user_spec.rb 191 KB
Newer Older
1 2
# frozen_string_literal: true

gitlabhq's avatar
gitlabhq committed
3 4
require 'spec_helper'

5
RSpec.describe User do
6
  include ProjectForksHelper
7
  include TermsHelper
8
  include ExclusiveLeaseHelpers
9

Shinya Maeda's avatar
Shinya Maeda committed
10
  it_behaves_like 'having unique enum values'
Shinya Maeda's avatar
Shinya Maeda committed
11

12 13 14 15 16 17 18
  describe 'modules' do
    subject { described_class }

    it { is_expected.to include_module(Gitlab::ConfigHelper) }
    it { is_expected.to include_module(Referable) }
    it { is_expected.to include_module(Sortable) }
    it { is_expected.to include_module(TokenAuthenticatable) }
19
    it { is_expected.to include_module(BlocksJsonSerialization) }
20
    it { is_expected.to include_module(AsyncDeviseEmail) }
21 22
  end

23 24
  describe 'constants' do
    it { expect(described_class::COUNT_CACHE_VALIDITY_PERIOD).to be_a(Integer) }
25 26
    it { expect(described_class::MAX_USERNAME_LENGTH).to be_a(Integer) }
    it { expect(described_class::MIN_USERNAME_LENGTH).to be_a(Integer) }
27 28
  end

29 30
  describe 'delegations' do
    it { is_expected.to delegate_method(:path).to(:namespace).with_prefix }
31

32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49
    it { is_expected.to delegate_method(:notes_filter_for).to(:user_preference) }
    it { is_expected.to delegate_method(:set_notes_filter).to(:user_preference) }

    it { is_expected.to delegate_method(:first_day_of_week).to(:user_preference) }
    it { is_expected.to delegate_method(:first_day_of_week=).to(:user_preference).with_arguments(:args) }

    it { is_expected.to delegate_method(:timezone).to(:user_preference) }
    it { is_expected.to delegate_method(:timezone=).to(:user_preference).with_arguments(:args) }

    it { is_expected.to delegate_method(:time_display_relative).to(:user_preference) }
    it { is_expected.to delegate_method(:time_display_relative=).to(:user_preference).with_arguments(:args) }

    it { is_expected.to delegate_method(:time_format_in_24h).to(:user_preference) }
    it { is_expected.to delegate_method(:time_format_in_24h=).to(:user_preference).with_arguments(:args) }

    it { is_expected.to delegate_method(:show_whitespace_in_diffs).to(:user_preference) }
    it { is_expected.to delegate_method(:show_whitespace_in_diffs=).to(:user_preference).with_arguments(:args) }

50 51 52
    it { is_expected.to delegate_method(:view_diffs_file_by_file).to(:user_preference) }
    it { is_expected.to delegate_method(:view_diffs_file_by_file=).to(:user_preference).with_arguments(:args) }

53
    it { is_expected.to delegate_method(:tab_width).to(:user_preference) }
54 55 56 57 58
    it { is_expected.to delegate_method(:tab_width=).to(:user_preference).with_arguments(:args) }

    it { is_expected.to delegate_method(:sourcegraph_enabled).to(:user_preference) }
    it { is_expected.to delegate_method(:sourcegraph_enabled=).to(:user_preference).with_arguments(:args) }

59 60 61
    it { is_expected.to delegate_method(:gitpod_enabled).to(:user_preference) }
    it { is_expected.to delegate_method(:gitpod_enabled=).to(:user_preference).with_arguments(:args) }

62 63 64 65 66 67
    it { is_expected.to delegate_method(:setup_for_company).to(:user_preference) }
    it { is_expected.to delegate_method(:setup_for_company=).to(:user_preference).with_arguments(:args) }

    it { is_expected.to delegate_method(:render_whitespace_in_code).to(:user_preference) }
    it { is_expected.to delegate_method(:render_whitespace_in_code=).to(:user_preference).with_arguments(:args) }

68 69 70
    it { is_expected.to delegate_method(:experience_level).to(:user_preference) }
    it { is_expected.to delegate_method(:experience_level=).to(:user_preference).with_arguments(:args) }

71 72 73
    it { is_expected.to delegate_method(:markdown_surround_selection).to(:user_preference) }
    it { is_expected.to delegate_method(:markdown_surround_selection=).to(:user_preference).with_arguments(:args) }

74 75
    it { is_expected.to delegate_method(:job_title).to(:user_detail).allow_nil }
    it { is_expected.to delegate_method(:job_title=).to(:user_detail).with_arguments(:args).allow_nil }
76

77 78 79
    it { is_expected.to delegate_method(:pronouns).to(:user_detail).allow_nil }
    it { is_expected.to delegate_method(:pronouns=).to(:user_detail).with_arguments(:args).allow_nil }

80 81 82
    it { is_expected.to delegate_method(:pronunciation).to(:user_detail).allow_nil }
    it { is_expected.to delegate_method(:pronunciation=).to(:user_detail).with_arguments(:args).allow_nil }

83 84 85
    it { is_expected.to delegate_method(:bio).to(:user_detail).allow_nil }
    it { is_expected.to delegate_method(:bio=).to(:user_detail).with_arguments(:args).allow_nil }
    it { is_expected.to delegate_method(:bio_html).to(:user_detail).allow_nil }
86 87
  end

88
  describe 'associations' do
89
    it { is_expected.to have_one(:namespace) }
90
    it { is_expected.to have_one(:status) }
91
    it { is_expected.to have_one(:user_detail) }
92
    it { is_expected.to have_one(:atlassian_identity) }
93
    it { is_expected.to have_one(:user_highest_role) }
94
    it { is_expected.to have_one(:credit_card_validation) }
Serena Fang's avatar
Serena Fang committed
95
    it { is_expected.to have_one(:banned_user) }
96
    it { is_expected.to have_many(:snippets).dependent(:destroy) }
97 98 99
    it { is_expected.to have_many(:members) }
    it { is_expected.to have_many(:project_members) }
    it { is_expected.to have_many(:group_members) }
100 101
    it { is_expected.to have_many(:groups) }
    it { is_expected.to have_many(:keys).dependent(:destroy) }
102
    it { is_expected.to have_many(:expired_and_unnotified_keys) }
103
    it { is_expected.to have_many(:deploy_keys).dependent(:nullify) }
104
    it { is_expected.to have_many(:group_deploy_keys) }
105
    it { is_expected.to have_many(:events).dependent(:delete_all) }
106
    it { is_expected.to have_many(:issues).dependent(:destroy) }
107 108 109
    it { is_expected.to have_many(:notes).dependent(:destroy) }
    it { is_expected.to have_many(:merge_requests).dependent(:destroy) }
    it { is_expected.to have_many(:identities).dependent(:destroy) }
110
    it { is_expected.to have_many(:spam_logs).dependent(:destroy) }
111
    it { is_expected.to have_many(:todos) }
112
    it { is_expected.to have_many(:award_emoji).dependent(:destroy) }
113
    it { is_expected.to have_many(:triggers).dependent(:destroy) }
114 115
    it { is_expected.to have_many(:builds).dependent(:nullify) }
    it { is_expected.to have_many(:pipelines).dependent(:nullify) }
116
    it { is_expected.to have_many(:chat_names).dependent(:destroy) }
Jan Provaznik's avatar
Jan Provaznik committed
117
    it { is_expected.to have_many(:uploads) }
118
    it { is_expected.to have_many(:reported_abuse_reports).dependent(:destroy).class_name('AbuseReport') }
119
    it { is_expected.to have_many(:custom_attributes).class_name('UserCustomAttribute') }
120
    it { is_expected.to have_many(:releases).dependent(:nullify) }
121
    it { is_expected.to have_many(:metrics_users_starred_dashboards).inverse_of(:user) }
Patrick Bajao's avatar
Patrick Bajao committed
122
    it { is_expected.to have_many(:reviews).inverse_of(:author) }
123 124
    it { is_expected.to have_many(:merge_request_assignees).inverse_of(:assignee) }
    it { is_expected.to have_many(:merge_request_reviewers).inverse_of(:reviewer) }
125
    it { is_expected.to have_many(:created_custom_emoji).inverse_of(:creator) }
126
    it { is_expected.to have_many(:in_product_marketing_emails) }
127
    it { is_expected.to have_many(:timelogs) }
128

129 130 131
    describe "#user_detail" do
      it 'does not persist `user_detail` by default' do
        expect(create(:user).user_detail).not_to be_persisted
132 133
      end

134 135
      it 'creates `user_detail` when `bio` is given' do
        user = create(:user, bio: 'my bio')
136

137 138
        expect(user.user_detail).to be_persisted
        expect(user.user_detail.bio).to eq('my bio')
139 140
      end

141 142
      it 'delegates `bio` to `user_detail`' do
        user = create(:user, bio: 'my bio')
143 144 145 146

        expect(user.bio).to eq(user.user_detail.bio)
      end

147 148 149 150 151 152
      it 'delegates `pronouns` to `user_detail`' do
        user = create(:user, pronouns: 'they/them')

        expect(user.pronouns).to eq(user.user_detail.pronouns)
      end

153 154 155 156 157 158
      it 'delegates `pronunciation` to `user_detail`' do
        user = create(:user, name: 'Example', pronunciation: 'uhg-zaam-pl')

        expect(user.pronunciation).to eq(user.user_detail.pronunciation)
      end

159 160
      it 'creates `user_detail` when `bio` is first updated' do
        user = create(:user)
161

162
        expect { user.update!(bio: 'my bio') }.to change { user.user_detail.persisted? }.from(false).to(true)
163 164 165
      end
    end

166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191
    describe "#abuse_report" do
      let(:current_user) { create(:user) }
      let(:other_user) { create(:user) }

      it { is_expected.to have_one(:abuse_report) }

      it "refers to the abuse report whose user_id is the current user" do
        abuse_report = create(:abuse_report, reporter: other_user, user: current_user)

        expect(current_user.abuse_report).to eq(abuse_report)
      end

      it "does not refer to the abuse report whose reporter_id is the current user" do
        create(:abuse_report, reporter: current_user, user: other_user)

        expect(current_user.abuse_report).to be_nil
      end

      it "does not update the user_id of an abuse report when the user is updated" do
        abuse_report = create(:abuse_report, reporter: current_user, user: other_user)

        current_user.block

        expect(abuse_report.reload.user).to eq(other_user)
      end
    end
192 193 194 195

    describe '#group_members' do
      it 'does not include group memberships for which user is a requester' do
        user = create(:user)
196
        group = create(:group, :public)
197 198 199 200 201 202 203 204 205
        group.request_access(user)

        expect(user.group_members).to be_empty
      end
    end

    describe '#project_members' do
      it 'does not include project memberships for which user is a requester' do
        user = create(:user)
206
        project = create(:project, :public)
207 208 209 210 211
        project.request_access(user)

        expect(user.project_members).to be_empty
      end
    end
212 213
  end

214 215 216 217 218 219 220 221 222 223
  describe 'Devise emails' do
    let!(:user) { create(:user) }

    describe 'behaviour' do
      it 'sends emails asynchronously' do
        expect do
          user.update!(email: 'hello@hello.com')
        end.to have_enqueued_job.on_queue('mailers').exactly(:twice)
      end
    end
224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275

    context 'emails sent on changing password' do
      context 'when password is updated' do
        context 'default behaviour' do
          it 'enqueues the `password changed` email' do
            user.password = User.random_password

            expect { user.save! }.to have_enqueued_mail(DeviseMailer, :password_change)
          end

          it 'does not enqueue the `admin changed your password` email' do
            user.password = User.random_password

            expect { user.save! }.not_to have_enqueued_mail(DeviseMailer, :password_change_by_admin)
          end
        end

        context '`admin changed your password` email' do
          it 'is enqueued only when explicitly allowed' do
            user.password = User.random_password
            user.send_only_admin_changed_your_password_notification!

            expect { user.save! }.to have_enqueued_mail(DeviseMailer, :password_change_by_admin)
          end

          it '`password changed` email is not enqueued if it is explicitly allowed' do
            user.password = User.random_password
            user.send_only_admin_changed_your_password_notification!

            expect { user.save! }.not_to have_enqueued_mail(DeviseMailer, :password_changed)
          end

          it 'is not enqueued if sending notifications on password updates is turned off as per Devise config' do
            user.password = User.random_password
            user.send_only_admin_changed_your_password_notification!

            allow(Devise).to receive(:send_password_change_notification).and_return(false)

            expect { user.save! }.not_to have_enqueued_mail(DeviseMailer, :password_change_by_admin)
          end
        end
      end

      context 'when password is not updated' do
        it 'does not enqueue the `admin changed your password` email even if explicitly allowed' do
          user.name = 'John'
          user.send_only_admin_changed_your_password_notification!

          expect { user.save! }.not_to have_enqueued_mail(DeviseMailer, :password_change_by_admin)
        end
      end
    end
276 277
  end

278
  describe 'validations' do
279
    describe 'password' do
280
      let!(:user) { build_stubbed(:user) }
281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325

      before do
        allow(Devise).to receive(:password_length).and_return(8..128)
        allow(described_class).to receive(:password_length).and_return(10..130)
      end

      context 'length' do
        it { is_expected.to validate_length_of(:password).is_at_least(10).is_at_most(130) }
      end

      context 'length validator' do
        context 'for a short password' do
          before do
            user.password = user.password_confirmation = 'abc'
          end

          it 'does not run the default Devise password length validation' do
            expect(user).to be_invalid
            expect(user.errors.full_messages.join).not_to include('is too short (minimum is 8 characters)')
          end

          it 'runs the custom password length validator' do
            expect(user).to be_invalid
            expect(user.errors.full_messages.join).to include('is too short (minimum is 10 characters)')
          end
        end

        context 'for a long password' do
          before do
            user.password = user.password_confirmation = 'a' * 140
          end

          it 'does not run the default Devise password length validation' do
            expect(user).to be_invalid
            expect(user.errors.full_messages.join).not_to include('is too long (maximum is 128 characters)')
          end

          it 'runs the custom password length validator' do
            expect(user).to be_invalid
            expect(user.errors.full_messages.join).to include('is too long (maximum is 130 characters)')
          end
        end
      end
    end

326 327
    describe 'name' do
      it { is_expected.to validate_presence_of(:name) }
nicolasdular's avatar
nicolasdular committed
328
      it { is_expected.to validate_length_of(:name).is_at_most(255) }
329 330
    end

331
    describe 'first name' do
nicolasdular's avatar
nicolasdular committed
332
      it { is_expected.to validate_length_of(:first_name).is_at_most(127) }
333 334 335
    end

    describe 'last name' do
nicolasdular's avatar
nicolasdular committed
336
      it { is_expected.to validate_length_of(:last_name).is_at_most(127) }
337 338
    end

339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354
    describe 'preferred_language' do
      context 'when its value is nil in the database' do
        let(:user) { build(:user, preferred_language: nil) }

        it 'falls back to I18n.default_locale when empty in the database' do
          expect(user.preferred_language).to eq I18n.default_locale.to_s
        end

        it 'falls back to english when I18n.default_locale is not an available language' do
          I18n.default_locale = :kl

          expect(user.preferred_language).to eq 'en'
        end
      end
    end

355 356 357 358 359
    describe 'username' do
      it 'validates presence' do
        expect(subject).to validate_presence_of(:username)
      end

360
      it 'rejects denied names' do
361 362 363
        user = build(:user, username: 'dashboard')

        expect(user).not_to be_valid
364
        expect(user.errors.messages[:username]).to eq ['dashboard is a reserved name']
365 366
      end

367 368 369 370 371 372 373 374 375 376 377 378
      it 'allows child names' do
        user = build(:user, username: 'avatar')

        expect(user).to be_valid
      end

      it 'allows wildcard names' do
        user = build(:user, username: 'blob')

        expect(user).to be_valid
      end

379 380 381 382 383 384 385
      context 'when username is changed' do
        let(:user) { build_stubbed(:user, username: 'old_path', namespace: build_stubbed(:namespace)) }

        it 'validates move_dir is allowed for the namespace' do
          expect(user.namespace).to receive(:any_project_has_container_registry_tags?).and_return(true)
          user.username = 'new_path'
          expect(user).to be_invalid
386
          expect(user.errors.messages[:username].first).to eq(_('cannot be changed if a personal project has container registry tags.'))
387 388
        end
      end
389

390 391 392 393 394 395 396 397 398
      context 'when the username is in use by another user' do
        let(:username) { 'foo' }
        let!(:other_user) { create(:user, username: username) }

        it 'is invalid' do
          user = build(:user, username: username)

          expect(user).not_to be_valid
          expect(user.errors.full_messages).to eq(['Username has already been taken'])
399 400
        end
      end
401 402 403 404 405 406 407

      it 'validates format' do
        Mime::EXTENSION_LOOKUP.keys.each do |type|
          user = build(:user, username: "test.#{type}")

          expect(user).not_to be_valid
          expect(user.errors.full_messages).to include('Username ending with MIME type format is not allowed.')
408
          expect(build(:user, username: "test#{type}")).to be_valid
409 410 411 412 413 414
        end
      end

      it 'validates format on updated record' do
        expect(create(:user).update(username: 'profile.html')).to be_falsey
      end
415 416
    end

417 418 419 420 421 422 423 424 425 426
    it 'has a DB-level NOT NULL constraint on projects_limit' do
      user = create(:user)

      expect(user.persisted?).to eq(true)

      expect do
        user.update_columns(projects_limit: nil)
      end.to raise_error(ActiveRecord::StatementInvalid)
    end

427 428 429 430
    it { is_expected.to validate_presence_of(:projects_limit) }
    it { is_expected.to validate_numericality_of(:projects_limit) }
    it { is_expected.to allow_value(0).for(:projects_limit) }
    it { is_expected.not_to allow_value(-1).for(:projects_limit) }
431
    it { is_expected.not_to allow_value(Gitlab::Database::MAX_INT_VALUE + 1).for(:projects_limit) }
432

433
    it_behaves_like 'an object with email-formatted attributes', :email do
434 435
      subject { build(:user) }
    end
436

437
    it_behaves_like 'an object with RFC3696 compliant email-formatted attributes', :public_email, :notification_email do
438
      subject { create(:user).tap { |user| user.emails << build(:email, email: email_value, confirmed_at: Time.current) } }
439
    end
440

441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456
    describe '#commit_email' do
      subject(:user) { create(:user) }

      it 'defaults to the primary email' do
        expect(user.email).to be_present
        expect(user.commit_email).to eq(user.email)
      end

      it 'defaults to the primary email when the column in the database is null' do
        user.update_column(:commit_email, nil)

        found_user = described_class.find_by(id: user.id)

        expect(found_user.commit_email).to eq(user.email)
      end

457 458 459 460 461 462
      it 'returns the private commit email when commit_email has _private' do
        user.update_column(:commit_email, Gitlab::PrivateCommitEmail::TOKEN)

        expect(user.commit_email).to eq(user.private_commit_email)
      end

463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495
      it 'can be set to a confirmed email' do
        confirmed = create(:email, :confirmed, user: user)
        user.commit_email = confirmed.email

        expect(user).to be_valid
        expect(user.commit_email).to eq(confirmed.email)
      end

      it 'can not be set to an unconfirmed email' do
        unconfirmed = create(:email, user: user)
        user.commit_email = unconfirmed.email

        # This should set the commit_email attribute to the primary email
        expect(user).to be_valid
        expect(user.commit_email).to eq(user.email)
      end

      it 'can not be set to a non-existent email' do
        user.commit_email = 'non-existent-email@nonexistent.nonexistent'

        # This should set the commit_email attribute to the primary email
        expect(user).to be_valid
        expect(user.commit_email).to eq(user.email)
      end

      it 'can not be set to an invalid email, even if confirmed' do
        confirmed = create(:email, :confirmed, :skip_validate, user: user, email: 'invalid')
        user.commit_email = confirmed.email

        expect(user).not_to be_valid
      end
    end

496
    describe 'email' do
497
      context 'when no signup domains allowed' do
498
        before do
499
          stub_application_setting(domain_allowlist: [])
500
        end
501

502 503 504 505 506 507
        it 'accepts any email' do
          user = build(:user, email: "info@example.com")
          expect(user).to be_valid
        end
      end

508 509
      context 'bad regex' do
        before do
510
          stub_application_setting(domain_allowlist: ['([a-zA-Z0-9]+)+\.com'])
511 512 513 514 515 516 517 518 519 520 521
        end

        it 'does not hang on evil input' do
          user = build(:user, email: 'user@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!.com')

          expect do
            Timeout.timeout(2.seconds) { user.valid? }
          end.not_to raise_error
        end
      end

522
      context 'when a signup domain is allowed and subdomains are allowed' do
523
        before do
524
          stub_application_setting(domain_allowlist: ['example.com', '*.example.com'])
525
        end
526

527 528 529 530 531 532 533 534 535 536 537 538 539
        it 'accepts info@example.com' do
          user = build(:user, email: "info@example.com")
          expect(user).to be_valid
        end

        it 'accepts info@test.example.com' do
          user = build(:user, email: "info@test.example.com")
          expect(user).to be_valid
        end

        it 'rejects example@test.com' do
          user = build(:user, email: "example@test.com")
          expect(user).to be_invalid
540
          expect(user.errors.messages[:email].first).to eq(_('domain is not authorized for sign-up.'))
541 542 543
        end
      end

544
      context 'when a signup domain is allowed and subdomains are not allowed' do
545
        before do
546
          stub_application_setting(domain_allowlist: ['example.com'])
547
        end
548 549 550 551 552 553 554 555 556

        it 'accepts info@example.com' do
          user = build(:user, email: "info@example.com")
          expect(user).to be_valid
        end

        it 'rejects info@test.example.com' do
          user = build(:user, email: "info@test.example.com")
          expect(user).to be_invalid
557
          expect(user.errors.messages[:email].first).to eq(_('domain is not authorized for sign-up.'))
558 559 560 561 562
        end

        it 'rejects example@test.com' do
          user = build(:user, email: "example@test.com")
          expect(user).to be_invalid
563
          expect(user.errors.messages[:email].first).to eq(_('domain is not authorized for sign-up.'))
564
        end
565 566 567 568 569

        it 'accepts example@test.com when added by another user' do
          user = build(:user, email: "example@test.com", created_by_id: 1)
          expect(user).to be_valid
        end
570
      end
571

572
      context 'domain denylist' do
573
        before do
574 575
          stub_application_setting(domain_denylist_enabled: true)
          stub_application_setting(domain_denylist: ['example.com'])
576 577
        end

578 579
        context 'bad regex' do
          before do
580
            stub_application_setting(domain_denylist: ['([a-zA-Z0-9]+)+\.com'])
581 582 583 584 585 586 587 588 589 590 591
          end

          it 'does not hang on evil input' do
            user = build(:user, email: 'user@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!.com')

            expect do
              Timeout.timeout(2.seconds) { user.valid? }
            end.not_to raise_error
          end
        end

592
        context 'when a signup domain is denied' do
593 594 595 596 597 598 599 600
          it 'accepts info@test.com' do
            user = build(:user, email: 'info@test.com')
            expect(user).to be_valid
          end

          it 'rejects info@example.com' do
            user = build(:user, email: 'info@example.com')
            expect(user).not_to be_valid
601
            expect(user.errors.messages[:email].first).to eq(_('is not from an allowed domain.'))
602
          end
603 604 605 606 607

          it 'accepts info@example.com when added by another user' do
            user = build(:user, email: 'info@example.com', created_by_id: 1)
            expect(user).to be_valid
          end
608 609
        end

610
        context 'when a signup domain is denied but a wildcard subdomain is allowed' do
611
          before do
612 613
            stub_application_setting(domain_denylist: ['test.example.com'])
            stub_application_setting(domain_allowlist: ['*.example.com'])
614 615
          end

616
          it 'gives priority to allowlist and allow info@test.example.com' do
617 618 619 620 621 622 623
            user = build(:user, email: 'info@test.example.com')
            expect(user).to be_valid
          end
        end

        context 'with both lists containing a domain' do
          before do
624
            stub_application_setting(domain_allowlist: ['test.com'])
625 626 627 628 629 630 631 632 633 634
          end

          it 'accepts info@test.com' do
            user = build(:user, email: 'info@test.com')
            expect(user).to be_valid
          end

          it 'rejects info@example.com' do
            user = build(:user, email: 'info@example.com')
            expect(user).not_to be_valid
635
            expect(user.errors.messages[:email].first).to eq(_('domain is not authorized for sign-up.'))
636 637 638 639
          end
        end
      end

640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675
      context 'email restrictions' do
        context 'when email restriction is disabled' do
          before do
            stub_application_setting(email_restrictions_enabled: false)
            stub_application_setting(email_restrictions: '\+')
          end

          it 'does accept email address' do
            user = build(:user, email: 'info+1@test.com')

            expect(user).to be_valid
          end
        end

        context 'when email restrictions is enabled' do
          before do
            stub_application_setting(email_restrictions_enabled: true)
            stub_application_setting(email_restrictions: '([\+]|\b(\w*gitlab.com\w*)\b)')
          end

          it 'does not accept email address with + characters' do
            user = build(:user, email: 'info+1@test.com')

            expect(user).not_to be_valid
          end

          it 'does not accept email with a gitlab domain' do
            user = build(:user, email: 'info@gitlab.com')

            expect(user).not_to be_valid
          end

          it 'adds an error message when email is not accepted' do
            user = build(:user, email: 'info@gitlab.com')

            expect(user).not_to be_valid
676
            expect(user.errors.messages[:email].first).to eq(_('is not allowed. Try again with a different email address, or contact your GitLab admin.'))
677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694
          end

          it 'does accept a valid email address' do
            user = build(:user, email: 'info@test.com')

            expect(user).to be_valid
          end

          context 'when created_by_id is set' do
            it 'does accept the email address' do
              user = build(:user, email: 'info+1@test.com', created_by_id: 1)

              expect(user).to be_valid
            end
          end
        end
      end

695 696 697 698 699
      context 'owns_notification_email' do
        it 'accepts temp_oauth_email emails' do
          user = build(:user, email: "temp-email-for-oauth@example.com")
          expect(user).to be_valid
        end
700 701 702 703

        it 'does not accept not verified emails' do
          email = create(:email)
          user = email.user
704
          user.notification_email = email.email
705 706

          expect(user).to be_invalid
707
          expect(user.errors[:notification_email]).to include('is not an email you own')
708 709 710 711 712 713 714
        end
      end

      context 'owns_public_email' do
        it 'accepts verified emails' do
          email = create(:email, :confirmed, email: 'test@test.com')
          user = email.user
715
          user.notification_email = email.email
716 717 718 719 720 721 722

          expect(user).to be_valid
        end

        it 'does not accept not verified emails' do
          email = create(:email)
          user = email.user
723
          user.public_email = email.email
724 725

          expect(user).to be_invalid
726
          expect(user.errors[:public_email]).to include('is not an email you own')
727
        end
728
      end
729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761 762

      context 'set_commit_email' do
        it 'keeps commit email when private commit email is being used' do
          user = create(:user, commit_email: Gitlab::PrivateCommitEmail::TOKEN)

          expect(user.read_attribute(:commit_email)).to eq(Gitlab::PrivateCommitEmail::TOKEN)
        end

        it 'keeps the commit email when nil' do
          user = create(:user, commit_email: nil)

          expect(user.read_attribute(:commit_email)).to be_nil
        end

        it 'reverts to nil when email is not verified' do
          user = create(:user, commit_email: "foo@bar.com")

          expect(user.read_attribute(:commit_email)).to be_nil
        end
      end

      context 'owns_commit_email' do
        it 'accepts private commit email' do
          user = build(:user, commit_email: Gitlab::PrivateCommitEmail::TOKEN)

          expect(user).to be_valid
        end

        it 'accepts nil commit email' do
          user = build(:user, commit_email: nil)

          expect(user).to be_valid
        end
      end
763
    end
764 765 766
  end

  describe "scopes" do
767 768 769 770 771
    context 'blocked users' do
      let_it_be(:active_user) { create(:user) }
      let_it_be(:blocked_user) { create(:user, :blocked) }
      let_it_be(:ldap_blocked_user) { create(:omniauth_user, :ldap_blocked) }
      let_it_be(:blocked_pending_approval_user) { create(:user, :blocked_pending_approval) }
Serena Fang's avatar
Serena Fang committed
772
      let_it_be(:banned_user) { create(:user, :banned) }
773 774 775 776 777 778 779 780 781

      describe '.blocked' do
        subject { described_class.blocked }

        it 'returns only blocked users' do
          expect(subject).to include(
            blocked_user,
            ldap_blocked_user
          )
782

