discourse/spec/requests/posts_controller_spec.rb

# frozen_string_literal: true

RSpec.shared_examples 'finding and showing post' do
  let!(:post) { post_by_user }

  it "ensures the user can't see the post" do
    topic = post.topic
    topic.convert_to_private_message(Discourse.system_user)
    topic.remove_allowed_user(Discourse.system_user, user.username)
    get url
    expect(response).to be_forbidden
  end

  it 'succeeds' do
    get url
    expect(response.status).to eq(200)
  end

  it "returns 404 when post's topic is deleted" do
    post.topic.destroy!
    get url
    expect(response.status).to eq(404)
  end

  context "deleted post" do
    before do
      post.trash!(user)
    end

    it "can't find deleted posts as an anonymous user" do
      get url
      expect(response.status).to eq(404)
    end

    it "can't find deleted posts as a regular user" do
      sign_in(user)
      get url
      expect(response.status).to eq(404)
    end

    it "can find posts as a moderator" do
      sign_in(moderator)
      get url
      expect(response.status).to eq(200)
    end

    it "can find posts as a admin" do
      sign_in(admin)
      get url
      expect(response.status).to eq(200)
    end

    context "category group moderator" do
      fab!(:group_user) { Fabricate(:group_user) }
      let(:user_gm) { group_user.user }
      let(:group) { group_user.group }

      before do
        SiteSetting.enable_category_group_moderation = true
        sign_in(user_gm)
      end

      it "can find posts in the allowed category" do
        post.topic.category.update!(reviewable_by_group_id: group.id, topic_id: topic.id)
        get url
        expect(response.status).to eq(200)
      end

      it "can't find posts outside of the allowed category" do
        get url
        expect(response.status).to eq(404)
      end
    end
  end
end

RSpec.shared_examples 'action requires login' do |method, url, params = {}|
  it 'raises an exception when not logged in' do
    self.public_send(method, url, **params)
    expect(response.status).to eq(403)
  end
end

RSpec.describe PostsController do
  fab!(:admin) { Fabricate(:admin) }
  fab!(:moderator) { Fabricate(:moderator) }
  fab!(:user) { Fabricate(:user) }
  fab!(:user_trust_level_0) { Fabricate(:trust_level_0) }
  fab!(:user_trust_level_1) { Fabricate(:trust_level_1) }
  fab!(:category) { Fabricate(:category) }
  fab!(:topic) { Fabricate(:topic) }
  fab!(:post_by_user) { Fabricate(:post, user: user) }
  let(:public_post) { Fabricate(:post, user: user, topic: topic) }
  let(:topicless_post) { Fabricate(:post, user: user, raw: '<p>Car 54, where are you?</p>') }

  let(:private_topic) do
    Fabricate(:topic, archetype: Archetype.private_message, category_id: nil)
  end

  let(:private_post) { Fabricate(:post, user: user, topic: private_topic) }

  describe '#show' do
    include_examples 'finding and showing post' do
      let(:url) { "/posts/#{post.id}.json" }
    end

    it 'gets all the expected fields' do
      # non fabricated test
      new_post = create_post

      get "/posts/#{new_post.id}.json"
      parsed = response.parsed_body

      expect(parsed["topic_slug"]).to eq(new_post.topic.slug)
      expect(parsed["moderator"]).to eq(false)
      expect(parsed["username"]).to eq(new_post.user.username)
      expect(parsed["cooked"]).to eq(new_post.cooked)
    end
  end

  describe '#by_number' do
    include_examples 'finding and showing post' do
      let(:url) { "/posts/by_number/#{post.topic_id}/#{post.post_number}.json" }
    end
  end

  describe '#by_date' do
    include_examples 'finding and showing post' do
      let(:url) { "/posts/by-date/#{post.topic_id}/#{post.created_at.strftime("%Y-%m-%d")}.json" }
    end

    it 'returns the expected post' do
      first_post = Fabricate(:post, created_at: 10.days.ago)
      second_post = Fabricate(:post, topic: first_post.topic, created_at: 4.days.ago)
      _third_post = Fabricate(:post, topic: first_post.topic, created_at: 3.days.ago)

      get "/posts/by-date/#{second_post.topic_id}/#{(second_post.created_at - 2.days).strftime("%Y-%m-%d")}.json"
      json = response.parsed_body

      expect(response.status).to eq(200)
      expect(json["id"]).to eq(second_post.id)
    end

    it 'returns no post if date is > at last created post' do
      get "/posts/by-date/#{post.topic_id}/2245-11-11.json"
      _json = response.parsed_body
      expect(response.status).to eq(404)
    end
  end

  describe '#reply_history' do
    include_examples 'finding and showing post' do
      let(:url) { "/posts/#{post.id}/reply-history.json" }
    end

    it "returns the replies with allowlisted user custom fields" do
      parent = Fabricate(:post)
      child = Fabricate(:post, topic: parent.topic, reply_to_post_number: parent.post_number)

      parent.user.upsert_custom_fields(hello: 'world', hidden: 'dontshow')
      SiteSetting.public_user_custom_fields = 'hello'

      get "/posts/#{child.id}/reply-history.json"
      expect(response.status).to eq(200)

      json = response.parsed_body
      expect(json[0]['id']).to eq(parent.id)
      expect(json[0]['user_custom_fields']['hello']).to eq('world')
      expect(json[0]['user_custom_fields']['hidden']).to be_blank
    end
  end

  describe '#reply_ids' do
    include_examples 'finding and showing post' do
      let(:url) { "/posts/#{post.id}/reply-ids.json" }
    end

    it "returns ids of post's replies" do
      post = Fabricate(:post)
      reply1 = Fabricate(:post, topic: post.topic, reply_to_post_number: post.post_number)
      reply2 = Fabricate(:post, topic: post.topic, reply_to_post_number: post.post_number)
      PostReply.create(post_id: post.id, reply_post_id: reply1.id)
      PostReply.create(post_id: post.id, reply_post_id: reply2.id)

      get "/posts/#{post.id}/reply-ids.json"

      expect(response.status).to eq(200)
      expect(response.parsed_body).to eq([
        { "id" => reply1.id, "level" => 1 },
        { "id" => reply2.id, "level" => 1 },
      ])
    end
  end

  describe '#replies' do
    include_examples 'finding and showing post' do
      let(:url) { "/posts/#{post.id}/replies.json" }
    end

    it 'asks post for replies' do
      parent = Fabricate(:post)
      child = Fabricate(:post, topic: parent.topic, reply_to_post_number: parent.post_number)
      PostReply.create!(post: parent, reply: child)

      child.user.upsert_custom_fields(hello: 'world', hidden: 'dontshow')
      SiteSetting.public_user_custom_fields = 'hello'

      get "/posts/#{parent.id}/replies.json"
      expect(response.status).to eq(200)

      json = response.parsed_body
      expect(json[0]['id']).to eq(child.id)
      expect(json[0]['user_custom_fields']['hello']).to eq('world')
      expect(json[0]['user_custom_fields']['hidden']).to be_blank
    end
  end

  describe '#destroy' do
    include_examples 'action requires login', :delete, "/posts/123.json"

    describe 'when logged in' do
      let(:topic) { Fabricate(:topic) }

      it "raises an error when the user doesn't have permission to see the post" do
        pm = Fabricate(:private_message_topic)
        post = Fabricate(:post, topic: pm, post_number: 3)

        sign_in(user)

        delete "/posts/#{post.id}.json"
        expect(response).to be_forbidden
      end

      it "raises an error when the self deletions are disabled" do
        SiteSetting.max_post_deletions_per_day = 0
        post = Fabricate(:post, user: user, topic: topic, post_number: 3)
        sign_in(user)

        delete "/posts/#{post.id}.json"
        expect(response).to be_forbidden
      end

      it "uses a PostDestroyer" do
        post = Fabricate(:post, topic_id: topic.id, post_number: 3)
        sign_in(moderator)

        destroyer = mock
        PostDestroyer.expects(:new).returns(destroyer)
        destroyer.expects(:destroy)

        delete "/posts/#{post.id}.json"
      end

      context "permanently destroy" do
        let!(:post) { Fabricate(:post, topic_id: topic.id, post_number: 3) }

        before do
          SiteSetting.can_permanently_delete = true
        end

        it "does not work for a post that was not deleted yet" do
          sign_in(admin)

          delete "/posts/#{post.id}.json", params: { force_destroy: true }
          expect(response.status).to eq(403)
        end

        it "needs some time to pass to permanently delete a topic" do
          sign_in(admin)

          delete "/posts/#{post.id}.json"
          expect(response.status).to eq(200)
          expect(post.reload.deleted_by_id).to eq(admin.id)

          delete "/posts/#{post.id}.json", params: { force_destroy: true }
          expect(response.status).to eq(403)

          post.update!(deleted_at: 10.minutes.ago)

          delete "/posts/#{post.id}.json", params: { force_destroy: true }
          expect(response.status).to eq(200)
          expect { post.reload }.to raise_error(ActiveRecord::RecordNotFound)
        end

