Discource-C
/
discourse
mirror of https://github.com/discourse/discourse.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
discourse/spec/requests/invites_controller_spec.rb

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

1497 lines
54 KiB
Ruby
Raw Normal View History

DEV: use #frozen_string_literal: true on all spec This change both speeds up specs (less strings to allocate) and helps catch cases where methods in Discourse are mutating inputs. Overall we will be migrating everything to use #frozen_string_literal: true it will take a while, but this is the first and safest move in this direction
2019-04-29 20:27:42 -04:00
# frozen_string_literal: true
Add RSpec 4 compatibility (#17652) * Remove outdated option https://github.com/rspec/rspec-core/commit/04078317ba6577699d06cf4dccf014254dcde7a6 * Use the non-globally exposed RSpec syntax https://github.com/rspec/rspec-core/pull/2803 * Use the non-globally exposed RSpec syntax, cont https://github.com/rspec/rspec-core/pull/2803 * Comply to strict predicate matchers See: - https://github.com/rspec/rspec-expectations/pull/1195 - https://github.com/rspec/rspec-expectations/pull/1196 - https://github.com/rspec/rspec-expectations/pull/1277
2022-07-27 22:27:38 -04:00
RSpec.describe InvitesController do
FEATURE: multiple use invite links (#9813)
2020-06-09 11:19:32 -04:00
fab!(:admin) { Fabricate(:admin) }
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
fab!(:user) { Fabricate(:user, trust_level: SiteSetting.min_trust_level_to_allow_invite) }
FEATURE: multiple use invite links (#9813)
2020-06-09 11:19:32 -04:00
DEV: Use `describe` for methods in specs
2022-07-27 06:21:10 -04:00
describe "#show" do
DEV: Prefabrication (test optimization) (#7414) * Introduced fab!, a helper that creates database state for a group It's almost identical to let_it_be, except: 1. It creates a new object for each test by default, 2. You can disable it using PREFABRICATION=0
2019-05-06 23:12:20 -04:00
fab!(:invite) { Fabricate(:invite) }
FIX: better handling of invite links after they are redeemed FIX: deprecate invite_passthrough_hours setting
2018-05-08 10:42:58 -04:00
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
it "shows the accept invite page" do
UX: improve error message for already logged in users (#11020)
2020-10-24 11:51:01 -04:00
get "/invites/#{invite.invite_key}"
expect(response.status).to eq(200)
DEV: Remove ember-cli flags from the backend (#17147) …and other auxiliary code * Restore `QUNIT_EMBER_CLI` flag warning * Add `ALLOW_EMBER_CLI_PROXY_BYPASS`
2022-06-20 10:33:05 -04:00
expect(response.body).to have_tag(:script, with: { src: "/assets/discourse.js" })
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
expect(response.body).not_to include(invite.email)
expect(response.body).to_not include(
I18n.t(
"invite.not_found_template",
site_name: SiteSetting.title,
base_url: Discourse.base_url,
DEV: Apply syntax_tree formatting to `spec/*`
2023-01-09 06:18:21 -05:00
),
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
)
FIX: do not suggest "user1" as a username to invited users (#15031) Recently, the wrong new behavior appeared – we started to suggest to invited users usernames like "user1". To reproduce: 1. Create an invitation with default settings, do not restrict it to email 2. Copy an invitation link and follow it in incognito mode See username already filled, with eg “user1”. See screenshot. Should be empty. This bug was very likely introduced by my recent changes to UserNameSuggester.
2021-11-30 07:59:37 -05:00
expect(response.body).to have_tag("div#data-preloaded") do |element|
json = JSON.parse(element.current_scope.attribute("data-preloaded").value)
invite_info = JSON.parse(json["invite_info"])
expect(invite_info["username"]).to eq("")
expect(invite_info["email"]).to eq("i*****g@a***********e.ooo")
end
UX: improve error message for already logged in users (#11020)
2020-10-24 11:51:01 -04:00
end
DEV: Upgrade to Rails 7 This patch upgrades Rails to version 7.0.2.4.
2022-03-21 10:28:52 -04:00
context "when email data is present in authentication data" do
let(:store) { ActionDispatch::Session::CookieStore.new({}) }
let(:session_stub) do
ActionDispatch::Request::Session.create(store, ActionDispatch::TestRequest.create, {})
DEV: Apply syntax_tree formatting to `spec/*`
2023-01-09 06:18:21 -05:00
end
DEV: Upgrade to Rails 7 This patch upgrades Rails to version 7.0.2.4.
2022-03-21 10:28:52 -04:00
before do
session_stub[:authentication] = { email: invite.email }
ActionDispatch::Request.any_instance.stubs(:session).returns(session_stub)
end
it "shows unobfuscated email" do
get "/invites/#{invite.invite_key}"
expect(response.status).to eq(200)
DEV: Remove ember-cli flags from the backend (#17147) …and other auxiliary code * Restore `QUNIT_EMBER_CLI` flag warning * Add `ALLOW_EMBER_CLI_PROXY_BYPASS`
2022-06-20 10:33:05 -04:00
expect(response.body).to have_tag(:script, with: { src: "/assets/discourse.js" })
DEV: Upgrade to Rails 7 This patch upgrades Rails to version 7.0.2.4.
