Discource-C
/
discourse
mirror of https://github.com/discourse/discourse.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
discourse/spec/requests/application_controller_spec.rb

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

1011 lines
32 KiB
Ruby
Raw Normal View History

DEV: use #frozen_string_literal: true on all spec This change both speeds up specs (less strings to allocate) and helps catch cases where methods in Discourse are mutating inputs. Overall we will be migrating everything to use #frozen_string_literal: true it will take a while, but this is the first and safest move in this direction
2019-04-29 20:27:42 -04:00
# frozen_string_literal: true
Add spec test for authComplete param carry-forward
2018-03-27 08:34:40 -04:00
require 'rails_helper'
RSpec.describe ApplicationController do
describe '#redirect_to_login_if_required' do
let(:admin) { Fabricate(:admin) }
before do
admin # to skip welcome wizard at home page `/`
SiteSetting.login_required = true
end
FIX: ensure we never cache login redirects by mistake
2018-11-08 19:14:35 -05:00
it "should never cache a login redirect" do
get "/"
expect(response.headers["Cache-Control"]).to eq("no-cache, no-store")
end
FEATURE: Automatically redirect to authenticator when there is only one This brings the behavior in line with native Discourse SSO. If login is required, and a user tries to visit the forum, they will be directed straight to the external login page without requiring any clicks.
2019-11-13 12:28:12 -05:00
it "should redirect to login normally" do
get "/"
expect(response).to redirect_to("/login")
end
it "should redirect to SSO if enabled" do
FEATURE: Rename 'Discourse SSO' to DiscourseConnect (#11978) The 'Discourse SSO' protocol is being rebranded to DiscourseConnect. This should help to reduce confusion when 'SSO' is used in the generic sense. This commit aims to: - Rename `sso_` site settings. DiscourseConnect specific ones are prefixed `discourse_connect_`. Generic settings are prefixed `auth_` - Add (server-side-only) backwards compatibility for the old setting names, with deprecation notices - Copy `site_settings` database records to the new names - Rename relevant translation keys - Update relevant translations This commit does **not** aim to: - Rename any Ruby classes or methods. This might be done in a future commit - Change any URLs. This would break existing integrations - Make any changes to the protocol. This would break existing integrations - Change any functionality. Further normalization across DiscourseConnect and other auth methods will be done separately The risks are: - There is no backwards compatibility for site settings on the client-side. Accessing auth-related site settings in Javascript is fairly rare, and an error on the client side would not be security-critical. - If a plugin is monkey-patching parts of the auth process, changes to locale keys could cause broken error messages. This should also be unlikely. The old site setting names remain functional, so security-related overrides will remain working. A follow-up commit will be made with a post-deploy migration to delete the old `site_settings` rows.
2021-02-08 05:04:33 -05:00
SiteSetting.discourse_connect_url = 'http://someurl.com'
SiteSetting.enable_discourse_connect = true
FEATURE: Automatically redirect to authenticator when there is only one This brings the behavior in line with native Discourse SSO. If login is required, and a user tries to visit the forum, they will be directed straight to the external login page without requiring any clicks.
2019-11-13 12:28:12 -05:00
get "/"
expect(response).to redirect_to("/session/sso")
end
it "should redirect to authenticator if only one, and local logins disabled" do
# Local logins and google enabled, direct to login UI
SiteSetting.enable_google_oauth2_logins = true
get "/"
expect(response).to redirect_to("/login")
# Only google enabled, login immediately
SiteSetting.enable_local_logins = false
get "/"
expect(response).to redirect_to("/auth/google_oauth2")
# Google and GitHub enabled, direct to login UI
SiteSetting.enable_github_logins = true
get "/"
expect(response).to redirect_to("/login")
end
FIX: For a single authenticator, do not interrupt registration flow Followup to 0a14b9b42a2f597f5df26be97296a4d6909f6a34
2019-11-19 14:15:11 -05:00
FEATURE: Rename 'Discourse SSO' to DiscourseConnect (#11978) The 'Discourse SSO' protocol is being rebranded to DiscourseConnect. This should help to reduce confusion when 'SSO' is used in the generic sense. This commit aims to: - Rename `sso_` site settings. DiscourseConnect specific ones are prefixed `discourse_connect_`. Generic settings are prefixed `auth_` - Add (server-side-only) backwards compatibility for the old setting names, with deprecation notices - Copy `site_settings` database records to the new names - Rename relevant translation keys - Update relevant translations This commit does **not** aim to: - Rename any Ruby classes or methods. This might be done in a future commit - Change any URLs. This would break existing integrations - Make any changes to the protocol. This would break existing integrations - Change any functionality. Further normalization across DiscourseConnect and other auth methods will be done separately The risks are: - There is no backwards compatibility for site settings on the client-side. Accessing auth-related site settings in Javascript is fairly rare, and an error on the client side would not be security-critical. - If a plugin is monkey-patching parts of the auth process, changes to locale keys could cause broken error messages. This should also be unlikely. The old site setting names remain functional, so security-related overrides will remain working. A follow-up commit will be made with a post-deploy migration to delete the old `site_settings` rows.
2021-02-08 05:04:33 -05:00
it "should not redirect to SSO when auth_immediately is disabled" do
SiteSetting.auth_immediately = false
SiteSetting.discourse_connect_url = 'http://someurl.com'
SiteSetting.enable_discourse_connect = true
FEATURE: Add a site setting to control automatic auth redirect (#10732) This allows administrators to stop automatic redirect to an external authenticator. It only takes effect when there is a single authentication method, and the site is login_required
2020-09-24 12:06:07 -04:00
get "/"
expect(response).to redirect_to("/login")
end
FEATURE: Rename 'Discourse SSO' to DiscourseConnect (#11978) The 'Discourse SSO' protocol is being rebranded to DiscourseConnect. This should help to reduce confusion when 'SSO' is used in the generic sense. This commit aims to: - Rename `sso_` site settings. DiscourseConnect specific ones are prefixed `discourse_connect_`. Generic settings are prefixed `auth_` - Add (server-side-only) backwards compatibility for the old setting names, with deprecation notices - Copy `site_settings` database records to the new names - Rename relevant translation keys - Update relevant translations This commit does **not** aim to: - Rename any Ruby classes or methods. This might be done in a future commit - Change any URLs. This would break existing integrations - Make any changes to the protocol. This would break existing integrations - Change any functionality. Further normalization across DiscourseConnect and other auth methods will be done separately The risks are: - There is no backwards compatibility for site settings on the client-side. Accessing auth-related site settings in Javascript is fairly rare, and an error on the client side would not be security-critical. - If a plugin is monkey-patching parts of the auth process, changes to locale keys could cause broken error messages. This should also be unlikely. The old site setting names remain functional, so security-related overrides will remain working. A follow-up commit will be made with a post-deploy migration to delete the old `site_settings` rows.