        it "needs two users to permanently delete a topic" do
          sign_in(admin)

          delete "/posts/#{post.id}.json"
          expect(response.status).to eq(200)
          expect(post.reload.deleted_by_id).to eq(admin.id)

          sign_in(Fabricate(:admin))

          delete "/posts/#{post.id}.json", params: { force_destroy: true }
          expect(response.status).to eq(200)
          expect { post.reload }.to raise_error(ActiveRecord::RecordNotFound)
        end

        it "moderators cannot permanently delete topics" do
          sign_in(admin)

          delete "/posts/#{post.id}.json"
          expect(response.status).to eq(200)
          expect(post.reload.deleted_by_id).to eq(admin.id)

          sign_in(moderator)

          delete "/posts/#{post.id}.json", params: { force_destroy: true }
          expect(response.status).to eq(403)
        end
      end
    end
  end

  describe '#destroy_many' do
    include_examples 'action requires login', :delete, "/posts/destroy_many.json", params: { post_ids: [123, 345] }

    describe 'when logged in' do
      fab!(:poster) { Fabricate(:moderator) }
      fab!(:post1) { Fabricate(:post, user: poster, post_number: 2) }
      fab!(:post2) { Fabricate(:post, topic: post1.topic, user: poster, post_number: 3, reply_to_post_number: post1.post_number) }

      it "raises invalid parameters no post_ids" do
        sign_in(poster)
        delete "/posts/destroy_many.json"
        expect(response.status).to eq(400)
        expect(response.message.downcase).to eq("bad request")
      end

      it "raises invalid parameters with missing ids" do
        sign_in(poster)
        delete "/posts/destroy_many.json", params: { post_ids: [12345] }
        expect(response.status).to eq(400)
      end

      it "raises an error when the user doesn't have permission to delete the posts" do
        sign_in(user)
        delete "/posts/destroy_many.json", params: { post_ids: [post1.id, post2.id] }
        expect(response).to be_forbidden
      end

      it "deletes the post" do
        sign_in(poster)
        PostDestroyer.any_instance.expects(:destroy).twice
        delete "/posts/destroy_many.json", params: { post_ids: [post1.id, post2.id] }
        expect(response.status).to eq(200)
      end

      it "updates the highest read data for the forum" do
        sign_in(poster)
        Topic.expects(:reset_highest).twice
        delete "/posts/destroy_many.json", params: { post_ids: [post1.id, post2.id] }
      end

      describe "can delete replies" do
        before do
          PostReply.create(post_id: post1.id, reply_post_id: post2.id)
        end

        it "deletes the post and the reply to it" do
          sign_in(poster)
          PostDestroyer.any_instance.expects(:destroy).twice
          delete "/posts/destroy_many.json", params: { post_ids: [post1.id], reply_post_ids: [post1.id] }
        end
      end

      context "deleting flagged posts" do
        before do
          sign_in(moderator)
          PostActionCreator.off_topic(moderator, post1)
          PostActionCreator.off_topic(moderator, post2)
          Jobs::SendSystemMessage.clear
        end

        it "defers the child posts by default" do
          expect(ReviewableFlaggedPost.pending.count).to eq(2)
          delete "/posts/destroy_many.json", params: { post_ids: [post1.id, post2.id] }
          expect(Jobs::SendSystemMessage.jobs.size).to eq(1)
          expect(ReviewableFlaggedPost.pending.count).to eq(0)
        end

        it "can defer all posts based on `agree_with_first_reply_flag` param" do
          expect(ReviewableFlaggedPost.pending.count).to eq(2)
          delete "/posts/destroy_many.json", params: { post_ids: [post1.id, post2.id], agree_with_first_reply_flag: false }
          PostActionCreator.off_topic(moderator, post1)
          PostActionCreator.off_topic(moderator, post2)
          Jobs::SendSystemMessage.clear
        end
      end
    end
  end

  describe '#recover' do
    include_examples 'action requires login', :put, "/posts/123/recover.json"

    describe 'when logged in' do
      it "raises an error when the user doesn't have permission to see the post" do
        post = Fabricate(:post, topic: Fabricate(:private_message_topic), post_number: 3)
        sign_in(user)

        put "/posts/#{post.id}/recover.json"
        expect(response).to be_forbidden
      end

      it "raises an error when self deletion/recovery is disabled" do
        SiteSetting.max_post_deletions_per_day = 0
        post = Fabricate(:post, user: user, topic: topic, post_number: 3)
        sign_in(user)

        put "/posts/#{post.id}/recover.json"
        expect(response).to be_forbidden
      end

      it "recovers a post correctly" do
        topic_id = create_post.topic_id
        post = create_post(topic_id: topic_id)
        sign_in(user)

        PostDestroyer.new(user, post).destroy
        put "/posts/#{post.id}/recover.json"
        post.reload
        expect(post.trashed?).to be_falsey
      end
    end
  end

  describe '#update' do
    include_examples 'action requires login', :put, "/posts/2.json"

    let!(:post) { post_by_user }
    let(:update_params) do
      {
        post: { raw: 'edited body', edit_reason: 'typo' },
        image_sizes: { 'http://image.com/image.jpg' => { 'width' => 123, 'height' => 456 } },
      }
    end

    describe 'when logged in as a regular user' do
      before do
        sign_in(user)
      end

      it 'does not allow TL0 or TL1 to update when edit time limit expired' do
        SiteSetting.post_edit_time_limit = 5
        SiteSetting.tl2_post_edit_time_limit = 30

        post = Fabricate(:post, created_at: 10.minutes.ago, user: user)

        user.update_columns(trust_level: 1)

        put "/posts/#{post.id}.json", params: update_params

        expect(response.status).to eq(422)
        expect(response.parsed_body['errors']).to include(I18n.t('too_late_to_edit'))
      end

      it 'does not allow TL2 to update when edit time limit expired' do
        SiteSetting.post_edit_time_limit = 12
        SiteSetting.tl2_post_edit_time_limit = 8

        user.update_columns(trust_level: 2)

        post = Fabricate(:post, created_at: 10.minutes.ago, user: user)

        put "/posts/#{post.id}.json", params: update_params

        expect(response.status).to eq(422)
        expect(response.parsed_body['errors']).to include(I18n.t('too_late_to_edit'))
      end

      it 'passes the image sizes through' do
        Post.any_instance.expects(:image_sizes=)
        put "/posts/#{post.id}.json", params: update_params
      end

      it 'passes the edit reason through' do
        put "/posts/#{post.id}.json", params: update_params
        expect(response.status).to eq(200)
        post.reload
        expect(post.edit_reason).to eq("typo")
        expect(post.raw).to eq("edited body")
      end

      it 'checks for an edit conflict' do
        update_params[:post][:raw_old] = 'old body'
        put "/posts/#{post.id}.json", params: update_params

        expect(response.status).to eq(409)
      end

      it "raises an error when the post parameter is missing" do
        update_params.delete(:post)
        put "/posts/#{post.id}.json", params: update_params
        expect(response.status).to eq(400)
        expect(response.message.downcase).to eq("bad request")
      end

      it "raises an error when the user doesn't have permission to see the post" do
        post = Fabricate(:private_message_post, post_number: 3)
        put "/posts/#{post.id}.json", params: update_params
        expect(response).to be_forbidden
      end

      it "updates post's raw attribute" do
        put "/posts/#{post.id}.json", params: { post: { raw: 'edited body   ' } }

        expect(response.status).to eq(200)
        expect(response.parsed_body['post']['raw']).to eq('edited body')
        expect(post.reload.raw).to eq('edited body')
      end

      it "extracts links from the new body" do
        param = update_params
        param[:post][:raw] = 'I just visited this https://google.com so many cool links'

        put "/posts/#{post.id}.json", params: param

        expect(response.status).to eq(200)
        expect(TopicLink.count).to eq(1)
      end

      it "doesn't allow updating of deleted posts" do
        first_post = post.topic.ordered_posts.first
        PostDestroyer.new(moderator, first_post).destroy

        put "/posts/#{first_post.id}.json", params: update_params
        expect(response).not_to be_successful
      end
    end

    describe "when logged in as staff" do
      before do
        sign_in(moderator)
      end

      it "supports updating posts in deleted topics" do
        first_post = post.topic.ordered_posts.first
        PostDestroyer.new(moderator, first_post).destroy

        put "/posts/#{first_post.id}.json", params: update_params
        expect(response.status).to eq(200)

        post.reload
        expect(post.raw).to eq('edited body')
      end

      it "won't update bump date if post is a whisper" do
        created_at = freeze_time 1.day.ago
        post = Fabricate(:post, post_type: Post.types[:whisper], user: user)

        unfreeze_time
        put "/posts/#{post.id}.json", params: update_params

        expect(response.status).to eq(200)
        expect(post.topic.reload.bumped_at).to eq_time(created_at)
      end
    end

    describe "when logged in as group moderator" do
      fab!(:topic) { Fabricate(:topic, category: category) }
      fab!(:post) { Fabricate(:post, user: user, topic: topic) }
      fab!(:group_user) { Fabricate(:group_user) }
      let(:user_gm) { group_user.user }
      let(:group) { group_user.group }

      before do
        SiteSetting.enable_category_group_moderation = true
        post.topic.category.update!(reviewable_by_group_id: group.id, topic_id: topic.id)
        sign_in(user_gm)
      end

      it "allows updating the category description" do
        put "/posts/#{post.id}.json", params: update_params
        expect(response.status).to eq(200)

        post.reload
        expect(post.raw).to eq('edited body')
        expect(UserHistory.where(action: UserHistory.actions[:post_edit]).count).to eq(1)
      end

      it "can not update category descriptions in other categories" do
        second_category = Fabricate(:category)
        topic.update!(category: second_category)

        put "/posts/#{post.id}.json", params: update_params
        expect(response.status).to eq(403)
      end

    end

    it 'can not change category to a disallowed category' do
      post = create_post
      sign_in(post.user)

      category = Fabricate(:category)
      category.set_permissions(staff: :full)
      category.save!