2022-03-21 10:28:52 -04:00
expect(response.body).to include(invite.email)
expect(response.body).not_to include("i*****g@a***********e.ooo")
end
FIX: Check if invite has expired before showing it (#10581)
2020-09-02 06:24:49 -04:00
end
FEATURE: Allow admins to pre-populate user fields (#12361) Admins can use bulk invites to pre-populate user fields. The imported CSV file must have a header with "email" column (first position) and names of the user fields (exact match). Under the hood, the bulk invite will create staged users and populate the user fields of those.
2021-03-29 07:03:19 -04:00
it "shows default user fields" do
user_field = Fabricate(:user_field)
staged_user = Fabricate(:user, staged: true, email: invite.email)
staged_user.set_user_field(user_field.id, "some value")
staged_user.save_custom_fields
get "/invites/#{invite.invite_key}"
expect(response.body).to have_tag("div#data-preloaded") do |element|
json = JSON.parse(element.current_scope.attribute("data-preloaded").value)
invite_info = JSON.parse(json["invite_info"])
FIX: Let staged users choose their username (#13678) When a staged user tried to redeem an invite, a different username was suggested and manually typing the staged username failed because the username was not available.
2021-07-11 17:57:38 -04:00
expect(invite_info["username"]).to eq(staged_user.username)
FEATURE: Allow admins to pre-populate user fields (#12361) Admins can use bulk invites to pre-populate user fields. The imported CSV file must have a header with "email" column (first position) and names of the user fields (exact match). Under the hood, the bulk invite will create staged users and populate the user fields of those.
2021-03-29 07:03:19 -04:00
expect(invite_info["user_fields"][user_field.id.to_s]).to eq("some value")
end
end
FIX: Make UI match server behavior for external-auth invites (#13113) There are two methods which the server uses to verify an invite is being redeemed with a matching email: 1) The email token, supplied via a `?t=` parameter 2) The validity of the email, as provided by the auth provider Only one of these needs to be true for the invite to be redeemed successfully on the server. The frontend logic was previously only checking (2). This commit updates the frontend logic to match the server. This commit does not affect the invite redemption logic. It only affects the 'show' endpoint, and the UI.
2021-05-26 04:47:44 -04:00
it "includes token validity boolean" do
get "/invites/#{invite.invite_key}"
expect(response.body).to have_tag("div#data-preloaded") do |element|
json = JSON.parse(element.current_scope.attribute("data-preloaded").value)
invite_info = JSON.parse(json["invite_info"])
expect(invite_info["email_verified_by_link"]).to eq(false)
end
get "/invites/#{invite.invite_key}?t=#{invite.email_token}"
expect(response.body).to have_tag("div#data-preloaded") do |element|
json = JSON.parse(element.current_scope.attribute("data-preloaded").value)
invite_info = JSON.parse(json["invite_info"])
expect(invite_info["email_verified_by_link"]).to eq(true)
end
end
SECURITY: Validate email constraints when trying to redeem an invite In certain situations, a logged in user can redeem an invite with an email that either doesn't match the invite's email or does not adhere to the email domain restriction of an invite link. The impact of this flaw is aggrevated when the invite has been configured to add the user that accepts the invite into restricted groups.
2022-06-20 23:56:50 -04:00
describe "logged in user viewing an invite" do
fab!(:group) { Fabricate(:group) }
FEATURE: Make invites work with existing users (#13532) * FEATURE: Redirect logged in user to invite topic Users who were already logged in and were given an invite link to a topic used to see an error message saying that they already have an account and cannot redeem the invite. This commit amends that behavior and redirects the user directly to the topic, if they can see it. * FEATURE: Add logged in user to invite groups Users who were already logged in and were given an invite link to a group used to see an error message saying that they already have an account and cannot redeem the invite. This commit amends that behavior and adds the user to the group.
2021-07-07 12:42:42 -04:00
SECURITY: Validate email constraints when trying to redeem an invite In certain situations, a logged in user can redeem an invite with an email that either doesn't match the invite's email or does not adhere to the email domain restriction of an invite link. The impact of this flaw is aggrevated when the invite has been configured to add the user that accepts the invite into restricted groups.
2022-06-20 23:56:50 -04:00
before { sign_in(user) }
FEATURE: Make invites work with existing users (#13532) * FEATURE: Redirect logged in user to invite topic Users who were already logged in and were given an invite link to a topic used to see an error message saying that they already have an account and cannot redeem the invite. This commit amends that behavior and redirects the user directly to the topic, if they can see it. * FEATURE: Add logged in user to invite groups Users who were already logged in and were given an invite link to a group used to see an error message saying that they already have an account and cannot redeem the invite. This commit amends that behavior and adds the user to the group.