2021-02-08 05:04:33 -05:00
it "should not redirect to authenticator when auth_immediately is disabled" do
SiteSetting.auth_immediately = false
FEATURE: Add a site setting to control automatic auth redirect (#10732) This allows administrators to stop automatic redirect to an external authenticator. It only takes effect when there is a single authentication method, and the site is login_required
2020-09-24 12:06:07 -04:00
SiteSetting.enable_google_oauth2_logins = true
SiteSetting.enable_local_logins = false
get "/"
expect(response).to redirect_to("/login")
end
FIX: For a single authenticator, do not interrupt registration flow Followup to 0a14b9b42a2f597f5df26be97296a4d6909f6a34
2019-11-19 14:15:11 -05:00
context "with omniauth in test mode" do
before do
OmniAuth.config.test_mode = true
OmniAuth.config.add_mock(:google_oauth2,
info: OmniAuth::AuthHash::InfoHash.new(
email: "address@example.com",
),
extra: {
raw_info: OmniAuth::AuthHash.new(
email_verified: true,
email: "address@example.com",
)
}
)
Rails.application.env_config["omniauth.auth"] = OmniAuth.config.mock_auth[:google_oauth2]
end
after do
Rails.application.env_config["omniauth.auth"] = OmniAuth.config.mock_auth[:google_oauth2] = nil
OmniAuth.config.test_mode = false
end
it "should not redirect to authenticator if registration in progress" do
SiteSetting.enable_local_logins = false
SiteSetting.enable_google_oauth2_logins = true
get "/"
expect(response).to redirect_to("/auth/google_oauth2")
expect(cookies[:authentication_data]).to eq(nil)
get "/auth/google_oauth2/callback.json"
expect(response).to redirect_to("/")
expect(cookies[:authentication_data]).not_to eq(nil)
get "/"
expect(response).to redirect_to("/login")
end
end
FIX: correctly remove authentication_data cookie on oauth login flow Additionally correctly handle cookie path for authentication_data There were two bugs that exposed an interesting case where two discourse instances hosted across two subfolder installs in the same domain with oauth may clash and cause strange redirection on first login: Log in to example.com/forum1. authentication_data cookie is set with path / On the first redirection, the current authentication_data cookie is not unset. Log in to example.com/forum2. In this case, the authentication_data cookie is already set from forum1 - the initial page load will incorrectly redirect the user to the redirect URL from the already-stored cookie, to /forum1. This removes this issue by: * Setting the cookie for the correct path, and not having it on root * Correctly removing the cookie on first login
2020-03-21 16:24:49 -04:00
it 'contains authentication data when cookies exist' do
FIX: Cleanup authentication_data cookie after login (#11834) This cookie is only used during login. Having it persist after that can cause some unusual behavior, especially for sites with short session lengths. We were already deleting the cookie following a new signup, but not for existing users. This commit moves the cookie deletion logic out of the erb template, and adds logic and tests to ensure it is always deleted consistently. Co-authored-by: Jarek Radosz <jradosz@gmail.com>
2021-01-25 08:47:44 -05:00
cookie_data = "someauthenticationdata"
cookies['authentication_data'] = cookie_data
FIX: correctly remove authentication_data cookie on oauth login flow Additionally correctly handle cookie path for authentication_data There were two bugs that exposed an interesting case where two discourse instances hosted across two subfolder installs in the same domain with oauth may clash and cause strange redirection on first login: Log in to example.com/forum1. authentication_data cookie is set with path / On the first redirection, the current authentication_data cookie is not unset. Log in to example.com/forum2. In this case, the authentication_data cookie is already set from forum1 - the initial page load will incorrectly redirect the user to the redirect URL from the already-stored cookie, to /forum1. This removes this issue by: * Setting the cookie for the correct path, and not having it on root * Correctly removing the cookie on first login
2020-03-21 16:24:49 -04:00
get '/login'
expect(response.status).to eq(200)
FIX: Cleanup authentication_data cookie after login (#11834) This cookie is only used during login. Having it persist after that can cause some unusual behavior, especially for sites with short session lengths. We were already deleting the cookie following a new signup, but not for existing users. This commit moves the cookie deletion logic out of the erb template, and adds logic and tests to ensure it is always deleted consistently. Co-authored-by: Jarek Radosz <jradosz@gmail.com>
2021-01-25 08:47:44 -05:00
expect(response.body).to include("data-authentication-data=\"#{cookie_data}\"")
expect(response.headers["Set-Cookie"]).to include("authentication_data=;") # Delete cookie
end
it 'deletes authentication data cookie even if already authenticated' do
sign_in(Fabricate(:user))
cookies['authentication_data'] = "someauthenticationdata"
get '/'
expect(response.status).to eq(200)
expect(response.body).not_to include("data-authentication-data=")
expect(response.headers["Set-Cookie"]).to include("authentication_data=;") # Delete cookie
FIX: correctly remove authentication_data cookie on oauth login flow Additionally correctly handle cookie path for authentication_data There were two bugs that exposed an interesting case where two discourse instances hosted across two subfolder installs in the same domain with oauth may clash and cause strange redirection on first login: Log in to example.com/forum1. authentication_data cookie is set with path / On the first redirection, the current authentication_data cookie is not unset. Log in to example.com/forum2. In this case, the authentication_data cookie is already set from forum1 - the initial page load will incorrectly redirect the user to the redirect URL from the already-stored cookie, to /forum1. This removes this issue by: * Setting the cookie for the correct path, and not having it on root * Correctly removing the cookie on first login
2020-03-21 16:24:49 -04:00
end
FIX: Don't redirect XHR/JSON requests when login is required (#15093) When redirecting to login, we store a destination_url cookie, which the user is then redirected to after login. We never want the user to be redirected to a JSON URL. Instead, we should return a 403 in these situations. This should also be much less confusing for API consumers - a 403 is a better representation than a 302.
2021-12-02 10:12:25 -05:00
it "returns a 403 for json requests" do
get '/latest'
expect(response.status).to eq(302)
get '/latest.json'
expect(response.status).to eq(403)
end
Add spec test for authComplete param carry-forward
2018-03-27 08:34:40 -04:00
end
FIX: not found page shouldn't include the Google search form for sites with login_required enabled
2018-05-23 16:58:47 -04:00
FEATURE: Enforce two-factor authentication. (#6348)
2019-03-15 07:09:37 -04:00
describe '#redirect_to_second_factor_if_required' do
let(:admin) { Fabricate(:admin) }
DEV: Prefabrication (test optimization) (#7414) * Introduced fab!, a helper that creates database state for a group It's almost identical to let_it_be, except: 1. It creates a new object for each test by default, 2. You can disable it using PREFABRICATION=0
2019-05-06 23:12:20 -04:00
fab!(:user) { Fabricate(:user) }
FEATURE: Enforce two-factor authentication. (#6348)
2019-03-15 07:09:37 -04:00
before do
admin # to skip welcome wizard at home page `/`
end
it "should redirect admins when enforce_second_factor is 'all'" do
SiteSetting.enforce_second_factor = "all"
sign_in(admin)
get "/"
expect(response).to redirect_to("/u/#{admin.username}/preferences/second-factor")
end
it "should redirect users when enforce_second_factor is 'all'" do
SiteSetting.enforce_second_factor = "all"
sign_in(user)
get "/"
expect(response).to redirect_to("/u/#{user.username}/preferences/second-factor")
end
Don't check for second factor when switching to anonymous account (#7803)
2019-06-27 18:01:27 -04:00
it "should not redirect anonymous users when enforce_second_factor is 'all'" do
SiteSetting.enforce_second_factor = "all"
SiteSetting.allow_anonymous_posting = true
sign_in(user)
post "/u/toggle-anon.json"
expect(response.status).to eq(200)
get "/"
expect(response.status).to eq(200)
end
FEATURE: Enforce two-factor authentication. (#6348)
2019-03-15 07:09:37 -04:00
it "should redirect admins when enforce_second_factor is 'staff'" do
SiteSetting.enforce_second_factor = "staff"
sign_in(admin)
get "/"
expect(response).to redirect_to("/u/#{admin.username}/preferences/second-factor")
end
it "should not redirect users when enforce_second_factor is 'staff'" do
SiteSetting.enforce_second_factor = "staff"
sign_in(user)
get "/"
expect(response.status).to eq(200)
end
it "should not redirect admins when turned off" do
SiteSetting.enforce_second_factor = "no"
sign_in(admin)
get "/"
expect(response.status).to eq(200)
end
it "should not redirect users when turned off" do
SiteSetting.enforce_second_factor = "no"
sign_in(user)
get "/"
expect(response.status).to eq(200)
end
SECURITY: 2FA with U2F / TOTP
2020-01-15 05:27:12 -05:00
FIX: Redirects containing Unicode usernames didn't work
2020-06-05 12:31:58 -04:00
it "correctly redirects for Unicode usernames" do
SiteSetting.enforce_second_factor = "all"
