|
|
|
@ -35,20 +35,25 @@ describe 'API v3 User resource', type: :request, content_type: :json do |
|
|
|
|
|
|
|
|
|
let(:current_user) { FactoryBot.create(:user) } |
|
|
|
|
let(:user) { FactoryBot.create(:user) } |
|
|
|
|
let(:admin) { FactoryBot.create(:admin) } |
|
|
|
|
let(:locked_admin) { FactoryBot.create :admin, status: Principal::STATUSES[:locked] } |
|
|
|
|
|
|
|
|
|
subject(:response) { last_response } |
|
|
|
|
|
|
|
|
|
before do |
|
|
|
|
allow(User).to receive(:current).and_return current_user |
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
describe '#index' do |
|
|
|
|
let(:get_path) { api_v3_paths.users } |
|
|
|
|
|
|
|
|
|
before do |
|
|
|
|
user |
|
|
|
|
allow(User).to receive(:current).and_return current_user |
|
|
|
|
get get_path |
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
context 'admin user' do |
|
|
|
|
let(:current_user) { FactoryBot.create(:admin) } |
|
|
|
|
let(:current_user) { admin } |
|
|
|
|
|
|
|
|
|
it 'should respond with 200' do |
|
|
|
|
expect(subject.status).to eq(200) |
|
|
|
@ -58,13 +63,13 @@ describe 'API v3 User resource', type: :request, content_type: :json do |
|
|
|
|
# meaning the order in which they where saved |
|
|
|
|
it 'contains the user in the response' do |
|
|
|
|
expect(subject.body) |
|
|
|
|
.to be_json_eql(user.name.to_json) |
|
|
|
|
.to be_json_eql(current_user.name.to_json) |
|
|
|
|
.at_path('_embedded/elements/0/name') |
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
it 'contains the current user in the response' do |
|
|
|
|
expect(subject.body) |
|
|
|
|
.to be_json_eql(current_user.name.to_json) |
|
|
|
|
.to be_json_eql(user.name.to_json) |
|
|
|
|
.at_path('_embedded/elements/1/name') |
|
|
|
|
end |
|
|
|
|
|
|
|
|
@ -79,7 +84,7 @@ describe 'API v3 User resource', type: :request, content_type: :json do |
|
|
|
|
|
|
|
|
|
it 'contains the current user in the response' do |
|
|
|
|
expect(subject.body) |
|
|
|
|
.to be_json_eql(current_user.name.to_json) |
|
|
|
|
.to be_json_eql(user.name.to_json) |
|
|
|
|
.at_path('_embedded/elements/0/name') |
|
|
|
|
end |
|
|
|
|
end |
|
|
|
@ -147,21 +152,25 @@ describe 'API v3 User resource', type: :request, content_type: :json do |
|
|
|
|
end |
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
context 'locked admin' do |
|
|
|
|
let(:current_user) { locked_admin } |
|
|
|
|
|
|
|
|
|
it_behaves_like 'unauthorized access' |
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
context 'other user' do |
|
|
|
|
it 'should respond with 403' do |
|
|
|
|
expect(subject.status).to eq(403) |
|
|
|
|
end |
|
|
|
|
it_behaves_like 'unauthorized access' |
|
|
|
|
end |
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
describe '#get' do |
|
|
|
|
context 'logged in user' do |
|
|
|
|
let(:get_path) { api_v3_paths.user user.id } |
|
|
|
|
before do |
|
|
|
|
allow(User).to receive(:current).and_return current_user |
|
|
|
|
get get_path |
|
|
|
|
end |
|
|
|
|
let(:get_path) { api_v3_paths.user user.id } |
|
|
|
|
|
|
|
|
|
before do |
|
|
|
|
get get_path |
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
context 'logged in user' do |
|
|
|
|
it 'should respond with 200' do |
|
|
|
|
expect(subject.status).to eq(200) |
|
|
|
|
end |
|
|
|
@ -191,10 +200,6 @@ describe 'API v3 User resource', type: :request, content_type: :json do |
|
|
|
|
|
|
|
|
|
context 'get with login' do |
|
|
|
|
let(:get_path) { api_v3_paths.user user.login } |