2021-07-07 12:42:42 -04:00
SECURITY: Fix invite link email validation (#18817) See https://github.com/discourse/discourse/security/advisories/GHSA-x8w7-rwmr-w278 Co-authored-by: Martin Brennan <martin@discourse.org>
2022-11-01 12:33:32 -04:00
it "shows the accept invite page when user's email matches the invite email" do
SECURITY: Validate email constraints when trying to redeem an invite In certain situations, a logged in user can redeem an invite with an email that either doesn't match the invite's email or does not adhere to the email domain restriction of an invite link. The impact of this flaw is aggrevated when the invite has been configured to add the user that accepts the invite into restricted groups.
2022-06-20 23:56:50 -04:00
invite.update_columns(email: user.email)
FEATURE: Make invites work with existing users (#13532) * FEATURE: Redirect logged in user to invite topic Users who were already logged in and were given an invite link to a topic used to see an error message saying that they already have an account and cannot redeem the invite. This commit amends that behavior and redirects the user directly to the topic, if they can see it. * FEATURE: Add logged in user to invite groups Users who were already logged in and were given an invite link to a group used to see an error message saying that they already have an account and cannot redeem the invite. This commit amends that behavior and adds the user to the group.
2021-07-07 12:42:42 -04:00
SECURITY: Fix invite link email validation (#18817) See https://github.com/discourse/discourse/security/advisories/GHSA-x8w7-rwmr-w278 Co-authored-by: Martin Brennan <martin@discourse.org>
2022-11-01 12:33:32 -04:00
get "/invites/#{invite.invite_key}"
expect(response.status).to eq(200)
expect(response.body).to have_tag(:script, with: { src: "/assets/discourse.js" })
expect(response.body).not_to include(
I18n.t(
"invite.not_found_template",
site_name: SiteSetting.title,
base_url: Discourse.base_url,
DEV: Apply syntax_tree formatting to `spec/*`
2023-01-09 06:18:21 -05:00
),
SECURITY: Fix invite link email validation (#18817) See https://github.com/discourse/discourse/security/advisories/GHSA-x8w7-rwmr-w278 Co-authored-by: Martin Brennan <martin@discourse.org>
2022-11-01 12:33:32 -04:00
)
DEV: Apply syntax_tree formatting to `spec/*`
2023-01-09 06:18:21 -05:00
SECURITY: Fix invite link email validation (#18817) See https://github.com/discourse/discourse/security/advisories/GHSA-x8w7-rwmr-w278 Co-authored-by: Martin Brennan <martin@discourse.org>
2022-11-01 12:33:32 -04:00
expect(response.body).to have_tag("div#data-preloaded") do |element|
json = JSON.parse(element.current_scope.attribute("data-preloaded").value)
invite_info = JSON.parse(json["invite_info"])
expect(invite_info["username"]).to eq(user.username)
expect(invite_info["email"]).to eq(user.email)
expect(invite_info["existing_user_id"]).to eq(user.id)
expect(invite_info["existing_user_can_redeem"]).to eq(true)
end
SECURITY: Validate email constraints when trying to redeem an invite In certain situations, a logged in user can redeem an invite with an email that either doesn't match the invite's email or does not adhere to the email domain restriction of an invite link. The impact of this flaw is aggrevated when the invite has been configured to add the user that accepts the invite into restricted groups.
2022-06-20 23:56:50 -04:00
end
FEATURE: Make invites work with existing users (#13532) * FEATURE: Redirect logged in user to invite topic Users who were already logged in and were given an invite link to a topic used to see an error message saying that they already have an account and cannot redeem the invite. This commit amends that behavior and redirects the user directly to the topic, if they can see it. * FEATURE: Add logged in user to invite groups Users who were already logged in and were given an invite link to a group used to see an error message saying that they already have an account and cannot redeem the invite. This commit amends that behavior and adds the user to the group.
2021-07-07 12:42:42 -04:00
SECURITY: Fix invite link email validation (#18817) See https://github.com/discourse/discourse/security/advisories/GHSA-x8w7-rwmr-w278 Co-authored-by: Martin Brennan <martin@discourse.org>
2022-11-01 12:33:32 -04:00
it "shows the accept invite page when user's email domain matches the domain an invite link is restricted to" do
SECURITY: Validate email constraints when trying to redeem an invite In certain situations, a logged in user can redeem an invite with an email that either doesn't match the invite's email or does not adhere to the email domain restriction of an invite link. The impact of this flaw is aggrevated when the invite has been configured to add the user that accepts the invite into restricted groups.
2022-06-20 23:56:50 -04:00
invite.update!(email: nil, domain: "discourse.org")
user.update!(email: "someguy@discourse.org")
FEATURE: Redeem invites for existent users (#15866) This adds logic to increase an `InvitedUser` record, increase `redemption_count` and create a `:invitee_accepted` to let the inviter know that the invitee used the invite. Initial support for this was implemented in commit 9969631.
