users_spec.rb 11.1 KB
Newer Older
Robert Schilling's avatar
Robert Schilling committed
1 2
require 'spec_helper'

3
describe API::V3::Users do
Robert Schilling's avatar
Robert Schilling committed
4 5 6 7
  let(:user)  { create(:user) }
  let(:admin) { create(:admin) }
  let(:key)   { create(:key, user: user) }
  let(:email)   { create(:email, user: user) }
8
  let(:ldap_blocked_user) { create(:omniauth_user, provider: 'ldapmain', state: 'ldap_blocked') }
Robert Schilling's avatar
Robert Schilling committed
9

10 11 12 13 14
  describe 'GET /users' do
    context 'when authenticated' do
      it 'returns an array of users' do
        get v3_api('/users', user)

15
        expect(response).to have_gitlab_http_status(200)
16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41
        expect(response).to include_pagination_headers
        expect(json_response).to be_an Array
        username = user.username
        expect(json_response.detect do |user|
          user['username'] == username
        end['username']).to eq(username)
      end
    end

    context 'when authenticated as user' do
      it 'does not reveal the `is_admin` flag of the user' do
        get v3_api('/users', user)

        expect(json_response.first.keys).not_to include 'is_admin'
      end
    end

    context 'when authenticated as admin' do
      it 'reveals the `is_admin` flag of the user' do
        get v3_api('/users', admin)

        expect(json_response.first.keys).to include 'is_admin'
      end
    end
  end

Robert Schilling's avatar
Robert Schilling committed
42 43 44 45 46 47
  describe 'GET /user/:id/keys' do
    before { admin }

    context 'when unauthenticated' do
      it 'returns authentication error' do
        get v3_api("/users/#{user.id}/keys")
48
        expect(response).to have_gitlab_http_status(401)
Robert Schilling's avatar
Robert Schilling committed
49 50 51 52 53 54
      end
    end

    context 'when authenticated' do
      it 'returns 404 for non-existing user' do
        get v3_api('/users/999999/keys', admin)
55
        expect(response).to have_gitlab_http_status(404)
Robert Schilling's avatar
Robert Schilling committed
56 57 58 59 60 61 62 63 64
        expect(json_response['message']).to eq('404 User Not Found')
      end

      it 'returns array of ssh keys' do
        user.keys << key
        user.save

        get v3_api("/users/#{user.id}/keys", admin)

65
        expect(response).to have_gitlab_http_status(200)
Robert Schilling's avatar
Robert Schilling committed
66 67 68 69
        expect(json_response).to be_an Array
        expect(json_response.first['title']).to eq(key.title)
      end
    end
70 71 72 73 74 75 76 77 78 79 80 81 82

    context "scopes" do
      let(:user) { admin }
      let(:path) { "/users/#{user.id}/keys" }
      let(:api_call) { method(:v3_api) }

      before do
        user.keys << key
        user.save
      end

      include_examples 'allows the "read_user" scope'
    end
Robert Schilling's avatar
Robert Schilling committed
83 84 85 86 87 88 89 90
  end

  describe 'GET /user/:id/emails' do
    before { admin }

    context 'when unauthenticated' do
      it 'returns authentication error' do
        get v3_api("/users/#{user.id}/emails")
91
        expect(response).to have_gitlab_http_status(401)
Robert Schilling's avatar
Robert Schilling committed
92 93 94 95 96 97
      end
    end

    context 'when authenticated' do
      it 'returns 404 for non-existing user' do
        get v3_api('/users/999999/emails', admin)
98
        expect(response).to have_gitlab_http_status(404)
Robert Schilling's avatar
Robert Schilling committed
99 100 101 102 103 104 105 106 107
        expect(json_response['message']).to eq('404 User Not Found')
      end

      it 'returns array of emails' do
        user.emails << email
        user.save

        get v3_api("/users/#{user.id}/emails", admin)

108
        expect(response).to have_gitlab_http_status(200)
Robert Schilling's avatar
Robert Schilling committed
109 110 111 112 113 114 115
        expect(json_response).to be_an Array
        expect(json_response.first['email']).to eq(email.email)
      end

      it "returns a 404 for invalid ID" do
        put v3_api("/users/ASDF/emails", admin)

