openproject/spec/requests/auth/token_based_access_spec.rb

#-- encoding: UTF-8

#-- copyright
# OpenProject is a project management system.
# Copyright (C) 2012-2018 the OpenProject Foundation (OPF)
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License version 3.
#
# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
# Copyright (C) 2006-2017 Jean-Philippe Lang
# Copyright (C) 2010-2013 the ChiliProject Team
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
#
# See docs/COPYRIGHT.rdoc for more details.
#++

require 'spec_helper'

describe 'Token based access', type: :rails_request, with_settings: { login_required?: false } do
  let(:work_package) { FactoryBot.create(:work_package) }
  let(:user) do
    FactoryBot.create(:user,
                      member_in_project: work_package.project,
                      member_with_permissions: %i[view_work_packages])
  end
  let(:rss_key) { user.rss_key }

  it 'grants access but does not login the user' do
    # work_packages of a private project
    get "/work_packages/#{work_package.id}.atom"
    expect(response)
      .to redirect_to(signin_path(back_url: "http://www.example.com/work_packages/#{work_package.id}"))

    # access is possible with a token
    get "/work_packages/#{work_package.id}.atom?key=#{rss_key}"
    expect(response.body)
      .to include("<title>OpenProject - #{work_package.to_s}</title>")

    # but for the next request, the user is not logged in
    get "/work_packages/#{work_package.id}"
    expect(response)
      .to redirect_to(signin_path(back_url: "http://www.example.com/work_packages/#{work_package.id}"))
  end
end
Set source encoding to UTF-8 13 years ago			`#-- encoding: UTF-8`
Fix/replace deprecations (#5533) * replace alias_method_chain * remove deprecation silencing * bump controller-testing * introduce permitted params for settings * replace various deprecations in controllers * remove deprecation silencing for legacy_specs * remove `puts` from spec * replace deprecated access to errors * remove unnecessary AR::Parameters usage in spec * specify error to expect * replace deprecations * replace deprecated action calls in legacy function specs * replace deprecations in functional controller tests * replace deprecations in controllers/controller_specs * remove params parser which does not seem to be in effect It is registered for the content type :exclude which makes no sense as it should deal with :json. The desired behaviour of the api dealing with parsing errors is working with or without the code. * replace deprecations in unit specs * replace alias_method_chain [ci skip] 7 years ago
[#197] Upgrade the copyright in the code files 14 years ago			`#-- copyright`
provide every possible file with a short copyright notice This was done using the rake task: rake copyright:update 12 years ago			`# OpenProject is a project management system.`
Bump copyright to 2018 (#6171) [ci skip] 7 years ago			`# Copyright (C) 2012-2018 the OpenProject Foundation (OPF)`
[#436] Remove trailing whitespace 14 years ago			`#`
Fixed a bug in localization introduced by r1131 (anonymous users inherit the language of the first anonymous user). git-svn-id: http://redmine.rubyforge.org/svn/trunk@1144 e93f8b46-1217-0410-a6f0-8f06a7374b81 17 years ago			`# This program is free software; you can redistribute it and/or`
provide every possible file with a short copyright notice This was done using the rake task: rake copyright:update 12 years ago			`# modify it under the terms of the GNU General Public License version 3.`
[#436] Remove trailing whitespace 14 years ago			`#`
new copyright header #1903 11 years ago			`# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:`
Update copyright notice 8 years ago			`# Copyright (C) 2006-2017 Jean-Philippe Lang`
new copyright header #1903 11 years ago			`# Copyright (C) 2010-2013 the ChiliProject Team`
			`#`
			`# This program is free software; you can redistribute it and/or`
			`# modify it under the terms of the GNU General Public License`
			`# as published by the Free Software Foundation; either version 2`
			`# of the License, or (at your option) any later version.`
			`#`
			`# This program is distributed in the hope that it will be useful,`
			`# but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`# GNU General Public License for more details.`
			`#`
			`# You should have received a copy of the GNU General Public License`
			`# along with this program; if not, write to the Free Software`
			`# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.`
			`#`
Bump copyright to 2018 (#6171) [ci skip] 7 years ago			`# See docs/COPYRIGHT.rdoc for more details.`
[#197] Upgrade the copyright in the code files 14 years ago			`#++`
Fixed a bug in localization introduced by r1131 (anonymous users inherit the language of the first anonymous user). git-svn-id: http://redmine.rubyforge.org/svn/trunk@1144 e93f8b46-1217-0410-a6f0-8f06a7374b81 17 years ago
replace spec_legacy integration specs 6 years ago			`require 'spec_helper'`
[#436] Remove trailing whitespace 14 years ago
replace spec_legacy integration specs 6 years ago			`describe 'Token based access', type: :rails_request, with_settings: { login_required?: false } do`
			`let(:work_package) { FactoryBot.create(:work_package) }`
			`let(:user) do`
			`FactoryBot.create(:user,`
			`member_in_project: work_package.project,`
			`member_with_permissions: %i[view_work_packages])`
Fix various legacy specs 9 years ago			`end`
replace spec_legacy integration specs 6 years ago			`let(:rss_key) { user.rss_key }`
Fix various legacy specs 9 years ago
replace spec_legacy integration specs 6 years ago			`it 'grants access but does not login the user' do`
enables the atom feed on work_packages#show 11 years ago			`# work_packages of a private project`
replace spec_legacy integration specs 6 years ago			`get "/work_packages/#{work_package.id}.atom"`
			`expect(response)`
			`.to redirect_to(signin_path(back_url: "http://www.example.com/work_packages/#{work_package.id}"))`

			`# access is possible with a token`
			`get "/work_packages/#{work_package.id}.atom?key=#{rss_key}"`
			`expect(response.body)`
			`.to include("<title>OpenProject - #{work_package.to_s}</title>")`

			`# but for the next request, the user is not logged in`
			`get "/work_packages/#{work_package.id}"`
			`expect(response)`
			`.to redirect_to(signin_path(back_url: "http://www.example.com/work_packages/#{work_package.id}"))`
Do not start user session when accessing atom feed with token-based authentication. git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@2779 e93f8b46-1217-0410-a6f0-8f06a7374b81 16 years ago			`end`
Fixed a bug in localization introduced by r1131 (anonymous users inherit the language of the first anonymous user). git-svn-id: http://redmine.rubyforge.org/svn/trunk@1144 e93f8b46-1217-0410-a6f0-8f06a7374b81 17 years ago			`end`