2022-02-09 10:22:30 -05:00
SECURITY: Fix invite link email validation (#18817) See https://github.com/discourse/discourse/security/advisories/GHSA-x8w7-rwmr-w278 Co-authored-by: Martin Brennan <martin@discourse.org>
2022-11-01 12:33:32 -04:00
get "/invites/#{invite.invite_key}"
expect(response.status).to eq(200)
expect(response.body).to have_tag(:script, with: { src: "/assets/discourse.js" })
expect(response.body).not_to include(
I18n.t(
"invite.not_found_template",
site_name: SiteSetting.title,
base_url: Discourse.base_url,
DEV: Apply syntax_tree formatting to `spec/*`
2023-01-09 06:18:21 -05:00
),
SECURITY: Fix invite link email validation (#18817) See https://github.com/discourse/discourse/security/advisories/GHSA-x8w7-rwmr-w278 Co-authored-by: Martin Brennan <martin@discourse.org>
2022-11-01 12:33:32 -04:00
)
DEV: Apply syntax_tree formatting to `spec/*`
2023-01-09 06:18:21 -05:00
SECURITY: Fix invite link email validation (#18817) See https://github.com/discourse/discourse/security/advisories/GHSA-x8w7-rwmr-w278 Co-authored-by: Martin Brennan <martin@discourse.org>
2022-11-01 12:33:32 -04:00
expect(response.body).to have_tag("div#data-preloaded") do |element|
json = JSON.parse(element.current_scope.attribute("data-preloaded").value)
invite_info = JSON.parse(json["invite_info"])
expect(invite_info["username"]).to eq(user.username)
expect(invite_info["email"]).to eq(user.email)
expect(invite_info["existing_user_id"]).to eq(user.id)
expect(invite_info["existing_user_can_redeem"]).to eq(true)
end
SECURITY: Validate email constraints when trying to redeem an invite In certain situations, a logged in user can redeem an invite with an email that either doesn't match the invite's email or does not adhere to the email domain restriction of an invite link. The impact of this flaw is aggrevated when the invite has been configured to add the user that accepts the invite into restricted groups.
2022-06-20 23:56:50 -04:00
end
FIX: Check if invite has expired before showing it (#10581)
2020-09-02 06:24:49 -04:00
SECURITY: Fix invite link email validation (#18817) See https://github.com/discourse/discourse/security/advisories/GHSA-x8w7-rwmr-w278 Co-authored-by: Martin Brennan <martin@discourse.org>
2022-11-01 12:33:32 -04:00
it "does not allow the user to accept the invite when their email domain does not match the domain of the invite" do
SECURITY: Validate email constraints when trying to redeem an invite In certain situations, a logged in user can redeem an invite with an email that either doesn't match the invite's email or does not adhere to the email domain restriction of an invite link. The impact of this flaw is aggrevated when the invite has been configured to add the user that accepts the invite into restricted groups.
2022-06-20 23:56:50 -04:00
user.update!(email: "someguy@discourse.com")
invite.update!(email: nil, domain: "discourse.org")
FIX: Do not increase invite count for current user (#15952) The current user could redeem an invite created by themselves.
2022-02-15 10:35:58 -05:00
SECURITY: Fix invite link email validation (#18817) See https://github.com/discourse/discourse/security/advisories/GHSA-x8w7-rwmr-w278 Co-authored-by: Martin Brennan <martin@discourse.org>
2022-11-01 12:33:32 -04:00
get "/invites/#{invite.invite_key}"
expect(response.status).to eq(200)
SECURITY: Validate email constraints when trying to redeem an invite In certain situations, a logged in user can redeem an invite with an email that either doesn't match the invite's email or does not adhere to the email domain restriction of an invite link. The impact of this flaw is aggrevated when the invite has been configured to add the user that accepts the invite into restricted groups.
2022-06-20 23:56:50 -04:00
SECURITY: Fix invite link email validation (#18817) See https://github.com/discourse/discourse/security/advisories/GHSA-x8w7-rwmr-w278 Co-authored-by: Martin Brennan <martin@discourse.org>
2022-11-01 12:33:32 -04:00
expect(response.body).to have_tag("div#data-preloaded") do |element|
json = JSON.parse(element.current_scope.attribute("data-preloaded").value)
invite_info = JSON.parse(json["invite_info"])
expect(invite_info["existing_user_can_redeem"]).to eq(false)
FIX: Invite redemption error if user had already redeemed (#19070) When opening the invite acceptance page when the user was already logged in, we were still showing the Accept Invitation prompt even if the user had already redeemed the invitation and was present in the `InvitedUser` table. This would lead to errors when the user clicked on the button. This commit fixes the issue by hiding the Accept Invitation button and showing an error message instead indicating that the user had already redeemed the invitation. This only applies to multi-use invite links.
2022-11-17 00:51:58 -05:00
expect(invite_info["existing_user_can_redeem_error"]).to eq(
I18n.t("invite.existing_user_cannot_redeem"),
)
SECURITY: Fix invite link email validation (#18817) See https://github.com/discourse/discourse/security/advisories/GHSA-x8w7-rwmr-w278 Co-authored-by: Martin Brennan <martin@discourse.org>
2022-11-01 12:33:32 -04:00
end
SECURITY: Validate email constraints when trying to redeem an invite In certain situations, a logged in user can redeem an invite with an email that either doesn't match the invite's email or does not adhere to the email domain restriction of an invite link. The impact of this flaw is aggrevated when the invite has been configured to add the user that accepts the invite into restricted groups.
