discourse/spec/requests/users_controller_spec.rb

require 'rails_helper'

RSpec.describe UsersController do
  let(:user) { Fabricate(:user) }

  def honeypot_magic(params)
    get '/u/hp.json'
    json = JSON.parse(response.body)
    params[:password_confirmation] = json["value"]
    params[:challenge] = json["challenge"].reverse
    params
  end

  describe '#create' do

    context "when taking over a staged account" do
      let!(:staged) { Fabricate(:staged, email: "staged@account.com", active: true) }

      it "succeeds" do
        post '/u.json', params: honeypot_magic(
          email: staged.email,
          username: "zogstrip",
          password: "P4ssw0rd$$"
        )

        expect(response.status).to eq(200)
        result = ::JSON.parse(response.body)
        expect(result["success"]).to eq(true)

        created_user = User.find_by_email(staged.email)
        expect(created_user.staged).to eq(false)
        expect(created_user.active).to eq(false)
        expect(created_user.registration_ip_address).to be_present
        expect(!!created_user.custom_fields["from_staged"]).to eq(true)

        # do not allow emails changes please

        put "/u/update-activation-email.json", params: { email: 'bob@bob.com' }

        created_user.reload
        expect(created_user.email).to eq("staged@account.com")
        expect(response.status).not_to eq(200)
      end
    end

  end

  describe '#show' do

    it "should be able to view a user" do
      get "/u/#{user.username}"

      expect(response).to be_success
      expect(response.body).to include(user.username)
    end

    describe 'when username contains a period' do
      before do
        user.update!(username: 'test.test')
      end

      it "should be able to view a user" do
        get "/u/#{user.username}"

        expect(response).to be_success
        expect(response.body).to include(user.username)
      end
    end
  end

  describe "#badges" do
    it "renders fine by default" do
      get "/u/#{user.username}/badges"
      expect(response).to be_success
    end

    it "fails if badges are disabled" do
      SiteSetting.enable_badges = false
      get "/u/#{user.username}/badges"
      expect(response.status).to eq(404)
    end
  end

  describe "updating a user" do
    before do
      sign_in(user)
    end

    it "should be able to update a user" do
      put "/u/#{user.username}.json", params: { name: 'test.test' }

      expect(response).to be_success
      expect(user.reload.name).to eq('test.test')
    end

    describe 'when username contains a period' do
      before do
        user.update!(username: 'test.test')
      end

      it "should be able to update a user" do
        put "/u/#{user.username}.json", params: { name: 'testing123' }

        expect(response).to be_success
        expect(user.reload.name).to eq('testing123')
      end
    end
  end

  describe "#account_created" do
    it "returns a message when no session is present" do
      get "/u/account-created"

      expect(response).to be_success

      body = response.body

      expect(body).to match(I18n.t('activation.missing_session'))
    end

    it "redirects when the user is logged in" do
      sign_in(Fabricate(:user))
      get "/u/account-created"

      expect(response).to redirect_to("/")
    end

    context "when the user account is created" do
      include ApplicationHelper

      it "returns the message when set in the session" do
        user = create_user
        get "/u/account-created"

        expect(response).to be_success

        expect(response.body).to include(
          "{\"message\":\"#{I18n.t("login.activate_email", email: user.email).gsub!("</", "<\\/")}\",\"show_controls\":true,\"username\":\"#{user.username}\",\"email\":\"#{user.email}\"}"
        )
      end
    end
  end

  describe "search_users" do
    let(:topic) { Fabricate :topic }
    let(:user)  { Fabricate :user, username: "joecabot", name: "Lawrence Tierney" }
    let(:post1) { Fabricate(:post, user: user, topic: topic) }

    before do
      SearchIndexer.enable
      post1
    end

    it "searches when provided the term only" do
      get "/u/search/users.json", params: { term: user.name.split(" ").last }
      expect(response).to be_success
      json = JSON.parse(response.body)
      expect(json["users"].map { |u| u["username"] }).to include(user.username)
    end

    it "searches when provided the topic only" do
      get "/u/search/users.json", params: { topic_id: topic.id }
      expect(response).to be_success
      json = JSON.parse(response.body)
      expect(json["users"].map { |u| u["username"] }).to include(user.username)
    end

    it "searches when provided the term and topic" do
      get "/u/search/users.json", params: {
        term: user.name.split(" ").last, topic_id: topic.id
      }

      expect(response).to be_success
      json = JSON.parse(response.body)
      expect(json["users"].map { |u| u["username"] }).to include(user.username)
    end