783
          expect(subject).not_to include(active_user, blocked_pending_approval_user, banned_user)
784 785
        end
      end
786

787 788
      describe '.blocked_pending_approval' do
        subject { described_class.blocked_pending_approval }
789

790 791 792
        it 'returns only pending approval users' do
          expect(subject).to contain_exactly(blocked_pending_approval_user)
        end
793
      end
Serena Fang's avatar
Serena Fang committed
794 795 796 797 798 799 800 801

      describe '.banned' do
        subject { described_class.banned }

        it 'returns only banned users' do
          expect(subject).to contain_exactly(banned_user)
        end
      end
802 803
    end

804 805 806 807
    describe ".with_two_factor" do
      it "returns users with 2fa enabled via OTP" do
        user_with_2fa = create(:user, :two_factor_via_otp)
        user_without_2fa = create(:user)
808
        users_with_two_factor = described_class.with_two_factor.pluck(:id)
809 810 811 812 813

        expect(users_with_two_factor).to include(user_with_2fa.id)
        expect(users_with_two_factor).not_to include(user_without_2fa.id)
      end

814 815 816 817 818
      shared_examples "returns the right users" do |trait|
        it "returns users with 2fa enabled via hardware token" do
          user_with_2fa = create(:user, trait)
          user_without_2fa = create(:user)
          users_with_two_factor = described_class.with_two_factor.pluck(:id)
819

820 821 822
          expect(users_with_two_factor).to include(user_with_2fa.id)
          expect(users_with_two_factor).not_to include(user_without_2fa.id)
        end
823

824 825 826 827
        it "returns users with 2fa enabled via OTP and hardware token" do
          user_with_2fa = create(:user, :two_factor_via_otp, trait)
          user_without_2fa = create(:user)
          users_with_two_factor = described_class.with_two_factor.pluck(:id)
828

829 830 831 832 833 834 835 836 837 838 839
          expect(users_with_two_factor).to eq([user_with_2fa.id])
          expect(users_with_two_factor).not_to include(user_without_2fa.id)
        end

        it 'works with ORDER BY' do
          user_with_2fa = create(:user, :two_factor_via_otp, trait)

          expect(described_class
                     .with_two_factor
                     .reorder_by_name).to eq([user_with_2fa])
        end
840
      end
841

842 843 844
      describe "and U2F" do
        it_behaves_like "returns the right users", :two_factor_via_u2f
      end
845

846 847
      describe "and WebAuthn" do
        it_behaves_like "returns the right users", :two_factor_via_webauthn
848
      end
849 850 851 852 853 854
    end

    describe ".without_two_factor" do
      it "excludes users with 2fa enabled via OTP" do
        user_with_2fa = create(:user, :two_factor_via_otp)
        user_without_2fa = create(:user)
855
        users_without_two_factor = described_class.without_two_factor.pluck(:id)
856 857 858 859 860

        expect(users_without_two_factor).to include(user_without_2fa.id)
        expect(users_without_two_factor).not_to include(user_with_2fa.id)
      end

861 862 863 864 865
      describe "and u2f" do
        it "excludes users with 2fa enabled via U2F" do
          user_with_2fa = create(:user, :two_factor_via_u2f)
          user_without_2fa = create(:user)
          users_without_two_factor = described_class.without_two_factor.pluck(:id)
866

867 868 869 870 871 872 873 874 875 876 877 878
          expect(users_without_two_factor).to include(user_without_2fa.id)
          expect(users_without_two_factor).not_to include(user_with_2fa.id)
        end

        it "excludes users with 2fa enabled via OTP and U2F" do
          user_with_2fa = create(:user, :two_factor_via_otp, :two_factor_via_u2f)
          user_without_2fa = create(:user)
          users_without_two_factor = described_class.without_two_factor.pluck(:id)

          expect(users_without_two_factor).to include(user_without_2fa.id)
          expect(users_without_two_factor).not_to include(user_with_2fa.id)
        end
879 880
      end

881 882 883 884 885
      describe "and webauthn" do
        it "excludes users with 2fa enabled via WebAuthn" do
          user_with_2fa = create(:user, :two_factor_via_webauthn)
          user_without_2fa = create(:user)
          users_without_two_factor = described_class.without_two_factor.pluck(:id)
886

887 888 889 890 891 892 893 894 895 896 897 898
          expect(users_without_two_factor).to include(user_without_2fa.id)
          expect(users_without_two_factor).not_to include(user_with_2fa.id)
        end

        it "excludes users with 2fa enabled via OTP and WebAuthn" do
          user_with_2fa = create(:user, :two_factor_via_otp, :two_factor_via_webauthn)
          user_without_2fa = create(:user)
          users_without_two_factor = described_class.without_two_factor.pluck(:id)

          expect(users_without_two_factor).to include(user_without_2fa.id)
          expect(users_without_two_factor).not_to include(user_with_2fa.id)
        end
899 900
      end
    end
901

902 903 904 905 906 907 908 909 910 911 912 913 914 915
    describe '.random_password' do
      let(:random_password) { described_class.random_password }

      before do
        expect(User).to receive(:password_length).and_return(88..128)
      end

      context 'length' do
        it 'conforms to the current password length settings' do
          expect(random_password.length).to eq(128)
        end
      end
    end

916 917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 933 934 935 936 937 938 939 940 941 942 943
    describe '.password_length' do
      let(:password_length) { described_class.password_length }

      it 'is expected to be a Range' do
        expect(password_length).to be_a(Range)
      end

      context 'minimum value' do
        before do
          stub_application_setting(minimum_password_length: 101)
        end

        it 'is determined by the current value of `minimum_password_length` attribute of application_setting' do
          expect(password_length.min).to eq(101)
        end
      end

      context 'maximum value' do
        before do
          allow(Devise.password_length).to receive(:max).and_return(201)
        end

        it 'is determined by the current value of `Devise.password_length.max`' do
          expect(password_length.max).to eq(201)
        end
      end
    end

944 945 946 947
    describe '.limit_to_todo_authors' do
      context 'when filtering by todo authors' do
        let(:user1) { create(:user) }
        let(:user2) { create(:user) }
948

949 950 951 952 953 954 955 956 957 958 959 960 961 962 963 964 965 966 967 968 969 970 971 972 973 974 975 976 977 978 979 980 981 982 983 984 985 986 987 988 989 990 991 992
        before do
          create(:todo, user: user1, author: user1, state: :done)
          create(:todo, user: user2, author: user2, state: :pending)
        end

        it 'only returns users that have authored todos' do
          users = described_class.limit_to_todo_authors(
            user: user2,
            with_todos: true,
            todo_state: :pending
          )

          expect(users).to eq([user2])
        end

        it 'ignores users that do not have a todo in the matching state' do
          users = described_class.limit_to_todo_authors(
            user: user1,
            with_todos: true,
            todo_state: :pending
          )

          expect(users).to be_empty
        end
      end

      context 'when not filtering by todo authors' do
        it 'returns the input relation' do
          user1 = create(:user)
          user2 = create(:user)
          rel = described_class.limit_to_todo_authors(user: user1)

          expect(rel).to include(user1, user2)
        end
      end

      context 'when no user is provided' do
        it 'returns the input relation' do
          user1 = create(:user)
          user2 = create(:user)
          rel = described_class.limit_to_todo_authors

          expect(rel).to include(user1, user2)
        end
993 994
      end
    end
995 996 997 998 999 1000 1001 1002 1003 1004 1005 1006 1007 1008 1009 1010 1011

    describe '.by_username' do
      it 'finds users regardless of the case passed' do
        user = create(:user, username: 'CaMeLcAsEd')
        user2 = create(:user, username: 'UPPERCASE')

        expect(described_class.by_username(%w(CAMELCASED uppercase)))
          .to contain_exactly(user, user2)
      end

      it 'finds a single user regardless of the case passed' do
        user = create(:user, username: 'CaMeLcAsEd')

        expect(described_class.by_username('CAMELCASED'))
          .to contain_exactly(user)
      end
    end
1012 1013 1014 1015 1016 1017 1018 1019

    describe '.with_expiring_and_not_notified_personal_access_tokens' do
      let_it_be(:user1) { create(:user) }
      let_it_be(:user2) { create(:user) }
      let_it_be(:user3) { create(:user) }

      let_it_be(:expired_token) { create(:personal_access_token, user: user1, expires_at: 2.days.ago) }
      let_it_be(:revoked_token) { create(:personal_access_token, user: user1, revoked: true) }
1020
      let_it_be(:impersonation_token) { create(:personal_access_token, :impersonation, user: user1, expires_at: 2.days.from_now) }
1021 1022 1023
      let_it_be(:valid_token_and_notified) { create(:personal_access_token, user: user2, expires_at: 2.days.from_now, expire_notification_delivered: true) }
      let_it_be(:valid_token1) { create(:personal_access_token, user: user2, expires_at: 2.days.from_now) }
      let_it_be(:valid_token2) { create(:personal_access_token, user: user2, expires_at: 2.days.from_now) }
1024

1025 1026 1027 1028 1029 1030 1031 1032 1033 1034 1035 1036 1037 1038 1039 1040 1041 1042
      let(:users) { described_class.with_expiring_and_not_notified_personal_access_tokens(from) }

      context 'in one day' do
        let(:from) { 1.day.from_now }

        it "doesn't include an user" do
          expect(users).to be_empty
        end
      end

      context 'in three days' do
        let(:from) { 3.days.from_now }

        it 'only includes user2' do
          expect(users).to contain_exactly(user2)
        end
      end
    end
1043

1044 1045 1046 1047 1048 1049 1050 1051 1052 1053 1054 1055 1056 1057 1058
    describe '.with_personal_access_tokens_expired_today' do
      let_it_be(:user1) { create(:user) }
      let_it_be(:expired_today) { create(:personal_access_token, user: user1, expires_at: Date.current) }

      let_it_be(:user2) { create(:user) }
      let_it_be(:revoked_token) { create(:personal_access_token, user: user2, expires_at: Date.current, revoked: true) }

      let_it_be(:user3) { create(:user) }
      let_it_be(:impersonated_token) { create(:personal_access_token, user: user3, expires_at: Date.current, impersonation: true) }

      let_it_be(:user4) { create(:user) }
      let_it_be(:already_notified) { create(:personal_access_token, user: user4, expires_at: Date.current, after_expiry_notification_delivered: true) }

      it 'returns users whose token has expired today' do
        expect(described_class.with_personal_access_tokens_expired_today).to contain_exactly(user1)
1059 1060 1061
      end
    end

1062
    context 'SSH key expiration scopes' do
1063 1064
      let_it_be(:user1) { create(:user) }
      let_it_be(:user2) { create(:user) }
1065
      let_it_be(:expired_today_not_notified) { create(:key, expires_at: Time.current, user: user1) }
1066
      let_it_be(:expired_today_already_notified) { create(:key, expires_at: Time.current, user: user2, expiry_notification_delivered_at: Time.current) }
1067 1068
      let_it_be(:expiring_soon_not_notified) { create(:key, expires_at: 2.days.from_now, user: user2) }
      let_it_be(:expiring_soon_notified) { create(:key, expires_at: 2.days.from_now, user: user1, before_expiry_notification_delivered_at: Time.current) }
1069

1070 1071 1072 1073
      describe '.with_ssh_key_expiring_soon' do
        it 'returns users whose keys will expire soon' do
          expect(described_class.with_ssh_key_expiring_soon).to contain_exactly(user2)
        end
1074 1075 1076
      end
    end

1077 1078 1079
    describe '.active_without_ghosts' do
      let_it_be(:user1) { create(:user, :external) }
      let_it_be(:user2) { create(:user, state: 'blocked') }
1080
      let_it_be(:user3) { create(:user, :ghost) }
1081 1082 1083 1084 1085 1086 1087 1088 1089 1090
      let_it_be(:user4) { create(:user) }

      it 'returns all active users but ghost users' do
        expect(described_class.active_without_ghosts).to match_array([user1, user4])
      end
    end

    describe '.without_ghosts' do
      let_it_be(:user1) { create(:user, :external) }
      let_it_be(:user2) { create(:user, state: 'blocked') }
1091
      let_it_be(:user3) { create(:user, :ghost) }
1092 1093 1094 1095 1096

      it 'returns users without ghosts users' do
        expect(described_class.without_ghosts).to match_array([user1, user2])
      end
    end
1097 1098 1099 1100 1101 1102 1103 1104 1105 1106 1107 1108 1109 1110

    describe '.by_id_and_login' do
      let_it_be(:user) { create(:user) }

      it 'finds a user regardless of case' do
        expect(described_class.by_id_and_login(user.id, user.username.upcase))
          .to contain_exactly(user)
      end

      it 'finds a user when login is an email address regardless of case' do
        expect(described_class.by_id_and_login(user.id, user.email.upcase))
          .to contain_exactly(user)
      end
    end
1111 1112 1113 1114 1115 1116 1117 1118 1119 1120 1121 1122 1123 1124 1125

    describe '.for_todos' do
      let_it_be(:user1) { create(:user) }
      let_it_be(:user2) { create(:user) }
      let_it_be(:issue) { create(:issue) }

      let_it_be(:todo1) { create(:todo, target: issue, author: user1, user: user1) }
      let_it_be(:todo2) { create(:todo, target: issue, author: user1, user: user1) }
      let_it_be(:todo3) { create(:todo, target: issue, author: user2, user: user2) }

      it 'returns users for the given todos' do
        expect(described_class.for_todos(issue.todos))
          .to contain_exactly(user1, user2)
      end
    end
gitlabhq's avatar
gitlabhq committed
1126 1127 1128
  end

  describe "Respond to" do
1129
    it { is_expected.to respond_to(:admin?) }
1130
    it { is_expected.to respond_to(:name) }
Zeger-Jan van de Weg's avatar
Zeger-Jan van de Weg committed
1131 1132 1133 1134
    it { is_expected.to respond_to(:external?) }
  end

  describe 'before save hook' do
Ryan Cobb's avatar
Ryan Cobb committed
1135
    describe '#default_private_profile_to_false' do
1136 1137 1138 1139 1140 1141 1142 1143 1144 1145
      let(:user) { create(:user, private_profile: true) }

      it 'converts nil to false' do
        user.private_profile = nil
        user.save!

        expect(user.private_profile).to eq false
      end
    end

Zeger-Jan van de Weg's avatar
Zeger-Jan van de Weg committed
1146 1147 1148 1149
    context 'when saving an external user' do
      let(:user)          { create(:user) }
      let(:external_user) { create(:user, external: true) }

1150
      it "sets other properties as well" do
Zeger-Jan van de Weg's avatar
Zeger-Jan van de Weg committed
1151 1152 1153 1154 1155
        expect(external_user.can_create_team).to be_falsey
        expect(external_user.can_create_group).to be_falsey
        expect(external_user.projects_limit).to be 0
      end
    end
1156

1157 1158
    describe '#check_for_verified_email' do
      let(:user)      { create(:user) }
1159 1160
      let(:secondary) { create(:email, :confirmed, email: 'secondary@example.com', user: user) }

1161
      it 'allows a verified secondary email to be used as the primary without needing reconfirmation' do
Lin Jen-Shin's avatar
Lin Jen-Shin committed
1162
        user.update!(email: secondary.email)
1163 1164 1165 1166 1167 1168
        user.reload
        expect(user.email).to eq secondary.email
        expect(user.unconfirmed_email).to eq nil
        expect(user.confirmed?).to be_truthy
      end
    end
gitlabhq's avatar
gitlabhq committed
1169 1170
  end

1171
  describe 'after commit hook' do
1172 1173 1174 1175 1176 1177 1178 1179 1180 1181 1182
    describe '#update_emails_with_primary_email' do
      before do
        @user = create(:user, email: 'primary@example.com').tap do |user|
          user.skip_reconfirmation!
        end
        @secondary = create :email, email: 'secondary@example.com', user: @user
        @user.reload
      end

      it 'gets called when email updated' do
        expect(@user).to receive(:update_emails_with_primary_email)
1183

Lin Jen-Shin's avatar
Lin Jen-Shin committed
1184
        @user.update!(email: 'new_primary@example.com')
1185 1186
      end

1187
      it 'adds old primary to secondary emails when secondary is a new email' do
Lin Jen-Shin's avatar
Lin Jen-Shin committed
1188
        @user.update!(email: 'new_primary@example.com')
1189
        @user.reload
1190

1191 1192
        expect(@user.emails.count).to eq 2
        expect(@user.emails.pluck(:email)).to match_array([@secondary.email, 'primary@example.com'])
1193 1194 1195
      end

      it 'adds old primary to secondary emails if secondary is becoming a primary' do
Lin Jen-Shin's avatar
Lin Jen-Shin committed
1196
        @user.update!(email: @secondary.email)
1197
        @user.reload
1198

1199 1200 1201 1202 1203
        expect(@user.emails.count).to eq 1
        expect(@user.emails.first.email).to eq 'primary@example.com'
      end

      it 'transfers old confirmation values into new secondary' do
Lin Jen-Shin's avatar
Lin Jen-Shin committed
1204
        @user.update!(email: @secondary.email)
1205
        @user.reload
1206

1207 1208 1209
        expect(@user.emails.count).to eq 1
        expect(@user.emails.first.confirmed_at).not_to eq nil
      end
Adam Hegyi's avatar
Adam Hegyi committed
1210 1211 1212 1213 1214 1215 1216 1217 1218 1219 1220 1221 1222 1223 1224 1225 1226 1227 1228 1229 1230 1231 1232 1233 1234 1235 1236 1237 1238 1239 1240 1241 1242 1243 1244 1245 1246 1247 1248 1249 1250 1251 1252 1253 1254 1255 1256 1257 1258 1259 1260 1261 1262 1263 1264 1265 1266 1267 1268 1269 1270 1271 1272 1273 1274 1275 1276 1277 1278 1279 1280 1281 1282 1283 1284 1285 1286 1287 1288 1289 1290 1291 1292 1293 1294 1295 1296 1297 1298 1299 1300 1301 1302 1303 1304 1305 1306 1307 1308 1309 1310 1311

      context 'when the first email was unconfirmed and the second email gets confirmed' do
        let(:user) { create(:user, :unconfirmed, email: 'should-be-unconfirmed@test.com') }

        before do
          user.update!(email: 'should-be-confirmed@test.com')
          user.confirm
        end

        it 'updates user.email' do
          expect(user.email).to eq('should-be-confirmed@test.com')
        end

        it 'confirms user.email' do
          expect(user).to be_confirmed
        end

        it 'keeps the unconfirmed email unconfirmed' do
          email = user.emails.first

          expect(email.email).to eq('should-be-unconfirmed@test.com')
          expect(email).not_to be_confirmed
        end

        it 'has only one email association' do
          expect(user.emails.size).to eq(1)
        end
      end
    end

    context 'when an existing email record is set as primary' do
      let(:user) { create(:user, email: 'confirmed@test.com') }

      context 'when it is unconfirmed' do
        let(:originally_unconfirmed_email) { 'should-stay-unconfirmed@test.com' }

        before do
          user.emails << create(:email, email: originally_unconfirmed_email, confirmed_at: nil)

          user.update!(email: originally_unconfirmed_email)
        end

        it 'keeps the user confirmed' do
          expect(user).to be_confirmed
        end

        it 'keeps the original email' do
          expect(user.email).to eq('confirmed@test.com')
        end

        context 'when the email gets confirmed' do
          before do
            user.confirm
          end

          it 'keeps the user confirmed' do
            expect(user).to be_confirmed
          end

          it 'updates the email' do
            expect(user.email).to eq(originally_unconfirmed_email)
          end
        end
      end

      context 'when it is confirmed' do
        let!(:old_confirmed_email) { user.email }
        let(:confirmed_email) { 'already-confirmed@test.com' }

        before do
          user.emails << create(:email, :confirmed, email: confirmed_email)

          user.update!(email: confirmed_email)
        end

        it 'keeps the user confirmed' do
          expect(user).to be_confirmed
        end

        it 'updates the email' do
          expect(user.email).to eq(confirmed_email)
        end

        it 'moves the old email' do
          email = user.reload.emails.first

          expect(email.email).to eq(old_confirmed_email)
          expect(email).to be_confirmed
        end
      end
    end

    context 'when unconfirmed user deletes a confirmed additional email' do
      let(:user) { create(:user, :unconfirmed) }

      before do
        user.emails << create(:email, :confirmed)
      end

      it 'does not affect the confirmed status' do
        expect { user.emails.confirmed.destroy_all }.not_to change { user.confirmed? } # rubocop: disable Cop/DestroyAll
      end
1312
    end
1313 1314

    describe '#update_notification_email' do
1315
      # Regression: https://gitlab.com/gitlab-org/gitlab-foss/issues/22846
1316 1317 1318 1319 1320 1321 1322 1323 1324 1325 1326 1327 1328 1329 1330 1331 1332 1333 1334 1335 1336 1337 1338 1339 1340 1341 1342 1343
      context 'when changing :email' do
        let(:user) { create(:user) }
        let(:new_email) { 'new-email@example.com' }

        it 'sets :unconfirmed_email' do
          expect do
            user.tap { |u| u.update!(email: new_email) }.reload
          end.to change(user, :unconfirmed_email).to(new_email)
        end
        it 'does not change :notification_email' do
          expect do
            user.tap { |u| u.update!(email: new_email) }.reload
          end.not_to change(user, :notification_email)
        end

        it 'updates :notification_email to the new email once confirmed' do
          user.update!(email: new_email)

          expect do
            user.tap(&:confirm).reload
          end.to change(user, :notification_email).to eq(new_email)
        end

        context 'and :notification_email is set to a secondary email' do
          let!(:email_attrs) { attributes_for(:email, :confirmed, user: user) }
          let(:secondary) { create(:email, :confirmed, email: 'secondary@example.com', user: user) }

          before do
1344
            user.emails.create!(email_attrs)
1345 1346 1347 1348 1349 1350 1351 1352 1353 1354 1355 1356 1357 1358 1359 1360 1361 1362 1363 1364 1365 1366 1367 1368 1369 1370 1371 1372 1373
            user.tap { |u| u.update!(notification_email: email_attrs[:email]) }.reload
          end

          it 'does not change :notification_email to :email' do
            expect do
              user.tap { |u| u.update!(email: new_email) }.reload
            end.not_to change(user, :notification_email)
          end

          it 'does not change :notification_email to :email once confirmed' do
            user.update!(email: new_email)

            expect do
              user.tap(&:confirm).reload
            end.not_to change(user, :notification_email)
          end
        end
      end
    end

    describe '#update_invalid_gpg_signatures' do
      let(:user) do
        create(:user, email: 'tula.torphy@abshire.ca').tap do |user|
          user.skip_reconfirmation!
        end
      end

      it 'does nothing when the name is updated' do
        expect(user).not_to receive(:update_invalid_gpg_signatures)
Lin Jen-Shin's avatar
Lin Jen-Shin committed
1374
        user.update!(name: 'Bette')
1375 1376 1377 1378
      end

      it 'synchronizes the gpg keys when the email is updated' do
        expect(user).to receive(:update_invalid_gpg_signatures).at_most(:twice)
Lin Jen-Shin's avatar
Lin Jen-Shin committed
1379
        user.update!(email: 'shawnee.ritchie@denesik.com')
1380 1381
      end
    end
1382 1383
  end

1384 1385 1386 1387 1388 1389 1390 1391 1392 1393 1394 1395
  describe 'name getters' do
    let(:user) { create(:user, name: 'Kane Martin William') }

    it 'derives first name from full name, if not present' do
      expect(user.first_name).to eq('Kane')
    end

    it 'derives last name from full name, if not present' do
      expect(user.last_name).to eq('Martin William')
    end
  end

1396
  describe '#highest_role' do
1397
    let_it_be(:user) { create(:user) }
1398

1399 1400 1401
    context 'when user_highest_role does not exist' do
      it 'returns NO_ACCESS' do
        expect(user.highest_role).to eq(Gitlab::Access::NO_ACCESS)
1402 1403 1404
      end
    end

1405 1406 1407 1408
    context 'when user_highest_role exists' do
      context 'stored highest access level is nil' do
        it 'returns Gitlab::Access::NO_ACCESS' do
          create(:user_highest_role, user: user)
1409

1410 1411
          expect(user.highest_role).to eq(Gitlab::Access::NO_ACCESS)
        end
1412 1413
      end

1414 1415 1416
      context 'stored highest access level present' do
        context 'with association :user_highest_role' do
          let(:another_user) { create(:user) }
1417

1418 1419 1420 1421
          before do
            create(:user_highest_role, :maintainer, user: user)
            create(:user_highest_role, :developer, user: another_user)
          end
1422

1423 1424
          it 'returns the correct highest role' do
            users = User.includes(:user_highest_role).where(id: [user.id, another_user.id])
1425

1426 1427 1428 1429 1430 1431
            expect(users.collect { |u| [u.id, u.highest_role] }).to contain_exactly(
              [user.id, Gitlab::Access::MAINTAINER],
              [another_user.id, Gitlab::Access::DEVELOPER]
            )
          end
        end
1432 1433 1434 1435
      end
    end
  end

1436 1437 1438 1439 1440 1441 1442 1443 1444 1445 1446 1447 1448 1449 1450 1451 1452 1453 1454 1455
  describe '#credit_card_validated_at' do
    let_it_be(:user) { create(:user) }

    context 'when credit_card_validation does not exist' do
      it 'returns nil' do
        expect(user.credit_card_validated_at).to be nil
      end
    end

    context 'when credit_card_validation exists' do
      it 'returns the credit card validated time' do
        credit_card_validated_time = Time.current - 1.day

        create(:credit_card_validation, credit_card_validated_at: credit_card_validated_time, user: user)

        expect(user.credit_card_validated_at).to eq(credit_card_validated_time)
      end
    end
  end