      put "/posts/#{post.id}.json", params: {
        post: { category_id: category.id, raw: "this is a test edit to post" }
      }

      expect(response.status).not_to eq(200)
      expect(post.topic.category_id).not_to eq(category.id)
    end

    it 'can not move to a category that requires topic approval' do
      post = create_post
      sign_in(post.user)

      category = Fabricate(:category)
      category.custom_fields[Category::REQUIRE_TOPIC_APPROVAL] = true
      category.save!

      put "/posts/#{post.id}.json", params: { post: { category_id: category.id, raw: "this is a test edit to post" } }

      expect(response.status).to eq(403)
      expect(post.topic.reload.category_id).not_to eq(category.id)
    end

    describe "with Post.plugin_permitted_update_params" do
      before do
        plugin = Plugin::Instance.new
        plugin.add_permitted_post_update_param(:random_number) do |post, value|
          post.custom_fields[:random_number] = value
          post.save
        end
      end

      after do
        DiscoursePluginRegistry.reset!
      end

      it "calls blocks passed into `add_permitted_post_update_param`" do
        sign_in(post.user)
        put "/posts/#{post.id}.json", params: {
          post: {
            raw: "this is a random post",
            raw_old: post.raw,
            random_number: 244
          }
        }

        expect(response.status).to eq(200)
        expect(post.reload.custom_fields[:random_number]).to eq("244")
      end
    end
  end

  describe "#destroy_bookmark" do
    fab!(:post) { Fabricate(:post) }
    fab!(:bookmark) { Fabricate(:bookmark, user: user, bookmarkable: post) }

    before do
      sign_in(user)
    end

    it "deletes the bookmark" do
      bookmark_id = bookmark.id
      delete "/posts/#{post.id}/bookmark.json"
      expect(Bookmark.find_by(id: bookmark_id)).to eq(nil)
    end

    context "when the user still has bookmarks in the topic" do
      before do
        Fabricate(:bookmark, user: user, bookmarkable: Fabricate(:post, topic: post.topic))
      end
      it "marks topic_bookmarked as true" do
        delete "/posts/#{post.id}/bookmark.json"
        expect(response.parsed_body['topic_bookmarked']).to eq(true)
      end
    end
  end

  describe '#wiki' do
    include_examples "action requires login", :put, "/posts/2/wiki.json"

    describe "when logged in" do
      before do
        sign_in(user)
      end

      let!(:post) { post_by_user }

      it "returns 400 when wiki parameter is not present" do
        sign_in(admin)

        put "/posts/#{post.id}/wiki.json", params: {}

        expect(response.status).to eq(400)
      end

      it "raises an error if the user doesn't have permission to wiki the post" do
        put "/posts/#{post.id}/wiki.json", params: { wiki: 'true' }
        expect(response).to be_forbidden
      end

      it "toggle wiki status should create a new version" do
        sign_in(admin)
        another_user = Fabricate(:user)
        another_post = Fabricate(:post, user: another_user)

        expect do
          put "/posts/#{another_post.id}/wiki.json", params: { wiki: 'true' }
        end.to change { another_post.reload.version }.by(1)

        expect do
          put "/posts/#{another_post.id}/wiki.json", params: { wiki: 'false' }
        end.to change { another_post.reload.version }.by(-1)

        sign_in(Fabricate(:admin))

        expect do
          put "/posts/#{another_post.id}/wiki.json", params: { wiki: 'true' }
        end.to change { another_post.reload.version }.by(1)
      end

      it "can wiki a post" do
        sign_in(admin)
        put "/posts/#{post.id}/wiki.json", params: { wiki: 'true' }

        post.reload
        expect(post.wiki).to eq(true)
      end

      it "can unwiki a post" do
        wikied_post = Fabricate(:post, user: user, wiki: true)
        sign_in(admin)

        put "/posts/#{wikied_post.id}/wiki.json", params: { wiki: 'false' }

        wikied_post.reload
        expect(wikied_post.wiki).to eq(false)
      end
    end
  end

  describe '#post_type' do
    include_examples "action requires login", :put, "/posts/2/post_type.json"

    describe "when logged in" do
      before do
        sign_in(moderator)
      end

      let!(:post) { post_by_user }

      it "raises an error if the user doesn't have permission to change the post type" do
        sign_in(user)

        put "/posts/#{post.id}/post_type.json", params: { post_type: 2 }
        expect(response).to be_forbidden
      end

      it "returns 400 if post_type parameter is not present" do
        put "/posts/#{post.id}/post_type.json", params: {}

        expect(response.status).to eq(400)
      end

      it "returns 400 if post_type parameters is invalid" do
        put "/posts/#{post.id}/post_type.json", params: { post_type: -1 }

        expect(response.status).to eq(400)
      end

      it "can change the post type" do
        put "/posts/#{post.id}/post_type.json", params: { post_type: 2 }

        post.reload
        expect(post.post_type).to eq(2)
      end
    end
  end

  describe '#rebake' do
    include_examples "action requires login", :put, "/posts/2/rebake.json"

    describe "when logged in" do
      let!(:post) { post_by_user }

      it "raises an error if the user doesn't have permission to rebake the post" do
        sign_in(user)
        put "/posts/#{post.id}/rebake.json"
        expect(response).to be_forbidden
      end

      it "can rebake the post" do
        sign_in(moderator)
        put "/posts/#{post.id}/rebake.json"
        expect(response.status).to eq(200)
      end

      it "will invalidate broken images cache" do
        sign_in(moderator)
        PostHotlinkedMedia.create!(url: "https://example.com/image.jpg", post: post, status: 'download_failed')
        put "/posts/#{post.id}/rebake.json"
        post.reload
        expect(post.post_hotlinked_media).to eq([])
      end
    end
  end

  describe '#create' do
    include_examples 'action requires login', :post, "/posts.json"

    before do
      SiteSetting.min_first_post_typing_time = 0
      SiteSetting.enable_whispers = true
    end

    context 'api' do
      it 'memoizes duplicate requests' do
        raw = "this is a test post 123 #{SecureRandom.hash}"
        title = "this is a title #{SecureRandom.hash}"

        master_key = Fabricate(:api_key).key

        post "/posts.json",
          params: { raw: raw, title: title, wpid: 1 },
          headers: { HTTP_API_USERNAME: user.username, HTTP_API_KEY: master_key }

        expect(response.status).to eq(200)
        original = response.body

        post "/posts.json",
          params: { raw: raw, title: title, wpid: 2 },
          headers: { HTTP_API_USERNAME: user.username_lower, HTTP_API_KEY: master_key }

        expect(response.status).to eq(200)
        expect(response.body).to eq(original)
      end

      it 'allows to create posts in import_mode' do
        Jobs.run_immediately!
        NotificationEmailer.enable
        post_1 = Fabricate(:post)
        master_key = Fabricate(:api_key).key

        post "/posts.json",
          params: { raw: 'this is test reply 1', topic_id: post_1.topic.id, reply_to_post_number: 1 },
          headers: { HTTP_API_USERNAME: user.username, HTTP_API_KEY: master_key }

        expect(response.status).to eq(200)
        expect(post_1.topic.user.notifications.count).to eq(1)
        post_1.topic.user.notifications.destroy_all

        post "/posts.json",
          params: { raw: 'this is test reply 2', topic_id: post_1.topic.id, reply_to_post_number: 1, import_mode: true },
          headers: { HTTP_API_USERNAME: user.username, HTTP_API_KEY: master_key }

        expect(response.status).to eq(200)
        expect(post_1.topic.user.notifications.count).to eq(0)

        post "/posts.json",
          params: { raw: 'this is test reply 3', topic_id: post_1.topic.id, reply_to_post_number: 1, import_mode: false },
          headers: { HTTP_API_USERNAME: user.username, HTTP_API_KEY: master_key }