    it "searches only for users who have access to private topic" do
      privileged_user = Fabricate(:user, trust_level: 4, username: "joecabit", name: "Lawrence Tierney")
      privileged_group = Fabricate(:group)
      privileged_group.add(privileged_user)
      privileged_group.save

      category = Fabricate(:category)
      category.set_permissions(privileged_group => :readonly)
      category.save

      private_topic = Fabricate(:topic, category: category)

      get "/u/search/users.json", params: {
        term: user.name.split(" ").last, topic_id: private_topic.id, topic_allowed_users: "true"
      }

      expect(response).to be_success
      json = JSON.parse(response.body)
      expect(json["users"].map { |u| u["username"] }).to_not include(user.username)
      expect(json["users"].map { |u| u["username"] }).to include(privileged_user.username)
    end

    context "when `enable_names` is true" do
      before do
        SiteSetting.enable_names = true
      end

      it "returns names" do
        get "/u/search/users.json", params: { term: user.name }
        json = JSON.parse(response.body)
        expect(json["users"].map { |u| u["name"] }).to include(user.name)
      end
    end

    context "when `enable_names` is false" do
      before do
        SiteSetting.enable_names = false
      end

      it "returns names" do
        get "/u/search/users.json", params: { term: user.name }
        json = JSON.parse(response.body)
        expect(json["users"].map { |u| u["name"] }).not_to include(user.name)
      end
    end

    context 'groups' do
      let!(:mentionable_group) do
        Fabricate(:group,
          mentionable_level: 99,
          messageable_level: 0,
          visibility_level: 0
        )
      end

      let!(:mentionable_group_2) do
        Fabricate(:group,
          mentionable_level: 99,
          messageable_level: 0,
          visibility_level: 1
        )
      end

      let!(:messageable_group) do
        Fabricate(:group,
          mentionable_level: 0,
          messageable_level: 99
        )
      end

      describe 'when signed in' do
        before do
          sign_in(user)
        end

        it "only returns visible groups" do
          get "/u/search/users.json", params: { include_groups: "true" }

          expect(response).to be_success

          groups = JSON.parse(response.body)["groups"]

          expect(groups.map { |group| group['name'] })
            .to_not include(mentionable_group_2.name)
        end

        it "doesn't search for groups" do
          get "/u/search/users.json", params: {
            include_mentionable_groups: 'false',
            include_messageable_groups: 'false'
          }

          expect(response).to be_success
          expect(JSON.parse(response.body)).not_to have_key(:groups)
        end

        it "searches for messageable groups" do
          get "/u/search/users.json", params: {
            include_mentionable_groups: 'false',
            include_messageable_groups: 'true'
          }

          expect(response).to be_success

          expect(JSON.parse(response.body)["groups"].map { |group| group['name'] })
            .to contain_exactly(messageable_group.name, Group.find(Group::AUTO_GROUPS[:moderators]).name)
        end

        it 'searches for mentionable groups' do
          get "/u/search/users.json", params: {
            include_messageable_groups: 'false',
            include_mentionable_groups: 'true'
          }

          expect(response).to be_success

          groups = JSON.parse(response.body)["groups"]

          expect(groups.map { |group| group['name'] })
            .to contain_exactly(mentionable_group.name, mentionable_group_2.name)
        end
      end

      describe 'when not signed in' do
        it 'should not include mentionable/messageable groups' do
          get "/u/search/users.json", params: {
            include_mentionable_groups: 'false',
            include_messageable_groups: 'false'
          }

          expect(response).to be_success
          expect(JSON.parse(response.body)).not_to have_key(:groups)

          get "/u/search/users.json", params: {
            include_mentionable_groups: 'false',
            include_messageable_groups: 'true'
          }

          expect(response).to be_success
          expect(JSON.parse(response.body)).not_to have_key(:groups)

          get "/u/search/users.json", params: {
            include_messageable_groups: 'false',
            include_mentionable_groups: 'true'
          }

          expect(response).to be_success
          expect(JSON.parse(response.body)).not_to have_key(:groups)
        end
      end
    end
  end

  describe '.user_preferences_redirect' do
    it 'requires the user to be logged in' do
      get '/user_preferences'
      expect(response.status).to eq(404)
    end

    it "redirects to their profile when logged in" do
      sign_in(user)
      get '/user_preferences'
      expect(response).to redirect_to("/u/#{user.username_lower}/preferences")
    end
  end
end
FIX: Incorrect route for updating username. 2016-12-16 11:21:28 -05:00			`require 'rails_helper'`

Move new controller specs to reqeusts folder. 2017-08-23 23:01:11 -04:00			`RSpec.describe UsersController do`
FIX: Incorrect route for updating username. 2016-12-16 11:21:28 -05:00			`let(:user) { Fabricate(:user) }`