1456
  describe '#update_tracked_fields!', :clean_gitlab_redis_shared_state do
1457 1458 1459 1460 1461 1462 1463 1464 1465 1466 1467 1468 1469 1470
    let(:request) { OpenStruct.new(remote_ip: "127.0.0.1") }
    let(:user) { create(:user) }

    it 'writes trackable attributes' do
      expect do
        user.update_tracked_fields!(request)
      end.to change { user.reload.current_sign_in_at }
    end

    it 'does not write trackable attributes when called a second time within the hour' do
      user.update_tracked_fields!(request)

      expect do
        user.update_tracked_fields!(request)
1471 1472 1473 1474 1475 1476 1477 1478 1479 1480 1481
      end.not_to change { user.reload.current_sign_in_at }
    end

    it 'writes trackable attributes for a different user' do
      user2 = create(:user)

      user.update_tracked_fields!(request)

      expect do
        user2.update_tracked_fields!(request)
      end.to change { user2.reload.current_sign_in_at }
1482
    end
1483 1484

    it 'does not write if the DB is in read-only mode' do
1485
      expect(Gitlab::Database).to receive(:read_only?).and_return(true)
1486 1487 1488 1489 1490

      expect do
        user.update_tracked_fields!(request)
      end.not_to change { user.reload.current_sign_in_at }
    end
1491 1492
  end

1493 1494 1495 1496 1497 1498 1499 1500 1501 1502 1503 1504 1505 1506 1507 1508 1509
  shared_context 'user keys' do
    let(:user) { create(:user) }
    let!(:key) { create(:key, user: user) }
    let!(:deploy_key) { create(:deploy_key, user: user) }
  end

  describe '#keys' do
    include_context 'user keys'

    context 'with key and deploy key stored' do
      it 'returns stored key, but not deploy_key' do
        expect(user.keys).to include key
        expect(user.keys).not_to include deploy_key
      end
    end
  end

1510 1511 1512 1513 1514 1515 1516 1517
  describe '#accessible_deploy_keys' do
    let(:user) { create(:user) }
    let(:project) { create(:project) }
    let!(:private_deploy_keys_project) { create(:deploy_keys_project) }
    let!(:public_deploy_keys_project) { create(:deploy_keys_project) }
    let!(:accessible_deploy_keys_project) { create(:deploy_keys_project, project: project) }

    before do
1518
      public_deploy_keys_project.deploy_key.update!(public: true)
1519 1520 1521 1522 1523 1524 1525 1526 1527
      project.add_developer(user)
    end

    it 'user can only see deploy keys accessible to right projects' do
      expect(user.accessible_deploy_keys).to match_array([public_deploy_keys_project.deploy_key,
                                                          accessible_deploy_keys_project.deploy_key])
    end
  end

1528 1529 1530 1531 1532 1533 1534 1535 1536 1537 1538
  describe '#deploy_keys' do
    include_context 'user keys'

    context 'with key and deploy key stored' do
      it 'returns stored deploy key, but not normal key' do
        expect(user.deploy_keys).to include deploy_key
        expect(user.deploy_keys).not_to include key
      end
    end
  end

1539
  describe '#confirm' do
1540 1541 1542
    before do
      allow_any_instance_of(ApplicationSetting).to receive(:send_user_confirmation_email).and_return(true)
    end
1543

1544 1545 1546 1547 1548 1549 1550
    let(:user) { create(:user, confirmed_at: nil, unconfirmed_email: 'test@gitlab.com') }

    it 'returns unconfirmed' do
      expect(user.confirmed?).to be_falsey
    end

    it 'confirms a user' do
1551
      user.confirm
1552 1553 1554 1555
      expect(user.confirmed?).to be_truthy
    end
  end

1556 1557 1558 1559 1560 1561 1562 1563
  describe '#to_reference' do
    let(:user) { create(:user) }

    it 'returns a String reference to the object' do
      expect(user.to_reference).to eq "@#{user.username}"
    end
  end

1564
  describe '#generate_password' do
1565
    it "does not generate password by default" do
1566
      user = create(:user, password: 'abcdefghe')
1567

1568
      expect(user.password).to eq('abcdefghe')
1569
    end
1570 1571
  end

1572 1573 1574 1575 1576 1577 1578 1579 1580
  describe 'ensure user preference' do
    it 'has user preference upon user initialization' do
      user = build(:user)

      expect(user.user_preference).to be_present
      expect(user.user_preference).not_to be_persisted
    end
  end

1581 1582 1583
  describe 'ensure incoming email token' do
    it 'has incoming email token' do
      user = create(:user)
1584

1585 1586
      expect(user.incoming_email_token).not_to be_blank
    end
1587 1588

    it 'uses SecureRandom to generate the incoming email token' do
1589 1590 1591 1592
      allow_next_instance_of(User) do |user|
        allow(user).to receive(:update_highest_role)
      end

1593 1594 1595 1596 1597 1598
      expect(SecureRandom).to receive(:hex).and_return('3b8ca303')

      user = create(:user)

      expect(user.incoming_email_token).to eql('gitlab')
    end
1599 1600
  end

1601 1602 1603 1604 1605 1606 1607
  describe '#ensure_user_rights_and_limits' do
    describe 'with external user' do
      let(:user) { create(:user, external: true) }

      it 'receives callback when external changes' do
        expect(user).to receive(:ensure_user_rights_and_limits)

1608
        user.update!(external: false)
1609 1610 1611
      end

      it 'ensures correct rights and limits for user' do
1612 1613
        stub_config_setting(default_can_create_group: true)

1614
        expect { user.update!(external: false) }.to change { user.can_create_group }.to(true)
1615
          .and change { user.projects_limit }.to(Gitlab::CurrentSettings.default_projects_limit)
1616 1617 1618 1619 1620 1621 1622 1623 1624
      end
    end

    describe 'without external user' do
      let(:user) { create(:user, external: false) }

      it 'receives callback when external changes' do
        expect(user).to receive(:ensure_user_rights_and_limits)

1625
        user.update!(external: true)
1626 1627 1628
      end

      it 'ensures correct rights and limits for user' do
1629
        expect { user.update!(external: true) }.to change { user.can_create_group }.to(false)
1630 1631 1632 1633 1634
          .and change { user.projects_limit }.to(0)
      end
    end
  end

1635 1636 1637 1638
  describe 'feed token' do
    it 'ensures a feed token on read' do
      user = create(:user, feed_token: nil)
      feed_token = user.feed_token
1639

1640 1641
      expect(feed_token).not_to be_blank
      expect(user.reload.feed_token).to eq feed_token
1642
    end
1643 1644 1645 1646 1647 1648 1649 1650 1651 1652

    it 'ensures no feed token when disabled' do
      allow(Gitlab::CurrentSettings).to receive(:disable_feed_token).and_return(true)

      user = create(:user, feed_token: nil)
      feed_token = user.feed_token

      expect(feed_token).to be_blank
      expect(user.reload.feed_token).to be_blank
    end
1653 1654
  end

1655 1656 1657 1658 1659 1660 1661 1662 1663 1664
  describe 'static object token' do
    it 'ensures a static object token on read' do
      user = create(:user, static_object_token: nil)
      static_object_token = user.static_object_token

      expect(static_object_token).not_to be_blank
      expect(user.reload.static_object_token).to eq static_object_token
    end
  end

1665
  describe '#recently_sent_password_reset?' do
1666 1667 1668 1669 1670 1671 1672 1673 1674 1675 1676 1677 1678
    it 'is false when reset_password_sent_at is nil' do
      user = build_stubbed(:user, reset_password_sent_at: nil)

      expect(user.recently_sent_password_reset?).to eq false
    end

    it 'is false when sent more than one minute ago' do
      user = build_stubbed(:user, reset_password_sent_at: 5.minutes.ago)

      expect(user.recently_sent_password_reset?).to eq false
    end

    it 'is true when sent less than one minute ago' do
1679
      user = build_stubbed(:user, reset_password_sent_at: Time.current)
1680 1681 1682 1683 1684

      expect(user.recently_sent_password_reset?).to eq true
    end
  end

1685 1686 1687 1688 1689 1690 1691
  describe '#disable_two_factor!' do
    it 'clears all 2FA-related fields' do
      user = create(:user, :two_factor)

      expect(user).to be_two_factor_enabled
      expect(user.encrypted_otp_secret).not_to be_nil
      expect(user.otp_backup_codes).not_to be_nil
1692
      expect(user.otp_grace_period_started_at).not_to be_nil
1693 1694 1695 1696 1697 1698 1699 1700

      user.disable_two_factor!

      expect(user).not_to be_two_factor_enabled
      expect(user.encrypted_otp_secret).to be_nil
      expect(user.encrypted_otp_secret_iv).to be_nil
      expect(user.encrypted_otp_secret_salt).to be_nil
      expect(user.otp_backup_codes).to be_nil
1701
      expect(user.otp_grace_period_started_at).to be_nil
1702 1703 1704
    end
  end

1705 1706 1707 1708 1709 1710 1711 1712 1713 1714 1715 1716 1717 1718 1719 1720 1721 1722 1723 1724 1725 1726 1727 1728 1729 1730 1731 1732 1733 1734 1735 1736 1737 1738 1739 1740 1741 1742 1743 1744 1745 1746 1747 1748 1749 1750 1751 1752 1753 1754 1755 1756 1757 1758 1759 1760 1761 1762 1763 1764 1765 1766 1767 1768 1769 1770 1771 1772 1773 1774 1775 1776 1777 1778
  describe '#two_factor_otp_enabled?' do
    let_it_be(:user) { create(:user) }

    context 'when 2FA is enabled by an MFA Device' do
      let(:user) { create(:user, :two_factor) }

      it { expect(user.two_factor_otp_enabled?).to eq(true) }
    end

    context 'FortiAuthenticator' do
      context 'when enabled via GitLab settings' do
        before do
          allow(::Gitlab.config.forti_authenticator).to receive(:enabled).and_return(true)
        end

        context 'when feature is disabled for the user' do
          before do
            stub_feature_flags(forti_authenticator: false)
          end

          it { expect(user.two_factor_otp_enabled?).to eq(false) }
        end

        context 'when feature is enabled for the user' do
          before do
            stub_feature_flags(forti_authenticator: user)
          end

          it { expect(user.two_factor_otp_enabled?).to eq(true) }
        end
      end

      context 'when disabled via GitLab settings' do
        before do
          allow(::Gitlab.config.forti_authenticator).to receive(:enabled).and_return(false)
        end

        it { expect(user.two_factor_otp_enabled?).to eq(false) }
      end
    end

    context 'FortiTokenCloud' do
      context 'when enabled via GitLab settings' do
        before do
          allow(::Gitlab.config.forti_token_cloud).to receive(:enabled).and_return(true)
        end

        context 'when feature is disabled for the user' do
          before do
            stub_feature_flags(forti_token_cloud: false)
          end

          it { expect(user.two_factor_otp_enabled?).to eq(false) }
        end

        context 'when feature is enabled for the user' do
          before do
            stub_feature_flags(forti_token_cloud: user)
          end

          it { expect(user.two_factor_otp_enabled?).to eq(true) }
        end
      end

      context 'when disabled via GitLab settings' do
        before do
          allow(::Gitlab.config.forti_token_cloud).to receive(:enabled).and_return(false)
        end

        it { expect(user.two_factor_otp_enabled?).to eq(false) }
      end
    end
  end

1779 1780
  describe 'projects' do
    before do
1781
      @user = create(:user)
1782

1783 1784
      @project = create(:project, namespace: @user.namespace)
      @project_2 = create(:project, group: create(:group)) do |project|
1785
        project.add_maintainer(@user)
1786
      end
1787
      @project_3 = create(:project, group: create(:group)) do |project|
1788 1789
        project.add_developer(@user)
      end
1790 1791
    end

1792 1793 1794 1795 1796 1797 1798 1799 1800
    it { expect(@user.authorized_projects).to include(@project) }
    it { expect(@user.authorized_projects).to include(@project_2) }
    it { expect(@user.authorized_projects).to include(@project_3) }
    it { expect(@user.owned_projects).to include(@project) }
    it { expect(@user.owned_projects).not_to include(@project_2) }
    it { expect(@user.owned_projects).not_to include(@project_3) }
    it { expect(@user.personal_projects).to include(@project) }
    it { expect(@user.personal_projects).not_to include(@project_2) }
    it { expect(@user.personal_projects).not_to include(@project_3) }
1801 1802 1803
  end

  describe 'groups' do
1804 1805 1806
    let(:user) { create(:user) }
    let(:group) { create(:group) }

1807
    before do
1808
      group.add_owner(user)
1809 1810
    end

1811 1812 1813 1814 1815 1816
    it { expect(user.several_namespaces?).to be_truthy }
    it { expect(user.authorized_groups).to eq([group]) }
    it { expect(user.owned_groups).to eq([group]) }
    it { expect(user.namespaces).to contain_exactly(user.namespace, group) }
    it { expect(user.manageable_namespaces).to contain_exactly(user.namespace, group) }

1817 1818 1819 1820 1821 1822 1823 1824 1825
    context 'with owned groups only' do
      before do
        other_group = create(:group)
        other_group.add_developer(user)
      end

      it { expect(user.namespaces(owned_only: true)).to contain_exactly(user.namespace, group) }
    end

1826
    context 'with child groups' do
1827 1828 1829 1830 1831 1832 1833 1834 1835 1836 1837 1838 1839 1840 1841 1842 1843 1844 1845
      let!(:subgroup) { create(:group, parent: group) }

      describe '#manageable_namespaces' do
        it 'includes all the namespaces the user can manage' do
          expect(user.manageable_namespaces).to contain_exactly(user.namespace, group, subgroup)
        end
      end

      describe '#manageable_groups' do
        it 'includes all the namespaces the user can manage' do
          expect(user.manageable_groups).to contain_exactly(group, subgroup)
        end

        it 'does not include duplicates if a membership was added for the subgroup' do
          subgroup.add_owner(user)

          expect(user.manageable_groups).to contain_exactly(group, subgroup)
        end
      end
1846 1847 1848 1849 1850 1851 1852 1853 1854 1855 1856 1857 1858 1859 1860

      describe '#manageable_groups_with_routes' do
        it 'eager loads routes from manageable groups' do
          control_count =
            ActiveRecord::QueryRecorder.new(skip_cached: false) do
              user.manageable_groups_with_routes.map(&:route)
            end.count

          create(:group, parent: subgroup)

          expect do
            user.manageable_groups_with_routes.map(&:route)
          end.not_to exceed_all_query_limit(control_count)
        end
      end
1861
    end
1862 1863
  end

1864 1865 1866 1867
  describe 'group multiple owners' do
    before do
      @user = create :user
      @user2 = create :user
1868 1869
      @group = create :group
      @group.add_owner(@user)
1870

1871
      @group.add_user(@user2, GroupMember::OWNER)
1872 1873
    end

1874
    it { expect(@user2.several_namespaces?).to be_truthy }
1875 1876
  end

1877 1878 1879
  describe 'namespaced' do
    before do
      @user = create :user
1880
      @project = create(:project, namespace: @user.namespace)
1881 1882
    end

1883
    it { expect(@user.several_namespaces?).to be_falsey }
1884
    it { expect(@user.namespaces).to eq([@user.namespace]) }
1885 1886 1887
  end

  describe 'blocking user' do
1888
    let_it_be_with_refind(:user) { create(:user, name: 'John Smith') }
1889

1890
    it 'blocks user' do
1891
      user.block
1892

1893
      expect(user.blocked?).to be_truthy
1894
    end
1895 1896 1897

    context 'when user has running CI pipelines' do
      let(:service) { double }
1898
      let(:pipelines) { build_list(:ci_pipeline, 3, :running) }
1899

1900 1901
      it 'aborts all running pipelines and related jobs' do
        expect(user).to receive(:pipelines).and_return(pipelines)
1902 1903
        expect(Ci::DropPipelineService).to receive(:new).and_return(service)
        expect(service).to receive(:execute_async_for_all).with(pipelines, :user_blocked, user)
1904

1905
        user.block
1906 1907
      end
    end
1908 1909 1910 1911 1912 1913 1914 1915

    context 'when user has active CI pipeline schedules' do
      let_it_be(:schedule) { create(:ci_pipeline_schedule, active: true, owner: user) }

      it 'disables any pipeline schedules' do
        expect { user.block }.to change { schedule.reload.active? }.to(false)
      end
    end
1916 1917
  end

1918 1919 1920 1921 1922 1923 1924 1925 1926
  describe 'deactivating a user' do
    let(:user) { create(:user, name: 'John Smith') }

    context "an active user" do
      it "can be deactivated" do
        user.deactivate

        expect(user.deactivated?).to be_truthy
      end
1927 1928 1929 1930 1931 1932 1933 1934

      it 'sends deactivated user an email' do
        expect_next_instance_of(NotificationService) do |notification|
          allow(notification).to receive(:user_deactivated).with(user.name, user.notification_email)
        end

        user.deactivate
      end
1935 1936 1937 1938 1939 1940 1941 1942 1943 1944 1945 1946 1947 1948 1949
    end

    context "a user who is blocked" do
      before do
        user.block
      end

      it "cannot be deactivated" do
        user.deactivate

        expect(user.reload.deactivated?).to be_falsy
      end
    end
  end

1950 1951 1952 1953 1954 1955 1956 1957 1958 1959 1960 1961 1962 1963 1964 1965 1966 1967
  describe 'blocking a user pending approval' do
    let(:user) { create(:user) }

    before do
      user.block_pending_approval
    end

    context 'an active user' do
      it 'can be blocked pending approval' do
        expect(user.blocked_pending_approval?).to eq(true)
      end

      it 'behaves like a blocked user' do
        expect(user.blocked?).to eq(true)
      end
    end
  end

1968
  describe '.instance_access_request_approvers_to_be_notified' do
1969
    let_it_be(:admin_issue_board_list) { create_list(:user, 12, :admin, :with_sign_ins) }
1970 1971 1972 1973 1974 1975 1976 1977

    it 'returns up to the ten most recently active instance admins' do
      active_admins_in_recent_sign_in_desc_order = User.admins.active.order_recent_sign_in.limit(10)

      expect(User.instance_access_request_approvers_to_be_notified).to eq(active_admins_in_recent_sign_in_desc_order)
    end
  end

Serena Fang's avatar
Serena Fang committed
1978 1979 1980 1981 1982 1983 1984 1985 1986 1987 1988 1989 1990 1991 1992 1993 1994 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011
  describe 'banning and unbanning a user', :aggregate_failures do
    let(:user) { create(:user) }

    context 'banning a user' do
      it 'bans and blocks the user' do
        user.ban

        expect(user.banned?).to eq(true)
        expect(user.blocked?).to eq(true)
      end

      it 'creates a BannedUser record' do
        expect { user.ban }.to change { Users::BannedUser.count }.by(1)
        expect(Users::BannedUser.last.user_id).to eq(user.id)
      end
    end

    context 'unbanning a user' do
      before do
        user.ban!
      end

      it 'activates the user' do
        user.activate

        expect(user.banned?).to eq(false)
        expect(user.active?).to eq(true)
      end

      it 'deletes the BannedUser record' do
        expect { user.activate }.to change { Users::BannedUser.count }.by(-1)
        expect(Users::BannedUser.where(user_id: user.id)).not_to exist
      end
    end
2012 2013
  end

2014
  describe '.filter_items' do
2015 2016 2017
    let(:user) { double }

    it 'filters by active users by default' do
2018
      expect(described_class).to receive(:active_without_ghosts).and_return([user])
2019

2020
      expect(described_class.filter_items(nil)).to include user
2021 2022
    end

2023
    it 'filters by admins' do
2024
      expect(described_class).to receive(:admins).and_return([user])
2025

2026
      expect(described_class.filter_items('admins')).to include user
2027 2028
    end

2029
    it 'filters by blocked' do
2030
      expect(described_class).to receive(:blocked).and_return([user])
2031

2032
      expect(described_class.filter_items('blocked')).to include user
2033 2034
    end

Serena Fang's avatar
Serena Fang committed
2035 2036 2037 2038 2039 2040
    it 'filters by banned' do
      expect(described_class).to receive(:banned).and_return([user])

      expect(described_class.filter_items('banned')).to include user
    end

2041 2042 2043 2044 2045 2046
    it 'filters by blocked pending approval' do
      expect(described_class).to receive(:blocked_pending_approval).and_return([user])

      expect(described_class.filter_items('blocked_pending_approval')).to include user
    end

2047 2048 2049 2050 2051 2052
    it 'filters by deactivated' do
      expect(described_class).to receive(:deactivated).and_return([user])

      expect(described_class.filter_items('deactivated')).to include user
    end

2053
    it 'filters by two_factor_disabled' do
2054
      expect(described_class).to receive(:without_two_factor).and_return([user])
2055

2056
      expect(described_class.filter_items('two_factor_disabled')).to include user
2057 2058 2059
    end

    it 'filters by two_factor_enabled' do
2060
      expect(described_class).to receive(:with_two_factor).and_return([user])
2061

2062
      expect(described_class.filter_items('two_factor_enabled')).to include user
2063 2064 2065
    end

    it 'filters by wop' do
2066
      expect(described_class).to receive(:without_projects).and_return([user])
2067

2068
      expect(described_class.filter_items('wop')).to include user
2069
    end
2070 2071
  end

2072
  describe '.without_projects' do
2073
    let!(:project) { create(:project, :public) }
2074 2075 2076 2077 2078 2079
    let!(:user) { create(:user) }
    let!(:user_without_project) { create(:user) }
    let!(:user_without_project2) { create(:user) }

    before do
      # add user to project
2080
      project.add_maintainer(user)
2081

2082
      # create invite to project
2083 2084 2085 2086 2087 2088
      create(:project_member, :developer, project: project, invite_token: '1234', invite_email: 'inviteduser1@example.com')

      # create request to join project
      project.request_access(user_without_project2)
    end

2089 2090 2091
    it { expect(described_class.without_projects).not_to include user }
    it { expect(described_class.without_projects).to include user_without_project }
    it { expect(described_class.without_projects).to include user_without_project2 }
2092 2093
  end

2094 2095 2096
  describe 'user creation' do
    describe 'normal user' do
      let(:user) { create(:user, name: 'John Smith') }
Dmitriy Zaporozhets's avatar
Dmitriy Zaporozhets committed
2097

2098
      it { expect(user.admin?).to be_falsey }
2099 2100 2101 2102
      it { expect(user.require_ssh_key?).to be_truthy }
      it { expect(user.can_create_group?).to be_truthy }
      it { expect(user.can_create_project?).to be_truthy }
      it { expect(user.first_name).to eq('John') }
2103
      it { expect(user.external).to be_falsey }
2104
    end
2105

Dmitriy Zaporozhets's avatar
Dmitriy Zaporozhets committed
2106
    describe 'with defaults' do
2107
      let(:user) { described_class.new }
Dmitriy Zaporozhets's avatar
Dmitriy Zaporozhets committed
2108

2109
      it "applies defaults to user" do
2110 2111
        expect(user.projects_limit).to eq(Gitlab.config.gitlab.default_projects_limit)
        expect(user.can_create_group).to eq(Gitlab.config.gitlab.default_can_create_group)
2112
        expect(user.theme_id).to eq(Gitlab.config.gitlab.default_theme)
Zeger-Jan van de Weg's avatar
Zeger-Jan van de Weg committed
2113
        expect(user.external).to be_falsey
2114
        expect(user.private_profile).to eq(false)
2115 2116 2117
      end
    end

Dmitriy Zaporozhets's avatar
Dmitriy Zaporozhets committed
2118
    describe 'with default overrides' do
2119
      let(:user) { described_class.new(projects_limit: 123, can_create_group: false, can_create_team: true) }
Dmitriy Zaporozhets's avatar
Dmitriy Zaporozhets committed
2120

2121
      it "applies defaults to user" do
2122 2123
        expect(user.projects_limit).to eq(123)
        expect(user.can_create_group).to be_falsey
2124
        expect(user.theme_id).to eq(1)
2125
      end
2126 2127 2128 2129 2130 2131 2132

      it 'does not undo projects_limit setting if it matches old DB default of 10' do
        # If the real default project limit is 10 then this test is worthless
        expect(Gitlab.config.gitlab.default_projects_limit).not_to eq(10)
        user = described_class.new(projects_limit: 10)
        expect(user.projects_limit).to eq(10)
      end
2133
    end
2134

2135
    context 'when Gitlab::CurrentSettings.user_default_external is true' do
2136 2137 2138 2139 2140
      before do
        stub_application_setting(user_default_external: true)
      end

      it "creates external user by default" do
2141
        user = create(:user)
2142 2143

        expect(user.external).to be_truthy
2144 2145
        expect(user.can_create_group).to be_falsey
        expect(user.projects_limit).to be 0
2146 2147 2148 2149
      end

      describe 'with default overrides' do
        it "creates a non-external user" do
2150
          user = create(:user, external: false)
2151 2152 2153 2154 2155

          expect(user.external).to be_falsey
        end
      end
    end
2156

2157
    describe '#require_ssh_key?', :use_clean_rails_memory_store_caching do
2158 2159 2160
      protocol_and_expectation = {
        'http' => false,
        'ssh' => true,
2161
        '' => true
2162 2163 2164 2165 2166 2167 2168 2169 2170
      }

      protocol_and_expectation.each do |protocol, expected|
        it "has correct require_ssh_key?" do
          stub_application_setting(enabled_git_access_protocol: protocol)
          user = build(:user)

          expect(user.require_ssh_key?).to eq(expected)
        end
2171
      end
2172 2173 2174 2175 2176 2177

      it 'returns false when the user has 1 or more SSH keys' do
        key = create(:personal_key)

        expect(key.user.require_ssh_key?).to eq(false)
      end
2178
    end
2179
  end
2180

2181 2182 2183 2184 2185 2186 2187 2188
  describe '.find_for_database_authentication' do
    it 'strips whitespace from login' do
      user = create(:user)

      expect(described_class.find_for_database_authentication({ login: " #{user.username} " })).to eq user
    end
  end

2189
  describe '.find_by_any_email' do
2190 2191 2192 2193 2194 2195 2196 2197
    it 'finds user through private commit email' do
      user = create(:user)
      private_email = user.private_commit_email

      expect(described_class.find_by_any_email(private_email)).to eq(user)
      expect(described_class.find_by_any_email(private_email, confirmed: true)).to eq(user)
    end

2198 2199 2200
    it 'finds by primary email' do
      user = create(:user, email: 'foo@example.com')

2201
      expect(described_class.find_by_any_email(user.email)).to eq user
2202
      expect(described_class.find_by_any_email(user.email, confirmed: true)).to eq user
2203 2204
    end

2205 2206 2207 2208 2209 2210 2211
    it 'finds by uppercased email' do
      user = create(:user, email: 'foo@example.com')

      expect(described_class.find_by_any_email(user.email.upcase)).to eq user
      expect(described_class.find_by_any_email(user.email.upcase, confirmed: true)).to eq user
    end

2212 2213
    context 'finds by secondary email' do
      let(:user) { email.user }
2214