        expect(response.status).to eq(200)
        expect(post_1.topic.user.notifications.count).to eq(1)
      end

      it 'allows a topic to be created with an external_id' do
        master_key = Fabricate(:api_key).key
        post "/posts.json", params: {
          raw: 'this is the test content',
          title: "this is some post",
          external_id: 'external_id'
        }, headers: { HTTP_API_USERNAME: user.username, HTTP_API_KEY: master_key }

        expect(response.status).to eq(200)

        new_topic = Topic.last

        expect(new_topic.external_id).to eq('external_id')
      end

      it 'prevents whispers for regular users' do
        post_1 = Fabricate(:post)
        user_key = ApiKey.create!(user: user).key

        post "/posts.json",
          params: { raw: 'this is test whisper', topic_id: post_1.topic.id, reply_to_post_number: 1, whisper: true },
          headers: { HTTP_API_USERNAME: user.username, HTTP_API_KEY: user_key }

        expect(response.status).to eq(403)
      end

      it 'does not advance draft' do
        Draft.set(user, Draft::NEW_TOPIC, 0, "test")
        user_key = ApiKey.create!(user: user).key

        post "/posts.json",
          params: { title: 'this is a test topic', raw: 'this is test whisper' },
          headers: { HTTP_API_USERNAME: user.username, HTTP_API_KEY: user_key }

        expect(response.status).to eq(200)
        expect(Draft.get(user, Draft::NEW_TOPIC, 0)).to eq("test")
      end

      it 'will raise an error if specified category cannot be found' do
        user = Fabricate(:admin)
        master_key = Fabricate(:api_key).key

        post "/posts.json",
          params: { title: 'this is a test title', raw: 'this is test body', category: 'invalid' },
          headers: { HTTP_API_USERNAME: user.username, HTTP_API_KEY: master_key }

        expect(response.status).to eq(400)

        expect(response.parsed_body["errors"]).to include(
          I18n.t("invalid_params", message: "category")
        )
      end

      it 'will raise an error if specified embed_url is invalid' do
        user = Fabricate(:admin)
        master_key = Fabricate(:api_key).key

        post "/posts.json",
          params: { title: 'this is a test title', raw: 'this is test body', embed_url: '/test.txt' },
          headers: { HTTP_API_USERNAME: user.username, HTTP_API_KEY: master_key }

        expect(response.status).to eq(422)
      end
    end

    describe "when logged in" do
      fab!(:user) { Fabricate(:user) }

      before do
        sign_in(user)
      end

      context "fast typing" do
        before do
          SiteSetting.min_first_post_typing_time = 3000
          SiteSetting.auto_silence_fast_typers_max_trust_level = 1
        end

        it 'queues the post if min_first_post_typing_time is not met' do
          post "/posts.json", params: {
            raw: 'this is the test content',
            title: 'this is the test title for the topic',
            composer_open_duration_msecs: 204,
            typing_duration_msecs: 100,
            reply_to_post_number: 123
          }

          expect(response.status).to eq(200)
          parsed = response.parsed_body

          expect(parsed["action"]).to eq("enqueued")

          user.reload
          expect(user).to be_silenced

          rp = ReviewableQueuedPost.find_by(created_by: user)
          expect(rp.payload['typing_duration_msecs']).to eq(100)
          expect(rp.payload['composer_open_duration_msecs']).to eq(204)
          expect(rp.payload['reply_to_post_number']).to eq(123)
          expect(rp.reviewable_scores.first.reason).to eq('fast_typer')

          expect(parsed['pending_post']).to be_present
          expect(parsed['pending_post']['id']).to eq(rp.id)
          expect(parsed['pending_post']['raw']).to eq("this is the test content")

          mod = moderator
          rp.perform(mod, :approve_post)

          user.reload
          expect(user).not_to be_silenced
        end

        it "doesn't enqueue posts when user first creates a topic" do
          topic = Fabricate(:post, user: user).topic

          Draft.set(user, "should_clear", 0, "{'a' : 'b'}")

          post "/posts.json", params: {
            raw: 'this is the test content',
            title: 'this is the test title for the topic',
            composer_open_duration_msecs: 204,
            typing_duration_msecs: 100,
            topic_id: topic.id,
            draft_key: "should_clear"
          }

          expect(response.status).to eq(200)
          parsed = response.parsed_body

          expect(parsed["action"]).not_to be_present

          expect {
            Draft.get(user, "should_clear", 0)
          }.to raise_error(Draft::OutOfSequence)
        end

        it "doesn't enqueue replies when the topic is closed" do
          topic = Fabricate(:closed_topic)

          post "/posts.json", params: {
            raw: 'this is the test content',
            title: 'this is the test title for the topic',
            topic_id: topic.id
          }

          expect(response).not_to be_successful
          parsed = response.parsed_body
          expect(parsed["action"]).not_to eq("enqueued")
        end

        it "doesn't enqueue replies when the post is too long" do
          SiteSetting.max_post_length = 10

          post "/posts.json", params: {
            raw: 'this is the test content',
            title: 'this is the test title for the topic'
          }

          expect(response).not_to be_successful
          parsed = response.parsed_body
          expect(parsed["action"]).not_to eq("enqueued")
        end
      end

      it 'silences correctly based on auto_silence_first_post_regex' do
        SiteSetting.auto_silence_first_post_regex = "I love candy|i eat s[1-5]"

        post "/posts.json", params: {
          raw: 'this is the test content',
          title: 'when I eat s3 sometimes when not looking'
        }

        expect(response.status).to eq(200)
        parsed = response.parsed_body

        expect(parsed["action"]).to eq("enqueued")
        reviewable = ReviewableQueuedPost.find_by(created_by: user)
        score = reviewable.reviewable_scores.first
        expect(score.reason).to eq('auto_silence_regex')

        user.reload
        expect(user).to be_silenced
      end

      it 'silences correctly based on silence watched words' do
        SiteSetting.watched_words_regular_expressions = true
        WatchedWord.create!(action: WatchedWord.actions[:silence], word: 'I love candy')
        WatchedWord.create!(action: WatchedWord.actions[:silence], word: 'i eat s[1-5]')

        post "/posts.json", params: {
          raw: 'this is the test content',
          title: 'when I eat s3 sometimes when not looking'
        }

        expect(response.status).to eq(200)
        parsed = response.parsed_body

        expect(parsed["action"]).to eq("enqueued")
        reviewable = ReviewableQueuedPost.find_by(created_by: user)
        score = reviewable.reviewable_scores.first
        expect(score.reason).to eq('auto_silence_regex')

        user.reload
        expect(user).to be_silenced
      end

      it "can send a message to a group" do
        group = Group.create(name: 'test_group', messageable_level: Group::ALIAS_LEVELS[:nobody])
        user1 = user
        group.add(user1)

        post "/posts.json", params: {
          raw: 'I can haz a test',
          title: 'I loves my test',
          target_recipients: group.name,
          archetype: Archetype.private_message
        }

        expect(response).not_to be_successful

        # allow pm to this group
        group.update_columns(messageable_level: Group::ALIAS_LEVELS[:everyone])

        post "/posts.json", params: {
          raw: 'I can haz a test',
          title: 'I loves my test',
          target_recipients: "test_Group",
          archetype: Archetype.private_message
        }

        expect(response.status).to eq(200)

        parsed = response.parsed_body
        post = Post.find(parsed['id'])

        expect(post.topic.topic_allowed_users.length).to eq(1)
        expect(post.topic.topic_allowed_groups.length).to eq(1)
      end

      it "can send a message to a group with caps" do
        group = Group.create(name: 'Test_group', messageable_level: Group::ALIAS_LEVELS[:nobody])
        user1 = user
        group.add(user1)

        # allow pm to this group
        group.update_columns(messageable_level: Group::ALIAS_LEVELS[:everyone])

        post "/posts.json", params: {
          raw: 'I can haz a test',
          title: 'I loves my test',
          target_recipients: "test_Group",
          archetype: Archetype.private_message
        }

        expect(response.status).to eq(200)

        parsed = response.parsed_body
        post = Post.find(parsed['id'])

        expect(post.topic.topic_allowed_users.length).to eq(1)
        expect(post.topic.topic_allowed_groups.length).to eq(1)
      end

      it "returns the nested post with a param" do
        post "/posts.json", params: {
          raw: 'this is the test content  ',
          title: 'this is the test title for the topic',
          nested_post: true
        }

        expect(response.status).to eq(200)
        parsed = response.parsed_body
        expect(parsed['post']).to be_present
        expect(parsed['post']['raw']).to eq('this is the test content')
        expect(parsed['post']['cooked']).to be_present
      end

      it 'protects against dupes' do
        raw = "this is a test post 123 #{SecureRandom.hash}"
        title = "this is a title #{SecureRandom.hash}"

        expect do
          post "/posts.json", params: { raw: raw, title: title, wpid: 1 }
        end.to change { Post.count }

        expect(response.status).to eq(200)

        expect do
          post "/posts.json", params: { raw: raw, title: title, wpid: 2 }
        end.to_not change { Post.count }

        expect(response.status).to eq(422)
      end

      it 'cannot create a post in a disallowed category' do
        category.set_permissions(staff: :full)
        category.save!