SECURITY: prevent staged accounts from changing email 2017-12-14 01:16:49 -05:00			`def honeypot_magic(params)`
			`get '/u/hp.json'`
			`json = JSON.parse(response.body)`
			`params[:password_confirmation] = json["value"]`
			`params[:challenge] = json["challenge"].reverse`
			`params`
			`end`

			`describe '#create' do`

			`context "when taking over a staged account" do`
			`let!(:staged) { Fabricate(:staged, email: "staged@account.com", active: true) }`

			`it "succeeds" do`
			`post '/u.json', params: honeypot_magic(`
			`email: staged.email,`
			`username: "zogstrip",`
			`password: "P4ssw0rd$$"`
			`)`

			`expect(response.status).to eq(200)`
			`result = ::JSON.parse(response.body)`
			`expect(result["success"]).to eq(true)`

			`created_user = User.find_by_email(staged.email)`
			`expect(created_user.staged).to eq(false)`
			`expect(created_user.active).to eq(false)`
			`expect(created_user.registration_ip_address).to be_present`
			`expect(!!created_user.custom_fields["from_staged"]).to eq(true)`

			`# do not allow emails changes please`

			`put "/u/update-activation-email.json", params: { email: 'bob@bob.com' }`

			`created_user.reload`
			`expect(created_user.email).to eq("staged@account.com")`
			`expect(response.status).not_to eq(200)`
			`end`
			`end`

			`end`

Move new controller specs to reqeusts folder. 2017-08-23 23:01:11 -04:00			`describe '#show' do`
FIX: username route was broken 2016-12-16 13:26:22 -05:00
			`it "should be able to view a user" do`
Convert server side paths to use `/u/` 2017-03-28 14:27:54 -04:00			`get "/u/#{user.username}"`
FIX: username route was broken 2016-12-16 13:26:22 -05:00
			`expect(response).to be_success`
			`expect(response.body).to include(user.username)`
			`end`

			`describe 'when username contains a period' do`
			`before do`
			`user.update!(username: 'test.test')`
			`end`

			`it "should be able to view a user" do`
Convert server side paths to use `/u/` 2017-03-28 14:27:54 -04:00			`get "/u/#{user.username}"`
FIX: username route was broken 2016-12-16 13:26:22 -05:00
			`expect(response).to be_success`
			`expect(response.body).to include(user.username)`
			`end`
			`end`
			`end`

FIX: Some badge routes were still working even with badges disabled 2017-11-21 12:22:24 -05:00			`describe "#badges" do`
			`it "renders fine by default" do`
			`get "/u/#{user.username}/badges"`
			`expect(response).to be_success`
			`end`

			`it "fails if badges are disabled" do`
			`SiteSetting.enable_badges = false`
			`get "/u/#{user.username}/badges"`
Improve specs to test for the right response status. 2017-11-23 20:32:44 -05:00			`expect(response.status).to eq(404)`
FIX: Some badge routes were still working even with badges disabled 2017-11-21 12:22:24 -05:00			`end`
			`end`

FIX: Incorrect route for updating username. 2016-12-16 11:21:28 -05:00			`describe "updating a user" do`
			`before do`
			`sign_in(user)`
			`end`

			`it "should be able to update a user" do`
Fix all the errors to get our tests green on Rails 5.1. 2017-08-31 00:06:56 -04:00			`put "/u/#{user.username}.json", params: { name: 'test.test' }`
FIX: Incorrect route for updating username. 2016-12-16 11:21:28 -05:00
			`expect(response).to be_success`
			`expect(user.reload.name).to eq('test.test')`
			`end`

			`describe 'when username contains a period' do`
			`before do`
			`user.update!(username: 'test.test')`
			`end`

			`it "should be able to update a user" do`
Fix all the errors to get our tests green on Rails 5.1. 2017-08-31 00:06:56 -04:00			`put "/u/#{user.username}.json", params: { name: 'testing123' }`
FIX: Incorrect route for updating username. 2016-12-16 11:21:28 -05:00
			`expect(response).to be_success`
			`expect(user.reload.name).to eq('testing123')`
			`end`
			`end`
			`end`
Fix all the errors to get our tests green on Rails 5.1. 2017-08-31 00:06:56 -04:00
			`describe "#account_created" do`
			`it "returns a message when no session is present" do`
			`get "/u/account-created"`

			`expect(response).to be_success`

			`body = response.body`

			`expect(body).to match(I18n.t('activation.missing_session'))`
			`end`

			`it "redirects when the user is logged in" do`
			`sign_in(Fabricate(:user))`
			`get "/u/account-created"`