2022-06-20 23:56:50 -04:00
end
SECURITY: Fix invite link email validation (#18817) See https://github.com/discourse/discourse/security/advisories/GHSA-x8w7-rwmr-w278 Co-authored-by: Martin Brennan <martin@discourse.org>
2022-11-01 12:33:32 -04:00
it "does not allow the user to accept the invite when their email does not match the invite" do
SECURITY: Validate email constraints when trying to redeem an invite In certain situations, a logged in user can redeem an invite with an email that either doesn't match the invite's email or does not adhere to the email domain restriction of an invite link. The impact of this flaw is aggrevated when the invite has been configured to add the user that accepts the invite into restricted groups.
2022-06-20 23:56:50 -04:00
invite.update_columns(email: "notuseremail@discourse.org")
SECURITY: Fix invite link email validation (#18817) See https://github.com/discourse/discourse/security/advisories/GHSA-x8w7-rwmr-w278 Co-authored-by: Martin Brennan <martin@discourse.org>
2022-11-01 12:33:32 -04:00
get "/invites/#{invite.invite_key}"
expect(response.status).to eq(200)
SECURITY: Validate email constraints when trying to redeem an invite In certain situations, a logged in user can redeem an invite with an email that either doesn't match the invite's email or does not adhere to the email domain restriction of an invite link. The impact of this flaw is aggrevated when the invite has been configured to add the user that accepts the invite into restricted groups.
2022-06-20 23:56:50 -04:00
SECURITY: Fix invite link email validation (#18817) See https://github.com/discourse/discourse/security/advisories/GHSA-x8w7-rwmr-w278 Co-authored-by: Martin Brennan <martin@discourse.org>
2022-11-01 12:33:32 -04:00
expect(response.body).to have_tag("div#data-preloaded") do |element|
json = JSON.parse(element.current_scope.attribute("data-preloaded").value)
invite_info = JSON.parse(json["invite_info"])
expect(invite_info["existing_user_can_redeem"]).to eq(false)
end
SECURITY: Validate email constraints when trying to redeem an invite In certain situations, a logged in user can redeem an invite with an email that either doesn't match the invite's email or does not adhere to the email domain restriction of an invite link. The impact of this flaw is aggrevated when the invite has been configured to add the user that accepts the invite into restricted groups.
2022-06-20 23:56:50 -04:00
end
FIX: Invite redemption error if user had already redeemed (#19070) When opening the invite acceptance page when the user was already logged in, we were still showing the Accept Invitation prompt even if the user had already redeemed the invitation and was present in the `InvitedUser` table. This would lead to errors when the user clicked on the button. This commit fixes the issue by hiding the Accept Invitation button and showing an error message instead indicating that the user had already redeemed the invitation. This only applies to multi-use invite links.
2022-11-17 00:51:58 -05:00
it "does not allow the user to accept the invite when a multi-use invite link has already been redeemed by the user" do
invite.update!(email: nil, max_redemptions_allowed: 10)
expect(invite.redeem(redeeming_user: user)).not_to eq(nil)
get "/invites/#{invite.invite_key}"
expect(response.status).to eq(200)
expect(response.body).to have_tag("div#data-preloaded") do |element|
json = JSON.parse(element.current_scope.attribute("data-preloaded").value)
invite_info = JSON.parse(json["invite_info"])
expect(invite_info["existing_user_id"]).to eq(user.id)
expect(invite_info["existing_user_can_redeem"]).to eq(false)
expect(invite_info["existing_user_can_redeem_error"]).to eq(
I18n.t("invite.existing_user_already_redemeed"),
)
end
end
FIX: Existing users were mistakenly unable to redeem invite (#19191) Follow up to 40e8912395ee2dc0f43c2b2a4504f4984c1f040d In this previous commit I introduced a bug that prevented a legitimate case for an existing user to redeem an invite, where the email/domain were both blank and the invite was still redeemable by the user. Fixes the issue and adds more specs for that case.
2022-11-24 20:57:04 -05:00
it "allows the user to accept the invite when its an invite link that they have not redeemed" do
invite.update!(email: nil, max_redemptions_allowed: 10)
get "/invites/#{invite.invite_key}"
expect(response.status).to eq(200)
expect(response.body).to have_tag("div#data-preloaded") do |element|
json = JSON.parse(element.current_scope.attribute("data-preloaded").value)
invite_info = JSON.parse(json["invite_info"])
expect(invite_info["existing_user_id"]).to eq(user.id)
expect(invite_info["existing_user_can_redeem"]).to eq(true)
end
end
FIX: Do not increase invite count for current user (#15952) The current user could redeem an invite created by themselves.