2215 2216 2217 2218 2219 2220 2221 2222 2223 2224 2225 2226 2227 2228 2229 2230 2231 2232 2233 2234 2235 2236 2237 2238 2239 2240 2241 2242 2243
      context 'primary email confirmed' do
        context 'secondary email confirmed' do
          let!(:email) { create(:email, :confirmed, email: 'foo@example.com') }

          it 'finds user respecting the confirmed flag' do
            expect(described_class.find_by_any_email(email.email)).to eq user
            expect(described_class.find_by_any_email(email.email, confirmed: true)).to eq user
          end
        end

        context 'secondary email not confirmed' do
          let!(:email) { create(:email, email: 'foo@example.com') }

          it 'finds user respecting the confirmed flag' do
            expect(described_class.find_by_any_email(email.email)).to eq user
            expect(described_class.find_by_any_email(email.email, confirmed: true)).to be_nil
          end
        end
      end

      context 'primary email not confirmed' do
        let(:user) { create(:user, confirmed_at: nil) }
        let!(:email) { create(:email, :confirmed, user: user, email: 'foo@example.com') }

        it 'finds user respecting the confirmed flag' do
          expect(described_class.find_by_any_email(email.email)).to eq user
          expect(described_class.find_by_any_email(email.email, confirmed: true)).to be_nil
        end
      end
2244 2245 2246
    end

    it 'returns nil when nothing found' do
2247
      expect(described_class.find_by_any_email('')).to be_nil
2248
    end
2249 2250 2251 2252 2253 2254 2255

    it 'returns nil when user is not confirmed' do
      user = create(:user, email: 'foo@example.com', confirmed_at: nil)

      expect(described_class.find_by_any_email(user.email, confirmed: false)).to eq(user)
      expect(described_class.find_by_any_email(user.email, confirmed: true)).to be_nil
    end
2256 2257
  end

2258 2259 2260 2261 2262 2263 2264 2265 2266 2267 2268
  describe '.by_any_email' do
    it 'returns an ActiveRecord::Relation' do
      expect(described_class.by_any_email('foo@example.com'))
        .to be_a_kind_of(ActiveRecord::Relation)
    end

    it 'returns a relation of users' do
      user = create(:user)

      expect(described_class.by_any_email(user.email)).to eq([user])
    end
2269 2270 2271 2272 2273 2274

    it 'returns a relation of users for confirmed users' do
      user = create(:user)

      expect(described_class.by_any_email(user.email, confirmed: true)).to eq([user])
    end
2275 2276 2277 2278 2279 2280 2281 2282 2283 2284 2285 2286 2287 2288 2289 2290

    it 'finds user through a private commit email' do
      user = create(:user)
      private_email = user.private_commit_email

      expect(described_class.by_any_email(private_email)).to eq([user])
      expect(described_class.by_any_email(private_email, confirmed: true)).to eq([user])
    end

    it 'finds user through a private commit email in an array' do
      user = create(:user)
      private_email = user.private_commit_email

      expect(described_class.by_any_email([private_email])).to eq([user])
      expect(described_class.by_any_email([private_email], confirmed: true)).to eq([user])
    end
2291 2292
  end

2293
  describe '.search' do
2294 2295 2296 2297
    let_it_be(:user) { create(:user, name: 'user', username: 'usern', email: 'email@example.com') }
    let_it_be(:user2) { create(:user, name: 'user name', username: 'username', email: 'someemail@example.com') }
    let_it_be(:user3) { create(:user, name: 'us', username: 'se', email: 'foo@example.com') }
    let_it_be(:email) { create(:email, user: user, email: 'alias@example.com') }
2298

2299 2300 2301 2302
    describe 'name matching' do
      it 'returns users with a matching name with exact match first' do
        expect(described_class.search(user.name)).to eq([user, user2])
      end
2303

2304
      it 'returns users with a partially matching name' do
2305
        expect(described_class.search(user.name[0..2])).to eq([user, user2])
2306
      end
2307

2308 2309 2310
      it 'returns users with a matching name regardless of the casing' do
        expect(described_class.search(user2.name.upcase)).to eq([user2])
      end
2311 2312 2313 2314 2315 2316 2317 2318

      it 'returns users with a exact matching name shorter than 3 chars' do
        expect(described_class.search(user3.name)).to eq([user3])
      end

      it 'returns users with a exact matching name shorter than 3 chars regardless of the casing' do
        expect(described_class.search(user3.name.upcase)).to eq([user3])
      end
2319 2320
    end

2321 2322
    describe 'email matching' do
      it 'returns users with a matching Email' do
2323
        expect(described_class.search(user.email)).to eq([user])
2324
      end
2325

2326
      it 'does not return users with a partially matching Email' do
2327
        expect(described_class.search(user.email[1...-1])).to be_empty
2328
      end
2329

2330 2331 2332
      it 'returns users with a matching Email regardless of the casing' do
        expect(described_class.search(user2.email.upcase)).to eq([user2])
      end
2333 2334
    end

2335
    describe 'secondary email matching' do
2336 2337
      it 'returns users with a matching secondary email' do
        expect(described_class.search(email.email)).to include(email.user)
2338 2339
      end

2340 2341 2342
      it 'does not return users with a matching part of secondary email' do
        expect(described_class.search(email.email[1...-1])).to be_empty
      end
2343

2344 2345
      it 'returns users with a matching secondary email regardless of the casing' do
        expect(described_class.search(email.email.upcase)).to include(email.user)
2346 2347 2348
      end
    end

2349 2350 2351 2352
    describe 'username matching' do
      it 'returns users with a matching username' do
        expect(described_class.search(user.username)).to eq([user, user2])
      end
2353

2354 2355 2356 2357
      it 'returns users with a matching username starting with a @' do
        expect(described_class.search("@#{user.username}")).to eq([user, user2])
      end

2358
      it 'returns users with a partially matching username' do
2359
        expect(described_class.search(user.username[0..2])).to eq([user, user2])
2360
      end
2361

2362 2363 2364 2365
      it 'returns users with a partially matching username starting with @' do
        expect(described_class.search("@#{user.username[0..2]}")).to eq([user, user2])
      end

2366 2367 2368
      it 'returns users with a matching username regardless of the casing' do
        expect(described_class.search(user2.username.upcase)).to eq([user2])
      end
2369 2370 2371 2372 2373 2374 2375 2376

      it 'returns users with a exact matching username shorter than 3 chars' do
        expect(described_class.search(user3.username)).to eq([user3])
      end

      it 'returns users with a exact matching username shorter than 3 chars regardless of the casing' do
        expect(described_class.search(user3.username.upcase)).to eq([user3])
      end
2377
    end
2378 2379 2380 2381 2382 2383 2384 2385

    it 'returns no matches for an empty string' do
      expect(described_class.search('')).to be_empty
    end

    it 'returns no matches for nil' do
      expect(described_class.search(nil)).to be_empty
    end
2386 2387
  end

2388
  describe '.search_without_secondary_emails' do
2389 2390
    let_it_be(:user) { create(:user, name: 'John Doe', username: 'john.doe', email: 'someone.1@example.com' ) }
    let_it_be(:another_user) { create(:user, name: 'Albert Smith', username: 'albert.smith', email: 'another.2@example.com' ) }
2391
    let_it_be(:email) { create(:email, user: another_user, email: 'alias@example.com') }
2392 2393

    it 'returns users with a matching name' do
2394
      expect(described_class.search_without_secondary_emails(user.name)).to eq([user])
2395 2396 2397
    end

    it 'returns users with a partially matching name' do
2398
      expect(described_class.search_without_secondary_emails(user.name[0..2])).to eq([user])
2399 2400 2401
    end

    it 'returns users with a matching name regardless of the casing' do
2402
      expect(described_class.search_without_secondary_emails(user.name.upcase)).to eq([user])
2403 2404 2405
    end

    it 'returns users with a matching email' do
2406
      expect(described_class.search_without_secondary_emails(user.email)).to eq([user])
2407 2408 2409
    end

    it 'does not return users with a partially matching email' do
2410
      expect(described_class.search_without_secondary_emails(user.email[1...-1])).to be_empty
2411 2412 2413
    end

    it 'returns users with a matching email regardless of the casing' do
2414
      expect(described_class.search_without_secondary_emails(user.email.upcase)).to eq([user])
2415 2416 2417
    end

    it 'returns users with a matching username' do
2418
      expect(described_class.search_without_secondary_emails(user.username)).to eq([user])
2419 2420 2421
    end

    it 'returns users with a partially matching username' do
2422
      expect(described_class.search_without_secondary_emails(user.username[0..2])).to eq([user])
2423 2424 2425
    end

    it 'returns users with a matching username regardless of the casing' do
2426
      expect(described_class.search_without_secondary_emails(user.username.upcase)).to eq([user])
2427 2428 2429
    end

    it 'does not return users with a matching whole secondary email' do
2430
      expect(described_class.search_without_secondary_emails(email.email)).not_to include(email.user)
2431 2432 2433
    end

    it 'does not return users with a matching part of secondary email' do
2434
      expect(described_class.search_without_secondary_emails(email.email[1...-1])).to be_empty
2435 2436 2437
    end

    it 'returns no matches for an empty string' do
2438
      expect(described_class.search_without_secondary_emails('')).to be_empty
2439 2440 2441
    end

    it 'returns no matches for nil' do
2442
      expect(described_class.search_without_secondary_emails(nil)).to be_empty
2443 2444 2445
    end
  end

2446
  describe '.search_with_secondary_emails' do
2447 2448
    let_it_be(:user) { create(:user, name: 'John Doe', username: 'john.doe', email: 'someone.1@example.com' ) }
    let_it_be(:another_user) { create(:user, name: 'Albert Smith', username: 'albert.smith', email: 'another.2@example.com' ) }
2449
    let_it_be(:email) { create(:email, user: another_user, email: 'alias@example.com') }
2450 2451

    it 'returns users with a matching name' do
2452
      expect(described_class.search_with_secondary_emails(user.name)).to eq([user])
2453 2454 2455
    end

    it 'returns users with a partially matching name' do
2456
      expect(described_class.search_with_secondary_emails(user.name[0..2])).to eq([user])
2457 2458 2459
    end

    it 'returns users with a matching name regardless of the casing' do
2460
      expect(described_class.search_with_secondary_emails(user.name.upcase)).to eq([user])
2461 2462 2463
    end

    it 'returns users with a matching email' do
2464
      expect(described_class.search_with_secondary_emails(user.email)).to eq([user])
2465 2466
    end

2467
    it 'does not return users with a partially matching email' do
2468
      expect(described_class.search_with_secondary_emails(user.email[1...-1])).to be_empty
2469 2470 2471
    end

    it 'returns users with a matching email regardless of the casing' do
2472
      expect(described_class.search_with_secondary_emails(user.email.upcase)).to eq([user])
2473 2474 2475
    end

    it 'returns users with a matching username' do
2476
      expect(described_class.search_with_secondary_emails(user.username)).to eq([user])
2477 2478 2479
    end

    it 'returns users with a partially matching username' do
2480
      expect(described_class.search_with_secondary_emails(user.username[0..2])).to eq([user])
2481 2482 2483
    end

    it 'returns users with a matching username regardless of the casing' do
2484
      expect(described_class.search_with_secondary_emails(user.username.upcase)).to eq([user])
2485 2486 2487
    end

    it 'returns users with a matching whole secondary email' do
2488
      expect(described_class.search_with_secondary_emails(email.email)).to eq([email.user])
2489 2490
    end

2491
    it 'does not return users with a matching part of secondary email' do
2492
      expect(described_class.search_with_secondary_emails(email.email[1...-1])).to be_empty
2493
    end
2494 2495

    it 'returns no matches for an empty string' do
2496
      expect(described_class.search_with_secondary_emails('')).to be_empty
2497 2498 2499
    end

    it 'returns no matches for nil' do
2500
      expect(described_class.search_with_secondary_emails(nil)).to be_empty
2501
    end
2502 2503
  end

2504
  describe '.find_by_ssh_key_id' do
2505 2506
    let_it_be(:user) { create(:user) }
    let_it_be(:key) { create(:key, user: user) }
2507

2508
    context 'using an existing SSH key ID' do
2509 2510 2511 2512 2513
      it 'returns the corresponding User' do
        expect(described_class.find_by_ssh_key_id(key.id)).to eq(user)
      end
    end

2514 2515 2516 2517 2518 2519 2520
    it 'only performs a single query' do
      key # Don't count the queries for creating the key and user

      expect { described_class.find_by_ssh_key_id(key.id) }
        .not_to exceed_query_limit(1)
    end

2521 2522 2523 2524 2525 2526 2527
    context 'using an invalid SSH key ID' do
      it 'returns nil' do
        expect(described_class.find_by_ssh_key_id(-1)).to be_nil
      end
    end
  end

2528 2529 2530 2531
  describe '.by_login' do
    let(:username) { 'John' }
    let!(:user) { create(:user, username: username) }

2532
    it 'gets the correct user' do
2533 2534 2535 2536 2537 2538
      expect(described_class.by_login(user.email.upcase)).to eq user
      expect(described_class.by_login(user.email)).to eq user
      expect(described_class.by_login(username.downcase)).to eq user
      expect(described_class.by_login(username)).to eq user
      expect(described_class.by_login(nil)).to be_nil
      expect(described_class.by_login('')).to be_nil
2539 2540 2541
    end
  end

2542 2543 2544 2545 2546 2547 2548
  describe '.find_by_username' do
    it 'returns nil if not found' do
      expect(described_class.find_by_username('JohnDoe')).to be_nil
    end

    it 'is case-insensitive' do
      user = create(:user, username: 'JohnDoe')
2549

2550 2551 2552 2553
      expect(described_class.find_by_username('JOHNDOE')).to eq user
    end
  end

2554 2555
  describe '.find_by_username!' do
    it 'raises RecordNotFound' do
2556 2557
      expect { described_class.find_by_username!('JohnDoe') }
        .to raise_error(ActiveRecord::RecordNotFound)
2558 2559 2560 2561
    end

    it 'is case-insensitive' do
      user = create(:user, username: 'JohnDoe')
2562

2563 2564 2565 2566
      expect(described_class.find_by_username!('JOHNDOE')).to eq user
    end
  end

2567 2568 2569 2570 2571 2572 2573
  describe '.find_by_full_path' do
    let!(:user) { create(:user) }

    context 'with a route matching the given path' do
      let!(:route) { user.namespace.route }

      it 'returns the user' do
2574
        expect(described_class.find_by_full_path(route.path)).to eq(user)
2575 2576 2577
      end

      it 'is case-insensitive' do
2578 2579
        expect(described_class.find_by_full_path(route.path.upcase)).to eq(user)
        expect(described_class.find_by_full_path(route.path.downcase)).to eq(user)
2580 2581 2582 2583
      end
    end

    context 'with a redirect route matching the given path' do
2584
      let!(:redirect_route) { user.namespace.redirect_routes.create!(path: 'foo') }
2585 2586 2587

      context 'without the follow_redirects option' do
        it 'returns nil' do
2588
          expect(described_class.find_by_full_path(redirect_route.path)).to eq(nil)
2589 2590 2591 2592 2593
        end
      end

      context 'with the follow_redirects option set to true' do
        it 'returns the user' do
2594
          expect(described_class.find_by_full_path(redirect_route.path, follow_redirects: true)).to eq(user)
2595 2596 2597
        end

        it 'is case-insensitive' do
2598 2599
          expect(described_class.find_by_full_path(redirect_route.path.upcase, follow_redirects: true)).to eq(user)
          expect(described_class.find_by_full_path(redirect_route.path.downcase, follow_redirects: true)).to eq(user)
2600 2601 2602 2603 2604 2605 2606
        end
      end
    end

    context 'without a route or a redirect route matching the given path' do
      context 'without the follow_redirects option' do
        it 'returns nil' do
2607
          expect(described_class.find_by_full_path('unknown')).to eq(nil)
2608 2609 2610 2611
        end
      end
      context 'with the follow_redirects option set to true' do
        it 'returns nil' do
2612
          expect(described_class.find_by_full_path('unknown', follow_redirects: true)).to eq(nil)
2613 2614 2615 2616 2617
        end
      end
    end

    context 'with a group route matching the given path' do
2618 2619
      let!(:group) { create(:group, path: 'group_path') }

Michael Kozono's avatar
Michael Kozono committed
2620
      context 'when the group namespace has an owner_id (legacy data)' do
2621 2622 2623
        before do
          group.update!(owner_id: user.id)
        end
2624

Michael Kozono's avatar
Michael Kozono committed
2625
        it 'returns nil' do
2626
          expect(described_class.find_by_full_path('group_path')).to eq(nil)
Michael Kozono's avatar
Michael Kozono committed
2627 2628 2629 2630 2631
        end
      end

      context 'when the group namespace does not have an owner_id' do
        it 'returns nil' do
2632
          expect(described_class.find_by_full_path('group_path')).to eq(nil)
Michael Kozono's avatar
Michael Kozono committed
2633
        end
2634 2635 2636 2637
      end
    end
  end

2638
  describe 'all_ssh_keys' do
2639
    it { is_expected.to have_many(:keys).dependent(:destroy) }
2640

2641
    it "has all ssh keys" do
2642 2643 2644
      user = create :user
      key = create :key, key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD33bWLBxu48Sev9Fert1yzEO4WGcWglWF7K/AwblIUFselOt/QdOL9DSjpQGxLagO1s9wl53STIO8qGS4Ms0EJZyIXOEFMjFJ5xmjSy+S37By4sG7SsltQEHMxtbtFOaW5LV2wCrX+rUsRNqLMamZjgjcPO0/EgGCXIGMAYW4O7cwGZdXWYIhQ1Vwy+CsVMDdPkPgBXqK7nR/ey8KMs8ho5fMNgB5hBw/AL9fNGhRw3QTD6Q12Nkhl4VZES2EsZqlpNnJttnPdp847DUsT6yuLRlfiQfz5Cn9ysHFdXObMN5VYIiPFwHeYCZp1X2S4fDZooRE8uOLTfxWHPXwrhqSH", user_id: user.id

2645
      expect(user.all_ssh_keys).to include(a_string_starting_with(key.key))
2646
    end
2647
  end
2648

2649
  describe '#avatar_type' do
2650 2651
    let(:user) { create(:user) }

2652
    it 'is true if avatar is image' do
2653
      user.update_attribute(:avatar, 'uploads/avatar.png')
2654

2655
      expect(user.avatar_type).to be_truthy
2656 2657
    end

2658
    it 'is false if avatar is html page' do
2659
      user.update_attribute(:avatar, 'uploads/avatar.html')
2660
      user.avatar_type
2661

2662
      expect(user.errors.added?(:avatar, "file format is not supported. Please try one of the following supported formats: png, jpg, jpeg, gif, bmp, tiff, ico, webp")).to be true
2663 2664
    end
  end
Jerome Dalbert's avatar
Jerome Dalbert committed
2665

2666 2667 2668 2669
  describe '#avatar_url' do
    let(:user) { create(:user, :with_avatar) }

    context 'when avatar file is uploaded' do
2670
      it 'shows correct avatar url' do
2671 2672
        expect(user.avatar_url).to eq(user.avatar.url)
        expect(user.avatar_url(only_path: false)).to eq([Gitlab.config.gitlab.url, user.avatar.url].join)
2673
      end
2674 2675 2676
    end
  end

2677 2678 2679
  describe "#clear_avatar_caches" do
    let(:user) { create(:user) }

Robert May's avatar
Robert May committed
2680 2681
    it "clears the avatar cache when saving" do
      allow(user).to receive(:avatar_changed?).and_return(true)
2682

Robert May's avatar
Robert May committed
2683
      expect(Gitlab::AvatarCache).to receive(:delete_by_email).with(*user.verified_emails)
2684

2685
      user.update!(avatar: fixture_file_upload('spec/fixtures/dk.png'))
2686 2687 2688
    end
  end

2689 2690 2691 2692 2693 2694 2695 2696 2697 2698 2699 2700 2701 2702 2703 2704 2705 2706
  describe '#accept_pending_invitations!' do
    let(:user) { create(:user, email: 'user@email.com') }
    let!(:project_member_invite) { create(:project_member, :invited, invite_email: user.email) }
    let!(:group_member_invite) { create(:group_member, :invited, invite_email: user.email) }
    let!(:external_project_member_invite) { create(:project_member, :invited, invite_email: 'external@email.com') }
    let!(:external_group_member_invite) { create(:group_member, :invited, invite_email: 'external@email.com') }

    it 'accepts all the user members pending invitations and returns the accepted_members' do
      accepted_members = user.accept_pending_invitations!

      expect(accepted_members).to match_array([project_member_invite, group_member_invite])
      expect(group_member_invite.reload).not_to be_invite
      expect(project_member_invite.reload).not_to be_invite
      expect(external_project_member_invite.reload).to be_invite
      expect(external_group_member_invite.reload).to be_invite
    end
  end

2707 2708
  describe '#all_emails' do
    let(:user) { create(:user) }
2709
    let!(:email_confirmed) { create :email, user: user, confirmed_at: Time.current }
2710 2711 2712 2713 2714 2715 2716 2717 2718 2719 2720 2721
    let!(:email_unconfirmed) { create :email, user: user }

    context 'when `include_private_email` is true' do
      it 'returns all emails' do
        expect(user.reload.all_emails).to contain_exactly(
          user.email,
          user.private_commit_email,
          email_unconfirmed.email,
          email_confirmed.email
        )
      end
    end
2722

2723 2724 2725 2726 2727 2728 2729 2730
    context 'when `include_private_email` is false' do
      it 'does not include the private commit email' do
        expect(user.reload.all_emails(include_private_email: false)).to contain_exactly(
          user.email,
          email_unconfirmed.email,
          email_confirmed.email
        )
      end
2731 2732 2733
    end
  end

2734
  describe '#verified_emails' do
2735 2736 2737
    let(:user) { create(:user) }

    it 'returns only confirmed emails' do
2738
      email_confirmed = create :email, user: user, confirmed_at: Time.current
Brett Walker's avatar
Brett Walker committed
2739
      create :email, user: user
2740

2741 2742 2743 2744 2745
      expect(user.verified_emails).to contain_exactly(
        user.email,
        user.private_commit_email,
        email_confirmed.email
      )
2746 2747 2748
    end
  end

2749 2750 2751 2752 2753 2754 2755 2756 2757 2758 2759 2760 2761 2762 2763 2764 2765 2766 2767 2768 2769 2770 2771 2772 2773
  describe '#public_verified_emails' do
    let(:user) { create(:user) }

    it 'returns only confirmed public emails' do
      email_confirmed = create :email, user: user, confirmed_at: Time.current
      create :email, user: user

      expect(user.public_verified_emails).to contain_exactly(
        user.email,
        email_confirmed.email
      )
    end

    it 'returns confirmed public emails plus main user email when user is not confirmed' do
      user = create(:user, confirmed_at: nil)
      email_confirmed = create :email, user: user, confirmed_at: Time.current
      create :email, user: user

      expect(user.public_verified_emails).to contain_exactly(
        user.email,
        email_confirmed.email
      )
    end
  end

2774 2775 2776 2777
  describe '#verified_email?' do
    let(:user) { create(:user) }

    it 'returns true when the email is verified/confirmed' do
2778
      email_confirmed = create :email, user: user, confirmed_at: Time.current
Brett Walker's avatar
Brett Walker committed
2779
      create :email, user: user
2780 2781 2782
      user.reload

      expect(user.verified_email?(user.email)).to be_truthy
2783
      expect(user.verified_email?(email_confirmed.email.titlecase)).to be_truthy
2784 2785
    end

2786 2787 2788 2789
    it 'returns true when user is found through private commit email' do
      expect(user.verified_email?(user.private_commit_email)).to be_truthy
    end

2790 2791 2792 2793 2794 2795 2796 2797
    it 'returns true for an outdated private commit email' do
      old_email = user.private_commit_email

      user.update!(username: 'changed-username')

      expect(user.verified_email?(old_email)).to be_truthy
    end

2798 2799 2800 2801 2802 2803 2804 2805
    it 'returns false when the email is not verified/confirmed' do
      email_unconfirmed = create :email, user: user
      user.reload

      expect(user.verified_email?(email_unconfirmed.email)).to be_falsy
    end
  end

2806 2807 2808 2809 2810 2811 2812 2813 2814 2815 2816 2817 2818 2819 2820 2821 2822 2823 2824 2825 2826 2827
  context 'crowd synchronized user' do
    describe '#crowd_user?' do
      it 'is true if provider is crowd' do
        user = create(:omniauth_user, provider: 'crowd')

        expect(user.crowd_user?).to be_truthy
      end

      it 'is false for other providers' do
        user = create(:omniauth_user, provider: 'other-provider')

        expect(user.crowd_user?).to be_falsey
      end

      it 'is false if no extern_uid is provided' do
        user = create(:omniauth_user, extern_uid: nil)

        expect(user.crowd_user?).to be_falsey
      end
    end
  end

2828
  describe '#requires_ldap_check?' do
2829
    let(:user) { described_class.new }
2830

2831 2832
    it 'is false when LDAP is disabled' do
      # Create a condition which would otherwise cause 'true' to be returned
2833
      allow(user).to receive(:ldap_user?).and_return(true)
2834
      user.last_credential_check_at = nil
2835

2836
      expect(user.requires_ldap_check?).to be_falsey
2837 2838
    end

2839
    context 'when LDAP is enabled' do
2840 2841 2842
      before do
        allow(Gitlab.config.ldap).to receive(:enabled).and_return(true)
      end
2843

2844
      it 'is false for non-LDAP users' do
2845
        allow(user).to receive(:ldap_user?).and_return(false)
2846

2847
        expect(user.requires_ldap_check?).to be_falsey
2848 2849
      end

2850
      context 'and when the user is an LDAP user' do
2851 2852 2853
        before do
          allow(user).to receive(:ldap_user?).and_return(true)
        end
2854 2855 2856

        it 'is true when the user has never had an LDAP check before' do
          user.last_credential_check_at = nil
2857

2858
          expect(user.requires_ldap_check?).to be_truthy
2859 2860 2861 2862
        end

        it 'is true when the last LDAP check happened over 1 hour ago' do
          user.last_credential_check_at = 2.hours.ago
2863

2864
          expect(user.requires_ldap_check?).to be_truthy
2865
        end
2866 2867 2868 2869
      end
    end
  end

2870
  context 'ldap synchronized user' do
2871
    describe '#ldap_user?' do
2872 2873
      it 'is true if provider name starts with ldap' do
        user = create(:omniauth_user, provider: 'ldapmain')
2874

2875 2876
        expect(user.ldap_user?).to be_truthy
      end
2877

2878 2879
      it 'is false for other providers' do
        user = create(:omniauth_user, provider: 'other-provider')
2880

2881 2882 2883 2884 2885
        expect(user.ldap_user?).to be_falsey
      end

      it 'is false if no extern_uid is provided' do
        user = create(:omniauth_user, extern_uid: nil)
2886

2887 2888
        expect(user.ldap_user?).to be_falsey
      end
2889 2890
    end

2891
    describe '#ldap_identity' do
2892 2893
      it 'returns ldap identity' do
        user = create :omniauth_user
2894

2895 2896
        expect(user.ldap_identity.provider).not_to be_empty
      end
2897 2898
    end