        post "/posts.json", params: {
          raw: 'this is the test content',
          title: 'this is the test title for the topic',
          category: category.id,
          meta_data: { xyz: 'abc' }
        }

        expect(response.status).to eq(403)
      end

      it 'cannot create a post with a tag that is restricted' do
        SiteSetting.tagging_enabled = true
        tag = Fabricate(:tag)
        category.allowed_tags = [tag.name]
        category.save!

        post "/posts.json", params: {
          raw: 'this is the test content',
          title: 'this is the test title for the topic',
          tags: [tag.name],
        }

        expect(response.status).to eq(422)
        json = response.parsed_body
        expect(json['errors']).to be_present
      end

      it 'cannot create a post with a tag when tagging is disabled' do
        SiteSetting.tagging_enabled = false
        tag = Fabricate(:tag)

        post "/posts.json", params: {
          raw: 'this is the test content',
          title: 'this is the test title for the topic',
          tags: [tag.name],
        }

        expect(response.status).to eq(422)
        json = response.parsed_body
        expect(json['errors']).to be_present
      end

      it 'cannot create a post with a tag without tagging permission' do
        SiteSetting.tagging_enabled = true
        SiteSetting.min_trust_level_to_tag_topics = 4
        tag = Fabricate(:tag)

        post "/posts.json", params: {
          raw: 'this is the test content',
          title: 'this is the test title for the topic',
          tags: [tag.name],
        }

        expect(response.status).to eq(422)
        json = response.parsed_body
        expect(json['errors']).to be_present
      end

      it 'can create a post with a tag when tagging is enabled' do
        SiteSetting.tagging_enabled = true
        tag = Fabricate(:tag)

        post "/posts.json", params: {
          raw: 'this is the test content',
          title: 'this is the test title for the topic',
          tags: [tag.name],
        }

        expect(response.status).to eq(200)
        expect(Post.last.topic.tags.count).to eq(1)
      end

      it 'creates the post' do
        post "/posts.json", params: {
          raw: 'this is the test content',
          title: 'this is the test title for the topic',
          category: category.id,
          meta_data: { xyz: 'abc' }
        }

        expect(response.status).to eq(200)

        new_post = Post.last
        topic = new_post.topic

        expect(new_post.user).to eq(user)
        expect(new_post.raw).to eq('this is the test content')
        expect(topic.title).to eq('This is the test title for the topic')
        expect(topic.category).to eq(category)
        expect(topic.meta_data).to eq("xyz" => 'abc')
      end

      it 'can create an uncategorized topic' do
        title = 'this is the test title for the topic'

        expect do
          post "/posts.json", params: {
            raw: 'this is the test content',
            title: title,
            category: ""
          }

          expect(response.status).to eq(200)
        end.to change { Topic.count }.by(1)

        topic = Topic.last

        expect(topic.title).to eq(title.capitalize)
        expect(topic.category_id).to eq(SiteSetting.uncategorized_category_id)
      end

      it 'can create a reply to a post' do
        topic = Fabricate(:private_message_post, user: user).topic
        post_2 = Fabricate(:private_message_post, user: user, topic: topic)

        post "/posts.json", params: {
          raw: 'this is the test content',
          topic_id: topic.id,
          reply_to_post_number: post_2.post_number,
          image_sizes: { width: '100', height: '200' }
        }

        expect(response.status).to eq(200)

        new_post = Post.last
        topic = new_post.topic

        expect(new_post.user).to eq(user)
        expect(new_post.raw).to eq('this is the test content')
        expect(new_post.reply_to_post_number).to eq(post_2.post_number)

        job_args = Jobs::ProcessPost.jobs.first["args"].first

        expect(job_args["image_sizes"]).to eq("width" => '100', "height" => '200')
      end

      it 'creates a private post' do
        user_2 = Fabricate(:user)
        user_3 = Fabricate(:user, username: "foo_bar")

        # In certain edge cases, it's possible to end up with a username
        # containing characters that would normally fail to validate
        user_4 = Fabricate(:user, username: "Iyi_Iyi")
        user_4.update_attribute(:username, "İyi_İyi")
        user_4.update_attribute(:username_lower, "İyi_İyi".downcase)

        post "/posts.json", params: {
          raw: 'this is the test content',
          archetype: 'private_message',
          title: "this is some post",
          target_recipients: "#{user_2.username},Foo_Bar,İyi_İyi"
        }

        expect(response.status).to eq(200)

        new_post = Post.last
        new_topic = Topic.last

        expect(new_post.user).to eq(user)
        expect(new_topic.private_message?).to eq(true)
        expect(new_topic.allowed_users).to contain_exactly(user, user_2, user_3, user_4)
      end

      context "when target_recipients not provided" do
        it "errors when creating a private post" do
          post "/posts.json", params: {
            raw: 'this is the test content',
            archetype: 'private_message',
            title: "this is some post",
            target_recipients: ""
          }

          expect(response.status).to eq(422)
          expect(response.parsed_body["errors"]).to include(
            I18n.t("activerecord.errors.models.topic.attributes.base.no_user_selected")
          )
        end
      end

      context "when topic_id is set" do
        fab!(:topic) { Fabricate(:topic) }

        it "errors when creating a private post" do
          user_2 = Fabricate(:user)

          post "/posts.json", params: {
            raw: 'this is the test content',
            archetype: 'private_message',
            title: "this is some post",
            target_recipients: user_2.username,
            topic_id: topic.id
          }

          expect(response.status).to eq(422)
          expect(response.parsed_body["errors"]).to include(
            I18n.t("create_pm_on_existing_topic")
          )
        end
      end

      context "errors" do
        it "does not succeed" do
          post "/posts.json", params: { raw: 'test' }
          expect(response).not_to be_successful
          expect(response.status).to eq(422)
        end

        it "it triggers flag_linked_posts_as_spam when the post creator returns spam" do
          SiteSetting.newuser_spam_host_threshold = 1
          sign_in(Fabricate(:user, trust_level: 0))

          post "/posts.json", params: {
            raw: 'this is the test content http://fakespamwebsite.com http://fakespamwebsite.com/spam http://fakespamwebsite.com/spammy',
            title: 'this is the test title for the topic',
            meta_data: { xyz: 'abc' }
          }

          expect(response.parsed_body["errors"]).to include(I18n.t(:spamming_host))
        end

        context "allow_uncategorized_topics is false" do
          before do
            SiteSetting.allow_uncategorized_topics = false
          end

          it "cant create an uncategorized post" do
            post "/posts.json", params: {
              raw: "a new post with no category",
              title: "a new post with no category"
            }
            expect(response).not_to be_successful
          end

          context "as staff" do
            before do
              sign_in(admin)
            end

            it "cant create an uncategorized post" do
              post "/posts.json", params: {
                raw: "a new post with no category",
                title: "a new post with no category"
              }
              expect(response).not_to be_successful
            end
          end
        end
      end
    end

    describe 'shared draft' do
      fab!(:destination_category) { Fabricate(:category) }

      it "will raise an error for regular users" do
        post "/posts.json", params: {
          raw: 'this is the shared draft content',
          title: "this is the shared draft title",
          category: destination_category.id,
          shared_draft: 'true'
        }
        expect(response).not_to be_successful
      end

      describe "as a staff user" do
        before do
          sign_in(moderator)
        end

        it "will raise an error if there is no shared draft category" do
          post "/posts.json", params: {
            raw: 'this is the shared draft content',
            title: "this is the shared draft title",
            category: destination_category.id,
            shared_draft: 'true'
          }
          expect(response).not_to be_successful
        end

        context "with a shared category" do
          fab!(:shared_category) { Fabricate(:category) }
          before do
            SiteSetting.shared_drafts_category = shared_category.id
          end

          it "will work if the shared draft category is present" do
            post "/posts.json", params: {
              raw: 'this is the shared draft content',
              title: "this is the shared draft title",
              category: destination_category.id,
              shared_draft: 'true'
            }
            expect(response.status).to eq(200)
            result = response.parsed_body
            topic = Topic.find(result['topic_id'])
            expect(topic.category_id).to eq(shared_category.id)
            expect(topic.shared_draft.category_id).to eq(destination_category.id)
          end
        end
      end
    end

    describe 'warnings' do
      fab!(:user_2) { Fabricate(:user) }

      context 'as a staff user' do
        before do
          sign_in(admin)
        end

        it 'should be able to mark a topic as warning' do
          post "/posts.json", params: {
            raw: 'this is the test content',
            archetype: 'private_message',
            title: "this is some post",
            target_recipients: user_2.username,
            is_warning: true
          }

          expect(response.status).to eq(200)

          new_topic = Topic.last

          expect(new_topic.title).to eq('This is some post')
          expect(new_topic.is_official_warning?).to eq(true)
        end