			`expect(response).to redirect_to("/")`
			`end`

			`context "when the user account is created" do`
			`include ApplicationHelper`

			`it "returns the message when set in the session" do`
			`user = create_user`
			`get "/u/account-created"`

			`expect(response).to be_success`

			`expect(response.body).to include(`
			`"{\"message\":\"#{I18n.t("login.activate_email", email: user.email).gsub!("</", "<\\/")}\",\"show_controls\":true,\"username\":\"#{user.username}\",\"email\":\"#{user.email}\"}"`
			`)`
			`end`
			`end`
			`end`
FIX: More fixes for `Group#mentionable` and `Group#messageable` feature. 2017-10-02 05:45:58 -04:00
			`describe "search_users" do`
			`let(:topic) { Fabricate :topic }`
			`let(:user) { Fabricate :user, username: "joecabot", name: "Lawrence Tierney" }`
			`let(:post1) { Fabricate(:post, user: user, topic: topic) }`

			`before do`
			`SearchIndexer.enable`
			`post1`
			`end`

			`it "searches when provided the term only" do`
			`get "/u/search/users.json", params: { term: user.name.split(" ").last }`
			`expect(response).to be_success`
			`json = JSON.parse(response.body)`
			`expect(json["users"].map { \|u\| u["username"] }).to include(user.username)`
			`end`

			`it "searches when provided the topic only" do`
			`get "/u/search/users.json", params: { topic_id: topic.id }`
			`expect(response).to be_success`
			`json = JSON.parse(response.body)`
			`expect(json["users"].map { \|u\| u["username"] }).to include(user.username)`
			`end`

			`it "searches when provided the term and topic" do`
			`get "/u/search/users.json", params: {`
			`term: user.name.split(" ").last, topic_id: topic.id`
			`}`

			`expect(response).to be_success`
			`json = JSON.parse(response.body)`
			`expect(json["users"].map { \|u\| u["username"] }).to include(user.username)`
			`end`

			`it "searches only for users who have access to private topic" do`
			`privileged_user = Fabricate(:user, trust_level: 4, username: "joecabit", name: "Lawrence Tierney")`
			`privileged_group = Fabricate(:group)`
			`privileged_group.add(privileged_user)`
			`privileged_group.save`

			`category = Fabricate(:category)`
			`category.set_permissions(privileged_group => :readonly)`
			`category.save`

			`private_topic = Fabricate(:topic, category: category)`

			`get "/u/search/users.json", params: {`
			`term: user.name.split(" ").last, topic_id: private_topic.id, topic_allowed_users: "true"`
			`}`

			`expect(response).to be_success`
			`json = JSON.parse(response.body)`
			`expect(json["users"].map { \|u\| u["username"] }).to_not include(user.username)`
			`expect(json["users"].map { \|u\| u["username"] }).to include(privileged_user.username)`
			`end`

			context "when `enable_names` is true" do
			`before do`
			`SiteSetting.enable_names = true`
			`end`

			`it "returns names" do`
			`get "/u/search/users.json", params: { term: user.name }`
			`json = JSON.parse(response.body)`
			`expect(json["users"].map { \|u\| u["name"] }).to include(user.name)`
			`end`
			`end`

			context "when `enable_names` is false" do
			`before do`
			`SiteSetting.enable_names = false`
			`end`

			`it "returns names" do`
			`get "/u/search/users.json", params: { term: user.name }`
			`json = JSON.parse(response.body)`
			`expect(json["users"].map { \|u\| u["name"] }).not_to include(user.name)`
			`end`
			`end`

			`context 'groups' do`
FIX: Unable to invite groups that are not public visible into pms. https://meta.discourse.org/t/inviting-groups-broken-in-head/73346/6 2017-11-03 09:39:55 -04:00			`let!(:mentionable_group) do`
			`Fabricate(:group,`
			`mentionable_level: 99,`
			`messageable_level: 0,`
			`visibility_level: 0`
			`)`
			`end`

			`let!(:mentionable_group_2) do`
			`Fabricate(:group,`
			`mentionable_level: 99,`
			`messageable_level: 0,`
			`visibility_level: 1`
			`)`
			`end`

			`let!(:messageable_group) do`
			`Fabricate(:group,`
			`mentionable_level: 0,`
			`messageable_level: 99`
			`)`
			`end`
FIX: More fixes for `Group#mentionable` and `Group#messageable` feature. 2017-10-02 05:45:58 -04:00
			`describe 'when signed in' do`
			`before do`
			`sign_in(user)`
			`end`

FIX: Unable to invite groups that are not public visible into pms. https://meta.discourse.org/t/inviting-groups-broken-in-head/73346/6 2017-11-03 09:39:55 -04:00			`it "only returns visible groups" do`
			`get "/u/search/users.json", params: { include_groups: "true" }`