2899 2900 2901 2902 2903 2904 2905 2906
    describe '#matches_identity?' do
      it 'finds the identity when the DN is formatted differently' do
        user = create(:omniauth_user, provider: 'ldapmain', extern_uid: 'uid=john smith,ou=people,dc=example,dc=com')

        expect(user.matches_identity?('ldapmain', 'uid=John Smith, ou=People, dc=example, dc=com')).to eq(true)
      end
    end

2907 2908 2909 2910 2911
    describe '#ldap_block' do
      let(:user) { create(:omniauth_user, provider: 'ldapmain', name: 'John Smith') }

      it 'blocks user flaging the action caming from ldap' do
        user.ldap_block
2912

2913 2914 2915
        expect(user.blocked?).to be_truthy
        expect(user.ldap_blocked?).to be_truthy
      end
2916 2917 2918

      context 'on a read-only instance' do
        before do
2919
          allow(Gitlab::Database).to receive(:read_only?).and_return(true)
2920 2921 2922 2923 2924 2925 2926 2927 2928
        end

        it 'does not block user' do
          user.ldap_block

          expect(user.blocked?).to be_falsey
          expect(user.ldap_blocked?).to be_falsey
        end
      end
2929 2930 2931
    end
  end

Jerome Dalbert's avatar
Jerome Dalbert committed
2932 2933 2934 2935 2936 2937 2938 2939 2940 2941 2942 2943 2944 2945 2946 2947 2948 2949 2950 2951 2952 2953 2954 2955 2956 2957 2958 2959 2960 2961 2962 2963 2964 2965 2966 2967 2968 2969 2970
  describe '#full_website_url' do
    let(:user) { create(:user) }

    it 'begins with http if website url omits it' do
      user.website_url = 'test.com'

      expect(user.full_website_url).to eq 'http://test.com'
    end

    it 'begins with http if website url begins with http' do
      user.website_url = 'http://test.com'

      expect(user.full_website_url).to eq 'http://test.com'
    end

    it 'begins with https if website url begins with https' do
      user.website_url = 'https://test.com'

      expect(user.full_website_url).to eq 'https://test.com'
    end
  end

  describe '#short_website_url' do
    let(:user) { create(:user) }

    it 'does not begin with http if website url omits it' do
      user.website_url = 'test.com'

      expect(user.short_website_url).to eq 'test.com'
    end

    it 'does not begin with http if website url begins with http' do
      user.website_url = 'http://test.com'

      expect(user.short_website_url).to eq 'test.com'
    end

    it 'does not begin with https if website url begins with https' do
      user.website_url = 'https://test.com'
2971

Jerome Dalbert's avatar
Jerome Dalbert committed
2972 2973
      expect(user.short_website_url).to eq 'test.com'
    end
2974
  end
Ciro Santilli's avatar
Ciro Santilli committed
2975

2976
  describe '#sanitize_attrs' do
2977
    let(:user) { build(:user, name: 'test <& user', skype: 'test&user') }
2978 2979 2980 2981 2982 2983 2984 2985

    it 'encodes HTML entities in the Skype attribute' do
      expect { user.sanitize_attrs }.to change { user.skype }.to('test&amp;user')
    end

    it 'does not encode HTML entities in the name attribute' do
      expect { user.sanitize_attrs }.not_to change { user.name }
    end
2986 2987 2988 2989 2990 2991 2992 2993 2994 2995 2996 2997 2998 2999 3000 3001 3002 3003 3004

    it 'sanitizes attr from html tags' do
      user = create(:user, name: '<a href="//example.com">Test<a>', twitter: '<a href="//evil.com">https://twitter.com<a>')

      expect(user.name).to eq('Test')
      expect(user.twitter).to eq('https://twitter.com')
    end

    it 'sanitizes attr from js scripts' do
      user = create(:user, name: '<script>alert("Test")</script>')

      expect(user.name).to eq("alert(\"Test\")")
    end

    it 'sanitizes attr from iframe scripts' do
      user = create(:user, name: 'User"><iframe src=javascript:alert()><iframe>')

      expect(user.name).to eq('User">')
    end
3005 3006
  end

3007 3008
  describe '#starred?' do
    it 'determines if user starred a project' do
3009
      user = create :user
3010 3011
      project1 = create(:project, :public)
      project2 = create(:project, :public)
3012

3013 3014
      expect(user.starred?(project1)).to be_falsey
      expect(user.starred?(project2)).to be_falsey
3015 3016

      star1 = UsersStarProject.create!(project: project1, user: user)
3017

3018 3019
      expect(user.starred?(project1)).to be_truthy
      expect(user.starred?(project2)).to be_falsey
3020 3021

      star2 = UsersStarProject.create!(project: project2, user: user)
3022

3023 3024
      expect(user.starred?(project1)).to be_truthy
      expect(user.starred?(project2)).to be_truthy
3025

3026
      star1.destroy!
3027

3028 3029
      expect(user.starred?(project1)).to be_falsey
      expect(user.starred?(project2)).to be_truthy
3030

3031
      star2.destroy!
3032

3033 3034
      expect(user.starred?(project1)).to be_falsey
      expect(user.starred?(project2)).to be_falsey
3035 3036 3037
    end
  end

3038 3039
  describe '#toggle_star' do
    it 'toggles stars' do
Ciro Santilli's avatar
Ciro Santilli committed
3040
      user = create :user
3041
      project = create(:project, :public)
Ciro Santilli's avatar
Ciro Santilli committed
3042

3043
      expect(user.starred?(project)).to be_falsey
3044

Ciro Santilli's avatar
Ciro Santilli committed
3045
      user.toggle_star(project)
3046

3047
      expect(user.starred?(project)).to be_truthy
3048

Ciro Santilli's avatar
Ciro Santilli committed
3049
      user.toggle_star(project)
3050

3051
      expect(user.starred?(project)).to be_falsey
Ciro Santilli's avatar
Ciro Santilli committed
3052 3053
    end
  end
Valery Sizov's avatar
Valery Sizov committed
3054

3055 3056 3057 3058 3059 3060 3061 3062 3063 3064 3065 3066 3067 3068 3069 3070 3071 3072 3073 3074 3075 3076 3077 3078 3079 3080 3081 3082 3083 3084 3085 3086 3087 3088 3089 3090 3091 3092 3093 3094 3095 3096 3097 3098 3099 3100 3101 3102 3103 3104 3105 3106 3107 3108 3109 3110 3111 3112 3113 3114 3115 3116 3117 3118 3119 3120 3121 3122 3123 3124 3125 3126 3127
  describe '#following?' do
    it 'check if following another user' do
      user = create :user
      followee1 = create :user

      expect(user.follow(followee1)).to be_truthy

      expect(user.following?(followee1)).to be_truthy

      expect(user.unfollow(followee1)).to be_truthy

      expect(user.following?(followee1)).to be_falsey
    end
  end

  describe '#follow' do
    it 'follow another user' do
      user = create :user
      followee1 = create :user
      followee2 = create :user

      expect(user.followees).to be_empty

      expect(user.follow(followee1)).to be_truthy
      expect(user.follow(followee1)).to be_falsey

      expect(user.followees).to contain_exactly(followee1)

      expect(user.follow(followee2)).to be_truthy
      expect(user.follow(followee2)).to be_falsey

      expect(user.followees).to contain_exactly(followee1, followee2)
    end

    it 'follow itself is not possible' do
      user = create :user

      expect(user.followees).to be_empty

      expect(user.follow(user)).to be_falsey

      expect(user.followees).to be_empty
    end
  end

  describe '#unfollow' do
    it 'unfollow another user' do
      user = create :user
      followee1 = create :user
      followee2 = create :user

      expect(user.followees).to be_empty

      expect(user.follow(followee1)).to be_truthy
      expect(user.follow(followee1)).to be_falsey

      expect(user.follow(followee2)).to be_truthy
      expect(user.follow(followee2)).to be_falsey

      expect(user.followees).to contain_exactly(followee1, followee2)

      expect(user.unfollow(followee1)).to be_truthy
      expect(user.unfollow(followee1)).to be_falsey

      expect(user.followees).to contain_exactly(followee2)

      expect(user.unfollow(followee2)).to be_truthy
      expect(user.unfollow(followee2)).to be_falsey

      expect(user.followees).to be_empty
    end
  end

3128 3129
  describe '.find_by_private_commit_email' do
    context 'with email' do
3130
      let_it_be(:user) { create(:user) }
3131 3132 3133 3134 3135 3136 3137 3138 3139 3140 3141 3142 3143 3144 3145

      it 'returns user through private commit email' do
        expect(described_class.find_by_private_commit_email(user.private_commit_email)).to eq(user)
      end

      it 'returns nil when email other than private_commit_email is used' do
        expect(described_class.find_by_private_commit_email(user.email)).to be_nil
      end
    end

    it 'returns nil when email is nil' do
      expect(described_class.find_by_private_commit_email(nil)).to be_nil
    end
  end

3146
  describe '#sort_by_attribute' do
Valery Sizov's avatar
Valery Sizov committed
3147
    before do
3148
      described_class.delete_all
3149 3150 3151
      @user = create :user, created_at: Date.today, current_sign_in_at: Date.today, name: 'Alpha'
      @user1 = create :user, created_at: Date.today - 1, current_sign_in_at: Date.today - 1, name: 'Omega'
      @user2 = create :user, created_at: Date.today - 2, name: 'Beta'
Valery Sizov's avatar
Valery Sizov committed
3152
    end
3153

3154
    context 'when sort by recent_sign_in' do
3155
      let(:users) { described_class.sort_by_attribute('recent_sign_in') }
3156 3157 3158 3159

      it 'sorts users by recent sign-in time' do
        expect(users.first).to eq(@user)
        expect(users.second).to eq(@user1)
3160 3161 3162
      end

      it 'pushes users who never signed in to the end' do
3163
        expect(users.third).to eq(@user2)
3164
      end
Valery Sizov's avatar
Valery Sizov committed
3165 3166
    end

3167
    context 'when sort by oldest_sign_in' do
3168
      let(:users) { described_class.sort_by_attribute('oldest_sign_in') }
3169

3170
      it 'sorts users by the oldest sign-in time' do
3171 3172
        expect(users.first).to eq(@user1)
        expect(users.second).to eq(@user)
3173 3174 3175
      end

      it 'pushes users who never signed in to the end' do
3176
        expect(users.third).to eq(@user2)
3177
      end
Valery Sizov's avatar
Valery Sizov committed
3178 3179
    end

3180
    it 'sorts users in descending order by their creation time' do
3181
      expect(described_class.sort_by_attribute('created_desc').first).to eq(@user)
Valery Sizov's avatar
Valery Sizov committed
3182 3183
    end

3184
    it 'sorts users in ascending order by their creation time' do
3185
      expect(described_class.sort_by_attribute('created_asc').first).to eq(@user2)
Valery Sizov's avatar
Valery Sizov committed
3186 3187
    end

3188
    it 'sorts users by id in descending order when nil is passed' do
3189
      expect(described_class.sort_by_attribute(nil).first).to eq(@user2)
Valery Sizov's avatar
Valery Sizov committed
3190 3191
    end
  end
3192

3193 3194 3195 3196 3197 3198 3199 3200 3201 3202 3203 3204 3205 3206 3207 3208 3209 3210 3211 3212 3213 3214 3215 3216 3217 3218 3219 3220 3221 3222 3223 3224 3225 3226 3227 3228 3229 3230 3231 3232 3233 3234 3235 3236 3237 3238 3239 3240 3241 3242 3243 3244 3245 3246 3247 3248 3249 3250 3251 3252 3253 3254 3255 3256 3257 3258 3259 3260 3261 3262 3263 3264 3265 3266 3267 3268 3269 3270 3271 3272 3273 3274 3275 3276 3277 3278 3279
  describe "#last_active_at" do
    let(:last_activity_on) { 5.days.ago.to_date }
    let(:current_sign_in_at) { 8.days.ago }

    context 'for a user that has `last_activity_on` set' do
      let(:user) { create(:user, last_activity_on: last_activity_on) }

      it 'returns `last_activity_on` with current time zone' do
        expect(user.last_active_at).to eq(last_activity_on.to_time.in_time_zone)
      end
    end

    context 'for a user that has `current_sign_in_at` set' do
      let(:user) { create(:user, current_sign_in_at: current_sign_in_at) }

      it 'returns `current_sign_in_at`' do
        expect(user.last_active_at).to eq(current_sign_in_at)
      end
    end

    context 'for a user that has both `current_sign_in_at` & ``last_activity_on`` set' do
      let(:user) { create(:user, current_sign_in_at: current_sign_in_at, last_activity_on: last_activity_on) }

      it 'returns the latest among `current_sign_in_at` & `last_activity_on`' do
        latest_event = [current_sign_in_at, last_activity_on.to_time.in_time_zone].max
        expect(user.last_active_at).to eq(latest_event)
      end
    end

    context 'for a user that does not have both `current_sign_in_at` & `last_activity_on` set' do
      let(:user) { create(:user, current_sign_in_at: nil, last_activity_on: nil) }

      it 'returns nil' do
        expect(user.last_active_at).to eq(nil)
      end
    end
  end

  describe "#can_be_deactivated?" do
    let(:activity) { {} }
    let(:user) { create(:user, name: 'John Smith', **activity) }
    let(:day_within_minium_inactive_days_threshold) { User::MINIMUM_INACTIVE_DAYS.pred.days.ago }
    let(:day_outside_minium_inactive_days_threshold) { User::MINIMUM_INACTIVE_DAYS.next.days.ago }

    shared_examples 'not eligible for deactivation' do
      it 'returns false' do
        expect(user.can_be_deactivated?).to be_falsey
      end
    end

    shared_examples 'eligible for deactivation' do
      it 'returns true' do
        expect(user.can_be_deactivated?).to be_truthy
      end
    end

    context "a user who is not active" do
      before do
        user.block
      end

      it_behaves_like 'not eligible for deactivation'
    end

    context 'a user who has activity within the specified minimum inactive days' do
      let(:activity) { { last_activity_on: day_within_minium_inactive_days_threshold } }

      it_behaves_like 'not eligible for deactivation'
    end

    context 'a user who has signed in within the specified minimum inactive days' do
      let(:activity) { { current_sign_in_at: day_within_minium_inactive_days_threshold } }

      it_behaves_like 'not eligible for deactivation'
    end

    context 'a user who has no activity within the specified minimum inactive days' do
      let(:activity) { { last_activity_on: day_outside_minium_inactive_days_threshold } }

      it_behaves_like 'eligible for deactivation'
    end

    context 'a user who has not signed in within the specified minimum inactive days' do
      let(:activity) { { current_sign_in_at: day_outside_minium_inactive_days_threshold } }

      it_behaves_like 'eligible for deactivation'
    end
3280 3281 3282 3283 3284 3285 3286 3287

    context 'a user who is internal' do
      it 'returns false' do
        internal_user = create(:user, :bot)

        expect(internal_user.can_be_deactivated?).to be_falsey
      end
    end
3288 3289
  end

3290
  describe "#contributed_projects" do
3291
    subject { create(:user) }
3292

3293
    let!(:project1) { create(:project) }
3294
    let!(:project2) { fork_project(project3) }
3295
    let!(:project3) { create(:project) }
3296
    let!(:merge_request) { create(:merge_request, source_project: project2, target_project: project3, author: subject) }
3297
    let!(:push_event) { create(:push_event, project: project1, author: subject) }
3298
    let!(:merge_event) { create(:event, :created, project: project3, target: merge_request, author: subject) }
3299 3300

    before do
3301 3302
      project1.add_maintainer(subject)
      project2.add_maintainer(subject)
3303 3304 3305
    end

    it "includes IDs for projects the user has pushed to" do
3306
      expect(subject.contributed_projects).to include(project1)
3307 3308 3309
    end

    it "includes IDs for projects the user has had merge requests merged into" do
3310
      expect(subject.contributed_projects).to include(project3)
3311 3312 3313
    end

    it "doesn't include IDs for unrelated projects" do
3314
      expect(subject.contributed_projects).not_to include(project2)
3315 3316
    end
  end
3317

3318 3319 3320 3321 3322 3323 3324 3325 3326 3327 3328 3329 3330 3331 3332 3333 3334
  describe '#fork_of' do
    let(:user) { create(:user) }

    it "returns a user's fork of a project" do
      project = create(:project, :public)
      user_fork = fork_project(project, user, namespace: user.namespace)

      expect(user.fork_of(project)).to eq(user_fork)
    end

    it 'returns nil if the project does not have a fork network' do
      project = create(:project)

      expect(user.fork_of(project)).to be_nil
    end
  end

3335
  describe '#can_be_removed?' do
3336 3337 3338 3339 3340 3341 3342 3343 3344 3345 3346 3347 3348 3349 3350
    subject { create(:user) }

    context 'no owned groups' do
      it { expect(subject.can_be_removed?).to be_truthy }
    end

    context 'has owned groups' do
      before do
        group = create(:group)
        group.add_owner(subject)
      end

      it { expect(subject.can_be_removed?).to be_falsey }
    end
  end
3351

3352
  describe '#solo_owned_groups' do
3353 3354 3355
    let_it_be_with_refind(:user) { create(:user) }

    subject(:solo_owned_groups) { user.solo_owned_groups }
3356 3357

    context 'no owned groups' do
3358
      it { is_expected.to be_empty }
3359 3360 3361 3362 3363 3364
    end

    context 'has owned groups' do
      let_it_be(:group) { create(:group) }

      before do
3365
        group.add_owner(user)
3366 3367 3368 3369 3370 3371 3372 3373 3374
      end

      context 'not solo owner' do
        let_it_be(:user2) { create(:user) }

        before do
          group.add_owner(user2)
        end

3375
        it { is_expected.to be_empty }
3376 3377 3378
      end

      context 'solo owner' do
3379
        it { is_expected.to include(group) }
3380 3381

        it 'avoids N+1 queries' do
3382
          fresh_user = User.find(user.id)
3383
          control_count = ActiveRecord::QueryRecorder.new do
3384
            fresh_user.solo_owned_groups
3385 3386
          end.count

3387
          create(:group).add_owner(user)
3388

3389
          expect { solo_owned_groups }.not_to exceed_query_limit(control_count)
3390 3391 3392 3393 3394
        end
      end
    end
  end

3395 3396 3397 3398 3399 3400 3401 3402
  describe '#can_remove_self?' do
    let(:user) { create(:user) }

    it 'returns true' do
      expect(user.can_remove_self?).to eq true
    end
  end

3403
  describe "#recent_push" do
3404 3405 3406
    let(:user) { build(:user) }
    let(:project) { build(:project) }
    let(:event) { build(:push_event) }
3407

3408 3409 3410 3411
    it 'returns the last push event for the user' do
      expect_any_instance_of(Users::LastPushEventService)
        .to receive(:last_event_for_user)
        .and_return(event)
3412

3413
      expect(user.recent_push).to eq(event)
3414 3415
    end

3416 3417 3418 3419
    it 'returns the last push event for a project when one is given' do
      expect_any_instance_of(Users::LastPushEventService)
        .to receive(:last_event_for_project)
        .and_return(event)
3420

3421
      expect(user.recent_push(project)).to eq(event)
3422
    end
3423
  end
3424 3425 3426 3427

  describe '#authorized_groups' do
    let!(:user) { create(:user) }
    let!(:private_group) { create(:group) }
3428 3429 3430 3431
    let!(:child_group) { create(:group, parent: private_group) }

    let!(:project_group) { create(:group) }
    let!(:project) { create(:project, group: project_group) }
3432 3433

    before do
3434 3435
      private_group.add_user(user, Gitlab::Access::MAINTAINER)
      project.add_maintainer(user)
3436 3437
    end

3438
    subject { user.authorized_groups }
3439

3440
    it { is_expected.to contain_exactly private_group, project_group }
3441 3442 3443 3444 3445 3446 3447 3448 3449 3450

    context 'with shared memberships' do
      let!(:shared_group) { create(:group) }
      let!(:other_group) { create(:group) }

      before do
        create(:group_group_link, shared_group: shared_group, shared_with_group: private_group)
        create(:group_group_link, shared_group: private_group, shared_with_group: other_group)
      end

3451 3452
      it { is_expected.to include shared_group }
      it { is_expected.not_to include other_group }
3453
    end
3454 3455 3456 3457 3458 3459 3460 3461
  end

  describe '#membership_groups' do
    let!(:user) { create(:user) }
    let!(:parent_group) { create(:group) }
    let!(:child_group) { create(:group, parent: parent_group) }

    before do
3462
      parent_group.add_user(user, Gitlab::Access::MAINTAINER)
3463 3464 3465 3466
    end

    subject { user.membership_groups }

3467
    it { is_expected.to contain_exactly parent_group, child_group }
3468 3469
  end

3470 3471
  describe '#authorizations_for_projects' do
    let!(:user) { create(:user) }
3472

3473 3474 3475 3476
    subject { Project.where("EXISTS (?)", user.authorizations_for_projects) }

    it 'includes projects that belong to a user, but no other projects' do
      owned = create(:project, :private, namespace: user.namespace)
3477
      member = create(:project, :private).tap { |p| p.add_maintainer(user) }
3478 3479 3480 3481 3482 3483 3484 3485 3486 3487 3488 3489 3490 3491 3492 3493 3494
      other = create(:project)

      expect(subject).to include(owned)
      expect(subject).to include(member)
      expect(subject).not_to include(other)
    end

    it 'includes projects a user has access to, but no other projects' do
      other_user = create(:user)
      accessible = create(:project, :private, namespace: other_user.namespace) do |project|
        project.add_developer(user)
      end
      other = create(:project)

      expect(subject).to include(accessible)
      expect(subject).not_to include(other)
    end
3495 3496 3497 3498 3499 3500 3501 3502 3503 3504 3505 3506 3507 3508 3509 3510 3511 3512 3513 3514 3515 3516 3517 3518 3519 3520 3521

    context 'with min_access_level' do
      let!(:user) { create(:user) }
      let!(:project) { create(:project, :private, namespace: user.namespace) }

      before do
        project.add_developer(user)
      end

      subject { Project.where("EXISTS (?)", user.authorizations_for_projects(min_access_level: min_access_level)) }

      context 'when developer access' do
        let(:min_access_level) { Gitlab::Access::DEVELOPER }

        it 'includes projects a user has access to' do
          expect(subject).to include(project)
        end
      end

      context 'when owner access' do
        let(:min_access_level) { Gitlab::Access::OWNER }

        it 'does not include projects with higher access level' do
          expect(subject).not_to include(project)
        end
      end
    end
3522 3523
  end

3524
  describe '#authorized_projects', :delete do
3525 3526 3527
    context 'with a minimum access level' do
      it 'includes projects for which the user is an owner' do
        user = create(:user)
3528
        project = create(:project, :private, namespace: user.namespace)
3529

3530 3531
        expect(user.authorized_projects(Gitlab::Access::REPORTER))
          .to contain_exactly(project)
3532
      end
3533

3534
      it 'includes projects for which the user is a maintainer' do
3535
        user = create(:user)
3536
        project = create(:project, :private)
3537

3538
        project.add_maintainer(user)
3539

3540 3541
        expect(user.authorized_projects(Gitlab::Access::REPORTER))
          .to contain_exactly(project)
3542 3543
      end
    end
3544 3545 3546

    it "includes user's personal projects" do
      user    = create(:user)
3547
      project = create(:project, :private, namespace: user.namespace)
3548 3549 3550 3551 3552 3553 3554

      expect(user.authorized_projects).to include(project)
    end

    it "includes personal projects user has been given access to" do
      user1   = create(:user)
      user2   = create(:user)
3555
      project = create(:project, :private, namespace: user1.namespace)
3556

3557
      project.add_developer(user2)
3558 3559 3560 3561 3562 3563

      expect(user2.authorized_projects).to include(project)
    end

    it "includes projects of groups user has been added to" do
      group   = create(:group)
3564
      project = create(:project, group: group)
3565 3566 3567 3568 3569 3570 3571 3572 3573
      user    = create(:user)

      group.add_developer(user)

      expect(user.authorized_projects).to include(project)
    end

    it "does not include projects of groups user has been removed from" do
      group   = create(:group)
3574
      project = create(:project, group: group)
3575 3576 3577
      user    = create(:user)

      member = group.add_developer(user)
3578

3579 3580
      expect(user.authorized_projects).to include(project)

3581
      member.destroy!
3582

3583 3584 3585 3586 3587
      expect(user.authorized_projects).not_to include(project)
    end

    it "includes projects shared with user's group" do
      user    = create(:user)
3588
      project = create(:project, :private)
3589 3590 3591 3592
      group   = create(:group) do |group|
        group.add_reporter(user)
      end
      create(:project_group_link, group: group, project: project)
3593 3594 3595 3596 3597 3598 3599

      expect(user.authorized_projects).to include(project)
    end

    it "does not include destroyed projects user had access to" do
      user1   = create(:user)
      user2   = create(:user)
3600
      project = create(:project, :private, namespace: user1.namespace)
3601

3602
      project.add_developer(user2)
3603

3604 3605
      expect(user2.authorized_projects).to include(project)

3606
      project.destroy!
3607

3608 3609 3610 3611 3612
      expect(user2.authorized_projects).not_to include(project)
    end

    it "does not include projects of destroyed groups user had access to" do
      group   = create(:group)
3613
      project = create(:project, namespace: group)
3614 3615 3616
      user    = create(:user)

      group.add_developer(user)
3617

3618 3619
      expect(user.authorized_projects).to include(project)

3620
      group.destroy!
3621

3622 3623
      expect(user.authorized_projects).not_to include(project)
    end
3624
  end
3625

3626 3627 3628 3629
  describe '#projects_where_can_admin_issues' do
    let(:user) { create(:user) }

    it 'includes projects for which the user access level is above or equal to reporter' do
3630 3631
      reporter_project  = create(:project) { |p| p.add_reporter(user) }
      developer_project = create(:project) { |p| p.add_developer(user) }
3632
      maintainer_project = create(:project) { |p| p.add_maintainer(user) }
3633

3634 3635
      expect(user.projects_where_can_admin_issues.to_a).to match_array([maintainer_project, developer_project, reporter_project])
      expect(user.can?(:admin_issue, maintainer_project)).to eq(true)
3636 3637 3638 3639 3640
      expect(user.can?(:admin_issue, developer_project)).to eq(true)
      expect(user.can?(:admin_issue, reporter_project)).to eq(true)
    end

    it 'does not include for which the user access level is below reporter' do
3641 3642
      project = create(:project)
      guest_project = create(:project) { |p| p.add_guest(user) }
3643 3644 3645 3646 3647 3648 3649

      expect(user.projects_where_can_admin_issues.to_a).to be_empty
      expect(user.can?(:admin_issue, guest_project)).to eq(false)
      expect(user.can?(:admin_issue, project)).to eq(false)
    end

    it 'does not include archived projects' do
3650
      project = create(:project, :archived)
3651 3652 3653 3654 3655 3656

      expect(user.projects_where_can_admin_issues.to_a).to be_empty
      expect(user.can?(:admin_issue, project)).to eq(false)
    end

    it 'does not include projects for which issues are disabled' do
3657
      project = create(:project, :issues_disabled)
3658 3659 3660 3661 3662 3663

      expect(user.projects_where_can_admin_issues.to_a).to be_empty
      expect(user.can?(:admin_issue, project)).to eq(false)
    end
  end