        it 'should be able to mark a topic as not a warning' do
          post "/posts.json", params: {
            raw: 'this is the test content',
            archetype: 'private_message',
            title: "this is some post",
            target_recipients: user_2.username,
            is_warning: false
          }

          expect(response.status).to eq(200)

          new_topic = Topic.last

          expect(new_topic.title).to eq('This is some post')
          expect(new_topic.is_official_warning?).to eq(false)
        end
      end

      context 'as a normal user' do
        it 'should not be able to mark a topic as warning' do
          sign_in(user)
          post "/posts.json", params: {
            raw: 'this is the test content',
            archetype: 'private_message',
            title: "this is some post",
            target_recipients: user_2.username,
            is_warning: true
          }

          expect(response.status).to eq(200)

          new_topic = Topic.last

          expect(new_topic.title).to eq('This is some post')
          expect(new_topic.is_official_warning?).to eq(false)
        end
      end
    end

    context "topic bump" do
      shared_examples "it works" do
        it "should be able to skip topic bumping" do
          original_bumped_at = 1.day.ago
          topic = Fabricate(:topic, bumped_at: original_bumped_at)

          post "/posts.json", params: {
            raw: 'this is the test content',
            topic_id: topic.id,
            no_bump: true
          }

          expect(response.status).to eq(200)
          expect(topic.reload.bumped_at).to eq_time(original_bumped_at)
        end

        it "should be able to post with topic bumping" do
          post "/posts.json", params: {
            raw: 'this is the test content',
            topic_id: topic.id
          }

          expect(response.status).to eq(200)
          expect(topic.reload.bumped_at).to eq_time(topic.posts.last.created_at)
        end
      end

      context "admins" do
        before do
          sign_in(admin)
        end

        include_examples "it works"
      end

      context "moderators" do
        before do
          sign_in(moderator)
        end

        include_examples "it works"
      end

      context "TL4 users" do
        fab!(:trust_level_4) { Fabricate(:trust_level_4) }

        before do
          sign_in(trust_level_4)
        end

        include_examples "it works"
      end

      context "users" do
        fab!(:topic) { Fabricate(:topic) }

        [:user].each do |user|
          it "will raise an error for #{user}" do
            sign_in(Fabricate(user))
            post "/posts.json", params: {
              raw: 'this is the test content',
              topic_id: topic.id,
              no_bump: true
            }
            expect(response.status).to eq(400)
          end
        end
      end
    end

    describe "featured links" do
      it "allows to create topics with featured links" do
        sign_in(user_trust_level_1)

        post "/posts.json", params: {
          title: "this is the test title for the topic",
          raw: "this is the test content",
          featured_link: "https://discourse.org"
        }

        expect(response.status).to eq(200)
      end

      it "doesn't allow TL0 users to create topics with featured links" do
        sign_in(user_trust_level_0)

        post "/posts.json", params: {
          title: "this is the test title for the topic",
          raw: "this is the test content",
          featured_link: "https://discourse.org"
        }

        expect(response.status).to eq(422)
      end

      it "doesn't allow to create topics with featured links if featured links are disabled in settings" do
        SiteSetting.topic_featured_link_enabled = false
        sign_in(user_trust_level_1)

        post "/posts.json", params: {
          title: "this is the test title for the topic",
          raw: "this is the test content",
          featured_link: "https://discourse.org"
        }

        expect(response.status).to eq(422)
      end

      it "doesn't allow to create topics with featured links in the category with forbidden feature links" do
        category = Fabricate(:category, topic_featured_link_allowed: false)
        sign_in(user_trust_level_1)

        post "/posts.json", params: {
          title: "this is the test title for the topic",
          raw: "this is the test content",
          featured_link: "https://discourse.org",
          category: category.id
        }

        expect(response.status).to eq(422)
      end
    end
  end

  describe '#revisions' do
    fab!(:post) { Fabricate(:post, version: 2) }
    let(:post_revision) { Fabricate(:post_revision, post: post) }

    it "throws an exception when revision is < 2" do
      get "/posts/#{post.id}/revisions/1.json"
      expect(response.status).to eq(400)
    end

    context "when edit history is not visible to the public" do

      before { SiteSetting.edit_history_visible_to_public = false }

      it "ensures anonymous cannot see the revisions" do
        get "/posts/#{post.id}/revisions/#{post_revision.number}.json"
        expect(response).to be_forbidden
      end

      it "ensures regular user cannot see the revisions" do
        sign_in(user)
        get "/posts/#{post.id}/revisions/#{post_revision.number}.json"
        expect(response).to be_forbidden
      end

      it "ensures staff can see the revisions" do
        sign_in(admin)
        get "/posts/#{post.id}/revisions/#{post_revision.number}.json"
        expect(response.status).to eq(200)
      end

      it "ensures poster can see the revisions" do
        user = Fabricate(:active_user)
        sign_in(user)

        post = Fabricate(:post, user: user, version: 3)
        pr = Fabricate(:post_revision, user: user, post: post)

        get "/posts/#{pr.post_id}/revisions/#{pr.number}.json"
        expect(response.status).to eq(200)
      end

      it "ensures trust level 4 cannot see the revisions" do
        sign_in(Fabricate(:user, trust_level: 4))
        get "/posts/#{post_revision.post_id}/revisions/#{post_revision.number}.json"
        expect(response.status).to eq(403)
      end
    end

    context "when post is hidden" do
      before {
        post.hidden = true
        post.save
      }

      it "throws an exception for users" do
        sign_in(user)
        get "/posts/#{post.id}/revisions/#{post_revision.number}.json"
        expect(response.status).to eq(404)
      end

      it "works for admins" do
        sign_in(admin)
        get "/posts/#{post.id}/revisions/#{post_revision.number}.json"
        expect(response.status).to eq(200)
      end
    end

    context "when edit history is visible to everyone" do

      before { SiteSetting.edit_history_visible_to_public = true }

      it "ensures anyone can see the revisions" do
        get "/posts/#{post_revision.post_id}/revisions/#{post_revision.number}.json"
        expect(response.status).to eq(200)
      end
    end

    context "deleted post" do
      fab!(:deleted_post) { Fabricate(:post, user: admin, version: 3) }
      fab!(:deleted_post_revision) { Fabricate(:post_revision, user: admin, post: deleted_post) }

      before { deleted_post.trash!(admin) }

      it "also work on deleted post" do
        sign_in(admin)
        get "/posts/#{deleted_post_revision.post_id}/revisions/#{deleted_post_revision.number}.json"
        expect(response.status).to eq(200)
      end
    end

    context "deleted topic" do
      fab!(:deleted_topic) { Fabricate(:topic, user: admin) }
      fab!(:post) { Fabricate(:post, user: admin, topic: deleted_topic, version: 3) }
      fab!(:post_revision) { Fabricate(:post_revision, user: admin, post: post) }

      before { deleted_topic.trash!(admin) }

      it "also work on deleted topic" do
        sign_in(admin)
        get "/posts/#{post_revision.post_id}/revisions/#{post_revision.number}.json"
        expect(response.status).to eq(200)
      end
    end
  end

  describe '#revert' do
    include_examples 'action requires login', :put, "/posts/123/revisions/2/revert.json"

    fab!(:post) { Fabricate(:post, user: Fabricate(:user), raw: "Lorem ipsum dolor sit amet, cu nam libris tractatos, ancillae senserit ius ex") }
    let(:post_revision) { Fabricate(:post_revision, post: post, modifications: { "raw" => ["this is original post body.", "this is edited post body."] }) }
    let(:blank_post_revision) { Fabricate(:post_revision, post: post, modifications: { "edit_reason" => ["edit reason #1", "edit reason #2"] }) }
    let(:same_post_revision) { Fabricate(:post_revision, post: post, modifications: { "raw" => ["Lorem ipsum dolor sit amet, cu nam libris tractatos, ancillae senserit ius ex", "this is edited post body."] }) }

    let(:post_id) { post.id }
    let(:revision_id) { post_revision.number }

    describe 'when logged in as a regular user' do
      it "does not work" do
        sign_in(user)
        put "/posts/#{post_id}/revisions/#{revision_id}/revert.json"
        expect(response).to_not be_successful
      end
    end

    describe "when logged in as staff" do
      before do
        sign_in(moderator)
      end

      it "fails when revision is < 2" do
        put "/posts/#{post_id}/revisions/1/revert.json"
        expect(response.status).to eq(400)
      end

      it "fails when post_revision record is not found" do
        put "/posts/#{post_id}/revisions/#{revision_id + 1}/revert.json"
        expect(response).to_not be_successful
      end

      it "fails when post record is not found" do
        put "/posts/#{post_id + 1}/revisions/#{revision_id}/revert.json"
        expect(response).to_not be_successful
      end

      it "fails when revision is blank" do
        put "/posts/#{post_id}/revisions/#{blank_post_revision.number}/revert.json"
        expect(response.status).to eq(422)
        expect(response.parsed_body['errors']).to include(I18n.t('revert_version_same'))
      end