			`expect(response).to be_success`

			`groups = JSON.parse(response.body)["groups"]`

			`expect(groups.map { \|group\| group['name'] })`
			`.to_not include(mentionable_group_2.name)`
			`end`

FIX: username autocomplete in assign modal wasn't working 2017-10-03 06:49:45 -04:00			`it "doesn't search for groups" do`
			`get "/u/search/users.json", params: {`
			`include_mentionable_groups: 'false',`
			`include_messageable_groups: 'false'`
			`}`

			`expect(response).to be_success`
			`expect(JSON.parse(response.body)).not_to have_key(:groups)`
			`end`

FIX: More fixes for `Group#mentionable` and `Group#messageable` feature. 2017-10-02 05:45:58 -04:00			`it "searches for messageable groups" do`
			`get "/u/search/users.json", params: {`
			`include_mentionable_groups: 'false',`
			`include_messageable_groups: 'true'`
			`}`

			`expect(response).to be_success`
Fix randomly failing spec. 2018-01-03 01:42:16 -05:00
			`expect(JSON.parse(response.body)["groups"].map { \|group\| group['name'] })`
			`.to contain_exactly(messageable_group.name, Group.find(Group::AUTO_GROUPS[:moderators]).name)`
FIX: More fixes for `Group#mentionable` and `Group#messageable` feature. 2017-10-02 05:45:58 -04:00			`end`

			`it 'searches for mentionable groups' do`
			`get "/u/search/users.json", params: {`
			`include_messageable_groups: 'false',`
			`include_mentionable_groups: 'true'`
			`}`

			`expect(response).to be_success`
FIX: Unable to invite groups that are not public visible into pms. https://meta.discourse.org/t/inviting-groups-broken-in-head/73346/6 2017-11-03 09:39:55 -04:00
			`groups = JSON.parse(response.body)["groups"]`

			`expect(groups.map { \|group\| group['name'] })`
FIX: Brittle, order dependent spec 2017-11-04 09:30:17 -04:00			`.to contain_exactly(mentionable_group.name, mentionable_group_2.name)`
FIX: More fixes for `Group#mentionable` and `Group#messageable` feature. 2017-10-02 05:45:58 -04:00			`end`
			`end`

			`describe 'when not signed in' do`
			`it 'should not include mentionable/messageable groups' do`
FIX: username autocomplete in assign modal wasn't working 2017-10-03 06:49:45 -04:00			`get "/u/search/users.json", params: {`
			`include_mentionable_groups: 'false',`
			`include_messageable_groups: 'false'`
			`}`

			`expect(response).to be_success`
			`expect(JSON.parse(response.body)).not_to have_key(:groups)`
remove trailing whitespaces 2017-10-03 07:02:04 -04:00
FIX: More fixes for `Group#mentionable` and `Group#messageable` feature. 2017-10-02 05:45:58 -04:00			`get "/u/search/users.json", params: {`
			`include_mentionable_groups: 'false',`
			`include_messageable_groups: 'true'`
			`}`

			`expect(response).to be_success`
FIX: username autocomplete in assign modal wasn't working 2017-10-03 06:49:45 -04:00			`expect(JSON.parse(response.body)).not_to have_key(:groups)`
FIX: More fixes for `Group#mentionable` and `Group#messageable` feature. 2017-10-02 05:45:58 -04:00
			`get "/u/search/users.json", params: {`
			`include_messageable_groups: 'false',`
			`include_mentionable_groups: 'true'`
			`}`

			`expect(response).to be_success`
FIX: username autocomplete in assign modal wasn't working 2017-10-03 06:49:45 -04:00			`expect(JSON.parse(response.body)).not_to have_key(:groups)`
FIX: More fixes for `Group#mentionable` and `Group#messageable` feature. 2017-10-02 05:45:58 -04:00			`end`
			`end`
			`end`
			`end`
FIX: return 429 when admin api key is limited on admin route This also handles a general case where exceptions leak out prior to being handled by the application controller 2018-01-11 22:15:10 -05:00
			`describe '.user_preferences_redirect' do`
			`it 'requires the user to be logged in' do`
			`get '/user_preferences'`
			`expect(response.status).to eq(404)`
			`end`

			`it "redirects to their profile when logged in" do`
			`sign_in(user)`
			`get '/user_preferences'`
			`expect(response).to redirect_to("/u/#{user.username_lower}/preferences")`
			`end`
			`end`
FIX: Incorrect route for updating username. 2016-12-16 11:21:28 -05:00			`end`