3664
  describe '#ci_owned_runners' do
3665 3666
    let(:user) { create(:user) }

3667 3668 3669 3670 3671 3672 3673 3674 3675
    shared_examples :nested_groups_owner do
      context 'when the user is the owner of a multi-level group' do
        before do
          set_permissions_for_users
        end

        it 'loads all the runners in the tree of groups' do
          expect(user.ci_owned_runners).to contain_exactly(runner, group_runner)
        end
3676 3677 3678
      end
    end

3679 3680 3681 3682 3683
    shared_examples :group_owner do
      context 'when the user is the owner of a one level group' do
        before do
          group.add_owner(user)
        end
3684

3685 3686 3687
        it 'loads the runners in the group' do
          expect(user.ci_owned_runners).to contain_exactly(group_runner)
        end
3688 3689 3690
      end
    end

3691 3692 3693 3694
    shared_examples :project_owner do
      context 'when the user is the owner of a project' do
        it 'loads the runner belonging to the project' do
          expect(user.ci_owned_runners).to contain_exactly(runner)
3695 3696
        end
      end
3697
    end
3698

3699 3700 3701 3702 3703 3704 3705 3706 3707
    shared_examples :project_member do
      context 'when the user is a maintainer' do
        before do
          add_user(:maintainer)
        end

        it 'loads the runners of the project' do
          expect(user.ci_owned_runners).to contain_exactly(project_runner)
        end
3708 3709
      end

3710 3711 3712 3713
      context 'when the user is a developer' do
        before do
          add_user(:developer)
        end
3714

3715 3716
        it 'does not load any runner' do
          expect(user.ci_owned_runners).to be_empty
3717 3718 3719
        end
      end

3720 3721 3722 3723 3724 3725 3726 3727 3728 3729 3730 3731 3732 3733 3734 3735 3736 3737
      context 'when the user is a reporter' do
        before do
          add_user(:reporter)
        end

        it 'does not load any runner' do
          expect(user.ci_owned_runners).to be_empty
        end
      end

      context 'when the user is a guest' do
        before do
          add_user(:guest)
        end

        it 'does not load any runner' do
          expect(user.ci_owned_runners).to be_empty
        end
3738 3739 3740
      end
    end

3741
    shared_examples :group_member do
3742
      context 'when the user is a maintainer' do
3743
        before do
3744
          add_user(:maintainer)
3745
        end
3746

3747
        it 'does not load the runners of the group' do
3748
          expect(user.ci_owned_runners).to be_empty
3749
        end
3750 3751
      end

3752
      context 'when the user is a developer' do
3753
        before do
3754
          add_user(:developer)
3755
        end
3756

3757
        it 'does not load any runner' do
3758
          expect(user.ci_owned_runners).to be_empty
3759
        end
3760 3761
      end

3762
      context 'when the user is a reporter' do
3763
        before do
3764
          add_user(:reporter)
3765 3766
        end

3767 3768
        it 'does not load any runner' do
          expect(user.ci_owned_runners).to be_empty
3769 3770 3771
        end
      end

3772 3773 3774 3775 3776 3777 3778 3779 3780
      context 'when the user is a guest' do
        before do
          add_user(:guest)
        end

        it 'does not load any runner' do
          expect(user.ci_owned_runners).to be_empty
        end
      end
3781 3782
    end

3783 3784 3785 3786 3787 3788 3789 3790 3791 3792 3793 3794 3795 3796 3797 3798 3799
    context 'without any projects nor groups' do
      it 'does not load any runner' do
        expect(user.ci_owned_runners).to be_empty
      end
    end

    context 'with runner in a personal project' do
      let!(:namespace) { create(:namespace, owner: user) }
      let!(:project) { create(:project, namespace: namespace) }
      let!(:runner) { create(:ci_runner, :project, projects: [project]) }

      it_behaves_like :project_owner
    end

    context 'with group runner in a non owned group' do
      let!(:group) { create(:group) }
      let!(:runner) { create(:ci_runner, :group, groups: [group]) }
3800 3801 3802 3803 3804

      def add_user(access)
        group.add_user(user, access)
      end

3805
      it_behaves_like :group_member
3806 3807
    end

3808 3809 3810 3811 3812 3813 3814 3815 3816
    context 'with group runner in an owned group' do
      let!(:group) { create(:group) }
      let!(:group_runner) { create(:ci_runner, :group, groups: [group]) }

      it_behaves_like :group_owner
    end

    context 'with group runner in an owned group and group runner in a different owner subgroup' do
      let!(:group) { create(:group) }
3817
      let!(:runner) { create(:ci_runner, :group, groups: [group]) }
3818 3819 3820 3821 3822 3823 3824 3825 3826 3827 3828 3829 3830
      let!(:subgroup) { create(:group, parent: group) }
      let!(:group_runner) { create(:ci_runner, :group, groups: [subgroup]) }
      let!(:another_user) { create(:user) }

      def set_permissions_for_users
        group.add_owner(user)
        subgroup.add_owner(another_user)
      end

      it_behaves_like :nested_groups_owner
    end

    context 'with personal project runner in an an owned group and a group runner in that same group' do
3831
      let!(:group) { create(:group) }
3832 3833 3834
      let!(:group_runner) { create(:ci_runner, :group, groups: [group]) }
      let!(:project) { create(:project, group: group) }
      let!(:runner) { create(:ci_runner, :project, projects: [project]) }
3835

3836 3837
      def set_permissions_for_users
        group.add_owner(user)
3838 3839
      end

3840
      it_behaves_like :nested_groups_owner
3841 3842
    end

3843 3844 3845 3846 3847 3848 3849 3850 3851 3852 3853 3854 3855 3856 3857 3858 3859 3860 3861 3862 3863 3864 3865 3866 3867 3868 3869 3870 3871 3872 3873 3874 3875 3876 3877 3878 3879 3880 3881 3882 3883 3884 3885 3886 3887 3888 3889
    context 'with personal project runner in an owned group and a group runner in a subgroup' do
      let!(:group) { create(:group) }
      let!(:subgroup) { create(:group, parent: group) }
      let!(:group_runner) { create(:ci_runner, :group, groups: [subgroup]) }
      let!(:project) { create(:project, group: group) }
      let!(:runner) { create(:ci_runner, :project, projects: [project]) }

      def set_permissions_for_users
        group.add_owner(user)
      end

      it_behaves_like :nested_groups_owner
    end

    context 'with personal project runner in an owned group in an owned namespace and a group runner in that group' do
      let!(:namespace) { create(:namespace, owner: user) }
      let!(:group) { create(:group) }
      let!(:group_runner) { create(:ci_runner, :group, groups: [group]) }
      let!(:project) { create(:project, namespace: namespace, group: group) }
      let!(:runner) { create(:ci_runner, :project, projects: [project]) }

      def set_permissions_for_users
        group.add_owner(user)
      end

      it_behaves_like :nested_groups_owner
    end

    context 'with personal project runner in an owned namespace, an owned group, a subgroup and a group runner in that subgroup' do
      let!(:namespace) { create(:namespace, owner: user) }
      let!(:group) { create(:group) }
      let!(:subgroup) { create(:group, parent: group) }
      let!(:group_runner) { create(:ci_runner, :group, groups: [subgroup]) }
      let!(:project) { create(:project, namespace: namespace, group: group) }
      let!(:runner) { create(:ci_runner, :project, projects: [project]) }

      def set_permissions_for_users
        group.add_owner(user)
      end

      it_behaves_like :nested_groups_owner
    end

    context 'with a project runner that belong to projects that belong to a not owned group' do
      let!(:group) { create(:group) }
      let!(:project) { create(:project, group: group) }
      let!(:project_runner) { create(:ci_runner, :project, projects: [project]) }
3890

Lin Jen-Shin's avatar
Lin Jen-Shin committed
3891
      def add_user(access)
3892
        project.add_user(user, access)
3893 3894
      end

3895
      it_behaves_like :project_member
3896
    end
3897

3898 3899 3900 3901 3902 3903 3904 3905 3906 3907 3908 3909 3910 3911
    context 'with project runners that belong to projects that do not belong to any group' do
      let!(:project) { create(:project) }
      let!(:runner) { create(:ci_runner, :project, projects: [project]) }

      it 'does not load any runner' do
        expect(user.ci_owned_runners).to be_empty
      end
    end

    context 'with a group runner that belongs to a subgroup of a group owned by another user' do
      let!(:group) { create(:group) }
      let!(:subgroup) { create(:group, parent: group) }
      let!(:runner) { create(:ci_runner, :group, groups: [subgroup]) }
      let!(:another_user) { create(:user) }
3912 3913

      def add_user(access)
3914
        subgroup.add_user(user, access)
3915 3916 3917
        group.add_user(another_user, :owner)
      end

3918
      it_behaves_like :group_member
3919
    end
3920 3921
  end

3922
  describe '#projects_with_reporter_access_limited_to' do
3923 3924
    let(:project1) { create(:project) }
    let(:project2) { create(:project) }
3925 3926 3927
    let(:user) { create(:user) }

    before do
3928 3929
      project1.add_reporter(user)
      project2.add_guest(user)
3930 3931 3932 3933 3934 3935 3936 3937 3938 3939 3940 3941 3942 3943 3944
    end

    it 'returns the projects when using a single project ID' do
      projects = user.projects_with_reporter_access_limited_to(project1.id)

      expect(projects).to eq([project1])
    end

    it 'returns the projects when using an Array of project IDs' do
      projects = user.projects_with_reporter_access_limited_to([project1.id])

      expect(projects).to eq([project1])
    end

    it 'returns the projects when using an ActiveRecord relation' do
3945 3946
      projects = user
        .projects_with_reporter_access_limited_to(Project.select(:id))
3947 3948 3949 3950 3951 3952 3953 3954 3955 3956

      expect(projects).to eq([project1])
    end

    it 'does not return projects you do not have reporter access to' do
      projects = user.projects_with_reporter_access_limited_to(project2.id)

      expect(projects).to be_empty
    end
  end
3957

3958 3959
  describe '#all_expanded_groups' do
    # foo/bar would also match foo/barbaz instead of just foo/bar and foo/bar/baz
3960 3961
    let!(:user) { create(:user) }

3962 3963 3964 3965 3966 3967 3968 3969 3970 3971 3972 3973 3974 3975 3976 3977
    #                group
    #        _______ (foo) _______
    #       |                     |
    #       |                     |
    # nested_group_1        nested_group_2
    # (bar)                 (barbaz)
    #       |                     |
    #       |                     |
    # nested_group_1_1      nested_group_2_1
    # (baz)                 (baz)
    #
    let!(:group) { create :group }
    let!(:nested_group_1) { create :group, parent: group, name: 'bar' }
    let!(:nested_group_1_1) { create :group, parent: nested_group_1, name: 'baz' }
    let!(:nested_group_2) { create :group, parent: group, name: 'barbaz' }
    let!(:nested_group_2_1) { create :group, parent: nested_group_2, name: 'baz' }
3978

3979 3980 3981 3982 3983 3984
    subject { user.all_expanded_groups }

    context 'user is not a member of any group' do
      it 'returns an empty array' do
        is_expected.to eq([])
      end
3985 3986
    end

3987 3988
    context 'user is member of all groups' do
      before do
3989 3990 3991 3992 3993
        group.add_reporter(user)
        nested_group_1.add_developer(user)
        nested_group_1_1.add_maintainer(user)
        nested_group_2.add_developer(user)
        nested_group_2_1.add_maintainer(user)
3994
      end
3995

3996 3997 3998 3999 4000 4001 4002 4003
      it 'returns all groups' do
        is_expected.to match_array [
          group,
          nested_group_1, nested_group_1_1,
          nested_group_2, nested_group_2_1
        ]
      end
    end
4004

4005
    context 'user is member of the top group' do
4006 4007 4008
      before do
        group.add_owner(user)
      end
4009

4010 4011 4012 4013 4014 4015
      it 'returns all groups' do
        is_expected.to match_array [
          group,
          nested_group_1, nested_group_1_1,
          nested_group_2, nested_group_2_1
        ]
4016 4017
      end
    end
4018

4019
    context 'user is member of the first child (internal node), branch 1' do
4020 4021 4022
      before do
        nested_group_1.add_owner(user)
      end
4023

4024 4025 4026 4027 4028 4029 4030 4031
      it 'returns the groups in the hierarchy' do
        is_expected.to match_array [
          group,
          nested_group_1, nested_group_1_1
        ]
      end
    end

4032
    context 'user is member of the first child (internal node), branch 2' do
4033 4034 4035
      before do
        nested_group_2.add_owner(user)
      end
4036

4037 4038 4039 4040 4041 4042
      it 'returns the groups in the hierarchy' do
        is_expected.to match_array [
          group,
          nested_group_2, nested_group_2_1
        ]
      end
4043 4044
    end

4045
    context 'user is member of the last child (leaf node)' do
4046 4047 4048
      before do
        nested_group_1_1.add_owner(user)
      end
4049 4050 4051 4052 4053 4054 4055 4056

      it 'returns the groups in the hierarchy' do
        is_expected.to match_array [
          group,
          nested_group_1, nested_group_1_1
        ]
      end
    end
4057 4058 4059 4060 4061 4062 4063 4064

    context 'when the user is not saved' do
      let(:user) { build(:user) }

      it 'returns empty when there are no groups or ancestor groups for the user' do
        is_expected.to eq([])
      end
    end
4065 4066
  end

4067
  describe '#refresh_authorized_projects', :clean_gitlab_redis_shared_state do
4068 4069
    let(:project1) { create(:project) }
    let(:project2) { create(:project) }
4070 4071 4072
    let(:user) { create(:user) }

    before do
4073 4074
      project1.add_reporter(user)
      project2.add_guest(user)
4075 4076 4077 4078 4079 4080 4081 4082 4083 4084 4085 4086 4087 4088

      user.project_authorizations.delete_all
      user.refresh_authorized_projects
    end

    it 'refreshes the list of authorized projects' do
      expect(user.project_authorizations.count).to eq(2)
    end

    it 'stores the correct access levels' do
      expect(user.project_authorizations.where(access_level: Gitlab::Access::GUEST).exists?).to eq(true)
      expect(user.project_authorizations.where(access_level: Gitlab::Access::REPORTER).exists?).to eq(true)
    end
  end
Douwe Maan's avatar
Douwe Maan committed
4089 4090 4091 4092 4093 4094 4095 4096 4097 4098 4099 4100 4101 4102 4103 4104 4105 4106 4107 4108 4109 4110 4111 4112 4113 4114 4115 4116 4117 4118 4119 4120 4121

  describe '#access_level=' do
    let(:user) { build(:user) }

    it 'does nothing for an invalid access level' do
      user.access_level = :invalid_access_level

      expect(user.access_level).to eq(:regular)
      expect(user.admin).to be false
    end

    it "assigns the 'admin' access level" do
      user.access_level = :admin

      expect(user.access_level).to eq(:admin)
      expect(user.admin).to be true
    end

    it "doesn't clear existing access levels when an invalid access level is passed in" do
      user.access_level = :admin
      user.access_level = :invalid_access_level

      expect(user.access_level).to eq(:admin)
      expect(user.admin).to be true
    end

    it "accepts string values in addition to symbols" do
      user.access_level = 'admin'

      expect(user.access_level).to eq(:admin)
      expect(user.admin).to be true
    end
  end
4122

4123
  describe '#can_read_all_resources?', :request_store do
4124
    it 'returns false for regular user' do
4125
      user = build_stubbed(:user)
4126

4127
      expect(user.can_read_all_resources?).to be_falsy
4128 4129
    end

4130 4131
    context 'for admin user' do
      include_context 'custom session'
4132

4133
      let(:user) { build_stubbed(:user, :admin) }
4134 4135 4136

      context 'when admin mode is disabled' do
        it 'returns false' do
4137
          expect(user.can_read_all_resources?).to be_falsy
4138 4139 4140 4141 4142
        end
      end

      context 'when admin mode is enabled' do
        before do
4143
          Gitlab::Auth::CurrentUserMode.new(user).request_admin_mode!
4144 4145 4146 4147
          Gitlab::Auth::CurrentUserMode.new(user).enable_admin_mode!(password: user.password)
        end

        it 'returns true' do
4148
          expect(user.can_read_all_resources?).to be_truthy
4149 4150
        end
      end
4151 4152 4153
    end
  end

4154 4155 4156 4157 4158 4159 4160 4161 4162 4163 4164 4165 4166 4167 4168 4169 4170 4171 4172 4173 4174 4175 4176 4177 4178 4179 4180 4181 4182 4183 4184
  describe '#can_admin_all_resources?', :request_store do
    it 'returns false for regular user' do
      user = build_stubbed(:user)

      expect(user.can_admin_all_resources?).to be_falsy
    end

    context 'for admin user' do
      include_context 'custom session'

      let(:user) { build_stubbed(:user, :admin) }

      context 'when admin mode is disabled' do
        it 'returns false' do
          expect(user.can_admin_all_resources?).to be_falsy
        end
      end

      context 'when admin mode is enabled' do
        before do
          Gitlab::Auth::CurrentUserMode.new(user).request_admin_mode!
          Gitlab::Auth::CurrentUserMode.new(user).enable_admin_mode!(password: user.password)
        end

        it 'returns true' do
          expect(user.can_admin_all_resources?).to be_truthy
        end
      end
    end
  end

4185 4186
  describe '.ghost' do
    it "creates a ghost user if one isn't already present" do
4187
      ghost = described_class.ghost
4188 4189 4190

      expect(ghost).to be_ghost
      expect(ghost).to be_persisted
4191 4192
      expect(ghost.namespace).not_to be_nil
      expect(ghost.namespace).to be_persisted
4193
      expect(ghost.user_type).to eq 'ghost'
4194 4195 4196 4197
    end

    it "does not create a second ghost user if one is already present" do
      expect do
4198 4199 4200 4201
        described_class.ghost
        described_class.ghost
      end.to change { described_class.count }.by(1)
      expect(described_class.ghost).to eq(described_class.ghost)
4202 4203 4204 4205 4206
    end

    context "when a regular user exists with the username 'ghost'" do
      it "creates a ghost user with a non-conflicting username" do
        create(:user, username: 'ghost')
4207
        ghost = described_class.ghost
4208 4209

        expect(ghost).to be_persisted
4210
        expect(ghost.username).to eq('ghost1')
4211 4212 4213 4214 4215 4216
      end
    end

    context "when a regular user exists with the email 'ghost@example.com'" do
      it "creates a ghost user with a non-conflicting email" do
        create(:user, email: 'ghost@example.com')
4217
        ghost = described_class.ghost
4218 4219

        expect(ghost).to be_persisted
4220
        expect(ghost.email).to eq('ghost1@example.com')
4221 4222
      end
    end
4223

4224
    context 'when a domain allowlist is in place' do
4225
      before do
4226
        stub_application_setting(domain_allowlist: ['gitlab.com'])
4227 4228 4229
      end

      it 'creates a ghost user' do
4230
        expect(described_class.ghost).to be_persisted
4231 4232
      end
    end
4233
  end
4234 4235 4236 4237 4238 4239 4240 4241 4242 4243 4244 4245 4246 4247 4248 4249

  describe '#update_two_factor_requirement' do
    let(:user) { create :user }

    context 'with 2FA requirement on groups' do
      let(:group1) { create :group, require_two_factor_authentication: true, two_factor_grace_period: 23 }
      let(:group2) { create :group, require_two_factor_authentication: true, two_factor_grace_period: 32 }

      before do
        group1.add_user(user, GroupMember::OWNER)
        group2.add_user(user, GroupMember::OWNER)

        user.update_two_factor_requirement
      end

      it 'requires 2FA' do
4250
        expect(user.require_two_factor_authentication_from_group).to be true
4251 4252 4253 4254 4255 4256 4257
      end

      it 'uses the shortest grace period' do
        expect(user.two_factor_grace_period).to be 23
      end
    end

4258
    context 'with 2FA requirement from expanded groups' do
4259
      let!(:group1) { create :group, require_two_factor_authentication: true }
4260
      let!(:group1a) { create :group, parent: group1 }
4261 4262 4263 4264 4265 4266 4267 4268

      before do
        group1a.add_user(user, GroupMember::OWNER)

        user.update_two_factor_requirement
      end

      it 'requires 2FA' do
4269
        expect(user.require_two_factor_authentication_from_group).to be true
4270 4271 4272
      end
    end

4273
    context 'with 2FA requirement on nested child group' do
4274 4275 4276 4277 4278 4279 4280 4281 4282 4283
      let!(:group1) { create :group, require_two_factor_authentication: false }
      let!(:group1a) { create :group, require_two_factor_authentication: true, parent: group1 }

      before do
        group1.add_user(user, GroupMember::OWNER)

        user.update_two_factor_requirement
      end

      it 'requires 2FA' do
4284
        expect(user.require_two_factor_authentication_from_group).to be true
4285 4286 4287
      end
    end

4288 4289 4290 4291 4292 4293 4294 4295 4296 4297 4298 4299 4300 4301 4302 4303 4304 4305 4306 4307 4308
    context "with 2FA requirement from shared project's group" do
      let!(:group1) { create :group, require_two_factor_authentication: true }
      let!(:group2) { create :group }
      let(:shared_project) { create(:project, namespace: group1) }

      before do
        shared_project.project_group_links.create!(
          group: group2,
          group_access: ProjectGroupLink.default_access
        )

        group2.add_user(user, GroupMember::OWNER)
      end

      it 'does not require 2FA' do
        user.update_two_factor_requirement

        expect(user.require_two_factor_authentication_from_group).to be false
      end
    end

4309 4310 4311 4312 4313 4314 4315 4316 4317 4318
    context 'without 2FA requirement on groups' do
      let(:group) { create :group }

      before do
        group.add_user(user, GroupMember::OWNER)

        user.update_two_factor_requirement
      end

      it 'does not require 2FA' do
4319
        expect(user.require_two_factor_authentication_from_group).to be false
4320 4321 4322 4323 4324 4325
      end

      it 'falls back to the default grace period' do
        expect(user.two_factor_grace_period).to be 48
      end
    end
4326 4327 4328 4329 4330 4331 4332 4333

    context 'when the user is not saved' do
      let(:user) { build(:user) }

      it 'does not raise an ActiveRecord::StatementInvalid statement exception' do
        expect { user.update_two_factor_requirement }.not_to raise_error
      end
    end
4334
  end
James Lopez's avatar
James Lopez committed
4335

4336 4337
  describe '#source_groups_of_two_factor_authentication_requirement' do
    let_it_be(:group_not_requiring_2FA) { create :group }
4338

4339 4340 4341 4342 4343 4344 4345 4346 4347 4348 4349 4350 4351 4352 4353 4354 4355 4356 4357 4358 4359 4360 4361 4362 4363 4364 4365 4366 4367 4368 4369 4370 4371 4372
    let(:user) { create :user }

    before do
      group.add_user(user, GroupMember::OWNER)
      group_not_requiring_2FA.add_user(user, GroupMember::OWNER)
    end

    context 'when user is direct member of group requiring 2FA' do
      let_it_be(:group) { create :group, require_two_factor_authentication: true }

      it 'returns group requiring 2FA' do
        expect(user.source_groups_of_two_factor_authentication_requirement).to contain_exactly(group)
      end
    end

    context 'when user is member of group which parent requires 2FA' do
      let_it_be(:parent_group) { create :group, require_two_factor_authentication: true }
      let_it_be(:group) { create :group, parent: parent_group }

      it 'returns group requiring 2FA' do
        expect(user.source_groups_of_two_factor_authentication_requirement).to contain_exactly(group)
      end
    end

    context 'when user is member of group which child requires 2FA' do
      let_it_be(:group) { create :group }
      let_it_be(:child_group) { create :group, require_two_factor_authentication: true, parent: group }

      it 'returns group requiring 2FA' do
        expect(user.source_groups_of_two_factor_authentication_requirement).to contain_exactly(group)
      end
    end
  end

Ryan Cobb's avatar
Ryan Cobb committed
4373
  describe '.active' do
James Lopez's avatar
James Lopez committed
4374
    before do
4375
      described_class.ghost
James Lopez's avatar
James Lopez committed
4376 4377 4378 4379 4380
      create(:user, name: 'user', state: 'active')
      create(:user, name: 'user', state: 'blocked')
    end

    it 'only counts active and non internal users' do
4381
      expect(described_class.active.count).to eq(1)
James Lopez's avatar
James Lopez committed
4382 4383
    end
  end
4384 4385 4386 4387 4388 4389 4390 4391

  describe 'preferred language' do
    it 'is English by default' do
      user = create(:user)

      expect(user.preferred_language).to eq('en')
    end
  end
4392

Ryan Cobb's avatar
Ryan Cobb committed
4393
  describe '#invalidate_issue_cache_counts' do
4394
    let(:user) { build_stubbed(:user) }
4395

4396 4397
    it 'invalidates cache for issue counter' do
      cache_mock = double
4398

4399
      expect(cache_mock).to receive(:delete).with(['users', user.id, 'assigned_open_issues_count'])
4400

4401
      allow(Rails).to receive(:cache).and_return(cache_mock)
4402

4403
      user.invalidate_issue_cache_counts
4404 4405 4406
    end
  end

Ryan Cobb's avatar
Ryan Cobb committed
4407
  describe '#invalidate_merge_request_cache_counts' do
4408 4409 4410 4411 4412 4413
    let(:user) { build_stubbed(:user) }

    it 'invalidates cache for Merge Request counter' do
      cache_mock = double

      expect(cache_mock).to receive(:delete).with(['users', user.id, 'assigned_open_merge_requests_count'])
4414
      expect(cache_mock).to receive(:delete).with(['users', user.id, 'review_requested_open_merge_requests_count'])
4415 4416 4417 4418 4419 4420

      allow(Rails).to receive(:cache).and_return(cache_mock)

      user.invalidate_merge_request_cache_counts
    end
  end
4421

Ryan Cobb's avatar
Ryan Cobb committed
4422
  describe '#invalidate_personal_projects_count' do
4423 4424 4425 4426 4427 4428 4429 4430 4431 4432 4433 4434 4435
    let(:user) { build_stubbed(:user) }

    it 'invalidates cache for personal projects counter' do
      cache_mock = double

      expect(cache_mock).to receive(:delete).with(['users', user.id, 'personal_projects_count'])

      allow(Rails).to receive(:cache).and_return(cache_mock)

      user.invalidate_personal_projects_count
    end
  end

4436
  describe '#allow_password_authentication_for_web?' do
4437 4438 4439
    context 'regular user' do
      let(:user) { build(:user) }

4440 4441
      it 'returns true when password authentication is enabled for the web interface' do
        expect(user.allow_password_authentication_for_web?).to be_truthy
4442 4443
      end

4444 4445
      it 'returns false when password authentication is disabled for the web interface' do
        stub_application_setting(password_authentication_enabled_for_web: false)
4446

4447
        expect(user.allow_password_authentication_for_web?).to be_falsey
4448 4449 4450 4451 4452 4453
      end
    end

    it 'returns false for ldap user' do
      user = create(:omniauth_user, provider: 'ldapmain')