      it "fails when revised version is same as current version" do
        put "/posts/#{post_id}/revisions/#{same_post_revision.number}/revert.json"
        expect(response.status).to eq(422)
        expect(response.parsed_body['errors']).to include(I18n.t('revert_version_same'))
      end

      it "works!" do
        put "/posts/#{post_id}/revisions/#{revision_id}/revert.json"
        expect(response.status).to eq(200)
      end

      it "supports reverting posts in deleted topics" do
        first_post = post.topic.ordered_posts.first
        PostDestroyer.new(moderator, first_post).destroy

        put "/posts/#{post_id}/revisions/#{revision_id}/revert.json"
        expect(response.status).to eq(200)
      end
    end
  end

  describe '#expand_embed' do
    before do
      sign_in(user)
    end

    fab!(:post) { Fabricate(:post) }

    it "raises an error when you can't see the post" do
      post = Fabricate(:private_message_post)
      get "/posts/#{post.id}/expand-embed.json"
      expect(response).not_to be_successful
    end

    it "retrieves the body when you can see the post" do
      TopicEmbed.expects(:expanded_for).with(post).returns("full content")
      get "/posts/#{post.id}/expand-embed.json"
      expect(response.status).to eq(200)
      expect(response.parsed_body['cooked']).to eq("full content")
    end
  end

  describe '#flagged_posts' do
    include_examples "action requires login", :get, "/posts/system/flagged.json"

    describe "when logged in" do
      it "raises an error if the user doesn't have permission to see the flagged posts" do
        sign_in(user)
        get "/posts/system/flagged.json"
        expect(response).to be_forbidden
      end

      it "can see the flagged posts when authorized" do
        sign_in(moderator)
        get "/posts/system/flagged.json"
        expect(response.status).to eq(200)
      end

      it "only shows agreed and deferred flags" do
        post_agreed = create_post(user: user)
        post_deferred = create_post(user: user)
        post_disagreed = create_post(user: user)

        r0 = PostActionCreator.spam(moderator, post_agreed).reviewable
        r1 = PostActionCreator.off_topic(moderator, post_deferred).reviewable
        r2 = PostActionCreator.inappropriate(moderator, post_disagreed).reviewable

        r0.perform(admin, :agree_and_keep)
        r1.perform(admin, :ignore)
        r2.perform(admin, :disagree)

        sign_in(Fabricate(:moderator))
        get "/posts/#{user.username}/flagged.json"
        expect(response.status).to eq(200)

        expect(response.parsed_body.length).to eq(2)
      end
    end
  end

  describe '#deleted_posts' do
    include_examples "action requires login", :get, "/posts/system/deleted.json"

    describe "when logged in" do
      it "raises an error if the user doesn't have permission to see the deleted posts" do
        sign_in(user)
        get "/posts/system/deleted.json"
        expect(response).to be_forbidden
      end

      it "can see the deleted posts when authorized" do
        sign_in(moderator)
        get "/posts/system/deleted.json"
        expect(response.status).to eq(200)
      end

      it "does not raise if topic has been permanently deleted" do
        post = Fabricate(:post, user: admin)
        PostDestroyer.new(admin, post).destroy
        post.update!(topic_id: -1000)

        sign_in(admin)
        get "/posts/#{admin.username}/deleted.json"
        expect(response.status).to eq(200)
      end

      it "doesn't return secured categories for moderators if they don't have access" do
        Fabricate(:moderator)

        group = Fabricate(:group)
        group.add_owner(user)

        secured_category = Fabricate(:private_category, group: group)
        secured_post = create_post(user: user, category: secured_category)
        PostDestroyer.new(admin, secured_post).destroy

        sign_in(moderator)
        get "/posts/#{user.username}/deleted.json"
        expect(response.status).to eq(200)

        data = response.parsed_body
        expect(data.length).to eq(0)
      end

      it "doesn't return PMs for moderators" do
        Fabricate(:moderator)

        pm_post = create_post(user: user, archetype: 'private_message', target_usernames: [admin.username])
        PostDestroyer.new(admin, pm_post).destroy

        sign_in(moderator)
        get "/posts/#{user.username}/deleted.json"
        expect(response.status).to eq(200)

        data = response.parsed_body
        expect(data.length).to eq(0)
      end

      it "only shows posts deleted by other users" do
        create_post(user: user)
        post_deleted_by_user = create_post(user: user)
        post_deleted_by_admin = create_post(user: user)

        PostDestroyer.new(user, post_deleted_by_user).destroy
        PostDestroyer.new(admin, post_deleted_by_admin).destroy

        sign_in(admin)
        get "/posts/#{user.username}/deleted.json"
        expect(response.status).to eq(200)

        data = response.parsed_body
        expect(data.length).to eq(1)
        expect(data[0]["id"]).to eq(post_deleted_by_admin.id)
        expect(data[0]["deleted_by"]["id"]).to eq(admin.id)
      end
    end
  end

  describe '#markdown_id' do
    it "can be viewed by anonymous" do
      post = Fabricate(:post, raw: "123456789")
      get "/posts/#{post.id}/raw.json"
      expect(response.status).to eq(200)
      expect(response.body).to eq("123456789")
    end

    it "renders a 404 page" do
      get "/posts/0/raw"
      expect(response.status).to eq(404)
      expect(response.body).to include(I18n.t("page_not_found.title"))
    end
  end

  describe '#markdown_num' do
    it "can be viewed by anonymous" do
      topic = Fabricate(:topic)
      post = Fabricate(:post, topic: topic, post_number: 1, raw: "123456789")
      post.save
      get "/raw/#{topic.id}/1.json"
      expect(response.status).to eq(200)
      expect(response.body).to eq("123456789")
    end

    it "can show whole topics" do
      topic = Fabricate(:topic)
      post = Fabricate(:post, topic: topic, post_number: 1, raw: "123456789")
      post_2 = Fabricate(:post, topic: topic, post_number: 2, raw: "abcdefghij")
      post.save
      get "/raw/#{topic.id}"
      expect(response.status).to eq(200)
      expect(response.body).to include("123456789", "abcdefghij")
    end
  end

  describe '#short_link' do
    fab!(:topic) { Fabricate(:topic) }
    fab!(:post) { Fabricate(:post, topic: topic) }

    it "redirects to the topic" do
      get "/p/#{post.id}.json"
      expect(response).to be_redirect
    end

    it "returns a 403 when access is denied for JSON format" do
      post = Fabricate(:private_message_post)
      get "/p/#{post.id}.json"
      expect(response).to be_forbidden
    end

    it "returns a 403 when access is denied for HTML format" do
      post = Fabricate(:private_message_post)
      get "/p/#{post.id}"
      expect(response).to be_forbidden
      expect(response.body).to have_tag("body.no-ember")
    end

    it "renders a 404 page" do
      get "/p/0"
      expect(response.status).to eq(404)
      expect(response.body).to include(I18n.t("page_not_found.title"))
    end
  end

  describe '#user_posts_feed' do
    it 'returns public posts rss feed' do
      public_post
      private_post

      get "/u/#{user.username}/activity.rss"

      expect(response.status).to eq(200)

      body = response.body

      expect(body).to_not include(private_post.url)
      expect(body).to include(public_post.url)
    end

    it 'returns public posts as JSON' do
      public_post
      private_post

      get "/u/#{user.username}/activity.json"

      expect(response.status).to eq(200)

      body = response.body

      expect(body).to_not include(private_post.topic.slug)
      expect(body).to include(public_post.topic.slug)
    end

    it "returns 404 if `hide_profile_and_presence` user option is checked" do
      user.user_option.update_columns(hide_profile_and_presence: true)

      get "/u/#{user.username}/activity.rss"
      expect(response.status).to eq(404)

      get "/u/#{user.username}/activity.json"
      expect(response.status).to eq(404)
    end

    it "succeeds when `allow_users_to_hide_profile` is false" do
      user.user_option.update_columns(hide_profile_and_presence: true)
      SiteSetting.allow_users_to_hide_profile = false

      get "/u/#{user.username}/activity.rss"
      expect(response.status).to eq(200)

      get "/u/#{user.username}/activity.json"
      expect(response.status).to eq(200)
    end
  end

  describe '#latest' do
    context 'private posts' do
      describe 'when not logged in' do
        it 'should return the right response' do
          Fabricate(:post)

          get "/private-posts.rss"

          expect(response.status).to eq(404)

          expect(response.body).to have_tag(
            "input", with: { value: "private_posts" }
          )
        end
      end

      it 'returns private posts rss feed' do
        sign_in(admin)

        public_post
        private_post
        get "/private-posts.rss"

        expect(response.status).to eq(200)

        body = response.body

        expect(body).to include(private_post.url)
        expect(body).to_not include(public_post.url)
      end

      it 'returns private posts for json' do
        sign_in(admin)

