require 'spec_helper'

describe User, models: true do
  include Gitlab::CurrentSettings

  # Mixins the User model is expected to include. `subject` is the class itself
  # (not an instance) so `include_module` inspects the class ancestry.
  describe 'modules' do
    subject { described_class }

    it { is_expected.to include_module(Gitlab::ConfigHelper) }
    it { is_expected.to include_module(Gitlab::CurrentSettings) }
    it { is_expected.to include_module(Referable) }
    it { is_expected.to include_module(Sortable) }
    # NOTE(review): TokenAuthenticatable presumably backs the token accessors
    # exercised further down in this spec — confirm against the model.
    it { is_expected.to include_module(TokenAuthenticatable) }
  end

  # Association contract of the User model. The `dependent:` option asserted on
  # each association is what the model declares should happen to the related
  # rows when a user record is destroyed.
  describe 'associations' do
    it { is_expected.to have_one(:namespace) }
    it { is_expected.to have_many(:snippets).dependent(:destroy) }
    it { is_expected.to have_many(:project_members).dependent(:destroy) }
    it { is_expected.to have_many(:groups) }
    # SSH keys, deploy keys and (below) external identities are credentials
    # bound to the account; these examples pin that they are destroyed with it.
    it { is_expected.to have_many(:keys).dependent(:destroy) }
    it { is_expected.to have_many(:deploy_keys).dependent(:destroy) }
    it { is_expected.to have_many(:events).dependent(:destroy) }
    it { is_expected.to have_many(:recent_events).class_name('Event') }
    it { is_expected.to have_many(:issues).dependent(:restrict_with_exception) }
    it { is_expected.to have_many(:notes).dependent(:destroy) }
    it { is_expected.to have_many(:merge_requests).dependent(:destroy) }
    it { is_expected.to have_many(:identities).dependent(:destroy) }
    it { is_expected.to have_many(:spam_logs).dependent(:destroy) }
    it { is_expected.to have_many(:todos).dependent(:destroy) }
    it { is_expected.to have_many(:award_emoji).dependent(:destroy) }
    it { is_expected.to have_many(:path_locks).dependent(:destroy) }
    it { is_expected.to have_many(:triggers).dependent(:destroy) }
    # Builds and pipelines are detached (nullify) rather than destroyed.
    it { is_expected.to have_many(:builds).dependent(:nullify) }
    it { is_expected.to have_many(:pipelines).dependent(:nullify) }
    it { is_expected.to have_many(:chat_names).dependent(:destroy) }
    it { is_expected.to have_many(:uploads).dependent(:destroy) }
    it { is_expected.to have_many(:reported_abuse_reports).dependent(:destroy).class_name('AbuseReport') }

    # `abuse_report` is the report filed AGAINST the user (keyed on user_id),
    # never a report the user filed (reporter_id). Mixing the two up would
    # attach a report to the wrong account.
    describe "#abuse_report" do
      let(:current_user) { create(:user) }
      let(:other_user) { create(:user) }

      it { is_expected.to have_one(:abuse_report) }

      it "refers to the abuse report whose user_id is the current user" do
        report = create(:abuse_report, reporter: other_user, user: current_user)

        expect(current_user.abuse_report).to eq(report)
      end

      it "does not refer to the abuse report whose reporter_id is the current user" do
        create(:abuse_report, reporter: current_user, user: other_user)

        expect(current_user.abuse_report).to be_nil
      end

      # Updating the reporter (here: blocking them) must not re-point the
      # report at the reporter.
      it "does not update the user_id of an abuse report when the user is updated" do
        report = create(:abuse_report, reporter: current_user, user: other_user)

        current_user.block

        expect(report.reload.user).to eq(other_user)
      end
    end

    # A pending access request is not a membership: the requester must not show
    # up in the member associations until the request is granted.
    describe '#group_members' do
      it 'does not include group memberships for which user is a requester' do
        requester = create(:user)
        group = create(:group, :public, :access_requestable)
        group.request_access(requester)

        expect(requester.group_members).to be_empty
      end
    end

    describe '#project_members' do
      it 'does not include project memberships for which user is a requester' do
        requester = create(:user)
        project = create(:empty_project, :public, :access_requestable)
        project.request_access(requester)

        expect(requester.project_members).to be_empty
      end
    end
  end

  # The model must expose the `namespace_attributes=` writer. Only the presence
  # of the writer is checked here, not which attributes it accepts.
  describe 'nested attributes' do
    it { is_expected.to respond_to(:namespace_attributes=) }
  end

  # Model-level validations. The e-mail examples pin the sign-up domain
  # whitelist/blacklist rules, which act as an access control on who may
  # register; the settings are stubbed on ApplicationSetting in each context.
  describe 'validations' do
    describe 'username' do
      it 'validates presence' do
        expect(subject).to validate_presence_of(:username)
      end

      # 'dashboard' is expected to be reserved and therefore not claimable as a username.
      it 'rejects blacklisted names' do
        candidate = build(:user, username: 'dashboard')

        expect(candidate).not_to be_valid
        expect(candidate.errors.values).to eq([['dashboard is a reserved name']])
      end

      it 'allows child names' do
        expect(build(:user, username: 'avatar')).to be_valid
      end

      it 'allows wildcard names' do
        expect(build(:user, username: 'blob')).to be_valid
      end

      # Case-insensitive: two usernames that differ only in case must collide.
      it 'validates uniqueness' do
        expect(subject).to validate_uniqueness_of(:username).case_insensitive
      end
    end

    # projects_limit is bounded on both sides: no negatives, nothing above the
    # database integer maximum.
    it { is_expected.to validate_presence_of(:projects_limit) }
    it { is_expected.to validate_numericality_of(:projects_limit) }
    it { is_expected.to allow_value(0).for(:projects_limit) }
    it { is_expected.not_to allow_value(-1).for(:projects_limit) }
    it { is_expected.not_to allow_value(Gitlab::Database::MAX_INT_VALUE + 1).for(:projects_limit) }

    it { is_expected.to validate_length_of(:bio).is_at_most(255) }

    it_behaves_like 'an object with email-formated attributes', :email do
      subject { build(:user) }
    end

    it_behaves_like 'an object with email-formated attributes', :public_email, :notification_email do
      subject { build(:user).tap { |user| user.emails << build(:email, email: email_value) } }
    end

    describe 'email' do
      context 'when no signup domains whitelisted' do
        before do
          allow_any_instance_of(ApplicationSetting).to receive(:domain_whitelist).and_return([])
        end

        it 'accepts any email' do
          expect(build(:user, email: "info@example.com")).to be_valid
        end
      end

      # NOTE(review): the whitelist contexts only test an unrelated domain as
      # the negative case. No example covers a look-alike domain that merely
      # contains or ends with the whitelisted name — worth adding so that the
      # match is pinned as anchored.
      context 'when a signup domain is whitelisted and subdomains are allowed' do
        before do
          allow_any_instance_of(ApplicationSetting).to receive(:domain_whitelist).and_return(['example.com', '*.example.com'])
        end

        it 'accepts info@example.com' do
          expect(build(:user, email: "info@example.com")).to be_valid
        end

        it 'accepts info@test.example.com' do
          expect(build(:user, email: "info@test.example.com")).to be_valid
        end

        it 'rejects example@test.com' do
          expect(build(:user, email: "example@test.com")).to be_invalid
        end
      end

      context 'when a signup domain is whitelisted and subdomains are not allowed' do
        before do
          allow_any_instance_of(ApplicationSetting).to receive(:domain_whitelist).and_return(['example.com'])
        end

        it 'accepts info@example.com' do
          expect(build(:user, email: "info@example.com")).to be_valid
        end

        # Without a wildcard entry a subdomain is NOT implied by its parent.
        it 'rejects info@test.example.com' do
          expect(build(:user, email: "info@test.example.com")).to be_invalid
        end

        it 'rejects example@test.com' do
          expect(build(:user, email: "example@test.com")).to be_invalid
        end

        # created_by_id set: the account is created by another user instead of
        # self-registering, and the domain restriction is expected not to apply.
        it 'accepts example@test.com when added by another user' do
          expect(build(:user, email: "example@test.com", created_by_id: 1)).to be_valid
        end
      end

      context 'domain blacklist' do
        before do
          allow_any_instance_of(ApplicationSetting).to receive(:domain_blacklist_enabled?).and_return(true)
          allow_any_instance_of(ApplicationSetting).to receive(:domain_blacklist).and_return(['example.com'])
        end

        context 'when a signup domain is blacklisted' do
          it 'accepts info@test.com' do
            expect(build(:user, email: 'info@test.com')).to be_valid
          end

          it 'rejects info@example.com' do
            expect(build(:user, email: 'info@example.com')).not_to be_valid
          end

          # Same bypass as for the whitelist: accounts created by another user
          # are not subject to the blacklist.
          it 'accepts info@example.com when added by another user' do
            expect(build(:user, email: 'info@example.com', created_by_id: 1)).to be_valid
          end
        end

        # Precedence rule: when a domain matches both lists, the whitelist wins.
        context 'when a signup domain is blacklisted but a wildcard subdomain is allowed' do
          before do
            allow_any_instance_of(ApplicationSetting).to receive(:domain_blacklist).and_return(['test.example.com'])
            allow_any_instance_of(ApplicationSetting).to receive(:domain_whitelist).and_return(['*.example.com'])
          end

          it 'gives priority to whitelist and allow info@test.example.com' do
            expect(build(:user, email: 'info@test.example.com')).to be_valid
          end
        end

        # Blacklist stays ['example.com'] from the outer `before`; only the
        # whitelist is added here.
        context 'with both lists containing a domain' do
          before do
            allow_any_instance_of(ApplicationSetting).to receive(:domain_whitelist).and_return(['test.com'])
          end

          it 'accepts info@test.com' do
            expect(build(:user, email: 'info@test.com')).to be_valid
          end

          it 'rejects info@example.com' do
            expect(build(:user, email: 'info@example.com')).not_to be_valid
          end
        end
      end

      context 'owns_notification_email' do
        it 'accepts temp_oauth_email emails' do
          expect(build(:user, email: "temp-email-for-oauth@example.com")).to be_valid
        end
      end
    end

    # Separation of duties: the auditor and admin roles are mutually exclusive.
    it 'does not allow a user to be both an auditor and an admin' do
      expect(build(:user, :admin, :auditor)).to be_invalid
    end
  end

  # `User.non_ldap` must exclude accounts whose identity comes from an LDAP
  # provider while keeping plain users and users of other omniauth providers.
  describe "non_ldap" do
    it "retuns non-ldap user" do
      # Start from an empty table so the count below is exact.
      User.delete_all
      create(:user)
      ldap_user = create(:omniauth_user, provider: "ldapmain")
      create(:omniauth_user, provider: "gitlub")

      non_ldap_users = User.non_ldap

      # Two of the three accounts remain: the plain user and the non-LDAP
      # omniauth user.
      expect(non_ldap_users.count).to eq(2)
      expect(non_ldap_users.detect { |candidate| candidate.username == ldap_user.username }).to be_nil
    end
  end

  # Query scopes. The two-factor scopes report which accounts have a second
  # factor enrolled, so both directions are pinned for OTP-only, U2F-only and
  # OTP+U2F users.
  describe "scopes" do
    describe ".with_two_factor" do
      it "returns users with 2fa enabled via OTP" do
        enrolled = create(:user, :two_factor_via_otp)
        not_enrolled = create(:user)
        ids = User.with_two_factor.pluck(:id)

        expect(ids).to include(enrolled.id)
        expect(ids).not_to include(not_enrolled.id)
      end

      it "returns users with 2fa enabled via U2F" do
        enrolled = create(:user, :two_factor_via_u2f)
        not_enrolled = create(:user)
        ids = User.with_two_factor.pluck(:id)

        expect(ids).to include(enrolled.id)
        expect(ids).not_to include(not_enrolled.id)
      end

      it "returns users with 2fa enabled via OTP and U2F" do
        enrolled = create(:user, :two_factor_via_otp, :two_factor_via_u2f)
        not_enrolled = create(:user)
        ids = User.with_two_factor.pluck(:id)

        # Exact match rather than `include`: a user holding both factors must
        # be listed once, not once per factor.
        expect(ids).to eq([enrolled.id])
        expect(ids).not_to include(not_enrolled.id)
      end
    end

    describe ".without_two_factor" do
      it "excludes users with 2fa enabled via OTP" do
        enrolled = create(:user, :two_factor_via_otp)
        not_enrolled = create(:user)
        ids = User.without_two_factor.pluck(:id)

        expect(ids).to include(not_enrolled.id)
        expect(ids).not_to include(enrolled.id)
      end

      it "excludes users with 2fa enabled via U2F" do
        enrolled = create(:user, :two_factor_via_u2f)
        not_enrolled = create(:user)
        ids = User.without_two_factor.pluck(:id)

        expect(ids).to include(not_enrolled.id)
        expect(ids).not_to include(enrolled.id)
      end

      it "excludes users with 2fa enabled via OTP and U2F" do
        enrolled = create(:user, :two_factor_via_otp, :two_factor_via_u2f)
        not_enrolled = create(:user)
        ids = User.without_two_factor.pluck(:id)

        expect(ids).to include(not_enrolled.id)
        expect(ids).not_to include(enrolled.id)
      end
    end

    # `todo_authors(user_id, state)` returns the authors of that user's todos
    # in the given state only.
    describe '.todo_authors' do
      it 'filters users' do
        create(:user)
        done_author = create(:user)
        pending_author = create(:user)
        owner = create(:user)
        create(:todo, user: owner, author: done_author, state: :done)
        create(:todo, user: owner, author: pending_author, state: :pending)

        expect(User.todo_authors(owner.id, 'pending')).to eq([pending_author])
        expect(User.todo_authors(owner.id, 'done')).to eq([done_author])
      end
    end
  end

  # Public interface smoke test: the listed readers must exist on a User.
  # Only presence is asserted, not what the methods return.
  describe "Respond to" do
    %i[admin? name private_token external?].each do |reader|
      it { is_expected.to respond_to(reader) }
    end
  end

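  # Saving a user flagged `external: true` must also strip the abilities an
  # external account is not meant to have (least privilege): no team or group
  # creation and a project limit of zero.
  describe 'before save hook' do
    context 'when saving an external user' do
      # The original also declared an unused lazy `let(:user)`; it was never
      # evaluated, so dropping it does not change what runs.
      let(:external_user) { create(:user, external: true) }

      it "sets other properties aswell" do
        expect(external_user.can_create_team).to be_falsey
        expect(external_user.can_create_group).to be_falsey
        expect(external_user.projects_limit).to be 0
      end
    end
  end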

  # Shared fixture: one user owning both a regular key and a deploy key.
  # `let!` creates both keys eagerly, so each exists before the example runs
  # even when the example only references the other one.
  shared_context 'user keys' do
    let(:user) { create(:user) }
    let!(:key) { create(:key, user: user) }
    let!(:deploy_key) { create(:deploy_key, user: user) }
  end

  # `user.keys` holds personal keys only; a deploy key owned by the same user
  # must not leak into it.
  describe '#keys' do
    include_context 'user keys'

    context 'with key and deploy key stored' do
      it 'returns stored key, but not deploy_key' do
        personal_keys = user.keys

        expect(personal_keys).to include(key)
        expect(personal_keys).not_to include(deploy_key)
      end
    end
  end

  # Mirror of '#keys': `user.deploy_keys` holds deploy keys only and must not
  # contain the user's personal key.
  describe '#deploy_keys' do
    include_context 'user keys'

    context 'with key and deploy key stored' do
      it 'returns stored deploy key, but not normal key' do
        owned_deploy_keys = user.deploy_keys

        expect(owned_deploy_keys).to include(deploy_key)
        expect(owned_deploy_keys).not_to include(key)
      end
    end
  end

  # E-mail confirmation: with confirmation e-mails switched on, a freshly
  # created user stays unconfirmed until `confirm` is called.
  describe '#confirm' do
    let(:user) { create(:user, confirmed_at: nil, unconfirmed_email: 'test@gitlab.com') }

    before do
      allow_any_instance_of(ApplicationSetting).to receive(:send_user_confirmation_email).and_return(true)
    end

    it 'returns unconfirmed' do
      expect(user.confirmed?).to be_falsey
    end

    it 'confirms a user' do
      user.confirm

      expect(user.confirmed?).to be_truthy
    end
  end

  # A user reference is the username prefixed with "@".
  describe '#to_reference' do
    let(:user) { create(:user) }

    it 'returns a String reference to the object' do
      expect(user.to_reference).to eq "@#{user.username}"
    end
  end

  # A password supplied at creation must be kept as given: the model must not
  # silently replace it with a generated one.
  describe '#generate_password' do
    it "does not generate password by default" do
      supplied = create(:user, password: 'abcdefghe')

      expect(supplied.password).to eq('abcdefghe')
    end
  end

  # Every created user gets an authentication token.
  # NOTE(review): only non-blankness is asserted; uniqueness across users and
  # token length/format are not covered by this example.
  describe 'authentication token' do
    it "has authentication token" do
      token = create(:user).authentication_token

      expect(token).not_to be_blank
    end
  end

  # Predicate used to tell whether a password-reset e-mail went out within the
  # last minute (per the example names).
  # NOTE(review): the samples are nil, five minutes ago and "now"; the value
  # right at the one-minute boundary is not exercised.
  describe '#recently_sent_password_reset?' do
    it 'is false when reset_password_sent_at is nil' do
      never_sent = build_stubbed(:user, reset_password_sent_at: nil)

      expect(never_sent.recently_sent_password_reset?).to eq(false)
    end

    it 'is false when sent more than one minute ago' do
      sent_earlier = build_stubbed(:user, reset_password_sent_at: 5.minutes.ago)

      expect(sent_earlier.recently_sent_password_reset?).to eq(false)
    end

    it 'is true when sent less than one minute ago' do
      just_sent = build_stubbed(:user, reset_password_sent_at: Time.now)

      expect(just_sent.recently_sent_password_reset?).to eq(true)
    end
  end

  # Disabling 2FA must leave no second-factor material behind: the encrypted
  # OTP secret with its IV and salt, the backup codes and the grace-period
  # timestamp all have to be nil afterwards.
  describe '#disable_two_factor!' do
    it 'clears all 2FA-related fields' do
      account = create(:user, :two_factor)

      # Precondition: the factory really produced an enrolled user, otherwise
      # the nil checks below would pass vacuously.
      expect(account).to be_two_factor_enabled
      expect(account.encrypted_otp_secret).not_to be_nil
      expect(account.otp_backup_codes).not_to be_nil
      expect(account.otp_grace_period_started_at).not_to be_nil

      account.disable_two_factor!

      expect(account).not_to be_two_factor_enabled
      expect(account.encrypted_otp_secret).to be_nil
      expect(account.encrypted_otp_secret_iv).to be_nil
      expect(account.encrypted_otp_secret_salt).to be_nil
      expect(account.otp_backup_codes).to be_nil
      expect(account.otp_grace_period_started_at).to be_nil
      # NOTE(review): U2F registrations are not asserted on here; whether the
      # :two_factor factory creates any is not visible from this spec.
    end
  end

  # Project visibility per relationship. One user is given three projects:
  #   @project   - in the user's own namespace
  #   @project_2 - in a group, user added as master
  #   @project_3 - in a group, user added as developer
  # All three are authorized; only the first counts as owned / personal.
  describe 'projects' do
    before do
      @user = create(:user)

      @project = create(:empty_project, namespace: @user.namespace)
      @project_2 = create(:empty_project, group: create(:group)) { |project| project.add_master(@user) }
      @project_3 = create(:empty_project, group: create(:group)) { |project| project.add_developer(@user) }
    end

    it { expect(@user.authorized_projects).to include(@project) }
    it { expect(@user.authorized_projects).to include(@project_2) }
    it { expect(@user.authorized_projects).to include(@project_3) }
    # Membership in a group project does not make the user its owner.
    it { expect(@user.owned_projects).to include(@project) }
    it { expect(@user.owned_projects).not_to include(@project_2) }
    it { expect(@user.owned_projects).not_to include(@project_3) }
    it { expect(@user.personal_projects).to include(@project) }
    it { expect(@user.personal_projects).not_to include(@project_2) }
    it { expect(@user.personal_projects).not_to include(@project_3) }
  end

  # A user who owns one group has two namespaces: the personal one and the
  # group's.
  describe 'groups' do
    before do
      @user = create(:user)
      @group = create(:group)
      @group.add_owner(@user)
    end

    it { expect(@user.several_namespaces?).to be_truthy }
    it { expect(@user.authorized_groups).to eq([@group]) }
    it { expect(@user.owned_groups).to eq([@group]) }
    it { expect(@user.namespaces).to match_array([@user.namespace, @group]) }
  end

  # A second owner, added through `add_user` with the OWNER access level, gets
  # the group namespace just like the first owner does.
  describe 'group multiple owners' do
    before do
      @user = create(:user)
      @user2 = create(:user)
      @group = create(:group)
      @group.add_owner(@user)

      @group.add_user(@user2, GroupMember::OWNER)
    end

    it { expect(@user2.several_namespaces?).to be_truthy }
  end

  # Without any group, a user has exactly one namespace: the personal one,
  # even when it already contains a project.
  describe 'namespaced' do
    before do
      @user = create(:user)
      @project = create(:empty_project, namespace: @user.namespace)
    end

    it { expect(@user.several_namespaces?).to be_falsey }
    it { expect(@user.namespaces).to eq([@user.namespace]) }
  end

  # `block` moves the account into the blocked state.
  # NOTE(review): only the state flag is asserted; what a blocked account can
  # still do is not covered by this example.
  describe 'blocking user' do
    let(:user) { create(:user, name: 'John Smith') }

    it "blocks user" do
      user.block

      expect(user.blocked?).to be_truthy
    end
  end

  # `User.filter(name)` dispatches a filter name to the matching scope. Each
  # scope is replaced by a message expectation returning a double, so these
  # examples pin the mapping only, not what the scopes select.
  describe '.filter' do
    let(:user) { double }

    # nil (no filter given) falls back to active users.
    it 'filters by active users by default' do
      expect(User).to receive(:active).and_return([user])

      expect(User.filter(nil)).to include(user)
    end

    it 'filters by admins' do
      expect(User).to receive(:admins).and_return([user])

      expect(User.filter('admins')).to include(user)
    end

    it 'filters by blocked' do
      expect(User).to receive(:blocked).and_return([user])

      expect(User.filter('blocked')).to include(user)
    end

    it 'filters by two_factor_disabled' do
      expect(User).to receive(:without_two_factor).and_return([user])

      expect(User.filter('two_factor_disabled')).to include(user)
    end

    it 'filters by two_factor_enabled' do
      expect(User).to receive(:with_two_factor).and_return([user])

      expect(User.filter('two_factor_enabled')).to include(user)
    end

    # 'wop' maps to the without_projects scope.
    it 'filters by wop' do
      expect(User).to receive(:without_projects).and_return([user])

      expect(User.filter('wop')).to include(user)
    end
  end

  # `User.without_projects` lists users holding no actual project membership.
  # A pending invite or a pending access request does not count as membership.
  describe '.without_projects' do
    let!(:project) { create(:empty_project, :public, :access_requestable) }
    let!(:user) { create(:user) }
    let!(:user_without_project) { create(:user) }
    let!(:user_without_project2) { create(:user) }

    before do
      # Real membership: add the user to the project.
      project.team << [user, :master]

      # Pending invite to the project, addressed to an e-mail that is not tied
      # to any of the users above (fixture token value).
      create(:project_member, :developer, project: project, invite_token: '1234', invite_email: 'inviteduser1@example.com')

      # Pending request to join the project.
      project.request_access(user_without_project2)
    end

    it { expect(User.without_projects).not_to include(user) }
    it { expect(User.without_projects).to include(user_without_project) }
    it { expect(User.without_projects).to include(user_without_project2) }
  end

  # `User.not_in_project(project)` returns users that are not members of the
  # project; per the expectation below that includes the project's owner.
  describe '.not_in_project' do
    before do
      # Clear the table first so leftovers cannot influence the result.
      User.delete_all
      @user = create(:user)
      @project = create(:empty_project)
    end

    it { expect(User.not_in_project(@project)).to include(@user, @project.owner) }
  end

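  # Defaults applied to new users and the ways to override them. These defaults
  # decide what a newly created account may do (admin flag, group and project
  # creation, external flag), so they are pinned explicitly.
  describe 'user creation' do
    describe 'normal user' do
      let(:user) { create(:user, name: 'John Smith') }

      # A regular user is never an admin and never external by default.
      it { expect(user.admin?).to be_falsey }
      it { expect(user.require_ssh_key?).to be_truthy }
      it { expect(user.can_create_group?).to be_truthy }
      it { expect(user.can_create_project?).to be_truthy }
      it { expect(user.first_name).to eq('John') }
      it { expect(user.external).to be_falsey }
    end

    describe 'with defaults' do
      let(:user) { User.new }

      it "applies defaults to user" do
        expect(user.projects_limit).to eq(Gitlab.config.gitlab.default_projects_limit)
        expect(user.can_create_group).to eq(Gitlab.config.gitlab.default_can_create_group)
        expect(user.external).to be_falsey
      end
    end

    describe 'with default overrides' do
      let(:user) { User.new(projects_limit: 123, can_create_group: false, can_create_team: true) }

      # Renamed from "applies defaults to user": the example checks that the
      # explicit values win over the defaults.
      # NOTE(review): can_create_team is passed in but never asserted.
      it "applies the overrides instead of the defaults" do
        expect(user.projects_limit).to eq(123)
        expect(user.can_create_group).to be_falsey
      end
    end

    context 'when current_application_settings.user_default_external is true' do
      before do
        stub_application_setting(user_default_external: true)
      end

      it "creates external user by default" do
        user = build(:user)

        expect(user.external).to be_truthy
      end

      describe 'with default overrides' do
        # An explicit `external: false` wins over the instance-wide default.
        it "creates a non-external user" do
          user = build(:user, external: false)

          expect(user.external).to be_falsey
        end
      end
    end

    # An SSH key is required unless Git access is restricted to HTTP; an empty
    # setting behaves like 'ssh' here.
    describe '#require_ssh_key?' do
      protocol_and_expectation = {
        'http' => false,
        'ssh' => true,
        '' => true,
      }

      protocol_and_expectation.each do |protocol, expected|
        # The protocol is part of the description so that the three generated
        # examples can be told apart in a failure report.
        it "has correct require_ssh_key? when enabled_git_access_protocol is #{protocol.inspect}" do
          stub_application_setting(enabled_git_access_protocol: protocol)
          user = build(:user)

          expect(user.require_ssh_key?).to eq(expected)
        end
      end
    end
  end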

  # Lookup by primary or secondary e-mail address.
  describe '.find_by_any_email' do
    it 'finds by primary email' do
      owner = create(:user, email: 'foo@example.com')

      expect(User.find_by_any_email(owner.email)).to eq(owner)
    end

    it 'finds by secondary email' do
      secondary = create(:email, email: 'foo@example.com')
      owner = secondary.user

      expect(User.find_by_any_email(secondary.email)).to eq(owner)
    end

    # An empty address must not match anybody.
    it 'returns nil when nothing found' do
      expect(User.find_by_any_email('')).to be_nil
    end
  end

  # `User.search` matches name, primary e-mail and username; each is tried as a
  # full match, as a three-character prefix and upper-cased.
  # NOTE(review): partial matching on e-mail means a search result can confirm
  # that an address is registered; who may call the search is decided outside
  # this spec.
  describe '.search' do
    let(:user) { create(:user) }

    it 'returns users with a matching name' do
      expect(described_class.search(user.name)).to eq([user])
    end

    it 'returns users with a partially matching name' do
      prefix = user.name[0..2]

      expect(described_class.search(prefix)).to eq([user])
    end

    it 'returns users with a matching name regardless of the casing' do
      expect(described_class.search(user.name.upcase)).to eq([user])
    end

    it 'returns users with a matching Email' do
      expect(described_class.search(user.email)).to eq([user])
    end

    it 'returns users with a partially matching Email' do
      prefix = user.email[0..2]

      expect(described_class.search(prefix)).to eq([user])
    end

    it 'returns users with a matching Email regardless of the casing' do
      expect(described_class.search(user.email.upcase)).to eq([user])
    end

    it 'returns users with a matching username' do
      expect(described_class.search(user.username)).to eq([user])
    end

    it 'returns users with a partially matching username' do
      prefix = user.username[0..2]

      expect(described_class.search(prefix)).to eq([user])
    end

    it 'returns users with a matching username regardless of the casing' do
      expect(described_class.search(user.username.upcase)).to eq([user])
    end
  end

  # Same contract as `.search`, extended to secondary e-mail addresses.
  # Two users are created eagerly; `another_user` owns the secondary address
  # 'alias@example.com', so every result is checked against a table holding
  # more than one candidate.
  describe '.search_with_secondary_emails' do
    delegate :search_with_secondary_emails, to: :described_class

    let!(:user) { create(:user, name: 'John Doe', username: 'john.doe', email: 'john.doe@example.com' ) }
    let!(:another_user) { create(:user, name: 'Albert Smith', username: 'albert.smith', email: 'albert.smith@example.com' ) }
    let!(:email) do
      create(:email, user: another_user, email: 'alias@example.com')
    end

    it 'returns users with a matching name' do
      expect(search_with_secondary_emails(user.name)).to eq([user])
    end

    it 'returns users with a partially matching name' do
      prefix = user.name[0..2]

      expect(search_with_secondary_emails(prefix)).to eq([user])
    end

    it 'returns users with a matching name regardless of the casing' do
      expect(search_with_secondary_emails(user.name.upcase)).to eq([user])
    end

    it 'returns users with a matching email' do
      expect(search_with_secondary_emails(user.email)).to eq([user])
    end

    it 'returns users with a partially matching email' do
      prefix = user.email[0..2]

      expect(search_with_secondary_emails(prefix)).to eq([user])
    end

    it 'returns users with a matching email regardless of the casing' do
      expect(search_with_secondary_emails(user.email.upcase)).to eq([user])
    end

    it 'returns users with a matching username' do
      expect(search_with_secondary_emails(user.username)).to eq([user])
    end

    it 'returns users with a partially matching username' do
      prefix = user.username[0..2]

      expect(search_with_secondary_emails(prefix)).to eq([user])
    end

    it 'returns users with a matching username regardless of the casing' do
      expect(search_with_secondary_emails(user.username.upcase)).to eq([user])
    end

    it 'returns users with a matching whole secondary email' do
      expect(search_with_secondary_emails(email.email)).to eq([email.user])
    end

    # email[1..4] is a fragment from the middle of the address, not a prefix.
    it 'returns users with a matching part of secondary email' do
      fragment = email.email[1..4]

      expect(search_with_secondary_emails(fragment)).to eq([email.user])
    end

    it 'return users with a matching part of secondary email regardless of case' do
      fragment = email.email[1..4]

      expect(search_with_secondary_emails(fragment.upcase)).to eq([email.user])
      expect(search_with_secondary_emails(fragment.downcase)).to eq([email.user])
      expect(search_with_secondary_emails(fragment.capitalize)).to eq([email.user])
    end

    it 'returns multiple users with matching secondary emails' do
      first_match = create(:email, email: '1_testemail@example.com')
      second_match = create(:email, email: '2_testemail@example.com')
      non_match = create(:email, email: 'other@email.com')
      # Give the third user a primary address that cannot match the term either.
      non_match.user.update_attributes!(email: 'another@mail.com')

      expect(
        search_with_secondary_emails('testemail@example.com').map(&:id)
      ).to include(first_match.user.id, second_match.user.id)

      expect(
        search_with_secondary_emails('testemail@example.com').map(&:id)
      ).not_to include(non_match.user.id)
    end
  end

  # Resolves the owner of an SSH key from the key's database ID.
  describe '.find_by_ssh_key_id' do
    context 'using an existing SSH key ID' do
      let(:user) { create(:user) }
      let(:key) { create(:key, user: user) }

      it 'returns the corresponding User' do
        expect(described_class.find_by_ssh_key_id(key.id)).to eq(user)
      end
    end

    # An ID that matches no key yields nil instead of raising, so the caller
    # has to treat nil as "no such user".
    context 'using an invalid SSH key ID' do
      it 'returns nil' do
        expect(described_class.find_by_ssh_key_id(-1)).to be_nil
      end
    end
  end

  # Login lookup accepts either the e-mail address or the username, ignores
  # letter case for both, and yields nil for nil or empty input.
  describe '.by_login' do
    let(:username) { 'John' }
    let!(:user) { create(:user, username: username) }

    it 'gets the correct user' do
      # Each of these spellings must resolve to the same account.
      [user.email.upcase, user.email, username.downcase, username].each do |login|
        expect(User.by_login(login)).to eq user
      end

      # A missing or blank login must not match any account.
      [nil, ''].each do |blank_login|
        expect(User.by_login(blank_login)).to be_nil
      end
    end
  end

  # Non-raising username lookup: nil when nothing matches, and the match
  # ignores letter case.
  describe '.find_by_username' do
    it 'returns nil if not found' do
      missing = described_class.find_by_username('JohnDoe')

      expect(missing).to be_nil
    end

    it 'is case-insensitive' do
      john = create(:user, username: 'JohnDoe')

      expect(described_class.find_by_username('JOHNDOE')).to eq john
    end
  end

  # Raising variant of the username lookup: same case-insensitive match, but a
  # miss raises ActiveRecord::RecordNotFound instead of returning nil.
  describe '.find_by_username!' do
    it 'raises RecordNotFound' do
      lookup = -> { described_class.find_by_username!('JohnDoe') }

      expect(&lookup).to raise_error(ActiveRecord::RecordNotFound)
    end

    it 'is case-insensitive' do
      john = create(:user, username: 'JohnDoe')

      expect(described_class.find_by_username!('JOHNDOE')).to eq john
    end
  end

  # Path-based user lookup. The examples pin three properties: matching is
  # case-insensitive, redirect routes are honoured only when the caller opts in
  # with follow_redirects, and a path that belongs to a group never resolves
  # to a user.
  describe '.find_by_full_path' do
    let!(:user) { create(:user) }

    context 'with a route matching the given path' do
      let!(:route) { user.namespace.route }

      it 'returns the user' do
        expect(described_class.find_by_full_path(route.path)).to eq(user)
      end

      it 'is case-insensitive' do
        [route.path.upcase, route.path.downcase].each do |path|
          expect(described_class.find_by_full_path(path)).to eq(user)
        end
      end
    end

    context 'with a redirect route matching the given path' do
      let!(:redirect_route) { user.namespace.redirect_routes.create(path: 'foo') }

      context 'without the follow_redirects option' do
        it 'returns nil' do
          # Redirects are not followed unless explicitly requested.
          expect(described_class.find_by_full_path(redirect_route.path)).to be_nil
        end
      end

      context 'with the follow_redirects option set to true' do
        it 'returns the user' do
          found = described_class.find_by_full_path(redirect_route.path, follow_redirects: true)

          expect(found).to eq(user)
        end

        it 'is case-insensitive' do
          [redirect_route.path.upcase, redirect_route.path.downcase].each do |path|
            expect(described_class.find_by_full_path(path, follow_redirects: true)).to eq(user)
          end
        end
      end
    end

    context 'without a route or a redirect route matching the given path' do
      context 'without the follow_redirects option' do
        it 'returns nil' do
          expect(described_class.find_by_full_path('unknown')).to be_nil
        end
      end

      context 'with the follow_redirects option set to true' do
        it 'returns nil' do
          expect(described_class.find_by_full_path('unknown', follow_redirects: true)).to be_nil
        end
      end
    end

    context 'with a group route matching the given path' do
      let!(:group) { create(:group, path: 'group_path') }

      it 'returns nil' do
        # The path exists, but it names a group, so the user lookup must miss.
        expect(described_class.find_by_full_path('group_path')).to be_nil
      end
    end
  end

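  # all_ssh_keys is called on a user instance, so the group is named with the
  # '#' prefix this file uses for instance methods.
  describe '#all_ssh_keys' do
    it { is_expected.to have_many(:keys).dependent(:destroy) }

    it "has all ssh keys" do
      user = create :user
      # Public-key fixture only; no private key material is involved.
      key = create :key, key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD33bWLBxu48Sev9Fert1yzEO4WGcWglWF7K/AwblIUFselOt/QdOL9DSjpQGxLagO1s9wl53STIO8qGS4Ms0EJZyIXOEFMjFJ5xmjSy+S37By4sG7SsltQEHMxtbtFOaW5LV2wCrX+rUsRNqLMamZjgjcPO0/EgGCXIGMAYW4O7cwGZdXWYIhQ1Vwy+CsVMDdPkPgBXqK7nR/ey8KMs8ho5fMNgB5hBw/AL9fNGhRw3QTD6Q12Nkhl4VZES2EsZqlpNnJttnPdp847DUsT6yuLRlfiQfz5Cn9ysHFdXObMN5VYIiPFwHeYCZp1X2S4fDZooRE8uOLTfxWHPXwrhqSH", user_id: user.id

      # The returned entries are strings that begin with the stored key text.
      expect(user.all_ssh_keys).to include(a_string_starting_with(key.key))
    end
  end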

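  # Avatar type check. Both examples vary only the stored file name
  # (.png vs .html); what else the check inspects is not visible in this spec.
  describe '#avatar_type' do
    let(:user) { create(:user) }

    it 'is true if avatar is image' do
      user.update_attribute(:avatar, 'uploads/avatar.png')
      expect(user.avatar_type).to be_truthy
    end

    # The rejected case returns the error list, not false, so the example is
    # named after what it actually asserts.
    it 'returns a validation error if avatar is html page' do
      user.update_attribute(:avatar, 'uploads/avatar.html')
      expect(user.avatar_type).to eq(['only images allowed'])
    end
  end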

  # URL of an uploaded avatar: built from the configured GitLab host, or from
  # the primary node's URL when the instance is a Geo secondary.
  describe '#avatar_url' do
    let(:user) { create(:user, :with_avatar) }

    subject { user.avatar_url }

    context 'when avatar file is uploaded' do
      let(:avatar_path) { "/uploads/user/avatar/#{user.id}/dk.png" }

      it { is_expected.to eq "http://#{Gitlab.config.gitlab.host}#{avatar_path}" }

      context 'when in a geo secondary node' do
        let(:geo_url) { 'http://geo.example.com' }

        before do
          # Pretend to be a secondary whose primary lives at geo_url.
          allow(Gitlab::Geo).to receive(:secondary?).and_return(true)
          allow(Gitlab::Geo).to receive_message_chain(:primary_node, :url).and_return(geo_url)
        end

        it { is_expected.to eq "#{geo_url}#{avatar_path}" }
      end
    end
  end

  # When a user's LDAP credentials must be re-verified: never while LDAP is
  # disabled or for non-LDAP users; for LDAP users when no check was ever
  # recorded or the last one is more than an hour old.
  # NOTE(review): no example covers a check made within the last hour, so the
  # "no re-check needed yet" branch is not pinned by this spec.
  describe '#requires_ldap_check?' do
    let(:user) { described_class.new }

    it 'is false when LDAP is disabled' do
      # Create a condition which would otherwise cause 'true' to be returned
      # (presumably the test configuration leaves LDAP disabled — confirm).
      allow(user).to receive_messages(ldap_user?: true)
      user.last_credential_check_at = nil

      expect(user.requires_ldap_check?).to be_falsey
    end

    context 'when LDAP is enabled' do
      before { allow(Gitlab.config.ldap).to receive_messages(enabled: true) }

      it 'is false for non-LDAP users' do
        allow(user).to receive_messages(ldap_user?: false)

        expect(user.requires_ldap_check?).to be_falsey
      end

      context 'and when the user is an LDAP user' do
        before { allow(user).to receive_messages(ldap_user?: true) }

        it 'is true when the user has never had an LDAP check before' do
          user.last_credential_check_at = nil

          expect(user.requires_ldap_check?).to be_truthy
        end

        it 'is true when the last LDAP check happened over 1 hour ago' do
          user.last_credential_check_at = 2.hours.ago

          expect(user.requires_ldap_check?).to be_truthy
        end
      end
    end
  end

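  # Behaviour of users whose identity comes from an LDAP provider.
  context 'ldap synchronized user' do
    # A user counts as an LDAP user only with an identity whose provider name
    # starts with "ldap" and which carries an extern_uid.
    describe '#ldap_user?' do
      it 'is true if provider name starts with ldap' do
        user = create(:omniauth_user, provider: 'ldapmain')
        expect(user.ldap_user?).to be_truthy
      end

      it 'is false for other providers' do
        user = create(:omniauth_user, provider: 'other-provider')
        expect(user.ldap_user?).to be_falsey
      end

      it 'is false if no extern_uid is provided' do
        user = create(:omniauth_user, extern_uid: nil)
        expect(user.ldap_user?).to be_falsey
      end
    end

    describe '#ldap_identity' do
      it 'returns ldap identity' do
        user = create :omniauth_user
        expect(user.ldap_identity.provider).not_to be_empty
      end
    end

    # ldap_block must leave the user both blocked and marked as blocked by
    # LDAP, so the two states can be told apart later.
    describe '#ldap_block' do
      let(:user) { create(:omniauth_user, provider: 'ldapmain', name: 'John Smith') }

      it 'blocks user flagging the action coming from ldap' do
        user.ldap_block
        expect(user.blocked?).to be_truthy
        expect(user.ldap_blocked?).to be_truthy
      end
    end
  end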

  # Normalised website URL: a scheme-less value gets "http://" prepended, while
  # http and https values are returned unchanged.
  # NOTE(review): only scheme-less, http and https inputs are exercised here;
  # how any other scheme is treated is not visible in this spec.
  describe '#full_website_url' do
    let(:user) { create(:user) }

    [
      ['begins with http if website url omits it', 'test.com', 'http://test.com'],
      ['begins with http if website url begins with http', 'http://test.com', 'http://test.com'],
      ['begins with https if website url begins with https', 'https://test.com', 'https://test.com']
    ].each do |example_name, stored_url, expected_url|
      it example_name do
        user.website_url = stored_url

        expect(user.full_website_url).to eq expected_url
      end
    end
  end

  # Display form of the website URL: the http:// or https:// prefix is dropped,
  # and a value without a scheme is returned as stored.
  describe '#short_website_url' do
    let(:user) { create(:user) }

    [
      ['does not begin with http if website url omits it', 'test.com'],
      ['does not begin with http if website url begins with http', 'http://test.com'],
      ['does not begin with https if website url begins with https', 'https://test.com']
    ].each do |example_name, stored_url|
      it example_name do
        user.website_url = stored_url

        expect(user.short_website_url).to eq 'test.com'
      end
    end
  end

  # starred? must follow the UsersStarProject rows for each project
  # independently as stars are created and destroyed.
  describe '#starred?' do
    it 'determines if user starred a project' do
      user = create(:user)
      project1 = create(:empty_project, :public)
      project2 = create(:empty_project, :public)

      # Checks the starred state of project1 and project2, in that order.
      expect_starred = lambda do |first, second|
        expect(user.starred?(project1)).to(first ? be_truthy : be_falsey)
        expect(user.starred?(project2)).to(second ? be_truthy : be_falsey)
      end

      expect_starred.call(false, false)

      star1 = UsersStarProject.create!(project: project1, user: user)
      expect_starred.call(true, false)

      star2 = UsersStarProject.create!(project: project2, user: user)
      expect_starred.call(true, true)

      star1.destroy
      expect_starred.call(false, true)

      star2.destroy
      expect_starred.call(false, false)
    end
  end

  # toggle_star flips the starred state: the first call stars the project, the
  # second call removes the star again.
  describe '#toggle_star' do
    it 'toggles stars' do
      user = create(:user)
      project = create(:empty_project, :public)
      starred = -> { user.starred?(project) }

      expect(starred.call).to be_falsey

      user.toggle_star(project)
      expect(starred.call).to be_truthy

      user.toggle_star(project)
      expect(starred.call).to be_falsey
    end
  end

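  # existing_member? is called on the User class, so the group uses the '.'
  # prefix this file uses for class methods. An address counts as known when
  # it is either a user's primary e-mail or one of their additional e-mails.
  describe ".existing_member?" do
    it "returns true for existing user" do
      create :user, email: "bruno@example.com"

      expect(User.existing_member?("bruno@example.com")).to be_truthy
    end

    it "returns false for unknown existing user" do
      create :user, email: "bruno@example.com"

      # A different address from the one created above must not match.
      expect(User.existing_member?("rendom@example.com")).to be_falsey
    end

    it "returns true if additional email exists" do
      user = create :user
      user.emails.create(email: "bruno@example.com")

      expect(User.existing_member?("bruno@example.com")).to be_truthy
    end
  end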

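  # sort is called on the User class, so the group uses the '.' prefix this
  # file uses for class methods.
  describe '.sort' do
    before do
      # Start from an empty table so first/third refer only to these users.
      User.delete_all
      @user = create :user, created_at: Date.today, last_sign_in_at: Date.today, name: 'Alpha'
      @user1 = create :user, created_at: Date.today - 1, last_sign_in_at: Date.today - 1, name: 'Omega'
      # Oldest account, and the only one that never signed in.
      @user2 = create :user, created_at: Date.today - 2, last_sign_in_at: nil, name: 'Beta'
    end

    context 'when sort by recent_sign_in' do
      it 'sorts users by the recent sign-in time' do
        expect(User.sort('recent_sign_in').first).to eq(@user)
      end

      it 'pushes users who never signed in to the end' do
        expect(User.sort('recent_sign_in').third).to eq(@user2)
      end
    end

    context 'when sort by oldest_sign_in' do
      it 'sorts users by the oldest sign-in time' do
        expect(User.sort('oldest_sign_in').first).to eq(@user1)
      end

      it 'pushes users who never signed in to the end' do
        expect(User.sort('oldest_sign_in').third).to eq(@user2)
      end
    end

    it 'sorts users in descending order by their creation time' do
      expect(User.sort('created_desc').first).to eq(@user)
    end

    it 'sorts users in ascending order by their creation time' do
      expect(User.sort('created_asc').first).to eq(@user2)
    end

    it 'sorts users by id in descending order when nil is passed' do
      # @user2 is inserted last, so it is expected to carry the highest id.
      expect(User.sort(nil).first).to eq(@user2)
    end
  end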

  # Projects the user contributed to: one they pushed to (project1) and one
  # that received their merge request (project3). The fork the merge request
  # came from (project2) does not count.
  describe "#contributed_projects" do
    subject { create(:user) }

    let!(:project1) { create(:empty_project) }
    let!(:project2) { create(:empty_project, forked_from_project: project3) }
    let!(:project3) { create(:empty_project) }
    let!(:merge_request) do
      create(:merge_request, source_project: project2, target_project: project3, author: subject)
    end
    let!(:push_event) do
      create(:event, :pushed, project: project1, target: project1, author: subject)
    end
    let!(:merge_event) do
      create(:event, :created, project: project3, target: merge_request, author: subject)
    end

    before do
      [project1, project2].each { |member_project| member_project.team << [subject, :master] }
    end

    it "includes IDs for projects the user has pushed to" do
      contributed = subject.contributed_projects

      expect(contributed).to include(project1)
    end

    it "includes IDs for projects the user has had merge requests merged into" do
      contributed = subject.contributed_projects

      expect(contributed).to include(project3)
    end

    it "doesn't include IDs for unrelated projects" do
      contributed = subject.contributed_projects

      expect(contributed).not_to include(project2)
    end
  end

  # A user can be removed only while they own no groups.
  describe '#can_be_removed?' do
    subject { create(:user) }

    context 'no owned groups' do
      it { expect(subject.can_be_removed?).to be_truthy }
    end

    context 'has owned groups' do
      # Make the user an owner of a freshly created group.
      before { create(:group).add_owner(subject) }

      it { expect(subject.can_be_removed?).to be_falsey }
    end
  end

  # Most recent push event by the user. It is hidden once its branch is gone
  # or a merge request has been opened for it, and it can be limited to one
  # project or a list of projects.
  describe "#recent_push" do
    subject { create(:user) }

    let!(:project1) { create(:project, :repository) }
    let!(:project2) { create(:project, :repository, forked_from_project: project1) }
    let!(:push_data) { Gitlab::DataBuilder::Push.build_sample(project2, subject) }
    let!(:push_event) do
      create(:event, :pushed, project: project2, target: project1, author: subject, data: push_data)
    end

    before do
      [project1, project2].each { |member_project| member_project.team << [subject, :master] }
    end

    it "includes push event" do
      expect(subject.recent_push).to eq(push_event)
    end

    it "excludes push event if branch has been deleted" do
      # Every repository now reports 'foo' as its only branch.
      allow_any_instance_of(Repository).to receive(:branch_names).and_return(['foo'])

      expect(subject.recent_push).to be_nil
    end

    it "excludes push event if MR is opened for it" do
      create(
        :merge_request,
        source_project: project2,
        target_project: project1,
        source_branch: project2.default_branch,
        target_branch: 'fix',
        author: subject
      )

      expect(subject.recent_push).to be_nil
    end

    it "includes push events on any of the provided projects" do
      expect(subject.recent_push(project1)).to be_nil
      expect(subject.recent_push(project2)).to eq(push_event)

      newer_push_data = Gitlab::DataBuilder::Push.build_sample(project1, subject)
      newer_push_event = create(
        :event, :pushed,
        project: project1, target: project1, author: subject, data: newer_push_data
      )

      # With both projects given, the newest event wins.
      expect(subject.recent_push([project1, project2])).to eq(newer_push_event)
    end
  end

  # Groups the user may access: here a single group joined with master access.
  describe '#authorized_groups' do
    let!(:user) { create(:user) }
    let!(:private_group) { create(:group) }

    subject { user.authorized_groups }

    before do
      private_group.add_user(user, Gitlab::Access::MASTER)
    end

    it { expect(subject).to eq([private_group]) }
  end

  # Projects the user is authorized for. Access can come from owning the
  # namespace, direct membership, group membership or a project shared with
  # the user's group, and it must disappear when the membership, the project
  # or the group is destroyed.
  describe '#authorized_projects', truncate: true do
    context 'with a minimum access level' do
      it 'includes projects for which the user is an owner' do
        user = create(:user)
        project = create(:empty_project, :private, namespace: user.namespace)

        at_least_reporter = user.authorized_projects(Gitlab::Access::REPORTER)

        expect(at_least_reporter).to contain_exactly(project)
      end

      it 'includes projects for which the user is a master' do
        user = create(:user)
        project = create(:empty_project, :private)

        project.team << [user, Gitlab::Access::MASTER]

        at_least_reporter = user.authorized_projects(Gitlab::Access::REPORTER)

        expect(at_least_reporter).to contain_exactly(project)
      end
    end

    it "includes user's personal projects" do
      user = create(:user)
      project = create(:empty_project, :private, namespace: user.namespace)

      expect(user.authorized_projects).to include(project)
    end

    it "includes personal projects user has been given access to" do
      user1 = create(:user)
      user2 = create(:user)
      project = create(:empty_project, :private, namespace: user1.namespace)

      project.team << [user2, Gitlab::Access::DEVELOPER]

      expect(user2.authorized_projects).to include(project)
    end

    it "includes projects of groups user has been added to" do
      group = create(:group)
      project = create(:empty_project, group: group)
      user = create(:user)

      group.add_developer(user)

      expect(user.authorized_projects).to include(project)
    end

    it "does not include projects of groups user has been removed from" do
      group = create(:group)
      project = create(:empty_project, group: group)
      user = create(:user)

      membership = group.add_developer(user)
      expect(user.authorized_projects).to include(project)

      # Dropping the membership must revoke the project access with it.
      membership.destroy
      expect(user.authorized_projects).not_to include(project)
    end

    it "includes projects shared with user's group" do
      user = create(:user)
      project = create(:empty_project, :private)
      group = create(:group)

      group.add_reporter(user)
      project.project_group_links.create(group: group)

      expect(user.authorized_projects).to include(project)
    end

    it "does not include destroyed projects user had access to" do
      user1 = create(:user)
      user2 = create(:user)
      project = create(:empty_project, :private, namespace: user1.namespace)

      project.team << [user2, Gitlab::Access::DEVELOPER]
      expect(user2.authorized_projects).to include(project)

      project.destroy
      expect(user2.authorized_projects).not_to include(project)
    end

    it "does not include projects of destroyed groups user had access to" do
      group = create(:group)
      project = create(:empty_project, namespace: group)
      user = create(:user)

      group.add_developer(user)
      expect(user.authorized_projects).to include(project)

      group.destroy
      expect(user.authorized_projects).not_to include(project)
    end
  end

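  # Projects in which the user may administer issues. Every example checks the
  # returned list against the :admin_issue ability for the same project, so
  # the two stay in agreement.
  describe '#projects_where_can_admin_issues' do
    let(:user) { create(:user) }

    it 'includes projects for which the user access level is above or equal to reporter' do
      reporter_project  = create(:empty_project) { |p| p.add_reporter(user) }
      developer_project = create(:empty_project) { |p| p.add_developer(user) }
      master_project    = create(:empty_project) { |p| p.add_master(user) }

      expect(user.projects_where_can_admin_issues.to_a).to eq([master_project, developer_project, reporter_project])
      expect(user.can?(:admin_issue, master_project)).to eq(true)
      expect(user.can?(:admin_issue, developer_project)).to eq(true)
      expect(user.can?(:admin_issue, reporter_project)).to eq(true)
    end

    it 'does not include projects for which the user access level is below reporter' do
      # One project without any membership, one with guest access only.
      project = create(:empty_project)
      guest_project = create(:empty_project) { |p| p.add_guest(user) }

      expect(user.projects_where_can_admin_issues.to_a).to be_empty
      expect(user.can?(:admin_issue, guest_project)).to eq(false)
      expect(user.can?(:admin_issue, project)).to eq(false)
    end

    it 'does not include archived projects' do
      project = create(:empty_project, :archived)

      expect(user.projects_where_can_admin_issues.to_a).to be_empty
      expect(user.can?(:admin_issue, project)).to eq(false)
    end

    it 'does not include projects for which issues are disabled' do
      project = create(:empty_project, :issues_disabled)

      expect(user.projects_where_can_admin_issues.to_a).to be_empty
      expect(user.can?(:admin_issue, project)).to eq(false)
    end
  end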

  # CI runners the user may manage. A runner attached to a project is returned
  # for the owner of the project's personal namespace and for masters (via the
  # group or the project itself); developer access is not enough, and a
  # project the user has no relation to contributes nothing.
  describe '#ci_authorized_runners' do
    let(:user) { create(:user) }
    let(:runner) { create(:ci_runner) }

    subject(:authorized_runners) { user.ci_authorized_runners }

    # Each context supplies its own `project`; the runner is attached to it.
    before { project.runners << runner }

    context 'without any projects' do
      let(:project) { create(:empty_project) }

      it 'does not load' do
        expect(authorized_runners).to be_empty
      end
    end

    context 'with personal projects runners' do
      let(:namespace) { create(:namespace, owner: user) }
      let(:project) { create(:empty_project, namespace: namespace) }

      it 'loads' do
        expect(authorized_runners).to contain_exactly(runner)
      end
    end

    # Shared by the group and project contexts below, which each define
    # add_user(access) to grant the membership in their own way.
    shared_examples :member do
      context 'when the user is a master' do
        before { add_user(Gitlab::Access::MASTER) }

        it 'loads' do
          expect(authorized_runners).to contain_exactly(runner)
        end
      end

      context 'when the user is a developer' do
        before { add_user(Gitlab::Access::DEVELOPER) }

        it 'does not load' do
          expect(authorized_runners).to be_empty
        end
      end
    end

    context 'with groups projects runners' do
      let(:group) { create(:group) }
      let(:project) { create(:empty_project, group: group) }

      # Grants access through group membership.
      def add_user(access)
        group.add_user(user, access)
      end

      it_behaves_like :member
    end

    context 'with other projects runners' do
      let(:project) { create(:empty_project) }

      # Grants access through direct project membership.
      def add_user(access)
        project.team << [user, access]
      end

      it_behaves_like :member
    end
  end

  # Starred projects filtered by what the user may see. The user stars a public
  # project, a private project they belong to, and a private project they do
  # not belong to.
  # NOTE(review): the example only asserts that the private project without
  # membership is excluded. It does not assert that the other two are
  # returned, so a result that is empty would also pass.
  describe '#viewable_starred_projects' do
    let(:user) { create(:user) }
    let(:public_project) { create(:empty_project, :public) }
    let(:private_project) { create(:empty_project, :private) }
    let(:private_viewable_project) { create(:empty_project, :private) }

    before do
      private_viewable_project.team << [user, Gitlab::Access::MASTER]

      [public_project, private_project, private_viewable_project].each { |starred| user.toggle_star(starred) }
    end

    it 'returns only starred projects the user can view' do
      viewable = user.viewable_starred_projects

      expect(viewable).not_to include(private_project)
    end
  end

  # Narrows a set of project IDs (single ID, Array or relation) down to the
  # projects where the user holds reporter access; guest access on project2 is
  # not enough.
  describe '#projects_with_reporter_access_limited_to' do
    let(:project1) { create(:empty_project) }
    let(:project2) { create(:empty_project) }
    let(:user) { create(:user) }

    before do
      project1.team << [user, :reporter]
      project2.team << [user, :guest]
    end

    it 'returns the projects when using a single project ID' do
      limited = user.projects_with_reporter_access_limited_to(project1.id)

      expect(limited).to eq([project1])
    end

    it 'returns the projects when using an Array of project IDs' do
      limited = user.projects_with_reporter_access_limited_to([project1.id])

      expect(limited).to eq([project1])
    end

    it 'returns the projects when using an ActiveRecord relation' do
      # The relation covers every project, including the guest-only one.
      all_project_ids = Project.select(:id)
      limited = user.projects_with_reporter_access_limited_to(all_project_ids)

      expect(limited).to eq([project1])
    end

    it 'does not return projects you do not have reporter access to' do
      limited = user.projects_with_reporter_access_limited_to(project2.id)

      expect(limited).to be_empty
    end
  end

  # Subgroups below the groups the user owns: only the child of the owned
  # group is returned, not a group owned by somebody else.
  describe '#nested_groups' do
    let!(:user) { create(:user) }
    let!(:group) { create(:group) }
    let!(:nested_group) { create(:group, parent: group) }

    before do
      group.add_owner(user)

      # Add more data to ensure method does not include wrong groups
      unrelated_group = create(:group)
      unrelated_group.add_owner(create(:user))
    end

    it do
      expect(user.nested_groups).to eq([nested_group])
    end
  end

  # Owning one subgroup yields that subgroup and its parent, but not the
  # sibling subgroup the user was never added to.
  describe '#all_expanded_groups' do
    let!(:user) { create(:user) }
    let!(:group) { create(:group) }
    let!(:nested_group_1) { create(:group, parent: group) }
    let!(:nested_group_2) { create(:group, parent: group) }

    before do
      nested_group_1.add_owner(user)
    end

    it do
      expect(user.all_expanded_groups).to contain_exactly(group, nested_group_1)
    end
  end

  # Projects that live in subgroups of the groups the user owns: the project
  # in the nested group is returned, the one directly in the owned group and
  # the one in an unrelated nested group are not.
  describe '#nested_groups_projects' do
    let!(:user) { create(:user) }
    let!(:group) { create(:group) }
    let!(:nested_group) { create(:group, parent: group) }
    let!(:project) { create(:empty_project, namespace: group) }
    let!(:nested_project) { create(:empty_project, namespace: nested_group) }

    before do
      group.add_owner(user)

      # Add more data to ensure method does not include wrong projects
      unrelated_namespace = create(:group, :nested)
      other_project = create(:empty_project, namespace: unrelated_namespace)
      other_project.add_developer(create(:user))
    end

    it do
      expect(user.nested_groups_projects).to eq([nested_project])
    end
  end

  # Rebuilding the stored project authorizations from scratch: the rows are
  # wiped first, then the refresh must restore one row per membership with
  # the access level that membership grants.
  describe '#refresh_authorized_projects', redis: true do
    let(:project1) { create(:empty_project) }
    let(:project2) { create(:empty_project) }
    let(:user) { create(:user) }

    before do
      project1.team << [user, :reporter]
      project2.team << [user, :guest]

      # Drop whatever the memberships already wrote, then rebuild.
      user.project_authorizations.delete_all
      user.refresh_authorized_projects
    end

    it 'refreshes the list of authorized projects' do
      expect(user.project_authorizations.count).to eq(2)
    end

    it 'sets the authorized_projects_populated column' do
      expect(user.authorized_projects_populated).to eq(true)
    end

    it 'stores the correct access levels' do
      [Gitlab::Access::GUEST, Gitlab::Access::REPORTER].each do |level|
        stored = user.project_authorizations.where(access_level: level).exists?

        expect(stored).to eq(true)
      end
    end
  end

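  # Assigning the instance-wide access level. :admin and :auditor are mutually
  # exclusive, :regular clears both flags, and an unrecognised value leaves the
  # current level untouched instead of granting or revoking anything.
  describe '#access_level=' do
    let(:user) { build(:user) }

    before do
      # `auditor?` returns true only when the user is an auditor _and_ the auditor license
      # add-on is present. We aren't testing this here, so we can assume that the add-on exists.
      allow_any_instance_of(License).to receive(:add_on?).with('GitLab_Auditor_User') { true }
    end

    it 'does nothing for an invalid access level' do
      user.access_level = :invalid_access_level

      expect(user.access_level).to eq(:regular)
      expect(user.admin).to be false
      expect(user.auditor).to be false
    end

    it "assigns the 'admin' access level" do
      user.access_level = :admin

      expect(user.access_level).to eq(:admin)
      expect(user.admin).to be true
      expect(user.auditor).to be false
    end

    it "assigns the 'auditor' access level" do
      user.access_level = :auditor

      expect(user.access_level).to eq(:auditor)
      expect(user.admin).to be false
      expect(user.auditor).to be true
    end

    # Named after the level it assigns; it previously shared its name with
    # the auditor example above, which made failures ambiguous.
    it "assigns the 'regular' access level" do
      user.access_level = :regular

      expect(user.access_level).to eq(:regular)
      expect(user.admin).to be false
      expect(user.auditor).to be false
    end

    it "clears the 'admin' access level when a user is made an auditor" do
      user.access_level = :admin
      user.access_level = :auditor

      expect(user.access_level).to eq(:auditor)
      expect(user.admin).to be false
      expect(user.auditor).to be true
    end

    it "clears the 'auditor' access level when a user is made an admin" do
      user.access_level = :auditor
      user.access_level = :admin

      expect(user.access_level).to eq(:admin)
      expect(user.admin).to be true
      expect(user.auditor).to be false
    end

    it "doesn't clear existing access levels when an invalid access level is passed in" do
      user.access_level = :admin
      user.access_level = :invalid_access_level

      expect(user.access_level).to eq(:admin)
      expect(user.admin).to be true
      expect(user.auditor).to be false
    end

    it "accepts string values in addition to symbols" do
      user.access_level = 'admin'

      expect(user.access_level).to eq(:admin)
      expect(user.admin).to be true
      expect(user.auditor).to be false
    end
  end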

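  # The auditor role is gated on the current license: these examples check that
  # an auditor user is only valid, and `auditor?` only true, when a license is
  # present and carries the 'GitLab_Auditor_User' add-on.
  describe 'the GitLab_Auditor_User add-on' do
    let(:license) { build(:license) }

    before do
      # Default for every example: a license exists. Each example then decides
      # whether it carries the add-on, or replaces the license with nil.
      allow(::License).to receive(:current).and_return(license)
    end

    context 'creating an auditor user' do
      it "does not allow creating an auditor user if the addon isn't enabled" do
        allow_any_instance_of(License).to receive(:add_on?).with('GitLab_Auditor_User') { false }

        expect(build(:user, :auditor)).to be_invalid
      end

      it "does not allow creating an auditor user if no license is present" do
        allow(License).to receive(:current).and_return nil

        expect(build(:user, :auditor)).to be_invalid
      end

      it "allows creating an auditor user if the addon is enabled" do
        allow_any_instance_of(License).to receive(:add_on?).with('GitLab_Auditor_User') { true }

        expect(build(:user, :auditor)).to be_valid
      end

      it "allows creating a regular user if the addon isn't enabled" do
        allow_any_instance_of(License).to receive(:add_on?).with('GitLab_Auditor_User') { false }

        expect(build(:user)).to be_valid
      end
    end

    context '#auditor?' do
      it "returns true for an auditor user if the addon is enabled" do
        allow_any_instance_of(License).to receive(:add_on?).with('GitLab_Auditor_User') { true }

        expect(build(:user, :auditor)).to be_auditor
      end

      it "returns false for an auditor user if the addon is not enabled" do
        allow_any_instance_of(License).to receive(:add_on?).with('GitLab_Auditor_User') { false }

        expect(build(:user, :auditor)).not_to be_auditor
      end

      it "returns false for an auditor user if a license is not present" do
        # Exercise the missing-license path itself, the same way the
        # "no license is present" validation example does. Stubbing `add_on?`
        # to false here only repeated the "addon is not enabled" example and
        # left the nil-license branch of the privilege check untested.
        allow(License).to receive(:current).and_return nil

        expect(build(:user, :auditor)).not_to be_auditor
      end

      it "returns false for a non-auditor user even if the addon is present" do
        allow_any_instance_of(License).to receive(:add_on?).with('GitLab_Auditor_User') { true }

        expect(build(:user)).not_to be_auditor
      end
    end
  end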

  # `User.ghost` must return one persisted ghost account, creating it on first
  # use and picking a free username / e-mail when the default one is taken.
  #
  # NOTE(review): a second `describe '.ghost'` group with the same examples
  # follows this one in the file and also covers the domain-whitelist case;
  # this copy looks like a merge leftover - confirm and drop one of them.
  describe '.ghost' do
    it "creates a ghost user if one isn't already present" do
      ghost_user = User.ghost

      expect(ghost_user).to be_ghost
      expect(ghost_user).to be_persisted
    end

    it "does not create a second ghost user if one is already present" do
      # Two lookups, one row: the second call has to reuse the first record.
      expect { 2.times { User.ghost } }.to change(User, :count).by(1)
      expect(User.ghost).to eq(User.ghost)
    end

    context "when a regular user exists with the username 'ghost'" do
      it "creates a ghost user with a non-conflicting username" do
        create(:user, username: 'ghost')

        ghost_user = User.ghost

        expect(ghost_user).to be_persisted
        expect(ghost_user.username).to eq('ghost1')
      end
    end

    context "when a regular user exists with the email 'ghost@example.com'" do
      it "creates a ghost user with a non-conflicting email" do
        create(:user, email: 'ghost@example.com')

        ghost_user = User.ghost

        expect(ghost_user).to be_persisted
        expect(ghost_user.email).to eq('ghost1@example.com')
      end
    end
  end

  # Behaviour of the `User.ghost` lookup: it creates the ghost account once,
  # avoids clashing with existing usernames and e-mails, and still succeeds
  # when sign-up is restricted to whitelisted e-mail domains.
  describe '.ghost' do
    it "creates a ghost user if one isn't already present" do
      User.ghost.tap do |ghost_account|
        expect(ghost_account).to be_ghost
        expect(ghost_account).to be_persisted
      end
    end

    it "does not create a second ghost user if one is already present" do
      repeated_lookup = lambda do
        User.ghost
        User.ghost
      end

      expect(&repeated_lookup).to change { User.count }.by(1)
      expect(User.ghost).to eq(User.ghost)
    end

    context "when a regular user exists with the username 'ghost'" do
      it "creates a ghost user with a non-conflicting username" do
        create(:user, username: 'ghost')
        ghost_account = User.ghost

        expect(ghost_account).to be_persisted
        expect(ghost_account.username).to eq('ghost1')
      end
    end

    context "when a regular user exists with the email 'ghost@example.com'" do
      it "creates a ghost user with a non-conflicting email" do
        create(:user, email: 'ghost@example.com')
        ghost_account = User.ghost

        expect(ghost_account).to be_persisted
        expect(ghost_account.email).to eq('ghost1@example.com')
      end
    end

    context 'when a domain whitelist is in place' do
      # The e-mail examples above use an example.com address for the ghost,
      # which is outside this whitelist; creation must succeed regardless.
      before do
        stub_application_setting(domain_whitelist: ['gitlab.com'])
      end

      it 'creates a ghost user' do
        expect(User.ghost).to be_persisted
      end
    end
  end

  # Group-driven two-factor enforcement. After `update_two_factor_requirement`
  # the user is flagged as requiring 2FA when a group they belong to requires
  # it, including a requirement set on a nested parent or child group, and the
  # shortest grace period among the requiring groups is the one applied.
  describe '#update_two_factor_requirement' do
    let(:user) { create(:user) }

    context 'with 2FA requirement on groups' do
      let(:group1) { create(:group, require_two_factor_authentication: true, two_factor_grace_period: 23) }
      let(:group2) { create(:group, require_two_factor_authentication: true, two_factor_grace_period: 32) }

      before do
        group1.add_user(user, GroupMember::OWNER)
        group2.add_user(user, GroupMember::OWNER)

        user.update_two_factor_requirement
      end

      it 'requires 2FA' do
        expect(user.require_two_factor_authentication_from_group).to be(true)
      end

      # 23 < 32: the stricter of the two group settings has to win.
      it 'uses the shortest grace period' do
        expect(user.two_factor_grace_period).to be(23)
      end
    end

    context 'with 2FA requirement on nested parent group' do
      # Membership is on the child only; the requirement is set on its parent.
      let!(:group1) { create(:group, require_two_factor_authentication: true) }
      let!(:group1a) { create(:group, require_two_factor_authentication: false, parent: group1) }

      before do
        group1a.add_user(user, GroupMember::OWNER)

        user.update_two_factor_requirement
      end

      it 'requires 2FA' do
        expect(user.require_two_factor_authentication_from_group).to be(true)
      end
    end

    context 'with 2FA requirement on nested child group' do
      # Membership is on the parent only; the requirement is set on its child.
      let!(:group1) { create(:group, require_two_factor_authentication: false) }
      let!(:group1a) { create(:group, require_two_factor_authentication: true, parent: group1) }

      before do
        group1.add_user(user, GroupMember::OWNER)

        user.update_two_factor_requirement
      end

      it 'requires 2FA' do
        expect(user.require_two_factor_authentication_from_group).to be(true)
      end
    end

    context 'without 2FA requirement on groups' do
      let(:group) { create(:group) }

      before do
        group.add_user(user, GroupMember::OWNER)

        user.update_two_factor_requirement
      end

      it 'does not require 2FA' do
        expect(user.require_two_factor_authentication_from_group).to be(false)
      end

      it 'falls back to the default grace period' do
        expect(user.two_factor_grace_period).to be(48)
      end
    end
  end

  # `User.active` should count only the one active regular user created below:
  # not the blocked user, and not the ghost account (presumably the "internal"
  # user the example name refers to).
  context '.active' do
    before do
      User.ghost
      %w[active blocked].each do |account_state|
        create(:user, name: 'user', state: account_state)
      end
    end

    it 'only counts active and non internal users' do
      expect(User.active.count).to eq(1)
    end
  end
end