SiteSetting.unicode_usernames = true
user = sign_in(Fabricate(:unicode_user))
get "/"
expect(response).to redirect_to("/u/#{user.encoded_username}/preferences/second-factor")
end
SECURITY: 2FA with U2F / TOTP
2020-01-15 05:27:12 -05:00
context "when enforcing second factor for staff" do
before do
SiteSetting.enforce_second_factor = "staff"
sign_in(admin)
end
context "when the staff member has not enabled TOTP or security keys" do
it "redirects the staff to the second factor preferences" do
get "/"
expect(response).to redirect_to("/u/#{admin.username}/preferences/second-factor")
end
end
context "when the staff member has enabled TOTP" do
before do
Fabricate(:user_second_factor_totp, user: admin)
end
it "does not redirects the staff to set up 2FA" do
get "/"
expect(response.status).to eq(200)
end
end
context "when the staff member has enabled security keys" do
before do
Fabricate(:user_security_key_with_random_credential, user: admin)
end
it "does not redirects the staff to set up 2FA" do
get "/"
expect(response.status).to eq(200)
end
end
end
FEATURE: Enforce two-factor authentication. (#6348)
2019-03-15 07:09:37 -04:00
end
FIX: stop logging every time invalid params are sent Previously we were logging warning for invalid encoded params, this can cause a log flood
2018-10-05 00:33:08 -04:00
describe 'invalid request params' do
before do
@old_logger = Rails.logger
@logs = StringIO.new
Rails.logger = Logger.new(@logs)
end
after do
Rails.logger = @old_logger
end
it 'should not raise a 500 (nor should it log a warning) for bad params' do
DEV: use #frozen_string_literal: true on all spec This change both speeds up specs (less strings to allocate) and helps catch cases where methods in Discourse are mutating inputs. Overall we will be migrating everything to use #frozen_string_literal: true it will take a while, but this is the first and safest move in this direction
2019-04-29 20:27:42 -04:00
bad_str = (+"d\xDE").force_encoding('utf-8')
FIX: stop logging every time invalid params are sent Previously we were logging warning for invalid encoded params, this can cause a log flood
2018-10-05 00:33:08 -04:00
expect(bad_str.valid_encoding?).to eq(false)
get "/latest.json", params: { test: bad_str }
expect(response.status).to eq(400)
DEV: add extra diagnostics for intermittent test fail
2018-12-02 19:31:12 -05:00
log = @logs.string
if (log.include? 'exception app middleware')
# heisentest diagnostics
puts
DEV: Correct typos and spelling mistakes (#12812) Over the years we accrued many spelling mistakes in the code base. This PR attempts to fix spelling mistakes and typos in all areas of the code that are extremely safe to change - comments - test descriptions - other low risk areas
2021-05-20 21:43:47 -04:00
puts "EXTRA DIAGNOSTICS FOR INTERMITTENT TEST FAIL"
DEV: add extra diagnostics for intermittent test fail
2018-12-02 19:31:12 -05:00
puts log
puts ">> action_dispatch.exception"
ex = request.env['action_dispatch.exception']
puts ">> exception class: #{ex.class} : #{ex}"
end
expect(log).not_to include('exception app middleware')
FIX: stop logging every time invalid params are sent Previously we were logging warning for invalid encoded params, this can cause a log flood
2018-10-05 00:33:08 -04:00
DEV: Use `response.parsed_body` in specs (#9615) Most of it was autofixed with rubocop-discourse 2.1.1.
2020-05-07 11:04:12 -04:00
expect(response.parsed_body).to eq(
FIX: stop logging every time invalid params are sent Previously we were logging warning for invalid encoded params, this can cause a log flood
2018-10-05 00:33:08 -04:00
"status" => 400,
"error" => "Bad Request"
)
DEV: add extra diagnostics for intermittent test fail
2018-12-02 19:31:12 -05:00
FIX: stop logging every time invalid params are sent Previously we were logging warning for invalid encoded params, this can cause a log flood
2018-10-05 00:33:08 -04:00
end
end
FIX: return 400 for missing required params (#6546) If a required param is missing return a 400 and show a message displaying which param was missing. Added this to the application controller so that we don't have to add this logic to every controller action.
2018-10-30 22:02:48 -04:00
describe 'missing required param' do
it 'should return a 400' do
get "/search/query.json", params: { trem: "misspelled term" }
expect(response.status).to eq(400)
DEV: Upgrade Rails to 6.1.3.1 (#12688) Rails 6.1.3.1 deprecates a few API and has some internal changes that break our tests suite, so this commit fixes all the deprecations and errors and now Discourse should be fully compatible with Rails 6.1.3.1. We also have a new release of the rails_failover gem that's compatible with Rails 6.1.3.1.
2021-04-21 05:36:32 -04:00
expect(response.parsed_body["errors"].first).to include("param is missing or the value is empty: term")
FIX: return 400 for missing required params (#6546) If a required param is missing return a 400 and show a message displaying which param was missing. Added this to the application controller so that we don't have to add this logic to every controller action.
2018-10-30 22:02:48 -04:00
end
end
FIX: not found page shouldn't include the Google search form for sites with login_required enabled
2018-05-23 16:58:47 -04:00
describe 'build_not_found_page' do
describe 'topic not found' do
FIX: check permalinks for deleted topics - allow to specify 410 vs 404 in Discourse::NotFound exception - remove unused `permalink_redirect_or_not_found` which - handle JS side links to topics via Discourse-Xhr-Redirect mechanism
2018-08-09 01:05:12 -04:00
FIX: if we have not target available do not redirect
2018-08-19 23:10:49 -04:00
it 'should not redirect to permalink if topic/category does not exist' do
topic = create_post.topic
Permalink.create!(url: topic.relative_url, topic_id: topic.id + 1)
topic.trash!
FEATURE: Add site setting to show more detailed 404 errors. (#8014) If the setting is turned on, then the user will receive information about the subject: if it was deleted or requires some special access to a group (only if the group is public). Otherwise, the user will receive a generic #404 error message. For now, this change affects only the topics and categories controller. This commit also tries to refactor some of the code related to error handling. To make error pages more consistent (design-wise), the actual error page will be rendered server-side.
2019-10-08 07:15:08 -04:00
SiteSetting.detailed_404 = false
get topic.relative_url
expect(response.status).to eq(404)
SiteSetting.detailed_404 = true
FIX: if we have not target available do not redirect
2018-08-19 23:10:49 -04:00
get topic.relative_url
expect(response.status).to eq(410)
end
FIX: check permalinks for deleted topics - allow to specify 410 vs 404 in Discourse::NotFound exception - remove unused `permalink_redirect_or_not_found` which - handle JS side links to topics via Discourse-Xhr-Redirect mechanism
2018-08-09 01:05:12 -04:00
it 'should return permalink for deleted topics' do
topic = create_post.topic
external_url = 'https://somewhere.over.rainbow'
Permalink.create!(url: topic.relative_url, external_url: external_url)
topic.trash!
get topic.relative_url
expect(response.status).to eq(301)
expect(response).to redirect_to(external_url)
get "/t/#{topic.id}.json"
expect(response.status).to eq(301)
expect(response).to redirect_to(external_url)
get "/t/#{topic.id}.json", xhr: true
expect(response.status).to eq(200)
expect(response.body).to eq(external_url)
end
FIX: permalink redirects with subfolder
2018-08-09 11:05:08 -04:00
it 'supports subfolder with permalinks' do
DEV: improve usability of subfolder specs Previously people were not consistent about mocking which left internals in a fragile state when running subfolder specs. This introduces a simple helper `set_subfolder` which you can use to set the subfolder for the spec. It takes care of proper configuration of subfolder and teardown. ``` # usage set_subfolder "/my_amazing_subfolder" ``` You should no longer stub base_uri or global_settings
2019-11-15 00:48:24 -05:00
set_subfolder "/forum"
FIX: permalink redirects with subfolder
2018-08-09 11:05:08 -04:00
trashed_topic = create_post.topic
trashed_topic.trash!
new_topic = create_post.topic
permalink = Permalink.create!(url: trashed_topic.relative_url, topic_id: new_topic.id)
# no subfolder because router doesn't know about subfolder in this test
get "/t/#{trashed_topic.slug}/#{trashed_topic.id}"
expect(response.status).to eq(301)
expect(response).to redirect_to("/forum/t/#{new_topic.slug}/#{new_topic.id}")
permalink.destroy
category = Fabricate(:category)
permalink = Permalink.create!(url: trashed_topic.relative_url, category_id: category.id)
get "/t/#{trashed_topic.slug}/#{trashed_topic.id}"
expect(response.status).to eq(301)
DEV: Update spec for category permalink Followup to 3215f2b6ee683b4a1290f8fd61c08ab7ac27090d
2020-03-20 18:26:45 -04:00
expect(response).to redirect_to("/forum/c/#{category.slug}/#{category.id}")
FIX: permalink redirects with subfolder
2018-08-09 11:05:08 -04:00
permalink.destroy
permalink = Permalink.create!(url: trashed_topic.relative_url, post_id: new_topic.posts.last.id)
get "/t/#{trashed_topic.slug}/#{trashed_topic.id}"
expect(response.status).to eq(301)
expect(response).to redirect_to("/forum/t/#{new_topic.slug}/#{new_topic.id}/#{new_topic.posts.last.post_number}")
end
DEV: Fix another frozen string error.