2022-02-15 10:35:58 -05:00
end
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
it "fails if invite does not exist" do
get "/invites/missing"
expect(response.status).to eq(200)
expect(response.body).to_not have_tag(:script, with: { src: "/assets/application.js" })
expect(response.body).to include(I18n.t("invite.not_found", base_url: Discourse.base_url))
FIX: better handling of invite links after they are redeemed FIX: deprecate invite_passthrough_hours setting
2018-05-08 10:42:58 -04:00
end
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
it "fails if invite expired" do
invite.update(expires_at: 1.day.ago)
FIX: better handling of invite links after they are redeemed FIX: deprecate invite_passthrough_hours setting
2018-05-08 10:42:58 -04:00
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
get "/invites/#{invite.invite_key}"
DEV: Assert for 200 response code to avoid changing magic helper in the future.
2018-06-07 04:11:09 -04:00
expect(response.status).to eq(200)
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
expect(response.body).to_not have_tag(:script, with: { src: "/assets/application.js" })
expect(response.body).to include(I18n.t("invite.expired", base_url: Discourse.base_url))
FIX: better handling of invite links after they are redeemed FIX: deprecate invite_passthrough_hours setting
2018-05-08 10:42:58 -04:00
end
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
it "stores the invite key in the secure session if invite exists" do
FEATURE: Allow using invites when DiscourseConnect SSO is enabled (#12419) This PR allows invitations to be used when the DiscourseConnect SSO is enabled for a site (`enable_discourse_connect`) and local logins are disabled. Previously invites could not be accepted with SSO enabled simply because we did not have the code paths to handle that logic. The invitation methods that are supported include: * Inviting people to groups via email address * Inviting people to topics via email address * Using invitation links generated by the Invite Users UI in the /my/invited/pending route The flow works like this: 1. User visits an invite URL 2. The normal invitation validations (redemptions/expiry) happen at that point 3. We store the invite key in a secure session 4. The user clicks "Accept Invitation and Continue" (see below) 5. The user is redirected to /session/sso then to the SSO provider URL then back to /session/sso_login 6. We retrieve the invite based on the invite key in secure session. We revalidate the invitation. We show an error to the user if it is not valid. An additional check here for invites with an email specified is to check the SSO email matches the invite email 7. If the invite is OK we create the user via the normal SSO methods 8. We redeem the invite and activate the user. We clear the invite key in secure session. 9. If the invite had a topic we redirect the user there, otherwise we redirect to / Note that we decided for SSO-based invites the `must_approve_users` site setting is ignored, because the invite is a form of pre-approval, and because regular non-staff users cannot send out email invites or generally invite to the forum in this case. Also deletes some group invite checks as per https://github.com/discourse/discourse/pull/12353
2021-03-18 20:20:10 -04:00
get "/invites/#{invite.invite_key}"
expect(response.status).to eq(200)
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
invite_key = read_secure_session["invite-key"]
FEATURE: Allow using invites when DiscourseConnect SSO is enabled (#12419) This PR allows invitations to be used when the DiscourseConnect SSO is enabled for a site (`enable_discourse_connect`) and local logins are disabled. Previously invites could not be accepted with SSO enabled simply because we did not have the code paths to handle that logic. The invitation methods that are supported include: * Inviting people to groups via email address * Inviting people to topics via email address * Using invitation links generated by the Invite Users UI in the /my/invited/pending route The flow works like this: 1. User visits an invite URL 2. The normal invitation validations (redemptions/expiry) happen at that point 3. We store the invite key in a secure session 4. The user clicks "Accept Invitation and Continue" (see below) 5. The user is redirected to /session/sso then to the SSO provider URL then back to /session/sso_login 6. We retrieve the invite based on the invite key in secure session. We revalidate the invitation. We show an error to the user if it is not valid. An additional check here for invites with an email specified is to check the SSO email matches the invite email 7. If the invite is OK we create the user via the normal SSO methods 8. We redeem the invite and activate the user. We clear the invite key in secure session. 9. If the invite had a topic we redirect the user there, otherwise we redirect to / Note that we decided for SSO-based invites the `must_approve_users` site setting is ignored, because the invite is a form of pre-approval, and because regular non-staff users cannot send out email invites or generally invite to the forum in this case. Also deletes some group invite checks as per https://github.com/discourse/discourse/pull/12353
2021-03-18 20:20:10 -04:00
expect(invite_key).to eq(invite.invite_key)
end
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
it "returns error if invite has already been redeemed" do
FIX: Better error message for redeemed invite (#12580) This commit improves the error message when a user tries to redeem a completely redeemed invite link.
2021-04-02 04:11:07 -04:00
expect(invite.redeem).not_to eq(nil)
FIX: better handling of invite links after they are redeemed FIX: deprecate invite_passthrough_hours setting
2018-05-08 10:42:58 -04:00
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
get "/invites/#{invite.invite_key}"
DEV: Assert for 200 response code to avoid changing magic helper in the future.