|
|
|
|
before do |
|
|
|
|
allow(User).to receive(:current).and_return current_user |
|
|
|
|
get get_path |
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
it 'should respond with 200' do |
|
|
|
|
expect(subject.status).to eq(200) |
|
|
|
@ -208,6 +213,12 @@ describe 'API v3 User resource', type: :request, content_type: :json do |
|
|
|
|
it_behaves_like 'handling anonymous user' do |
|
|
|
|
let(:path) { api_v3_paths.user user.id } |
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
context 'locked admin' do |
|
|
|
|
let(:current_user) { locked_admin } |
|
|
|
|
|
|
|
|
|
it_behaves_like 'unauthorized access' |
|
|
|
|
end |
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
describe '#delete' do |
|
|
|
@ -216,15 +227,13 @@ describe 'API v3 User resource', type: :request, content_type: :json do |
|
|
|
|
let(:self_delete) { true } |
|
|
|
|
|
|
|
|
|
before do |
|
|
|
|
allow(User).to receive(:current).and_return current_user |
|
|
|
|
|
|
|
|
|
allow(Setting).to receive(:users_deletable_by_admins?).and_return(admin_delete) |
|
|
|
|
allow(Setting).to receive(:users_deletable_by_self?).and_return(self_delete) |
|
|
|
|
|
|
|
|
|
delete path |
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
shared_examples 'deletion through allowed user' do |
|
|
|
|
shared_examples 'deletion allowed' do |
|
|
|
|
it 'should respond with 202' do |
|
|
|
|
expect(subject.status).to eq 202 |
|
|
|
|
end |
|
|
|
@ -241,14 +250,6 @@ describe 'API v3 User resource', type: :request, content_type: :json do |
|
|
|
|
let(:type) { 'User' } |
|
|
|
|
end |
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
context 'with non-admin user' do |
|
|
|
|
let(:current_user) { FactoryBot.create :user, admin: false } |
|
|
|
|
|
|
|
|
|
it 'responds with 403' do |
|
|
|
|
expect(subject.status).to eq 403 |
|
|
|
|
end |
|
|
|
|
end |
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
shared_examples 'deletion is not allowed' do |
|
|
|
@ -262,12 +263,12 @@ describe 'API v3 User resource', type: :request, content_type: :json do |
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
context 'as admin' do |
|
|
|
|
let(:current_user) { FactoryBot.create :admin } |
|
|
|
|
let(:current_user) { admin } |
|
|
|
|
|
|
|
|
|
context 'with users deletable by admins' do |
|
|
|
|
let(:admin_delete) { true } |
|
|
|
|
|
|
|
|
|
it_behaves_like 'deletion through allowed user' |
|
|
|
|
it_behaves_like 'deletion allowed' |
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
context 'with users not deletable by admins' do |
|
|
|
@ -277,6 +278,12 @@ describe 'API v3 User resource', type: :request, content_type: :json do |
|
|
|
|
end |
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
context 'as locked admin' do |
|
|
|
|
let(:current_user) { locked_admin } |
|
|
|
|
|
|
|
|
|
it_behaves_like 'deletion is not allowed' |
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
context 'as non-admin' do |
|
|
|
|
let(:current_user) { FactoryBot.create :user, admin: false } |
|
|
|
|
|
|
|
|
@ -289,7 +296,7 @@ describe 'API v3 User resource', type: :request, content_type: :json do |
|
|
|
|
context 'with self-deletion allowed' do |
|
|
|
|
let(:self_delete) { true } |
|
|
|
|
|
|
|
|
|
it_behaves_like 'deletion through allowed user' |
|
|
|
|
it_behaves_like 'deletion allowed' |
|
|
|
|
end |
|
|
|
|
|
|
|
|
|
context 'with self-deletion not allowed' do |
|
|
|
|