2019-05-16 22:07:18 -04:00
it 'should return 404 and show Google search for an invalid topic route' do
FIX: not found page shouldn't include the Google search form for sites with login_required enabled
2018-05-23 16:58:47 -04:00
get "/t/nope-nope/99999999"
DEV: Fix another frozen string error.
2019-05-16 22:07:18 -04:00
FIX: not found page shouldn't include the Google search form for sites with login_required enabled
2018-05-23 16:58:47 -04:00
expect(response.status).to eq(404)
DEV: Fix another frozen string error.
2019-05-16 22:07:18 -04:00
response_body = response.body
expect(response_body).to include(I18n.t('page_not_found.search_button'))
FEATURE: Add site setting to show more detailed 404 errors. (#8014) If the setting is turned on, then the user will receive information about the subject: if it was deleted or requires some special access to a group (only if the group is public). Otherwise, the user will receive a generic #404 error message. For now, this change affects only the topics and categories controller. This commit also tries to refactor some of the code related to error handling. To make error pages more consistent (design-wise), the actual error page will be rendered server-side.
2019-10-08 07:15:08 -04:00
expect(response_body).to have_tag("input", with: { value: 'nope nope' })
FIX: not found page shouldn't include the Google search form for sites with login_required enabled
2018-05-23 16:58:47 -04:00
end
it 'should not include Google search if login_required is enabled' do
SiteSetting.login_required = true
sign_in(Fabricate(:user))
get "/t/nope-nope/99999999"
expect(response.status).to eq(404)
expect(response.body).to_not include('google.com/search')
end
PERF: Cache build_not_found_page
2019-02-12 05:20:33 -05:00
FIX: logspam due to 404s on CSS files We had a missing formats: string on our render partial that caused logs to spam when CSS files got 404s. Due to magic discourse_public_exceptions.rb was actually returning the correct 404 cause it switched format when rendering the error.
2019-02-14 01:58:16 -05:00
describe 'no logspam' do
before do
@orig_logger = Rails.logger
Rails.logger = @fake_logger = FakeLogger.new
end
after do
Rails.logger = @orig_logger
end
it 'should handle 404 to a css file' do
FIX: Include locale in cache key for not_found_topics (#11406) This ensures that users are only served cached content in their own language. This commit also refactors to make use of the `Discourse.cache` framework rather than direct redis access
2020-12-07 07:24:18 -05:00
Discourse.cache.delete("page_not_found_topics:#{I18n.locale}")
FIX: logspam due to 404s on CSS files We had a missing formats: string on our render partial that caused logs to spam when CSS files got 404s. Due to magic discourse_public_exceptions.rb was actually returning the correct 404 cause it switched format when rendering the error.
2019-02-14 01:58:16 -05:00
topic1 = Fabricate(:topic)
get '/stylesheets/mobile_1_4cd559272273fe6d3c7db620c617d596a5fdf240.css', headers: { 'HTTP_ACCEPT' => 'text/css,*/*,q=0.1' }
expect(response.status).to eq(404)
expect(response.body).to include(topic1.title)
topic2 = Fabricate(:topic)
get '/stylesheets/mobile_1_4cd559272273fe6d3c7db620c617d596a5fdf240.css', headers: { 'HTTP_ACCEPT' => 'text/css,*/*,q=0.1' }
expect(response.status).to eq(404)
expect(response.body).to include(topic1.title)
expect(response.body).to_not include(topic2.title)
expect(Rails.logger.fatals.length).to eq(0)
expect(Rails.logger.errors.length).to eq(0)
expect(Rails.logger.warnings.length).to eq(0)
end
end
PERF: Cache build_not_found_page
2019-02-12 05:20:33 -05:00
it 'should cache results' do
FIX: Include locale in cache key for not_found_topics (#11406) This ensures that users are only served cached content in their own language. This commit also refactors to make use of the `Discourse.cache` framework rather than direct redis access
2020-12-07 07:24:18 -05:00
Discourse.cache.delete("page_not_found_topics:#{I18n.locale}")
Discourse.cache.delete("page_not_found_topics:fr")
PERF: Cache build_not_found_page
2019-02-12 05:20:33 -05:00
topic1 = Fabricate(:topic)
get '/t/nope-nope/99999999'
expect(response.status).to eq(404)
expect(response.body).to include(topic1.title)
topic2 = Fabricate(:topic)
get '/t/nope-nope/99999999'
expect(response.status).to eq(404)
expect(response.body).to include(topic1.title)
expect(response.body).to_not include(topic2.title)
FIX: Include locale in cache key for not_found_topics (#11406) This ensures that users are only served cached content in their own language. This commit also refactors to make use of the `Discourse.cache` framework rather than direct redis access
2020-12-07 07:24:18 -05:00
# Different locale should have different cache
SiteSetting.default_locale = :fr
get '/t/nope-nope/99999999'
expect(response.status).to eq(404)
expect(response.body).to include(topic1.title)
expect(response.body).to include(topic2.title)
PERF: Cache build_not_found_page
2019-02-12 05:20:33 -05:00
end
FIX: not found page shouldn't include the Google search form for sites with login_required enabled
2018-05-23 16:58:47 -04:00
end
end
FIX: move crawler blocking to app controller We need access to site settings in multisite, we do not have access yet if we attempt to get them in request tracker middleware
2018-07-03 20:07:14 -04:00
FEATURE: backend support for user-selectable components * FEATURE: backend support for user-selectable components * fix problems with previewing default theme * rename preview_key => preview_theme_id * omit default theme from child themes dropdown and try a different fix * cache & freeze stylesheets arrays
2018-08-08 00:46:34 -04:00
describe "#handle_theme" do
DEV: Prefabrication (test optimization) (#7414) * Introduced fab!, a helper that creates database state for a group It's almost identical to let_it_be, except: 1. It creates a new object for each test by default, 2. You can disable it using PREFABRICATION=0
2019-05-06 23:12:20 -04:00
let!(:theme) { Fabricate(:theme, user_selectable: true) }
let!(:theme2) { Fabricate(:theme, user_selectable: true) }
let!(:non_selectable_theme) { Fabricate(:theme, user_selectable: false) }
fab!(:user) { Fabricate(:user) }
fab!(:admin) { Fabricate(:admin) }
FEATURE: backend support for user-selectable components * FEATURE: backend support for user-selectable components * fix problems with previewing default theme * rename preview_key => preview_theme_id * omit default theme from child themes dropdown and try a different fix * cache & freeze stylesheets arrays
2018-08-08 00:46:34 -04:00
before do
sign_in(user)
end
it "selects the theme the user has selected" do
user.user_option.update_columns(theme_ids: [theme.id])
get "/"
expect(response.status).to eq(200)
PERF: Eager load Theme associations in Stylesheet Manager. Before this change, calling `StyleSheet::Manager.stylesheet_details` for the first time resulted in multiple queries to the database. This is because the code was modelled in a way where each `Theme` was loaded from the database one at a time. This PR restructures the code such that it allows us to load all the theme records in a single query. It also allows us to eager load the required associations upfront. In order to achieve this, I removed the support of loading multiple themes per request. It was initially added to support user selectable theme components but the feature was never completed and abandoned because it wasn't a feature that we thought was worth building.