        public_post
        private_post
        get "/private-posts.json"
        expect(response.status).to eq(200)

        json = response.parsed_body
        post_ids = json['private_posts'].map { |p| p['id'] }

        expect(post_ids).to include private_post.id
        expect(post_ids).to_not include public_post.id
      end
    end

    context 'public posts' do
      it 'returns public posts with topic rss feed' do
        public_post
        private_post

        get "/posts.rss"

        expect(response.status).to eq(200)

        body = response.body

        # we cache in redis, in rare cases this can cause a flaky test
        PostsHelper.clear_canonical_cache!(public_post)

        expect(body).to include(public_post.canonical_url)
        expect(body).to_not include(private_post.url)
      end

      it 'returns public posts with topic for json' do
        topicless_post.update topic_id: -100

        public_post
        private_post
        topicless_post

        get "/posts.json"
        expect(response.status).to eq(200)

        json = response.parsed_body
        post_ids = json['latest_posts'].map { |p| p['id'] }

        expect(post_ids).to include public_post.id
        expect(post_ids).to_not include private_post.id
        expect(post_ids).to_not include topicless_post.id
      end
    end
  end

  describe '#cooked' do
    it 'returns the cooked content' do
      post = Fabricate(:post, cooked: "WAt")
      get "/posts/#{post.id}/cooked.json"

      expect(response.status).to eq(200)
      json = response.parsed_body

      expect(json).to be_present
      expect(json['cooked']).to eq('WAt')
    end
  end

  describe '#raw_email' do
    include_examples "action requires login", :get, "/posts/2/raw-email.json"

    describe "when logged in" do
      let(:post) { Fabricate(:post, deleted_at: 2.hours.ago, user: Fabricate(:user), raw_email: 'email_content') }

      it "raises an error if the user doesn't have permission to view raw email" do
        sign_in(user)

        get "/posts/#{post.id}/raw-email.json"
        expect(response).to be_forbidden
      end

      it "can view raw email" do
        sign_in(moderator)

        get "/posts/#{post.id}/raw-email.json"
        expect(response.status).to eq(200)

        json = response.parsed_body
        expect(json['raw_email']).to eq('email_content')
      end
    end
  end

  describe "#locked" do
    before do
      sign_in(moderator)
    end

    it 'can lock and unlock the post' do
      put "/posts/#{public_post.id}/locked.json", params: { locked: "true" }
      expect(response.status).to eq(200)
      public_post.reload
      expect(public_post).to be_locked

      put "/posts/#{public_post.id}/locked.json", params: { locked: "false" }
      expect(response.status).to eq(200)
      public_post.reload
      expect(public_post).not_to be_locked
    end
  end

  describe "#notice" do
    it 'can create and remove notices as a moderator' do
      sign_in(moderator)

      raw_notice = "Hello *world*!\n\nhttps://github.com/discourse/discourse"
      put "/posts/#{public_post.id}/notice.json", params: { notice: raw_notice }

      expect(response.status).to eq(200)
      expect(public_post.reload.custom_fields[Post::NOTICE]).to eq("type" => Post.notices[:custom], "raw" => raw_notice, "cooked" => PrettyText.cook(raw_notice, features: { onebox: false }))
      expect(UserHistory.where(action: UserHistory.actions[:post_staff_note_create]).count).to eq(1)

      put "/posts/#{public_post.id}/notice.json", params: { notice: nil }

      expect(response.status).to eq(200)
      expect(public_post.reload.custom_fields[Post::NOTICE]).to eq(nil)
      expect(UserHistory.where(action: UserHistory.actions[:post_staff_note_destroy]).count).to eq(1)
    end

    describe 'group moderators' do
      fab!(:group_user) { Fabricate(:group_user) }
      let(:user) { group_user.user }
      let(:group) { group_user.group }

      before do
        SiteSetting.enable_category_group_moderation = true
        topic.category.update!(reviewable_by_group_id: group.id)

        sign_in(user)
      end

      it 'can create and remove notices as a group moderator' do
        raw_notice = "Hello *world*!\n\nhttps://github.com/discourse/discourse"
        put "/posts/#{public_post.id}/notice.json", params: { notice: raw_notice }

        expect(response.status).to eq(200)
        expect(public_post.reload.custom_fields[Post::NOTICE]).to eq("type" => Post.notices[:custom], "raw" => raw_notice, "cooked" => PrettyText.cook(raw_notice, features: { onebox: false }))

        put "/posts/#{public_post.id}/notice.json", params: { notice: nil }

        expect(response.status).to eq(200)
        expect(public_post.reload.custom_fields[Post::NOTICE]).to eq(nil)
      end

      it 'prevents a group moderator from altering notes outside of their category' do
        moderatable_group = Fabricate(:group)
        topic.category.update!(reviewable_by_group_id: moderatable_group.id)

        put "/posts/#{public_post.id}/notice.json", params: { notice: "Hello" }

        expect(response.status).to eq(404)
      end

      it 'prevents a normal user from altering notes' do
        group_user.destroy!
        put "/posts/#{public_post.id}/notice.json", params: { notice: "Hello" }

        expect(response.status).to eq(404)
      end
    end
  end

  describe "#pending" do
    subject(:request) { get "/posts/#{user.username}/pending.json" }

    context "when user is not logged in" do
      it_behaves_like "action requires login", :get, "/posts/system/pending.json"
    end

    context "when user is logged in" do
      let(:pending_posts) { response.parsed_body["pending_posts"] }

      before { sign_in(current_user) }

      context "when current user is the same as user" do
        let(:current_user) { user }

        context "when there are existing pending posts" do
          let!(:owner_pending_posts) { Fabricate.times(2, :reviewable_queued_post, created_by: user) }
          let!(:other_pending_post) { Fabricate(:reviewable_queued_post) }
          let(:expected_keys) do
            %w[
          avatar_template
          category_id
          created_at
          created_by_id
          name
          raw_text
          title
          topic_id
          topic_url
          username
            ]
          end

          it "returns user's pending posts" do
            request
            expect(pending_posts).to all include "id" => be_in(owner_pending_posts.map(&:id))
            expect(pending_posts).to all include(*expected_keys)
          end
        end

        context "when there aren't any pending posts" do
          it "returns an empty array" do
            request
            expect(pending_posts).to be_empty
          end
        end
      end

      context "when current user is a staff member" do
        let(:current_user) { moderator }

        context "when there are existing pending posts" do
          let!(:owner_pending_posts) { Fabricate.times(2, :reviewable_queued_post, created_by: user) }
          let!(:other_pending_post) { Fabricate(:reviewable_queued_post) }
          let(:expected_keys) do
            %w[
          avatar_template
          category_id
          created_at
          created_by_id
          name
          raw_text
          title
          topic_id
          topic_url
          username
            ]
          end

          it "returns user's pending posts" do
            request
            expect(pending_posts).to all include "id" => be_in(owner_pending_posts.map(&:id))
            expect(pending_posts).to all include(*expected_keys)
          end
        end

        context "when there aren't any pending posts" do
          it "returns an empty array" do
            request
            expect(pending_posts).to be_empty
          end
        end
      end

      context "when current user is another user" do
        let(:current_user) { Fabricate(:user) }

        it "does not allow access" do
          request
          expect(response).to have_http_status :not_found
        end
      end
    end
  end

  describe Plugin::Instance do
    describe '#add_permitted_post_create_param' do
      fab!(:user) { Fabricate(:user) }
      let(:instance) { Plugin::Instance.new }
      let(:request) do
        Proc.new {
          post "/posts.json", params: {
            raw: 'this is the test content',
            title: 'this is the test title for the topic',
            composer_open_duration_msecs: 204,
            typing_duration_msecs: 100,
            reply_to_post_number: 123,
            string_arg: '123',
            hash_arg: { key1: 'val' },
            array_arg: ['1', '2', '3']
          }
        }
      end

      before do
        sign_in(user)
        SiteSetting.min_first_post_typing_time = 0
      end

      it 'allows strings to be added' do
        request.call
        expect(@controller.send(:create_params)).not_to include(string_arg: '123')

        instance.add_permitted_post_create_param(:string_arg)
        request.call
        expect(@controller.send(:create_params)).to include(string_arg: '123')
      end

      it 'allows hashes to be added' do
        instance.add_permitted_post_create_param(:hash_arg)
        request.call
        expect(@controller.send(:create_params)).not_to include(hash_arg: { key1: 'val' })

        instance.add_permitted_post_create_param(:hash_arg, :hash)
        request.call
        expect(@controller.send(:create_params)).to include(hash_arg: { key1: 'val' })
      end

      it 'allows strings to be added' do
        instance.add_permitted_post_create_param(:array_arg)
        request.call
        expect(@controller.send(:create_params)).not_to include(array_arg: ['1', '2', '3'])

        instance.add_permitted_post_create_param(:array_arg, :array)
        request.call
        expect(@controller.send(:create_params)).to include(array_arg: ['1', '2', '3'])
      end

    end
  end
end