116
        expect(response).to have_gitlab_http_status(404)
Robert Schilling's avatar
Robert Schilling committed
117 118 119 120 121 122 123 124
      end
    end
  end

  describe "GET /user/keys" do
    context "when unauthenticated" do
      it "returns authentication error" do
        get v3_api("/user/keys")
125
        expect(response).to have_gitlab_http_status(401)
Robert Schilling's avatar
Robert Schilling committed
126 127 128 129 130 131 132 133 134 135
      end
    end

    context "when authenticated" do
      it "returns array of ssh keys" do
        user.keys << key
        user.save

        get v3_api("/user/keys", user)

136
        expect(response).to have_gitlab_http_status(200)
Robert Schilling's avatar
Robert Schilling committed
137 138 139 140 141 142 143 144 145 146
        expect(json_response).to be_an Array
        expect(json_response.first["title"]).to eq(key.title)
      end
    end
  end

  describe "GET /user/emails" do
    context "when unauthenticated" do
      it "returns authentication error" do
        get v3_api("/user/emails")
147
        expect(response).to have_gitlab_http_status(401)
Robert Schilling's avatar
Robert Schilling committed
148 149 150 151 152 153 154 155 156 157
      end
    end

    context "when authenticated" do
      it "returns array of emails" do
        user.emails << email
        user.save

        get v3_api("/user/emails", user)

158
        expect(response).to have_gitlab_http_status(200)
Robert Schilling's avatar
Robert Schilling committed
159 160 161 162 163
        expect(json_response).to be_an Array
        expect(json_response.first["email"]).to eq(email.email)
      end
    end
  end
164 165 166 167 168

  describe 'PUT /users/:id/block' do
    before { admin }
    it 'blocks existing user' do
      put v3_api("/users/#{user.id}/block", admin)
169
      expect(response).to have_gitlab_http_status(200)
170 171 172 173 174
      expect(user.reload.state).to eq('blocked')
    end

    it 'does not re-block ldap blocked users' do
      put v3_api("/users/#{ldap_blocked_user.id}/block", admin)
175
      expect(response).to have_gitlab_http_status(403)
176 177 178 179 180
      expect(ldap_blocked_user.reload.state).to eq('ldap_blocked')
    end

    it 'does not be available for non admin users' do
      put v3_api("/users/#{user.id}/block", user)
181
      expect(response).to have_gitlab_http_status(403)
182 183 184 185 186
      expect(user.reload.state).to eq('active')
    end

    it 'returns a 404 error if user id not found' do
      put v3_api('/users/9999/block', admin)
187
      expect(response).to have_gitlab_http_status(404)
188 189 190 191 192 193 194 195 196 197
      expect(json_response['message']).to eq('404 User Not Found')
    end
  end

  describe 'PUT /users/:id/unblock' do
    let(:blocked_user)  { create(:user, state: 'blocked') }
    before { admin }

    it 'unblocks existing user' do
      put v3_api("/users/#{user.id}/unblock", admin)
198
      expect(response).to have_gitlab_http_status(200)
199 200 201 202 203
      expect(user.reload.state).to eq('active')
    end

    it 'unblocks a blocked user' do
      put v3_api("/users/#{blocked_user.id}/unblock", admin)
204
      expect(response).to have_gitlab_http_status(200)
205 206 207 208 209
      expect(blocked_user.reload.state).to eq('active')
    end

    it 'does not unblock ldap blocked users' do
      put v3_api("/users/#{ldap_blocked_user.id}/unblock", admin)
210
      expect(response).to have_gitlab_http_status(403)
211 212 213 214 215
      expect(ldap_blocked_user.reload.state).to eq('ldap_blocked')
    end

    it 'does not be available for non admin users' do
      put v3_api("/users/#{user.id}/unblock", user)
216
      expect(response).to have_gitlab_http_status(403)
217 218 219 220 221
      expect(user.reload.state).to eq('active')
    end

    it 'returns a 404 error if user id not found' do
      put v3_api('/users/9999/block', admin)
222
      expect(response).to have_gitlab_http_status(404)
223 224 225 226 227 228
      expect(json_response['message']).to eq('404 User Not Found')
    end

    it "returns a 404 for invalid ID" do
      put v3_api("/users/ASDF/block", admin)