2021-06-15 02:57:17 -04:00
expect(controller.theme_id).to eq(theme.id)
FEATURE: backend support for user-selectable components * FEATURE: backend support for user-selectable components * fix problems with previewing default theme * rename preview_key => preview_theme_id * omit default theme from child themes dropdown and try a different fix * cache & freeze stylesheets arrays
2018-08-08 00:46:34 -04:00
theme.update_attribute(:user_selectable, false)
get "/"
expect(response.status).to eq(200)
PERF: Eager load Theme associations in Stylesheet Manager. Before this change, calling `StyleSheet::Manager.stylesheet_details` for the first time resulted in multiple queries to the database. This is because the code was modelled in a way where each `Theme` was loaded from the database one at a time. This PR restructures the code such that it allows us to load all the theme records in a single query. It also allows us to eager load the required associations upfront. In order to achieve this, I removed the support of loading multiple themes per request. It was initially added to support user selectable theme components but the feature was never completed and abandoned because it wasn't a feature that we thought was worth building.
2021-06-15 02:57:17 -04:00
expect(controller.theme_id).to eq(SiteSetting.default_theme_id)
FEATURE: backend support for user-selectable components * FEATURE: backend support for user-selectable components * fix problems with previewing default theme * rename preview_key => preview_theme_id * omit default theme from child themes dropdown and try a different fix * cache & freeze stylesheets arrays
2018-08-08 00:46:34 -04:00
end
it "can be overridden with a cookie" do
user.user_option.update_columns(theme_ids: [theme.id])
cookies['theme_ids'] = "#{theme2.id}|#{user.user_option.theme_key_seq}"
get "/"
expect(response.status).to eq(200)
PERF: Eager load Theme associations in Stylesheet Manager. Before this change, calling `StyleSheet::Manager.stylesheet_details` for the first time resulted in multiple queries to the database. This is because the code was modelled in a way where each `Theme` was loaded from the database one at a time. This PR restructures the code such that it allows us to load all the theme records in a single query. It also allows us to eager load the required associations upfront. In order to achieve this, I removed the support of loading multiple themes per request. It was initially added to support user selectable theme components but the feature was never completed and abandoned because it wasn't a feature that we thought was worth building.
2021-06-15 02:57:17 -04:00
expect(controller.theme_id).to eq(theme2.id)
FEATURE: backend support for user-selectable components * FEATURE: backend support for user-selectable components * fix problems with previewing default theme * rename preview_key => preview_theme_id * omit default theme from child themes dropdown and try a different fix * cache & freeze stylesheets arrays
2018-08-08 00:46:34 -04:00
end
it "falls back to the default theme when the user has no cookies or preferences" do
user.user_option.update_columns(theme_ids: [])
cookies["theme_ids"] = nil
theme2.set_default!
get "/"
expect(response.status).to eq(200)
PERF: Eager load Theme associations in Stylesheet Manager. Before this change, calling `StyleSheet::Manager.stylesheet_details` for the first time resulted in multiple queries to the database. This is because the code was modelled in a way where each `Theme` was loaded from the database one at a time. This PR restructures the code such that it allows us to load all the theme records in a single query. It also allows us to eager load the required associations upfront. In order to achieve this, I removed the support of loading multiple themes per request. It was initially added to support user selectable theme components but the feature was never completed and abandoned because it wasn't a feature that we thought was worth building.
2021-06-15 02:57:17 -04:00
expect(controller.theme_id).to eq(theme2.id)
FEATURE: backend support for user-selectable components * FEATURE: backend support for user-selectable components * fix problems with previewing default theme * rename preview_key => preview_theme_id * omit default theme from child themes dropdown and try a different fix * cache & freeze stylesheets arrays
2018-08-08 00:46:34 -04:00
end
it "can be overridden with preview_theme_id param" do
sign_in(admin)
PERF: Eager load Theme associations in Stylesheet Manager. Before this change, calling `StyleSheet::Manager.stylesheet_details` for the first time resulted in multiple queries to the database. This is because the code was modelled in a way where each `Theme` was loaded from the database one at a time. This PR restructures the code such that it allows us to load all the theme records in a single query. It also allows us to eager load the required associations upfront. In order to achieve this, I removed the support of loading multiple themes per request. It was initially added to support user selectable theme components but the feature was never completed and abandoned because it wasn't a feature that we thought was worth building.
2021-06-15 02:57:17 -04:00
cookies['theme_ids'] = "#{theme.id}|#{admin.user_option.theme_key_seq}"
FEATURE: backend support for user-selectable components * FEATURE: backend support for user-selectable components * fix problems with previewing default theme * rename preview_key => preview_theme_id * omit default theme from child themes dropdown and try a different fix * cache & freeze stylesheets arrays
2018-08-08 00:46:34 -04:00
get "/", params: { preview_theme_id: theme2.id }
expect(response.status).to eq(200)
PERF: Eager load Theme associations in Stylesheet Manager. Before this change, calling `StyleSheet::Manager.stylesheet_details` for the first time resulted in multiple queries to the database. This is because the code was modelled in a way where each `Theme` was loaded from the database one at a time. This PR restructures the code such that it allows us to load all the theme records in a single query. It also allows us to eager load the required associations upfront. In order to achieve this, I removed the support of loading multiple themes per request. It was initially added to support user selectable theme components but the feature was never completed and abandoned because it wasn't a feature that we thought was worth building.
2021-06-15 02:57:17 -04:00
expect(controller.theme_id).to eq(theme2.id)
FIX: check admin theme cookie against user selectable previously admin got a free pass and could set theme via cookie to anything including themes that are not selectable this refactor ensures that only "preview" gets a free pass, all the rest goes through the same pipeline
2018-09-06 20:44:57 -04:00
get "/", params: { preview_theme_id: non_selectable_theme.id }
PERF: Eager load Theme associations in Stylesheet Manager. Before this change, calling `StyleSheet::Manager.stylesheet_details` for the first time resulted in multiple queries to the database. This is because the code was modelled in a way where each `Theme` was loaded from the database one at a time. This PR restructures the code such that it allows us to load all the theme records in a single query. It also allows us to eager load the required associations upfront. In order to achieve this, I removed the support of loading multiple themes per request. It was initially added to support user selectable theme components but the feature was never completed and abandoned because it wasn't a feature that we thought was worth building.
2021-06-15 02:57:17 -04:00
expect(controller.theme_id).to eq(non_selectable_theme.id)
FIX: check admin theme cookie against user selectable previously admin got a free pass and could set theme via cookie to anything including themes that are not selectable this refactor ensures that only "preview" gets a free pass, all the rest goes through the same pipeline
2018-09-06 20:44:57 -04:00
end
it "does not allow non privileged user to preview themes" do
sign_in(user)
get "/", params: { preview_theme_id: non_selectable_theme.id }
PERF: Eager load Theme associations in Stylesheet Manager. Before this change, calling `StyleSheet::Manager.stylesheet_details` for the first time resulted in multiple queries to the database. This is because the code was modelled in a way where each `Theme` was loaded from the database one at a time. This PR restructures the code such that it allows us to load all the theme records in a single query. It also allows us to eager load the required associations upfront. In order to achieve this, I removed the support of loading multiple themes per request. It was initially added to support user selectable theme components but the feature was never completed and abandoned because it wasn't a feature that we thought was worth building.