2018-06-07 04:11:09 -04:00
expect(response.status).to eq(200)
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
expect(response.body).to_not have_tag(:script, with: { src: "/assets/application.js" })
expect(response.body).to include(
I18n.t(
"invite.not_found_template",
site_name: SiteSetting.title,
base_url: Discourse.base_url,
DEV: Apply syntax_tree formatting to `spec/*`
2023-01-09 06:18:21 -05:00
),
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
)
FIX: Better error message for redeemed invite (#12580) This commit improves the error message when a user tries to redeem a completely redeemed invite link.
2021-04-02 04:11:07 -04:00
invite.update!(email: nil) # convert to email invite
get "/invites/#{invite.invite_key}"
expect(response.status).to eq(200)
expect(response.body).to_not have_tag(:script, with: { src: "/assets/application.js" })
expect(response.body).to include(
I18n.t(
"invite.not_found_template_link",
site_name: SiteSetting.title,
base_url: Discourse.base_url,
DEV: Apply syntax_tree formatting to `spec/*`
2023-01-09 06:18:21 -05:00
),
FIX: Better error message for redeemed invite (#12580) This commit improves the error message when a user tries to redeem a completely redeemed invite link.
2021-04-02 04:11:07 -04:00
)
FIX: better handling of invite links after they are redeemed FIX: deprecate invite_passthrough_hours setting
2018-05-08 10:42:58 -04:00
end
end
REFACTOR: convert invites controller specs to requests (#5898) REFACTOR: convert invites controller specs to requests
2018-06-01 01:06:08 -04:00
DEV: Use `describe` for methods in specs
2022-07-27 06:21:10 -04:00
describe "#create" do
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
it "requires to be logged in" do
post "/invites.json", params: { email: "test@example.com" }
REFACTOR: convert invites controller specs to requests (#5898) REFACTOR: convert invites controller specs to requests
2018-06-01 01:06:08 -04:00
expect(response.status).to eq(403)
end
context "while logged in" do
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
before { sign_in(user) }
REFACTOR: convert invites controller specs to requests (#5898) REFACTOR: convert invites controller specs to requests
2018-06-01 01:06:08 -04:00
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
it "fails if you cannot invite to the forum" do
sign_in(Fabricate(:user))
REFACTOR: convert invites controller specs to requests (#5898) REFACTOR: convert invites controller specs to requests
2018-06-01 01:06:08 -04:00
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
post "/invites.json", params: { email: "test@example.com" }
expect(response).to be_forbidden
REFACTOR: convert invites controller specs to requests (#5898) REFACTOR: convert invites controller specs to requests
2018-06-01 01:06:08 -04:00
end
end
DEV: Use proper wording for contexts in specs
2022-07-27 12:14:14 -04:00
context "with invite to topic" do
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
fab!(:topic) { Fabricate(:topic) }
REFACTOR: convert invites controller specs to requests (#5898) REFACTOR: convert invites controller specs to requests
2018-06-01 01:06:08 -04:00
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
it "works" do
sign_in(user)
REFACTOR: convert invites controller specs to requests (#5898) REFACTOR: convert invites controller specs to requests
2018-06-01 01:06:08 -04:00
FIX: Correctly pass `invite_to_topic` param to invites (#18229) Ensures the correct mailer template is used.
2022-09-12 13:16:53 -04:00
post "/invites.json",
params: {
email: "test@example.com",
topic_id: topic.id,
invite_to_topic: true,
}
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
expect(response.status).to eq(200)
FIX: Correctly pass `invite_to_topic` param to invites (#18229) Ensures the correct mailer template is used.
2022-09-12 13:16:53 -04:00
expect(Jobs::InviteEmail.jobs.first["args"].first["invite_to_topic"]).to be_truthy
REFACTOR: convert invites controller specs to requests (#5898) REFACTOR: convert invites controller specs to requests
2018-06-01 01:06:08 -04:00
end
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
it "fails when topic_id is invalid" do
sign_in(user)
post "/invites.json", params: { email: "test@example.com", topic_id: -9999 }
expect(response.status).to eq(400)
REFACTOR: convert invites controller specs to requests (#5898) REFACTOR: convert invites controller specs to requests
2018-06-01 01:06:08 -04:00
end
FEATURE: Show error if invite to topic is invalid (#15959) This can happen if the topic to which a user is invited is in a private category and the user was not invited to one of the groups that can see that specific category. This used to be a warning and this commit makes it an error.
2022-02-16 11:35:02 -05:00
DEV: Use proper wording for contexts in specs
2022-07-27 12:14:14 -04:00
context "when topic is private" do
FEATURE: Show error if invite to topic is invalid (#15959) This can happen if the topic to which a user is invited is in a private category and the user was not invited to one of the groups that can see that specific category. This used to be a warning and this commit makes it an error.