229
      expect(response).to have_gitlab_http_status(404)
230 231
    end
  end
232 233 234

  describe 'GET /users/:id/events' do
    let(:user) { create(:user) }
235
    let(:project) { create(:project) }
236 237 238 239 240 241 242 243 244 245 246 247 248
    let(:note) { create(:note_on_issue, note: 'What an awesome day!', project: project) }

    before do
      project.add_user(user, :developer)
      EventCreateService.new.leave_note(note, user)
    end

    context "as a user than cannot see the event's project" do
      it 'returns no events' do
        other_user = create(:user)

        get api("/users/#{user.id}/events", other_user)

249
        expect(response).to have_gitlab_http_status(200)
250 251 252 253 254
        expect(json_response).to be_empty
      end
    end

    context "as a user than can see the event's project" do
255 256 257 258 259 260 261 262 263 264
      context 'when the list of events includes push events' do
        let(:event) { create(:push_event, author: user, project: project) }
        let!(:payload) { create(:push_event_payload, event: event) }
        let(:payload_hash) { json_response[0]['push_data'] }

        before do
          get api("/users/#{user.id}/events?action=pushed", user)
        end

        it 'responds with HTTP 200 OK' do
265
          expect(response).to have_gitlab_http_status(200)
266 267 268 269 270 271 272 273 274 275 276 277 278 279
        end

        it 'includes the push payload as a Hash' do
          expect(payload_hash).to be_an_instance_of(Hash)
        end

        it 'includes the push payload details' do
          expect(payload_hash['commit_count']).to eq(payload.commit_count)
          expect(payload_hash['action']).to eq(payload.action)
          expect(payload_hash['ref_type']).to eq(payload.ref_type)
          expect(payload_hash['commit_to']).to eq(payload.commit_to)
        end
      end

280 281 282 283
      context 'joined event' do
        it 'returns the "joined" event' do
          get v3_api("/users/#{user.id}/events", user)

284
          expect(response).to have_gitlab_http_status(200)
285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303
          expect(response).to include_pagination_headers
          expect(json_response).to be_an Array

          comment_event = json_response.find { |e| e['action_name'] == 'commented on' }

          expect(comment_event['project_id'].to_i).to eq(project.id)
          expect(comment_event['author_username']).to eq(user.username)
          expect(comment_event['note']['id']).to eq(note.id)
          expect(comment_event['note']['body']).to eq('What an awesome day!')

          joined_event = json_response.find { |e| e['action_name'] == 'joined' }

          expect(joined_event['project_id'].to_i).to eq(project.id)
          expect(joined_event['author_username']).to eq(user.username)
          expect(joined_event['author']['name']).to eq(user.name)
        end
      end

      context 'when there are multiple events from different projects' do
304
        let(:second_note) { create(:note_on_issue, project: create(:project)) }
305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327
        let(:third_note) { create(:note_on_issue, project: project) }

        before do
          second_note.project.add_user(user, :developer)

          [second_note, third_note].each do |note|
            EventCreateService.new.leave_note(note, user)
          end
        end

        it 'returns events in the correct order (from newest to oldest)' do
          get v3_api("/users/#{user.id}/events", user)

          comment_events = json_response.select { |e| e['action_name'] == 'commented on' }

          expect(comment_events[0]['target_id']).to eq(third_note.id)
          expect(comment_events[1]['target_id']).to eq(second_note.id)
          expect(comment_events[2]['target_id']).to eq(note.id)
        end
      end
    end

    it 'returns a 404 error if not found' do
328
      get v3_api('/users/420/events', user)
329

330
      expect(response).to have_gitlab_http_status(404)
331 332 333
      expect(json_response['message']).to eq('404 User Not Found')
    end
  end
334 335 336 337 338 339 340 341 342 343 344 345 346

  describe 'POST /users' do
    it 'creates confirmed user when confirm parameter is false' do
      optional_attributes = { confirm: false }
      attributes = attributes_for(:user).merge(optional_attributes)

      post v3_api('/users', admin), attributes

      user_id = json_response['id']
      new_user = User.find(user_id)

      expect(new_user).to be_confirmed
    end
347 348 349 350 351 352

    it 'does not reveal the `is_admin` flag of the user' do
      post v3_api('/users', admin), attributes_for(:user)

      expect(json_response['is_admin']).to be_nil
    end
353 354 355 356 357 358 359 360

    context "scopes" do
      let(:user) { admin }
      let(:path) { '/users' }
      let(:api_call) { method(:v3_api) }

      include_examples 'does not allow the "read_user" scope'
    end
361
  end
Robert Schilling's avatar
Robert Schilling committed
362
end