2021-06-15 02:57:17 -04:00
expect(controller.theme_id).to eq(SiteSetting.default_theme_id)
FEATURE: backend support for user-selectable components * FEATURE: backend support for user-selectable components * fix problems with previewing default theme * rename preview_key => preview_theme_id * omit default theme from child themes dropdown and try a different fix * cache & freeze stylesheets arrays
2018-08-08 00:46:34 -04:00
end
it "cookie can fail back to user if out of sync" do
user.user_option.update_columns(theme_ids: [theme.id])
cookies['theme_ids'] = "#{theme2.id}|#{user.user_option.theme_key_seq - 1}"
get "/"
expect(response.status).to eq(200)
PERF: Eager load Theme associations in Stylesheet Manager. Before this change, calling `StyleSheet::Manager.stylesheet_details` for the first time resulted in multiple queries to the database. This is because the code was modelled in a way where each `Theme` was loaded from the database one at a time. This PR restructures the code such that it allows us to load all the theme records in a single query. It also allows us to eager load the required associations upfront. In order to achieve this, I removed the support of loading multiple themes per request. It was initially added to support user selectable theme components but the feature was never completed and abandoned because it wasn't a feature that we thought was worth building.
2021-06-15 02:57:17 -04:00
expect(controller.theme_id).to eq(theme.id)
FEATURE: backend support for user-selectable components * FEATURE: backend support for user-selectable components * fix problems with previewing default theme * rename preview_key => preview_theme_id * omit default theme from child themes dropdown and try a different fix * cache & freeze stylesheets arrays
2018-08-08 00:46:34 -04:00
end
end
FEATURE: [Experimental] Content Security Policy (#6514) do not register new MIME type, parse raw body instead
2018-10-22 13:22:23 -04:00
SECURITY: enforce hostname to match discourse hostname This ensures that the hostname rails uses for various helpers always matches the Discourse hostname
2018-11-14 23:22:02 -05:00
describe 'Custom hostname' do
it 'does not allow arbitrary host injection' do
get("/latest",
headers: {
"X-Forwarded-Host" => "test123.com"
}
)
expect(response.body).not_to include("test123")
end
end
FEATURE: add site setting to remove `X-Frame-Options` header.
2019-12-05 16:45:09 -05:00
describe 'allow_embedding_site_in_an_iframe' do
it "should have the 'X-Frame-Options' header with value 'sameorigin'" do
get("/latest")
expect(response.headers['X-Frame-Options']).to eq("SAMEORIGIN")
end
it "should not include the 'X-Frame-Options' header" do
SiteSetting.allow_embedding_site_in_an_iframe = true
get("/latest")
expect(response.headers).not_to include('X-Frame-Options')
end
end
FEATURE: Delegated authentication via user api keys (#7272)
2019-04-01 13:18:53 -04:00
describe 'Delegated auth' do
let :public_key do
<<~TXT
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDh7BS7Ey8hfbNhlNAW/47pqT7w
IhBz3UyBYzin8JurEQ2pY9jWWlY8CH147KyIZf1fpcsi7ZNxGHeDhVsbtUKZxnFV
p16Op3CHLJnnJKKBMNdXMy0yDfCAHZtqxeBOTcCo1Vt/bHpIgiK5kmaekyXIaD0n
w0z/BYpOgZ8QwnI5ZwIDAQAB
-----END PUBLIC KEY-----
TXT
end
let :args do
{
auth_redirect: 'http://no-good.com',
user_api_public_key: "not-a-valid-public-key"
}
end
it 'disallows invalid public_key param' do
args[:auth_redirect] = "discourse://auth_redirect"
get "/latest", params: args
expect(response.body).to eq(I18n.t("user_api_key.invalid_public_key"))
end
it 'does not allow invalid auth_redirect' do
args[:user_api_public_key] = public_key
get "/latest", params: args
expect(response.body).to eq(I18n.t("user_api_key.invalid_auth_redirect"))
end
it 'does not redirect if one_time_password scope is disallowed' do
SiteSetting.allow_user_api_key_scopes = "read|write"
args[:user_api_public_key] = public_key
args[:auth_redirect] = "discourse://auth_redirect"
get "/latest", params: args
expect(response.status).to_not eq(302)
expect(response).to_not redirect_to("#{args[:auth_redirect]}?otp=true")
end
it 'redirects correctly with valid params' do
FIX: double render error with delegated authentication Makes sure delegated authentication is checked before other login redirects Updates specs to cover login_required = true cases
2019-04-01 22:13:53 -04:00
SiteSetting.login_required = true
FEATURE: Delegated authentication via user api keys (#7272)
2019-04-01 13:18:53 -04:00
args[:user_api_public_key] = public_key
args[:auth_redirect] = "discourse://auth_redirect"
get "/categories", params: args
expect(response.status).to eq(302)
expect(response).to redirect_to("#{args[:auth_redirect]}?otp=true")
end
end
FEATURE: [Experimental] Content Security Policy (#6514) do not register new MIME type, parse raw body instead
2018-10-22 13:22:23 -04:00
describe 'Content Security Policy' do
it 'is enabled by SiteSettings' do
SiteSetting.content_security_policy = false
SiteSetting.content_security_policy_report_only = false
get '/'
expect(response.headers).to_not include('Content-Security-Policy')
expect(response.headers).to_not include('Content-Security-Policy-Report-Only')
SiteSetting.content_security_policy = true
SiteSetting.content_security_policy_report_only = true
get '/'
expect(response.headers).to include('Content-Security-Policy')
expect(response.headers).to include('Content-Security-Policy-Report-Only')
end
it 'can be customized with SiteSetting' do
SiteSetting.content_security_policy = true
get '/'
script_src = parse(response.headers['Content-Security-Policy'])['script-src']
expect(script_src).to_not include('example.com')
SiteSetting.content_security_policy_script_src = 'example.com'
get '/'
script_src = parse(response.headers['Content-Security-Policy'])['script-src']
expect(script_src).to include('example.com')
end
it 'does not set CSP when responding to non-HTML' do
SiteSetting.content_security_policy = true
SiteSetting.content_security_policy_report_only = true
get '/latest.json'
expect(response.headers).to_not include('Content-Security-Policy')
expect(response.headers).to_not include('Content-Security-Policy-Report-Only')
end
FEATURE: Implement nonces for Google Tag Manager integration (#12531)
2021-03-26 11:19:31 -04:00
it 'when GTM is enabled it adds the same nonce to the policy and the GTM tag' do
SiteSetting.content_security_policy = true
SiteSetting.gtm_container_id = 'GTM-ABCDEF'
get '/latest'
nonce = ApplicationHelper.google_tag_manager_nonce
expect(response.headers).to include('Content-Security-Policy')
script_src = parse(response.headers['Content-Security-Policy'])['script-src']
expect(script_src.to_s).to include(nonce)
expect(response.body).to include(nonce)
end
FEATURE: [Experimental] Content Security Policy (#6514) do not register new MIME type, parse raw body instead
2018-10-22 13:22:23 -04:00
def parse(csp_string)
csp_string.split(';').map do |policy|
directive, *sources = policy.split
[directive, sources]
end.to_h
end
end
FIX: apply defaults constraints to routes format (take 2) (#7920) Reapplies https://github.com/discourse/discourse/commit/7d01c5de1a92b020e19f387123a3cbbbe969c727
2019-07-23 13:17:44 -04:00
it 'can respond to a request with */* accept header' do
get '/', headers: { HTTP_ACCEPT: '*/*' }
expect(response.status).to eq(200)
expect(response.body).to include('Discourse')
end
FEATURE: default canonical URL (#9738) For pages that do not specify canonical URL we will default to `https://SITENAME/PATH`. This ensures that if a URL is crawled on the CDN the search ranking will transfer to the main site. Additionally we whitelist the `?page` param
2020-05-11 19:13:20 -04:00
it 'has canonical tag' do
get '/', headers: { HTTP_ACCEPT: '*/*' }
expect(response.body).to have_tag("link", with: { rel: "canonical", href: "http://test.localhost/" })
get '/?query_param=true', headers: { HTTP_ACCEPT: '*/*' }
expect(response.body).to have_tag("link", with: { rel: "canonical", href: "http://test.localhost/" })
get '/latest?page=2&additional_param=true', headers: { HTTP_ACCEPT: '*/*' }
expect(response.body).to have_tag("link", with: { rel: "canonical", href: "http://test.localhost/latest?page=2" })
get '/404', headers: { HTTP_ACCEPT: '*/*' }
expect(response.body).to have_tag("link", with: { rel: "canonical", href: "http://test.localhost/404" })
topic = create_post.topic
get "/t/#{topic.slug}/#{topic.id}"
expect(response.body).to have_tag("link", with: { rel: "canonical", href: "http://test.localhost/t/#{topic.slug}/#{topic.id}" })
end
FIX: Make set_locale an around_action to avoid leaking between requests (#10282)
2020-07-22 12:30:26 -04:00
FEATURE: Send a 'noindex' header in non-canonical responses (#15026) * FEATURE: Optionally send a 'noindex' header in non-canonical responses This will be used in a SEO experiment. Co-authored-by: David Taylor <david@taylorhq.com>
2021-11-25 14:58:39 -05:00
it "adds a noindex header if non-canonical indexing is disabled" do
SiteSetting.allow_indexing_non_canonical_urls = false
get '/'
expect(response.headers['X-Robots-Tag']).to be_nil
get '/latest'
expect(response.headers['X-Robots-Tag']).to be_nil
get '/categories'
expect(response.headers['X-Robots-Tag']).to be_nil
topic = create_post.topic
get "/t/#{topic.slug}/#{topic.id}"
expect(response.headers['X-Robots-Tag']).to be_nil
post = create_post(topic_id: topic.id)
get "/t/#{topic.slug}/#{topic.id}/2"
expect(response.headers['X-Robots-Tag']).to eq('noindex')
20.times do
create_post(topic_id: topic.id)
end
get "/t/#{topic.slug}/#{topic.id}/21"
expect(response.headers['X-Robots-Tag']).to eq('noindex')
get "/t/#{topic.slug}/#{topic.id}?page=2"
expect(response.headers['X-Robots-Tag']).to be_nil
end
FIX: Use correct locale for error messages (#10776) Error messages for exceeded rate limits and invalid parameters always used the English locale instead of the default locale or the current user's locale.