4454 4455 4456 4457 4458 4459 4460 4461 4462 4463 4464 4465 4466 4467 4468 4469 4470 4471 4472 4473 4474 4475 4476
      expect(user.allow_password_authentication_for_web?).to be_falsey
    end
  end

  describe '#allow_password_authentication_for_git?' do
    context 'regular user' do
      let(:user) { build(:user) }

      it 'returns true when password authentication is enabled for Git' do
        expect(user.allow_password_authentication_for_git?).to be_truthy
      end

      it 'returns false when password authentication is disabled Git' do
        stub_application_setting(password_authentication_enabled_for_git: false)

        expect(user.allow_password_authentication_for_git?).to be_falsey
      end
    end

    it 'returns false for ldap user' do
      user = create(:omniauth_user, provider: 'ldapmain')

      expect(user.allow_password_authentication_for_git?).to be_falsey
4477 4478
    end
  end
4479

4480 4481 4482 4483 4484 4485
  describe '#assigned_open_merge_requests_count' do
    it 'returns number of open merge requests from non-archived projects' do
      user    = create(:user)
      project = create(:project, :public)
      archived_project = create(:project, :public, :archived)

4486 4487 4488
      create(:merge_request, source_project: project, author: user, assignees: [user])
      create(:merge_request, :closed, source_project: project, author: user, assignees: [user])
      create(:merge_request, source_project: archived_project, author: user, assignees: [user])
4489 4490 4491 4492 4493

      expect(user.assigned_open_merge_requests_count(force: true)).to eq 1
    end
  end

4494 4495 4496 4497 4498 4499 4500 4501 4502 4503 4504 4505 4506 4507
  describe '#review_requested_open_merge_requests_count' do
    it 'returns number of open merge requests from non-archived projects' do
      user    = create(:user)
      project = create(:project, :public)
      archived_project = create(:project, :public, :archived)

      create(:merge_request, source_project: project, author: user, reviewers: [user])
      create(:merge_request, :closed, source_project: project, author: user, reviewers: [user])
      create(:merge_request, source_project: archived_project, author: user, reviewers: [user])

      expect(user.review_requested_open_merge_requests_count(force: true)).to eq 1
    end
  end

4508 4509 4510 4511 4512 4513 4514 4515 4516 4517 4518 4519 4520 4521
  describe '#assigned_open_issues_count' do
    it 'returns number of open issues from non-archived projects' do
      user    = create(:user)
      project = create(:project, :public)
      archived_project = create(:project, :public, :archived)

      create(:issue, project: project, author: user, assignees: [user])
      create(:issue, :closed, project: project, author: user, assignees: [user])
      create(:issue, project: archived_project, author: user, assignees: [user])

      expect(user.assigned_open_issues_count(force: true)).to eq 1
    end
  end

4522 4523 4524 4525 4526
  describe '#personal_projects_count' do
    it 'returns the number of personal projects using a single query' do
      user = build(:user)
      projects = double(:projects, count: 1)

4527
      expect(user).to receive(:personal_projects).and_return(projects)
4528

4529
      expect(user.personal_projects_count).to eq(1)
4530 4531 4532 4533 4534 4535 4536 4537 4538 4539 4540 4541 4542
    end
  end

  describe '#projects_limit_left' do
    it 'returns the number of projects that can be created by the user' do
      user = build(:user)

      allow(user).to receive(:projects_limit).and_return(10)
      allow(user).to receive(:personal_projects_count).and_return(5)

      expect(user.projects_limit_left).to eq(5)
    end
  end
4543 4544 4545 4546 4547 4548 4549

  describe '#ensure_namespace_correct' do
    context 'for a new user' do
      let(:user) { build(:user) }

      it 'creates the namespace' do
        expect(user.namespace).to be_nil
4550

4551
        user.save!
4552

4553 4554
        expect(user.namespace).not_to be_nil
      end
4555 4556 4557 4558 4559 4560

      it 'creates the namespace setting' do
        user.save!

        expect(user.namespace.namespace_settings).to be_persisted
      end
4561 4562 4563 4564 4565 4566 4567
    end

    context 'for an existing user' do
      let(:username) { 'foo' }
      let(:user) { create(:user, username: username) }

      context 'when the user is updated' do
4568
        context 'when the username or name is changed' do
4569 4570 4571 4572
          let(:new_username) { 'bar' }

          it 'changes the namespace (just to compare to when username is not changed)' do
            expect do
4573
              travel_to(1.second.from_now) do
4574
                user.update!(username: new_username)
4575
              end
4576 4577 4578
            end.to change { user.namespace.updated_at }
          end

4579
          it 'updates the namespace path when the username was changed' do
Lin Jen-Shin's avatar
Lin Jen-Shin committed
4580
            user.update!(username: new_username)
4581

4582
            expect(user.namespace.path).to eq(new_username)
4583 4584
          end

4585 4586
          it 'updates the namespace name if the name was changed' do
            user.update!(name: 'New name')
4587

4588 4589 4590 4591 4592 4593 4594 4595 4596
            expect(user.namespace.name).to eq('New name')
          end

          it 'updates nested routes for the namespace if the name was changed' do
            project = create(:project, namespace: user.namespace)

            user.update!(name: 'New name')

            expect(project.route.reload.name).to include('New name')
4597 4598 4599
          end

          context 'when there is a validation error (namespace name taken) while updating namespace' do
4600
            let!(:conflicting_namespace) { create(:group, path: new_username) }
4601

4602
            it 'causes the user save to fail' do
Lin Jen-Shin's avatar
Lin Jen-Shin committed
4603
              expect(user.update(username: new_username)).to be_falsey
4604
              expect(user.namespace.errors.messages[:path].first).to eq(_('has already been taken'))
4605
            end
4606 4607

            it 'adds the namespace errors to the user' do
4608
              user.username = new_username
4609

4610 4611
              expect(user).to be_invalid
              expect(user.errors[:base]).to include('A user, alias, or group already exists with that username.')
4612
            end
4613 4614 4615 4616 4617 4618
          end
        end

        context 'when the username is not changed' do
          it 'does not change the namespace' do
            expect do
Lin Jen-Shin's avatar
Lin Jen-Shin committed
4619
              user.update!(email: 'asdf@asdf.com')
4620 4621 4622 4623 4624 4625
            end.not_to change { user.namespace.updated_at }
          end
        end
      end
    end
  end
4626

4627 4628 4629 4630 4631 4632 4633 4634 4635 4636 4637 4638 4639 4640 4641 4642 4643 4644 4645 4646 4647 4648
  describe '#username_changed_hook' do
    context 'for a new user' do
      let(:user) { build(:user) }

      it 'does not trigger system hook' do
        expect(user).not_to receive(:system_hook_service)

        user.save!
      end
    end

    context 'for an existing user' do
      let(:user) { create(:user, username: 'old-username') }

      context 'when the username is changed' do
        let(:new_username) { 'very-new-name' }

        it 'triggers the rename system hook' do
          system_hook_service = SystemHooksService.new
          expect(system_hook_service).to receive(:execute_hooks_for).with(user, :rename)
          expect(user).to receive(:system_hook_service).and_return(system_hook_service)

Lin Jen-Shin's avatar
Lin Jen-Shin committed
4649
          user.update!(username: new_username)
4650 4651 4652 4653 4654 4655 4656
        end
      end

      context 'when the username is not changed' do
        it 'does not trigger system hook' do
          expect(user).not_to receive(:system_hook_service)

Lin Jen-Shin's avatar
Lin Jen-Shin committed
4657
          user.update!(email: 'asdf@asdf.com')
4658 4659 4660 4661 4662
        end
      end
    end
  end

4663 4664 4665 4666 4667 4668 4669 4670 4671 4672 4673 4674 4675 4676 4677 4678 4679 4680 4681 4682 4683 4684 4685 4686 4687 4688 4689 4690 4691 4692 4693 4694 4695 4696 4697 4698 4699 4700 4701 4702 4703
  describe '#will_save_change_to_login?' do
    let(:user) { create(:user, username: 'old-username', email: 'old-email@example.org') }
    let(:new_username) { 'new-name' }
    let(:new_email) { 'new-email@example.org' }

    subject { user.will_save_change_to_login? }

    context 'when the username is changed' do
      before do
        user.username = new_username
      end

      it { is_expected.to be true }
    end

    context 'when the email is changed' do
      before do
        user.email = new_email
      end

      it { is_expected.to be true }
    end

    context 'when both email and username are changed' do
      before do
        user.username = new_username
        user.email = new_email
      end

      it { is_expected.to be true }
    end

    context 'when email and username aren\'t changed' do
      before do
        user.name = 'new_name'
      end

      it { is_expected.to be_falsy }
    end
  end

4704 4705 4706 4707 4708 4709
  describe '#sync_attribute?' do
    let(:user) { described_class.new }

    context 'oauth user' do
      it 'returns true if name can be synced' do
        stub_omniauth_setting(sync_profile_attributes: %w(name location))
4710

4711 4712 4713 4714 4715
        expect(user.sync_attribute?(:name)).to be_truthy
      end

      it 'returns true if email can be synced' do
        stub_omniauth_setting(sync_profile_attributes: %w(name email))
4716

4717 4718 4719 4720 4721
        expect(user.sync_attribute?(:email)).to be_truthy
      end

      it 'returns true if location can be synced' do
        stub_omniauth_setting(sync_profile_attributes: %w(location email))
4722

4723 4724 4725 4726 4727
        expect(user.sync_attribute?(:email)).to be_truthy
      end

      it 'returns false if name can not be synced' do
        stub_omniauth_setting(sync_profile_attributes: %w(location email))
4728

4729 4730 4731 4732
        expect(user.sync_attribute?(:name)).to be_falsey
      end

      it 'returns false if email can not be synced' do
4733
        stub_omniauth_setting(sync_profile_attributes: %w(location name))
4734

4735
        expect(user.sync_attribute?(:email)).to be_falsey
4736 4737 4738
      end

      it 'returns false if location can not be synced' do
4739
        stub_omniauth_setting(sync_profile_attributes: %w(name email))
4740

4741
        expect(user.sync_attribute?(:location)).to be_falsey
4742 4743 4744 4745
      end

      it 'returns true for all syncable attributes if all syncable attributes can be synced' do
        stub_omniauth_setting(sync_profile_attributes: true)
4746

4747 4748 4749 4750 4751 4752 4753 4754 4755 4756 4757 4758 4759 4760 4761
        expect(user.sync_attribute?(:name)).to be_truthy
        expect(user.sync_attribute?(:email)).to be_truthy
        expect(user.sync_attribute?(:location)).to be_truthy
      end

      it 'returns false for all syncable attributes but email if no syncable attributes are declared' do
        expect(user.sync_attribute?(:name)).to be_falsey
        expect(user.sync_attribute?(:email)).to be_truthy
        expect(user.sync_attribute?(:location)).to be_falsey
      end
    end

    context 'ldap user' do
      it 'returns true for email if ldap user' do
        allow(user).to receive(:ldap_user?).and_return(true)
4762

4763 4764 4765 4766 4767 4768 4769 4770
        expect(user.sync_attribute?(:name)).to be_falsey
        expect(user.sync_attribute?(:email)).to be_truthy
        expect(user.sync_attribute?(:location)).to be_falsey
      end

      it 'returns true for email and location if ldap user and location declared as syncable' do
        allow(user).to receive(:ldap_user?).and_return(true)
        stub_omniauth_setting(sync_profile_attributes: %w(location))
4771

4772 4773 4774 4775 4776 4777
        expect(user.sync_attribute?(:name)).to be_falsey
        expect(user.sync_attribute?(:email)).to be_truthy
        expect(user.sync_attribute?(:location)).to be_truthy
      end
    end
  end
4778 4779 4780 4781 4782 4783 4784 4785 4786 4787 4788 4789 4790 4791 4792 4793

  describe '#confirm_deletion_with_password?' do
    where(
      password_automatically_set: [true, false],
      ldap_user: [true, false],
      password_authentication_disabled: [true, false]
    )

    with_them do
      let!(:user) { create(:user, password_automatically_set: password_automatically_set) }
      let!(:identity) { create(:identity, user: user) if ldap_user }

      # Only confirm deletion with password if all inputs are false
      let(:expected) { !(password_automatically_set || ldap_user || password_authentication_disabled) }

      before do
4794 4795
        stub_application_setting(password_authentication_enabled_for_web: !password_authentication_disabled)
        stub_application_setting(password_authentication_enabled_for_git: !password_authentication_disabled)
4796 4797 4798 4799 4800 4801 4802 4803 4804 4805 4806 4807 4808 4809 4810 4811 4812 4813 4814 4815 4816 4817 4818 4819 4820 4821 4822 4823
      end

      it 'returns false unless all inputs are true' do
        expect(user.confirm_deletion_with_password?).to eq(expected)
      end
    end
  end

  describe '#delete_async' do
    let(:user) { create(:user) }
    let(:deleted_by) { create(:user) }

    it 'blocks the user then schedules them for deletion if a hard delete is specified' do
      expect(DeleteUserWorker).to receive(:perform_async).with(deleted_by.id, user.id, hard_delete: true)

      user.delete_async(deleted_by: deleted_by, params: { hard_delete: true })

      expect(user).to be_blocked
    end

    it 'schedules user for deletion without blocking them' do
      expect(DeleteUserWorker).to receive(:perform_async).with(deleted_by.id, user.id, {})

      user.delete_async(deleted_by: deleted_by)

      expect(user).not_to be_blocked
    end
  end
4824 4825 4826 4827 4828 4829

  describe '#max_member_access_for_project_ids' do
    shared_examples 'max member access for projects' do
      let(:user) { create(:user) }
      let(:group) { create(:group) }
      let(:owner_project) { create(:project, group: group) }
4830
      let(:maintainer_project) { create(:project) }
4831 4832 4833 4834 4835 4836
      let(:reporter_project) { create(:project) }
      let(:developer_project) { create(:project) }
      let(:guest_project) { create(:project) }
      let(:no_access_project) { create(:project) }

      let(:projects) do
4837
        [owner_project, maintainer_project, reporter_project, developer_project, guest_project, no_access_project].map(&:id)
4838 4839 4840 4841 4842
      end

      let(:expected) do
        {
          owner_project.id => Gitlab::Access::OWNER,
4843
          maintainer_project.id => Gitlab::Access::MAINTAINER,
4844 4845 4846 4847 4848 4849 4850 4851 4852
          reporter_project.id => Gitlab::Access::REPORTER,
          developer_project.id => Gitlab::Access::DEVELOPER,
          guest_project.id => Gitlab::Access::GUEST,
          no_access_project.id => Gitlab::Access::NO_ACCESS
        }
      end

      before do
        create(:group_member, user: user, group: group)
4853
        maintainer_project.add_maintainer(user)
4854 4855 4856 4857 4858 4859 4860 4861 4862 4863 4864 4865 4866 4867 4868 4869 4870 4871 4872 4873 4874 4875 4876 4877 4878 4879
        reporter_project.add_reporter(user)
        developer_project.add_developer(user)
        guest_project.add_guest(user)
      end

      it 'returns correct roles for different projects' do
        expect(user.max_member_access_for_project_ids(projects)).to eq(expected)
      end
    end

    context 'with RequestStore enabled', :request_store do
      include_examples 'max member access for projects'

      def access_levels(projects)
        user.max_member_access_for_project_ids(projects)
      end

      it 'does not perform extra queries when asked for projects who have already been found' do
        access_levels(projects)

        expect { access_levels(projects) }.not_to exceed_query_limit(0)

        expect(access_levels(projects)).to eq(expected)
      end

      it 'only requests the extra projects when uncached projects are passed' do
4880
        second_maintainer_project = create(:project)
4881
        second_developer_project = create(:project)
4882
        second_maintainer_project.add_maintainer(user)
4883 4884
        second_developer_project.add_developer(user)

4885
        all_projects = projects + [second_maintainer_project.id, second_developer_project.id]
4886

4887
        expected_all = expected.merge(second_maintainer_project.id => Gitlab::Access::MAINTAINER,
4888 4889 4890 4891 4892 4893 4894
                                      second_developer_project.id => Gitlab::Access::DEVELOPER)

        access_levels(projects)

        queries = ActiveRecord::QueryRecorder.new { access_levels(all_projects) }

        expect(queries.count).to eq(1)
4895
        expect(queries.log_message).to match(/\W(#{second_maintainer_project.id}, #{second_developer_project.id})\W/)
4896 4897 4898 4899 4900 4901 4902 4903 4904 4905 4906 4907 4908
        expect(access_levels(all_projects)).to eq(expected_all)
      end
    end

    context 'with RequestStore disabled' do
      include_examples 'max member access for projects'
    end
  end

  describe '#max_member_access_for_group_ids' do
    shared_examples 'max member access for groups' do
      let(:user) { create(:user) }
      let(:owner_group) { create(:group) }
4909
      let(:maintainer_group) { create(:group) }
4910 4911 4912 4913 4914 4915
      let(:reporter_group) { create(:group) }
      let(:developer_group) { create(:group) }
      let(:guest_group) { create(:group) }
      let(:no_access_group) { create(:group) }

      let(:groups) do
4916
        [owner_group, maintainer_group, reporter_group, developer_group, guest_group, no_access_group].map(&:id)
4917 4918 4919 4920 4921
      end

      let(:expected) do
        {
          owner_group.id => Gitlab::Access::OWNER,
4922
          maintainer_group.id => Gitlab::Access::MAINTAINER,
4923 4924 4925 4926 4927 4928 4929 4930 4931
          reporter_group.id => Gitlab::Access::REPORTER,
          developer_group.id => Gitlab::Access::DEVELOPER,
          guest_group.id => Gitlab::Access::GUEST,
          no_access_group.id => Gitlab::Access::NO_ACCESS
        }
      end

      before do
        owner_group.add_owner(user)
4932
        maintainer_group.add_maintainer(user)
4933 4934 4935 4936 4937 4938 4939 4940 4941 4942 4943 4944 4945 4946 4947 4948 4949 4950 4951 4952 4953 4954 4955 4956 4957 4958
        reporter_group.add_reporter(user)
        developer_group.add_developer(user)
        guest_group.add_guest(user)
      end

      it 'returns correct roles for different groups' do
        expect(user.max_member_access_for_group_ids(groups)).to eq(expected)
      end
    end

    context 'with RequestStore enabled', :request_store do
      include_examples 'max member access for groups'

      def access_levels(groups)
        user.max_member_access_for_group_ids(groups)
      end

      it 'does not perform extra queries when asked for groups who have already been found' do
        access_levels(groups)

        expect { access_levels(groups) }.not_to exceed_query_limit(0)

        expect(access_levels(groups)).to eq(expected)
      end

      it 'only requests the extra groups when uncached groups are passed' do
4959
        second_maintainer_group = create(:group)
4960
        second_developer_group = create(:group)
4961
        second_maintainer_group.add_maintainer(user)
4962 4963
        second_developer_group.add_developer(user)

4964
        all_groups = groups + [second_maintainer_group.id, second_developer_group.id]
4965

4966
        expected_all = expected.merge(second_maintainer_group.id => Gitlab::Access::MAINTAINER,
4967 4968 4969 4970 4971 4972 4973
                                      second_developer_group.id => Gitlab::Access::DEVELOPER)

        access_levels(groups)

        queries = ActiveRecord::QueryRecorder.new { access_levels(all_groups) }

        expect(queries.count).to eq(1)
4974
        expect(queries.log_message).to match(/\W(#{second_maintainer_group.id}, #{second_developer_group.id})\W/)
4975 4976 4977 4978 4979 4980 4981 4982
        expect(access_levels(all_groups)).to eq(expected_all)
      end
    end

    context 'with RequestStore disabled' do
      include_examples 'max member access for groups'
    end
  end
4983

4984 4985
  context 'changing a username' do
    let(:user) { create(:user, username: 'foo') }
4986

4987 4988 4989
    it 'creates a redirect route' do
      expect { user.update!(username: 'bar') }
        .to change { RedirectRoute.where(path: 'foo').count }.by(1)
4990 4991
    end

4992 4993 4994 4995 4996
    it 'deletes the redirect when a user with the old username was created' do
      user.update!(username: 'bar')

      expect { create(:user, username: 'foo') }
        .to change { RedirectRoute.where(path: 'foo').count }.by(-1)
4997 4998
    end
  end
4999 5000 5001

  describe '#required_terms_not_accepted?' do
    let(:user) { build(:user) }
5002
    let(:project_bot) { create(:user, :project_bot) }
5003

5004 5005 5006
    subject { user.required_terms_not_accepted? }

    context "when terms are not enforced" do
sfang97's avatar
sfang97 committed
5007
      it { is_expected.to be_falsey }
5008 5009
    end

5010
    context "when terms are enforced" do
5011 5012 5013 5014
      before do
        enforce_terms
      end

sfang97's avatar
sfang97 committed
5015
      it "is not accepted by the user" do
sfang97's avatar
sfang97 committed
5016
        expect(subject).to be_truthy
sfang97's avatar
sfang97 committed
5017 5018
      end

sfang97's avatar
sfang97 committed
5019
      it "is accepted by the user" do
5020
        accept_terms(user)
5021

sfang97's avatar
sfang97 committed
5022
        expect(subject).to be_falsey
5023 5024 5025
      end

      it "auto accepts the term for project bots" do
sfang97's avatar
sfang97 committed
5026
        expect(project_bot.required_terms_not_accepted?).to be_falsey
5027
      end
5028 5029
    end
  end
5030 5031 5032 5033 5034 5035 5036 5037 5038

  describe '#increment_failed_attempts!' do
    subject(:user) { create(:user, failed_attempts: 0) }

    it 'logs failed sign-in attempts' do
      expect { user.increment_failed_attempts! }.to change(user, :failed_attempts).from(0).to(1)
    end

    it 'does not log failed sign-in attempts when in a GitLab read-only instance' do
5039
      allow(Gitlab::Database).to receive(:read_only?) { true }
5040 5041 5042 5043

      expect { user.increment_failed_attempts! }.not_to change(user, :failed_attempts)
    end
  end
Jan Provaznik's avatar
Jan Provaznik committed
5044

5045
  describe '#requires_usage_stats_consent?' do
5046
    let(:user) { create(:user, :admin, created_at: 8.days.ago) }
5047 5048 5049 5050 5051 5052 5053

    before do
      allow(user).to receive(:has_current_license?).and_return false
    end

    context 'in single-user environment' do
      it 'requires user consent after one week' do
5054
        create(:user, :ghost)
5055 5056 5057 5058 5059 5060 5061 5062 5063 5064 5065 5066 5067 5068 5069

        expect(user.requires_usage_stats_consent?).to be true
      end

      it 'requires user consent after one week if there is another ghost user' do
        expect(user.requires_usage_stats_consent?).to be true
      end

      it 'does not require consent in the first week' do
        user.created_at = 6.days.ago

        expect(user.requires_usage_stats_consent?).to be false
      end

      it 'does not require consent if usage stats were set by this user' do
5070
        create(:application_setting, usage_stats_set_by_user_id: user.id)
5071 5072 5073 5074 5075 5076 5077 5078 5079 5080 5081 5082 5083 5084 5085 5086

        expect(user.requires_usage_stats_consent?).to be false
      end
    end

    context 'in multi-user environment' do
      before do
        create(:user)
      end

      it 'does not require consent' do
        expect(user.requires_usage_stats_consent?).to be false
      end
    end
  end

Jan Provaznik's avatar
Jan Provaznik committed
5087
  context 'with uploads' do
5088
    it_behaves_like 'model with uploads', false do
Jan Provaznik's avatar
Jan Provaznik committed
5089 5090 5091 5092 5093
      let(:model_object) { create(:user, :with_avatar) }
      let(:upload_attribute) { :avatar }
      let(:uploader_class) { AttachmentUploader }
    end
  end
5094 5095 5096 5097 5098 5099 5100 5101 5102 5103 5104 5105 5106 5107 5108 5109 5110 5111 5112 5113 5114 5115 5116 5117 5118 5119 5120 5121 5122 5123 5124 5125 5126 5127 5128 5129 5130 5131 5132 5133 5134 5135 5136 5137 5138 5139 5140 5141 5142 5143 5144 5145 5146 5147 5148 5149 5150 5151 5152 5153 5154 5155 5156 5157 5158 5159 5160 5161 5162 5163 5164 5165 5166 5167 5168 5169 5170 5171 5172 5173 5174 5175

  describe '.union_with_user' do
    context 'when no user ID is provided' do
      it 'returns the input relation' do
        user = create(:user)

        expect(described_class.union_with_user).to eq([user])
      end
    end

    context 'when a user ID is provided' do
      it 'includes the user object in the returned relation' do
        user1 = create(:user)
        user2 = create(:user)
        users = described_class.where(id: user1.id).union_with_user(user2.id)

        expect(users).to include(user1)
        expect(users).to include(user2)
      end

      it 'does not re-apply any WHERE conditions on the outer query' do
        relation = described_class.where(id: 1).union_with_user(2)

        expect(relation.arel.where_sql).to be_nil
      end
    end
  end

  describe '.optionally_search' do
    context 'using nil as the argument' do
      it 'returns the current relation' do
        user = create(:user)

        expect(described_class.optionally_search).to eq([user])
      end
    end

    context 'using an empty String as the argument' do
      it 'returns the current relation' do
        user = create(:user)

        expect(described_class.optionally_search('')).to eq([user])
      end
    end

    context 'using a non-empty String' do
      it 'returns users matching the search query' do
        user1 = create(:user)
        create(:user)

        expect(described_class.optionally_search(user1.name)).to eq([user1])
      end
    end
  end

  describe '.where_not_in' do
    context 'without an argument' do
      it 'returns the current relation' do
        user = create(:user)

        expect(described_class.where_not_in).to eq([user])
      end
    end

    context 'using a list of user IDs' do
      it 'excludes the users from the returned relation' do
        user1 = create(:user)
        user2 = create(:user)

        expect(described_class.where_not_in([user2.id])).to eq([user1])
      end
    end
  end

  describe '.reorder_by_name' do
    it 'reorders the input relation' do
      user1 = create(:user, name: 'A')
      user2 = create(:user, name: 'B')

      expect(described_class.reorder_by_name).to eq([user1, user2])
    end
  end
5176

5177 5178 5179 5180 5181 5182 5183 5184 5185 5186 5187 5188 5189 5190 5191 5192 5193 5194 5195 5196 5197 5198 5199 5200 5201 5202 5203 5204 5205 5206 5207
  describe '#notification_settings_for' do
    let(:user) { create(:user) }
    let(:source) { nil }

    subject { user.notification_settings_for(source) }

    context 'when source is nil' do
      it 'returns a blank global notification settings object' do
        expect(subject.source).to eq(nil)
        expect(subject.notification_email).to eq(nil)
        expect(subject.level).to eq('global')
      end
    end

    context 'when source is a Group' do
      let(:group) { create(:group) }

      subject { user.notification_settings_for(group, inherit: true) }

      context 'when group has no existing notification settings' do
        context 'when group has no ancestors' do
          it 'will be a default Global notification setting' do
            expect(subject.notification_email).to eq(nil)
            expect(subject.level).to eq('global')
          end
        end

        context 'when group has ancestors' do
          context 'when an ancestor has a level other than Global' do
            let(:ancestor) { create(:group) }
            let(:group) { create(:group, parent: ancestor) }
5208
            let(:email) { create(:email, :confirmed, email: 'ancestor@example.com', user: user) }
5209 5210

            before do
5211
              create(:notification_setting, user: user, source: ancestor, level: 'participating', notification_email: email.email)
5212 5213 5214 5215 5216 5217 5218 5219 5220 5221 5222 5223 5224 5225 5226 5227 5228 5229 5230 5231 5232 5233 5234 5235
            end

            it 'has the same level set' do
              expect(subject.level).to eq('participating')
            end

            it 'has the same email set' do
              expect(subject.notification_email).to eq('ancestor@example.com')
            end

            context 'when inherit is false' do
              subject { user.notification_settings_for(group) }

              it 'does not inherit settings' do
                expect(subject.notification_email).to eq(nil)
                expect(subject.level).to eq('global')
              end
            end
          end

          context 'when an ancestor has a Global level but has an email set' do
            let(:grand_ancestor) { create(:group) }
            let(:ancestor) { create(:group, parent: grand_ancestor) }
            let(:group) { create(:group, parent: ancestor) }
5236 5237
            let(:ancestor_email) { create(:email, :confirmed, email: 'ancestor@example.com', user: user) }
            let(:grand_email) { create(:email, :confirmed, email: 'grand@example.com', user: user) }
5238 5239

            before do
5240 5241
              create(:notification_setting, user: user, source: grand_ancestor, level: 'participating', notification_email: grand_email.email)
              create(:notification_setting, user: user, source: ancestor, level: 'global', notification_email: ancestor_email.email)
5242 5243 5244 5245 5246 5247 5248 5249 5250 5251 5252 5253
            end

            it 'has the same email set' do
              expect(subject.level).to eq('global')
              expect(subject.notification_email).to eq('ancestor@example.com')
            end
          end
        end
      end
    end
  end

