with endpoints * Fix references to DeleteService#deletion_allowed? * Authorize add_user on show as well * Only show invite user toolbar item with permission * Fix Delete Service spec * Fix the way user prefs are handled in service * Ensure session_id is treated as string This causes a cast error otherwise as it passes rack session locally * Fix service call on onboarding controller * Fix service call on users controller * Add delete spec for global user * Hide login attribute again when adding a new user * Render auth source correctly in simple form * Fix creating invited users through service The invitation requires the mail attribute to be present. Previously, there was a manual error added to the mail. As the errors are now determined by the contract + model, we now end up with all missing properties as errors. * Properly constraint attributes for non-admins * Add specs for global user * Start working on how to update password from UsersController that code is a mess... * Change permitted_params spec to include non-admin params * Fix create user service spec * Remove mail_notification param from users controller It's not part of the contract/params passed to user * Remove todos * Extend docs * Correct the way backlogs patches into the user settings * Remove superfluous UpdateUserService * Rewrite duplicated update service examples into common shared example * Remove duplicate password writable check * Base Users::DeleteContract on base delete contract * Move checks for active users into the UserAllowedService * Restore password writable check as it is not an attribute * Fix menus for global user * Allow global users to add custom fields * Allow global user add permission to reinvite user * Fix changed var name in update service spec * Ensure also invited or registered users can be authroized This ensure that e.g., invited users can also be set as watchers * fix typo Co-authored-by: ulferts <jens.ulferts@googlemail.com>
4 years ago
context 'as user with add_user permission' do
let(:current_user) { user_with_global_add_user }
it_behaves_like 'deletion is not allowed'
end
API v3 delete user
10 years ago
context 'as self' do
let(:current_user) { user }
context 'with self-deletion allowed' do
let(:self_delete) { true }
prevent access to user api for locked admins
6 years ago
it_behaves_like 'deletion allowed'
API v3 delete user
10 years ago
end
context 'with self-deletion not allowed' do
let(:self_delete) { false }
it_behaves_like 'deletion is not allowed'
end
end
context 'as anonymous user' do
FactoryGirl => FactoryBot Removes the deprecation
7 years ago
let(:current_user) { FactoryBot.create :anonymous }
API v3 delete user
10 years ago
it_behaves_like 'deletion is not allowed'
[26069] Allow passing of me-value link for principal filters again The 'me' value is currently automatically normalized to the current user, making it impossible to store queries that reference the current user whenever accessing the query as before.
7 years ago
context 'requesting current user' do
let(:get_path) { api_v3_paths.user 'me' }
it 'should response with 403' do
expect(subject.status).to eq(403)
end
end
API v3 delete user
10 years ago
end
end
Added spec for user API resource
10 years ago
end