2020-09-29 15:42:45 -04:00
context "default locale" do
before do
SiteSetting.default_locale = :fr
sign_in(Fabricate(:user))
end
after do
I18n.reload!
end
context "with rate limits" do
DEV: Fix heisentest
2020-09-30 11:04:19 -04:00
before do
RateLimiter.clear_all!
RateLimiter.enable
end
FIX: Use correct locale for error messages (#10776) Error messages for exceeded rate limits and invalid parameters always used the English locale instead of the default locale or the current user's locale.
2020-09-29 15:42:45 -04:00
it "serves a LimitExceeded error in the preferred locale" do
SiteSetting.max_likes_per_day = 1
post1 = Fabricate(:post)
post2 = Fabricate(:post)
override = TranslationOverride.create(
locale: "fr",
translation_key: "rate_limiter.by_type.create_like",
value: "French LimitExceeded error message"
)
I18n.reload!
post "/post_actions.json", params: {
id: post1.id, post_action_type_id: PostActionType.types[:like]
}
expect(response.status).to eq(200)
post "/post_actions.json", params: {
id: post2.id, post_action_type_id: PostActionType.types[:like]
}
expect(response.status).to eq(429)
expect(response.parsed_body["errors"].first).to eq(override.value)
end
end
it "serves an InvalidParameters error with the default locale" do
override = TranslationOverride.create(
locale: "fr",
translation_key: "invalid_params",
value: "French InvalidParameters error message"
)
I18n.reload!
get "/search.json", params: { q: "hello\0hello" }
expect(response.status).to eq(400)
expect(response.parsed_body["errors"].first).to eq(override.value)
end
end
FIX: Make set_locale an around_action to avoid leaking between requests (#10282)
2020-07-22 12:30:26 -04:00
describe "set_locale" do
# Using /bootstrap.json because it returns a locale-dependent value
def headers(locale)
{ HTTP_ACCEPT_LANGUAGE: locale }
end
context "allow_user_locale disabled" do
context "accept-language header differs from default locale" do
before do
SiteSetting.allow_user_locale = false
SiteSetting.default_locale = "en"
end
context "with an anonymous user" do
it "uses the default locale" do
get "/bootstrap.json", headers: headers("fr")
expect(response.status).to eq(200)
expect(response.parsed_body['bootstrap']['locale_script']).to end_with("en.js")
end
end
context "with a logged in user" do
it "it uses the default locale" do
user = Fabricate(:user, locale: :fr)
sign_in(user)
get "/bootstrap.json", headers: headers("fr")
expect(response.status).to eq(200)
expect(response.parsed_body['bootstrap']['locale_script']).to end_with("en.js")
end
end
end
end
context "set_locale_from_accept_language_header enabled" do
context "accept-language header differs from default locale" do
before do
SiteSetting.allow_user_locale = true
SiteSetting.set_locale_from_accept_language_header = true
SiteSetting.default_locale = "en"
end
context "with an anonymous user" do
it "uses the locale from the headers" do
get "/bootstrap.json", headers: headers("fr")
expect(response.status).to eq(200)
expect(response.parsed_body['bootstrap']['locale_script']).to end_with("fr.js")
end
it "doesn't leak after requests" do
get "/bootstrap.json", headers: headers("fr")
expect(response.status).to eq(200)
expect(response.parsed_body['bootstrap']['locale_script']).to end_with("fr.js")
expect(I18n.locale.to_s).to eq(SiteSettings::DefaultsProvider::DEFAULT_LOCALE)
end
end
context "with a logged in user" do
FIX: Ensure correct locale is set during RenderEmpty responses Follow-up to bcb0e623
2020-07-28 17:20:38 -04:00
let(:user) { Fabricate(:user, locale: :fr) }
FIX: Make set_locale an around_action to avoid leaking between requests (#10282)
2020-07-22 12:30:26 -04:00
before do
sign_in(user)
end
it "uses the user's preferred locale" do
get "/bootstrap.json", headers: headers("fr")
expect(response.status).to eq(200)
expect(response.parsed_body['bootstrap']['locale_script']).to end_with("fr.js")
end
it "serves a 404 page in the preferred locale" do
get "/missingroute", headers: headers("fr")
expect(response.status).to eq(404)
expected_title = I18n.t("page_not_found.title", locale: :fr)
expect(response.body).to include(CGI.escapeHTML(expected_title))
end
FIX: Ensure correct locale is set during RenderEmpty responses Follow-up to bcb0e623
2020-07-28 17:20:38 -04:00
it "serves a RenderEmpty page in the preferred locale" do
get "/u/#{user.username}/preferences/interface"
expect(response.status).to eq(200)
expect(response.body).to have_tag('script', with: { src: "/assets/locales/fr.js" })
end
FIX: Make set_locale an around_action to avoid leaking between requests (#10282)
2020-07-22 12:30:26 -04:00
end
end
context "the preferred locale includes a region" do
it "returns the locale and region separated by an underscore" do
SiteSetting.allow_user_locale = true
SiteSetting.set_locale_from_accept_language_header = true
SiteSetting.default_locale = "en"
get "/bootstrap.json", headers: headers("zh-CN")
expect(response.status).to eq(200)
expect(response.parsed_body['bootstrap']['locale_script']).to end_with("zh_CN.js")
end
end
context 'accept-language header is not set' do
it 'uses the site default locale' do
SiteSetting.allow_user_locale = true
SiteSetting.default_locale = 'en'
get "/bootstrap.json", headers: headers("")
expect(response.status).to eq(200)
expect(response.parsed_body['bootstrap']['locale_script']).to end_with("en.js")
end
end
end
end
FIX: Include the Vary:Accept header on all Accept-based responses (#14647) By default, Rails only includes the Vary:Accept header in responses when the Accept: header is included in the request. This means that proxies/browsers may cache a response to a request with a missing Accept header, and then later serve that cached version for a request which **does** supply the Accept header. This can lead to some very unexpected behavior in browsers. This commit adds the Vary:Accept header for all requests, even if the Accept header is not present in the request. If a format parameter (e.g. `.json` suffix) is included in the path, then the Accept header is still omitted. (The format parameter takes precedence over any Accept: header, so the response is no longer varies based on the Accept header)
2021-10-25 07:53:50 -04:00
describe 'vary header' do
it 'includes Vary:Accept on all requests where format is not explicit' do
# Rails default behaviour - include Vary:Accept when Accept is supplied
get "/latest", headers: { "Accept" => "application/json" }
expect(response.status).to eq(200)
expect(response.headers["Vary"]).to eq("Accept")
# Discourse additional behaviour (see lib/vary_header.rb)
# Include Vary:Accept even when Accept is not supplied
get "/latest"
expect(response.status).to eq(200)
expect(response.headers["Vary"]).to eq("Accept")
# Not needed, because the path 'format' parameter overrides the Accept header
get "/latest.json"
expect(response.status).to eq(200)
expect(response.headers["Vary"]).to eq(nil)
end
end