5254 5255 5256 5257 5258 5259 5260 5261 5262 5263 5264 5265 5266 5267 5268 5269 5270 5271 5272 5273 5274 5275 5276 5277 5278 5279 5280 5281 5282 5283 5284 5285 5286 5287 5288 5289 5290 5291
  describe '#notification_settings_for_groups' do
    let_it_be(:user) { create(:user) }
    let_it_be(:groups) { create_list(:group, 2) }

    subject { user.notification_settings_for_groups(arg) }

    before do
      groups.each do |group|
        group.add_maintainer(user)
      end
    end

    shared_examples_for 'notification_settings_for_groups method' do
      it 'returns NotificationSetting objects for provided groups', :aggregate_failures do
        expect(subject.count).to eq(groups.count)
        expect(subject.map(&:source_id)).to match_array(groups.map(&:id))
      end
    end

    context 'when given an ActiveRecord relationship' do
      let_it_be(:arg) { Group.where(id: groups.map(&:id)) }

      it_behaves_like 'notification_settings_for_groups method'

      it 'uses #select to maintain lazy querying behavior' do
        expect(arg).to receive(:select).and_call_original

        subject
      end
    end

    context 'when given an Array of Groups' do
      let_it_be(:arg) { groups }

      it_behaves_like 'notification_settings_for_groups method'
    end
  end

5292 5293 5294 5295 5296 5297 5298 5299 5300 5301 5302 5303 5304 5305 5306 5307 5308 5309 5310 5311 5312 5313 5314 5315 5316
  describe '#notification_email_for' do
    let(:user) { create(:user) }
    let(:group) { create(:group) }

    subject { user.notification_email_for(group) }

    context 'when group is nil' do
      let(:group) { nil }

      it 'returns global notification email' do
        is_expected.to eq(user.notification_email)
      end
    end

    context 'when group has no notification email set' do
      it 'returns global notification email' do
        create(:notification_setting, user: user, source: group, notification_email: '')

        is_expected.to eq(user.notification_email)
      end
    end

    context 'when group has notification email set' do
      it 'returns group notification email' do
        group_notification_email = 'user+group@example.com'
5317
        create(:email, :confirmed, user: user, email: group_notification_email)
5318 5319 5320 5321 5322 5323
        create(:notification_setting, user: user, source: group, notification_email: group_notification_email)

        is_expected.to eq(group_notification_email)
      end
    end
  end
5324 5325 5326 5327 5328 5329 5330 5331 5332 5333 5334 5335 5336 5337 5338 5339 5340 5341 5342 5343 5344 5345 5346 5347 5348 5349 5350 5351 5352 5353

  describe '#password_expired?' do
    let(:user) { build(:user, password_expires_at: password_expires_at) }

    subject { user.password_expired? }

    context 'when password_expires_at is not set' do
      let(:password_expires_at) {}

      it 'returns false' do
        is_expected.to be_falsey
      end
    end

    context 'when password_expires_at is in the past' do
      let(:password_expires_at) { 1.minute.ago }

      it 'returns true' do
        is_expected.to be_truthy
      end
    end

    context 'when password_expires_at is in the future' do
      let(:password_expires_at) { 1.minute.from_now }

      it 'returns false' do
        is_expected.to be_falsey
      end
    end
  end
5354

5355
  describe '#password_expired_if_applicable?' do
5356
    let(:user) { build(:user, password_expires_at: password_expires_at, password_automatically_set: set_automatically?) }
5357 5358 5359 5360

    subject { user.password_expired_if_applicable? }

    context 'when user is not ldap user' do
5361 5362 5363 5364 5365 5366 5367 5368 5369 5370 5371 5372 5373 5374 5375 5376 5377 5378 5379 5380 5381 5382 5383 5384 5385 5386 5387 5388 5389 5390 5391 5392
      context 'when user has password set automatically' do
        let(:set_automatically?) { true }

        context 'when password_expires_at is not set' do
          let(:password_expires_at) {}

          it 'returns false' do
            is_expected.to be_falsey
          end
        end

        context 'when password_expires_at is in the past' do
          let(:password_expires_at) { 1.minute.ago }

          it 'returns true' do
            is_expected.to be_truthy
          end
        end

        context 'when password_expires_at is in the future' do
          let(:password_expires_at) { 1.minute.from_now }

          it 'returns false' do
            is_expected.to be_falsey
          end
        end
      end
    end

    context 'when user has password not set automatically' do
      let(:set_automatically?) { false }

5393 5394 5395 5396 5397 5398 5399 5400 5401 5402 5403
      context 'when password_expires_at is not set' do
        let(:password_expires_at) {}

        it 'returns false' do
          is_expected.to be_falsey
        end
      end

      context 'when password_expires_at is in the past' do
        let(:password_expires_at) { 1.minute.ago }

5404 5405
        it 'returns false' do
          is_expected.to be_falsey
5406 5407 5408 5409 5410 5411 5412 5413 5414 5415 5416 5417 5418 5419 5420 5421 5422 5423 5424 5425 5426 5427 5428 5429 5430 5431 5432 5433 5434 5435 5436 5437 5438 5439 5440 5441 5442 5443 5444 5445 5446 5447 5448
        end
      end

      context 'when password_expires_at is in the future' do
        let(:password_expires_at) { 1.minute.from_now }

        it 'returns false' do
          is_expected.to be_falsey
        end
      end
    end

    context 'when user is ldap user' do
      let(:user) { build(:user, password_expires_at: password_expires_at) }

      before do
        allow(user).to receive(:ldap_user?).and_return(true)
      end

      context 'when password_expires_at is not set' do
        let(:password_expires_at) {}

        it 'returns false' do
          is_expected.to be_falsey
        end
      end

      context 'when password_expires_at is in the past' do
        let(:password_expires_at) { 1.minute.ago }

        it 'returns false' do
          is_expected.to be_falsey
        end
      end

      context 'when password_expires_at is in the future' do
        let(:password_expires_at) { 1.minute.from_now }

        it 'returns false' do
          is_expected.to be_falsey
        end
      end
    end
5449 5450 5451 5452 5453 5454 5455 5456 5457 5458 5459 5460

    context 'when user is a project bot' do
      let(:user) { build(:user, :project_bot, password_expires_at: password_expires_at) }

      context 'when password_expires_at is not set' do
        let(:password_expires_at) {}

        it 'returns false' do
          is_expected.to be_falsey
        end
      end

5461 5462 5463 5464 5465 5466 5467 5468 5469 5470 5471 5472 5473 5474 5475 5476 5477 5478
      context 'when password_expires_at is in the past' do
        let(:password_expires_at) { 1.minute.ago }

        it 'returns false' do
          is_expected.to be_falsey
        end
      end

      context 'when password_expires_at is in the future' do
        let(:password_expires_at) { 1.minute.from_now }

        it 'returns false' do
          is_expected.to be_falsey
        end
      end
    end
  end

5479 5480 5481 5482 5483 5484 5485 5486 5487 5488 5489
  describe '#read_only_attribute?' do
    context 'when synced attributes metadata is present' do
      it 'delegates to synced_attributes_metadata' do
        subject.build_user_synced_attributes_metadata

        expect(subject.build_user_synced_attributes_metadata)
          .to receive(:read_only?).with(:email).and_return('return-value')
        expect(subject.read_only_attribute?(:email)).to eq('return-value')
      end
    end

5490
    context 'when synced attributes metadata is not present' do
5491 5492 5493 5494 5495
      it 'is false for any attribute' do
        expect(subject.read_only_attribute?(:email)).to be_falsey
      end
    end
  end
5496

5497 5498 5499 5500 5501 5502
  describe '.active_without_ghosts' do
    let_it_be(:user1) { create(:user, :external) }
    let_it_be(:user2) { create(:user, state: 'blocked') }
    let_it_be(:user3) { create(:user, :ghost) }
    let_it_be(:user4) { create(:user, user_type: :support_bot) }
    let_it_be(:user5) { create(:user, state: 'blocked', user_type: :support_bot) }
5503
    let_it_be(:user6) { create(:user, user_type: :automation_bot) }
5504

5505
    it 'returns all active users including active bots but ghost users' do
5506
      expect(described_class.active_without_ghosts).to match_array([user1, user4, user6])
5507 5508 5509
    end
  end

5510 5511 5512
  describe '#dismissed_callout?' do
    subject(:user) { create(:user) }

5513
    let(:feature_name) { UserCallout.feature_names.each_key.first }
5514 5515 5516 5517 5518 5519 5520 5521 5522 5523 5524 5525 5526 5527 5528 5529 5530 5531 5532 5533 5534 5535 5536 5537 5538 5539 5540 5541 5542 5543

    context 'when no callout dismissal record exists' do
      it 'returns false when no ignore_dismissal_earlier_than provided' do
        expect(user.dismissed_callout?(feature_name: feature_name)).to eq false
      end

      it 'returns false when ignore_dismissal_earlier_than provided' do
        expect(user.dismissed_callout?(feature_name: feature_name, ignore_dismissal_earlier_than: 3.months.ago)).to eq false
      end
    end

    context 'when dismissed callout exists' do
      before do
        create(:user_callout, user: user, feature_name: feature_name, dismissed_at: 4.months.ago)
      end

      it 'returns true when no ignore_dismissal_earlier_than provided' do
        expect(user.dismissed_callout?(feature_name: feature_name)).to eq true
      end

      it 'returns true when ignore_dismissal_earlier_than is earlier than dismissed_at' do
        expect(user.dismissed_callout?(feature_name: feature_name, ignore_dismissal_earlier_than: 6.months.ago)).to eq true
      end

      it 'returns false when ignore_dismissal_earlier_than is later than dismissed_at' do
        expect(user.dismissed_callout?(feature_name: feature_name, ignore_dismissal_earlier_than: 3.months.ago)).to eq false
      end
    end
  end

5544
  describe '#hook_attrs' do
5545
    it 'includes id, name, username, avatar_url, and email' do
5546 5547
      user = create(:user)
      user_attributes = {
5548
        id: user.id,
5549 5550 5551 5552 5553 5554 5555 5556
        name: user.name,
        username: user.username,
        avatar_url: user.avatar_url(only_path: false),
        email: user.email
      }
      expect(user.hook_attrs).to eq(user_attributes)
    end
  end
5557

5558 5559 5560 5561 5562 5563 5564 5565 5566 5567 5568 5569 5570 5571 5572 5573 5574 5575 5576 5577
  describe 'user credit card validation' do
    context 'when user is initialized' do
      let(:user) { build(:user) }

      it { expect(user.credit_card_validation).not_to be_present }
    end

    context 'when create user without credit card validation' do
      let(:user) { create(:user) }

      it { expect(user.credit_card_validation).not_to be_present }
    end

    context 'when user credit card validation exists' do
      let(:user) { create(:user, :with_credit_card_validation) }

      it { expect(user.credit_card_validation).to be_persisted }
    end
  end

5578 5579 5580 5581 5582 5583 5584 5585 5586 5587 5588 5589 5590 5591
  describe 'user detail' do
    context 'when user is initialized' do
      let(:user) { build(:user) }

      it { expect(user.user_detail).to be_present }
      it { expect(user.user_detail).not_to be_persisted }
    end

    context 'when user detail exists' do
      let(:user) { create(:user, job_title: 'Engineer') }

      it { expect(user.user_detail).to be_persisted }
    end
  end
5592

5593 5594 5595 5596 5597 5598 5599 5600 5601 5602 5603 5604 5605 5606 5607 5608 5609 5610 5611
  describe '#current_highest_access_level' do
    let_it_be(:user) { create(:user) }

    context 'when no memberships exist' do
      it 'returns nil' do
        expect(user.current_highest_access_level).to be_nil
      end
    end

    context 'when memberships exist' do
      it 'returns the highest access level for non requested memberships' do
        create(:group_member, :reporter, user_id: user.id)
        create(:project_member, :guest, user_id: user.id)
        create(:project_member, :maintainer, user_id: user.id, requested_at: Time.current)

        expect(user.current_highest_access_level).to eq(Gitlab::Access::REPORTER)
      end
    end
  end
5612 5613 5614

  context 'when after_commit :update_highest_role' do
    describe 'create user' do
5615 5616 5617 5618 5619
      subject { create(:user) }

      it 'schedules a job in the future', :aggregate_failures, :clean_gitlab_redis_shared_state do
        allow_next_instance_of(Gitlab::ExclusiveLease) do |instance|
          allow(instance).to receive(:try_obtain).and_return('uuid')
5620 5621
        end

5622 5623 5624
        expect(UpdateHighestRoleWorker).to receive(:perform_in).and_call_original

        expect { subject }.to change(UpdateHighestRoleWorker.jobs, :size).by(1)
5625 5626 5627 5628 5629
      end
    end

    context 'when user already exists' do
      let!(:user) { create(:user) }
5630
      let(:user_id) { user.id }
5631 5632 5633 5634 5635 5636 5637

      describe 'update user' do
        using RSpec::Parameterized::TableSyntax

        where(:attributes) do
          [
            { state: 'blocked' },
5638
            { user_type: :ghost },
5639
            { user_type: :alert_bot },
Tetiana Chupryna's avatar
Tetiana Chupryna committed
5640
            { user_type: :support_bot },
5641 5642
            { user_type: :security_bot },
            { user_type: :automation_bot }
5643 5644 5645 5646 5647
          ]
        end

        with_them do
          context 'when state was changed' do
5648
            subject { user.update!(attributes) }
5649

5650
            include_examples 'update highest role with exclusive lease'
5651 5652 5653 5654
          end
        end

        context 'when state was not changed' do
5655
          subject { user.update!(email: 'newmail@example.com') }
5656

5657
          include_examples 'does not update the highest role'
5658 5659
        end
      end
5660 5661

      describe 'destroy user' do
5662
        subject { user.destroy! }
5663 5664 5665

        include_examples 'does not update the highest role'
      end
5666 5667
    end
  end
5668 5669 5670 5671 5672 5673 5674 5675 5676 5677 5678 5679 5680 5681 5682 5683

  describe '#active_for_authentication?' do
    subject { user.active_for_authentication? }

    let(:user) { create(:user) }

    context 'when user is blocked' do
      before do
        user.block
      end

      it { is_expected.to be false }
    end

    context 'when user is a ghost user' do
      before do
5684
        user.update!(user_type: :ghost)
5685 5686 5687 5688 5689 5690 5691 5692 5693 5694 5695
      end

      it { is_expected.to be false }
    end

    context 'based on user type' do
      using RSpec::Parameterized::TableSyntax

      where(:user_type, :expected_result) do
        'human'             | true
        'alert_bot'         | false
5696
        'support_bot'       | false
Tetiana Chupryna's avatar
Tetiana Chupryna committed
5697
        'security_bot'      | false
5698
        'automation_bot'    | false
5699 5700 5701 5702
      end

      with_them do
        before do
5703
          user.update!(user_type: user_type)
5704 5705 5706 5707 5708 5709 5710 5711 5712 5713 5714 5715 5716 5717 5718 5719 5720
        end

        it { is_expected.to be expected_result }
      end
    end
  end

  describe '#inactive_message' do
    subject { user.inactive_message }

    let(:user) { create(:user) }

    context 'when user is blocked' do
      before do
        user.block
      end

5721
      it { is_expected.to eq :blocked }
5722 5723 5724 5725
    end

    context 'when user is an internal user' do
      before do
5726
        user.update!(user_type: :ghost)
5727 5728
      end

5729
      it { is_expected.to be :forbidden }
5730 5731 5732 5733 5734 5735 5736 5737
    end

    context 'when user is locked' do
      before do
        user.lock_access!
      end

      it { is_expected.to be :locked }
5738 5739 5740 5741 5742 5743 5744 5745
    end

    context 'when user is blocked pending approval' do
      before do
        user.block_pending_approval!
      end

      it { is_expected.to be :blocked_pending_approval }
5746 5747
    end
  end
5748 5749 5750 5751 5752 5753 5754 5755 5756 5757 5758 5759

  describe '#password_required?' do
    let_it_be(:user) { create(:user) }

    shared_examples 'does not require password to be present' do
      it { expect(user).not_to validate_presence_of(:password) }

      it { expect(user).not_to validate_presence_of(:password_confirmation) }
    end

    context 'when user is an internal user' do
      before do
5760
        user.update!(user_type: 'alert_bot')
5761 5762 5763 5764 5765 5766 5767
      end

      it_behaves_like 'does not require password to be present'
    end

    context 'when user is a project bot user' do
      before do
5768
        user.update!(user_type: 'project_bot')
5769 5770 5771 5772 5773
      end

      it_behaves_like 'does not require password to be present'
    end
  end
5774

5775 5776 5777 5778 5779 5780 5781 5782 5783 5784 5785 5786 5787 5788 5789 5790 5791 5792 5793 5794 5795 5796 5797 5798 5799 5800 5801 5802 5803 5804 5805 5806 5807 5808
  describe 'can_trigger_notifications?' do
    context 'when user is not confirmed' do
      let_it_be(:user) { create(:user, :unconfirmed) }

      it 'returns false' do
        expect(user.can_trigger_notifications?).to be(false)
      end
    end

    context 'when user is blocked' do
      let_it_be(:user) { create(:user, :blocked) }

      it 'returns false' do
        expect(user.can_trigger_notifications?).to be(false)
      end
    end

    context 'when user is a ghost' do
      let_it_be(:user) { create(:user, :ghost) }

      it 'returns false' do
        expect(user.can_trigger_notifications?).to be(false)
      end
    end

    context 'when user is confirmed and neither blocked or a ghost' do
      let_it_be(:user) { create(:user) }

      it 'returns true' do
        expect(user.can_trigger_notifications?).to be(true)
      end
    end
  end

5809 5810 5811 5812 5813 5814 5815
  context 'bot users' do
    shared_examples 'bot users' do |bot_type|
      it 'creates the user if it does not exist' do
        expect do
          described_class.public_send(bot_type)
        end.to change { User.where(user_type: bot_type).count }.by(1)
      end
5816

5817 5818 5819 5820 5821 5822
      it 'creates a route for the namespace of the created user' do
        bot_user = described_class.public_send(bot_type)

        expect(bot_user.namespace.route).to be_present
      end

5823 5824
      it 'does not create a new user if it already exists' do
        described_class.public_send(bot_type)
5825

5826 5827 5828 5829
        expect do
          described_class.public_send(bot_type)
        end.not_to change { User.count }
      end
5830
    end
5831

5832 5833 5834 5835 5836 5837 5838 5839 5840
    shared_examples 'bot user avatars' do |bot_type, avatar_filename|
      it 'sets the custom avatar for the created bot' do
        bot_user = described_class.public_send(bot_type)

        expect(bot_user.avatar.url).to be_present
        expect(bot_user.avatar.filename).to eq(avatar_filename)
      end
    end

5841 5842 5843
    it_behaves_like 'bot users', :alert_bot
    it_behaves_like 'bot users', :support_bot
    it_behaves_like 'bot users', :migration_bot
Tetiana Chupryna's avatar
Tetiana Chupryna committed
5844
    it_behaves_like 'bot users', :security_bot
5845
    it_behaves_like 'bot users', :ghost
5846
    it_behaves_like 'bot users', :automation_bot
5847 5848 5849

    it_behaves_like 'bot user avatars', :alert_bot, 'alert-bot.png'
    it_behaves_like 'bot user avatars', :support_bot, 'support-bot.png'
Tetiana Chupryna's avatar
Tetiana Chupryna committed
5850
    it_behaves_like 'bot user avatars', :security_bot, 'security-bot.png'
5851
    it_behaves_like 'bot user avatars', :automation_bot, 'support-bot.png'
5852 5853 5854 5855 5856 5857

    context 'when bot is the support_bot' do
      subject { described_class.support_bot }

      it { is_expected.to be_confirmed }
    end
5858
  end
5859 5860 5861 5862 5863 5864 5865 5866 5867 5868 5869 5870 5871 5872 5873 5874 5875 5876 5877 5878 5879 5880 5881 5882 5883 5884 5885 5886 5887 5888 5889 5890 5891 5892 5893 5894 5895 5896 5897 5898 5899 5900 5901 5902 5903 5904

  describe '#confirmation_required_on_sign_in?' do
    subject { user.confirmation_required_on_sign_in? }

    context 'when user is confirmed' do
      let(:user) { build_stubbed(:user) }

      it 'is falsey' do
        expect(user.confirmed?).to be_truthy
        expect(subject).to be_falsey
      end
    end

    context 'when user is not confirmed' do
      let_it_be(:user) { build_stubbed(:user, :unconfirmed, confirmation_sent_at: Time.current) }

      it 'is truthy when soft_email_confirmation feature is disabled' do
        stub_feature_flags(soft_email_confirmation: false)
        expect(subject).to be_truthy
      end

      context 'when soft_email_confirmation feature is enabled' do
        before do
          stub_feature_flags(soft_email_confirmation: true)
        end

        it 'is falsey when confirmation period is valid' do
          expect(subject).to be_falsey
        end

        it 'is truthy when confirmation period is expired' do
          travel_to(User.allow_unconfirmed_access_for.from_now + 1.day) do
            expect(subject).to be_truthy
          end
        end

        context 'when user has no confirmation email sent' do
          let(:user) { build(:user, :unconfirmed, confirmation_sent_at: nil) }

          it 'is truthy' do
            expect(subject).to be_truthy
          end
        end
      end
    end
  end
5905 5906 5907 5908 5909

  describe '#find_or_initialize_callout' do
    subject(:find_or_initialize_callout) { user.find_or_initialize_callout(feature_name) }

    let(:user) { create(:user) }
5910
    let(:feature_name) { UserCallout.feature_names.each_key.first }
5911 5912 5913 5914 5915 5916 5917 5918 5919 5920 5921 5922 5923 5924 5925 5926 5927 5928 5929 5930 5931 5932 5933 5934 5935 5936 5937 5938 5939 5940 5941 5942 5943

    context 'when callout exists' do
      let!(:callout) { create(:user_callout, user: user, feature_name: feature_name) }

      it 'returns existing callout' do
        expect(find_or_initialize_callout).to eq(callout)
      end
    end

    context 'when callout does not exist' do
      context 'when feature name is valid' do
        it 'initializes a new callout' do
          expect(find_or_initialize_callout).to be_a_new(UserCallout)
        end

        it 'is valid' do
          expect(find_or_initialize_callout).to be_valid
        end
      end

      context 'when feature name is not valid' do
        let(:feature_name) { 'notvalid' }

        it 'initializes a new callout' do
          expect(find_or_initialize_callout).to be_a_new(UserCallout)
        end

        it 'is not valid' do
          expect(find_or_initialize_callout).not_to be_valid
        end
      end
    end
  end
5944

5945 5946 5947 5948 5949 5950 5951 5952 5953 5954 5955 5956 5957 5958
  describe '#default_dashboard?' do
    it 'is the default dashboard' do
      user = build(:user)

      expect(user.default_dashboard?).to be true
    end

    it 'is not the default dashboard' do
      user = build(:user, dashboard: 'stars')

      expect(user.default_dashboard?).to be false
    end
  end

5959 5960 5961 5962 5963 5964 5965 5966 5967 5968 5969 5970 5971 5972 5973 5974 5975 5976 5977 5978 5979 5980 5981 5982 5983 5984 5985 5986 5987 5988 5989 5990 5991 5992 5993 5994 5995 5996 5997 5998 5999 6000
  describe '.dormant' do
    it 'returns dormant users' do
      freeze_time do
        not_that_long_ago = (described_class::MINIMUM_INACTIVE_DAYS - 1).days.ago.to_date
        too_long_ago = described_class::MINIMUM_INACTIVE_DAYS.days.ago.to_date

        create(:user, :deactivated, last_activity_on: too_long_ago)

        User::INTERNAL_USER_TYPES.map do |user_type|
          create(:user, state: :active, user_type: user_type, last_activity_on: too_long_ago)
        end

        create(:user, last_activity_on: not_that_long_ago)

        dormant_user = create(:user, last_activity_on: too_long_ago)

        expect(described_class.dormant).to contain_exactly(dormant_user)
      end
    end
  end

  describe '.with_no_activity' do
    it 'returns users with no activity' do
      freeze_time do
        not_that_long_ago = (described_class::MINIMUM_INACTIVE_DAYS - 1).days.ago.to_date
        too_long_ago = described_class::MINIMUM_INACTIVE_DAYS.days.ago.to_date

        create(:user, :deactivated, last_activity_on: nil)

        User::INTERNAL_USER_TYPES.map do |user_type|
          create(:user, state: :active, user_type: user_type, last_activity_on: nil)
        end

        create(:user, last_activity_on: not_that_long_ago)
        create(:user, last_activity_on: too_long_ago)

        user_with_no_activity = create(:user, last_activity_on: nil)

        expect(described_class.with_no_activity).to contain_exactly(user_with_no_activity)
      end
    end
  end
6001 6002 6003 6004 6005 6006 6007 6008 6009 6010 6011 6012 6013

  describe '.by_provider_and_extern_uid' do
    it 'calls Identity model scope to ensure case-insensitive query', :aggregate_failures do
      expected_user = create(:user)
      create(:identity, extern_uid: 'some-other-name-id', provider: :github)
      create(:identity, extern_uid: 'my_github_id', provider: :gitlab)
      create(:identity)
      create(:identity, user: expected_user, extern_uid: 'my_github_id', provider: :github)

      expect(Identity).to receive(:with_extern_uid).and_call_original
      expect(described_class.by_provider_and_extern_uid(:github, 'my_github_id')).to match_array([expected_user])
    end
  end
gitlabhq's avatar
gitlabhq committed
6014
end