FEATURE: Apply rate limits per user instead of IP for trusted users (#14706) Currently, Discourse rate limits all incoming requests by the IP address they originate from regardless of the user making the request. This can be frustrating if there are multiple users using Discourse simultaneously while sharing the same IP address (e.g. employees in an office). This commit implements a new feature to make Discourse apply rate limits by user id rather than IP address for users at or higher than the configured trust level (1 is the default). For example, let's say a Discourse instance is configured to allow 200 requests per minute per IP address, and we have 10 users at trust level 4 using Discourse simultaneously from the same IP address. Before this feature, the 10 users could only make a total of 200 requests per minute before they got rate limited. But with the new feature, each user is allowed to make 200 requests per minute because the rate limits are applied on user id rather than the IP address. The minimum trust level for applying user-id-based rate limits can be configured by the `skip_per_ip_rate_limit_trust_level` global setting. The default is 1, but it can be changed by either adding the `DISCOURSE_SKIP_PER_IP_RATE_LIMIT_TRUST_LEVEL` environment variable with the desired value to your `app.yml`, or changing the setting's value in the `discourse.conf` file. Requests made with API keys are still rate limited by IP address and the relevant global settings that control API keys rate limits. Before this commit, Discourse's auth cookie (`_t`) was simply a 32 characters string that Discourse used to lookup the current user from the database and the cookie contained no additional information about the user. However, we had to change the cookie content in this commit so we could identify the user from the cookie without making a database query before the rate limits logic and avoid introducing a bottleneck on busy sites. Besides the 32 characters auth token, the cookie now includes the user id, trust level and the cookie's generation date, and we encrypt/sign the cookie to prevent tampering. Internal ticket number: t54739.
2021-11-17 15:27:30 -05:00
describe "Discourse-Rate-Limit-Error-Code header" do
fab!(:admin) { Fabricate(:admin) }
before do
RateLimiter.clear_all!
RateLimiter.enable
end
it "is included when API key is rate limited" do
global_setting :max_admin_api_reqs_per_minute, 1
api_key = ApiKey.create!(user_id: admin.id).key
get "/latest.json", headers: {
"Api-Key": api_key,
"Api-Username": admin.username
}
expect(response.status).to eq(200)
get "/latest.json", headers: {
"Api-Key": api_key,
"Api-Username": admin.username
}
expect(response.status).to eq(429)
expect(response.headers["Discourse-Rate-Limit-Error-Code"]).to eq("admin_api_key_rate_limit")
end
it "is included when user API key is rate limited" do
global_setting :max_user_api_reqs_per_minute, 1
user_api_key = UserApiKey.create!(
user_id: admin.id,
client_id: "",
application_name: "discourseapp"
)
user_api_key.scopes = UserApiKeyScope.all_scopes.keys.map do |name|
UserApiKeyScope.create!(name: name, user_api_key_id: user_api_key.id)
end
user_api_key.save!
get "/session/current.json", headers: {
"User-Api-Key": user_api_key.key,
}
expect(response.status).to eq(200)
get "/session/current.json", headers: {
"User-Api-Key": user_api_key.key,
}
expect(response.status).to eq(429)
expect(
response.headers["Discourse-Rate-Limit-Error-Code"]
).to eq("user_api_key_limiter_60_secs")
global_setting :max_user_api_reqs_per_minute, 100
global_setting :max_user_api_reqs_per_day, 1
get "/session/current.json", headers: {
"User-Api-Key": user_api_key.key,
}
expect(response.status).to eq(429)
expect(
response.headers["Discourse-Rate-Limit-Error-Code"]
).to eq("user_api_key_limiter_1_day")
end
end
FEATURE: Replace `Crawl-delay` directive with proper rate limiting (#15131) We have a couple of site setting, `slow_down_crawler_user_agents` and `slow_down_crawler_rate`, that are meant to allow site owners to signal to specific crawlers that they're crawling the site too aggressively and that they should slow down. When a crawler is added to the `slow_down_crawler_user_agents` setting, Discourse currently adds a `Crawl-delay` directive for that crawler in `/robots.txt`. Unfortunately, many crawlers don't support the `Crawl-delay` directive in `/robots.txt` which leaves the site owners no options if a crawler is crawling the site too aggressively. This PR replaces the `Crawl-delay` directive with proper rate limiting for crawlers added to the `slow_down_crawler_user_agents` list. On every request made by a non-logged in user, Discourse will check the User Agent string and if it contains one of the values of the `slow_down_crawler_user_agents` list, Discourse will only allow 1 request every N seconds for that User Agent (N is the value of the `slow_down_crawler_rate` setting) and the rest of requests made within the same interval will get a 429 response. The `slow_down_crawler_user_agents` setting becomes quite dangerous with this PR since it could rate limit lots if not all of anonymous traffic if the setting is not used appropriately. So to protect against this scenario, we've added a couple of new validations to the setting when it's changed: 1) each value added to setting must 3 characters or longer 2) each value cannot be a substring of tokens found in popular browser User Agent. The current list of prohibited values is: apple, windows, linux, ubuntu, gecko, firefox, chrome, safari, applewebkit, webkit, mozilla, macintosh, khtml, intel, osx, os x, iphone, ipad and mac.
2021-11-30 04:55:25 -05:00
describe "crawlers in slow_down_crawler_user_agents site setting" do
before do
RateLimiter.enable
RateLimiter.clear_all!
end
it "are rate limited" do
SiteSetting.slow_down_crawler_rate = 128
SiteSetting.slow_down_crawler_user_agents = "badcrawler|problematiccrawler"
now = Time.zone.now
freeze_time now
get "/", headers: {
"HTTP_USER_AGENT" => "iam badcrawler"
}
expect(response.status).to eq(200)
get "/", headers: {
"HTTP_USER_AGENT" => "iam badcrawler"
}
expect(response.status).to eq(429)
expect(response.headers["Retry-After"]).to eq("128")
get "/", headers: {
"HTTP_USER_AGENT" => "iam problematiccrawler"
}
expect(response.status).to eq(200)
get "/", headers: {
"HTTP_USER_AGENT" => "iam problematiccrawler"
}
expect(response.status).to eq(429)
expect(response.headers["Retry-After"]).to eq("128")
freeze_time now + 100.seconds
get "/", headers: {
"HTTP_USER_AGENT" => "iam badcrawler"
}
expect(response.status).to eq(429)
expect(response.headers["Retry-After"]).to eq("28")
get "/", headers: {
"HTTP_USER_AGENT" => "iam problematiccrawler"
}
expect(response.status).to eq(429)
expect(response.headers["Retry-After"]).to eq("28")
freeze_time now + 150.seconds
get "/", headers: {
"HTTP_USER_AGENT" => "iam badcrawler"
}
expect(response.status).to eq(200)
get "/", headers: {
"HTTP_USER_AGENT" => "iam problematiccrawler"
}
expect(response.status).to eq(200)
end
end
Add spec test for authComplete param carry-forward
2018-03-27 08:34:40 -04:00
end