2022-02-16 11:35:02 -05:00
fab!(:group) { Fabricate(:group) }
fab!(:secured_category) do |category|
category = Fabricate(:category)
category.permissions = { group.name => :full }
category.save!
category
end
fab!(:topic) { Fabricate(:topic, category: secured_category) }
it "does not work and returns a list of required groups" do
sign_in(admin)
post "/invites.json", params: { email: "test@example.com", topic_id: topic.id }
expect(response.status).to eq(422)
expect(response.parsed_body["errors"]).to contain_exactly(
I18n.t("invite.requires_groups", groups: group.name),
)
end
it "does not work if user cannot edit groups" do
group.add(user)
sign_in(user)
post "/invites.json", params: { email: "test@example.com", topic_id: topic.id }
expect(response.status).to eq(403)
end
end
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
end
REFACTOR: convert invites controller specs to requests (#5898) REFACTOR: convert invites controller specs to requests
2018-06-01 01:06:08 -04:00
DEV: Use proper wording for contexts in specs
2022-07-27 12:14:14 -04:00
context "with invite to group" do
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
fab!(:group) { Fabricate(:group) }
it "works for admins" do
FEATURE: multiple use invite links (#9813)
2020-06-09 11:19:32 -04:00
sign_in(admin)
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
post "/invites.json", params: { email: "test@example.com", group_ids: [group.id] }
DEV: Assert for 200 response code to avoid changing magic helper in the future.
2018-06-07 04:11:09 -04:00
expect(response.status).to eq(200)
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
expect(Invite.find_by(email: "test@example.com").invited_groups.count).to eq(1)
REFACTOR: convert invites controller specs to requests (#5898) REFACTOR: convert invites controller specs to requests
2018-06-01 01:06:08 -04:00
end
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
it "works for group owners" do
sign_in(user)
REFACTOR: convert invites controller specs to requests (#5898) REFACTOR: convert invites controller specs to requests
2018-06-01 01:06:08 -04:00
group.add_owner(user)
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
post "/invites.json", params: { email: "test@example.com", group_ids: [group.id] }
DEV: Assert for 200 response code to avoid changing magic helper in the future.
2018-06-07 04:11:09 -04:00
expect(response.status).to eq(200)
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
expect(Invite.find_by(email: "test@example.com").invited_groups.count).to eq(1)
REFACTOR: convert invites controller specs to requests (#5898) REFACTOR: convert invites controller specs to requests
2018-06-01 01:06:08 -04:00
end
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
it "works with multiple groups" do
FEATURE: multiple use invite links (#9813)
2020-06-09 11:19:32 -04:00
sign_in(admin)
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
group2 = Fabricate(:group)
REFACTOR: convert invites controller specs to requests (#5898) REFACTOR: convert invites controller specs to requests
2018-06-01 01:06:08 -04:00
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
post "/invites.json",
params: {
email: "test@example.com",
group_names: "#{group.name},#{group2.name}",
}
expect(response.status).to eq(200)
expect(Invite.find_by(email: "test@example.com").invited_groups.count).to eq(2)
FEATURE: multiple use invite links (#9813)
2020-06-09 11:19:32 -04:00
end
REFACTOR: convert invites controller specs to requests (#5898) REFACTOR: convert invites controller specs to requests
2018-06-01 01:06:08 -04:00
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
it "fails for group members" do
sign_in(user)
group.add(user)
REFACTOR: convert invites controller specs to requests (#5898) REFACTOR: convert invites controller specs to requests
2018-06-01 01:06:08 -04:00
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
post "/invites.json", params: { email: "test@example.com", group_ids: [group.id] }
expect(response.status).to eq(403)
end
REFACTOR: convert invites controller specs to requests (#5898) REFACTOR: convert invites controller specs to requests
2018-06-01 01:06:08 -04:00
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
it "fails for other users" do
sign_in(user)
REFACTOR: convert invites controller specs to requests (#5898) REFACTOR: convert invites controller specs to requests
2018-06-01 01:06:08 -04:00
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
post "/invites.json", params: { email: "test@example.com", group_ids: [group.id] }
expect(response.status).to eq(403)
end
FIX: Return 400 when invalid topic_id is provided when creating invite.
2020-06-09 21:29:28 -04:00
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
it "fails to invite new user to a group-private topic" do
sign_in(user)
private_category = Fabricate(:private_category, group: group)
group_private_topic = Fabricate(:topic, category: private_category)
FIX: Return 400 when invalid topic_id is provided when creating invite.
2020-06-09 21:29:28 -04:00
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
post "/invites.json",
params: {
email: "test@example.com",
topic_id: group_private_topic.id,
}
expect(response.status).to eq(403)
end
end
FEATURE: multiple use invite links (#9813)
2020-06-09 11:19:32 -04:00
DEV: Use proper wording for contexts in specs
2022-07-27 12:14:14 -04:00
context "with email invite" do
FIX: Apply 'hide email account' for invites
2022-05-10 11:45:43 -04:00
subject(:create_invite) { post "/invites.json", params: params }
let(:params) { { email: email } }
let(:email) { "test@example.com" }
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
before { sign_in(user) }
FEATURE: multiple use invite links (#9813)
2020-06-09 11:19:32 -04:00
FIX: Apply 'hide email account' for invites
2022-05-10 11:45:43 -04:00
context "when doing successive calls" do
let(:invite) { Invite.last }
FEATURE: multiple use invite links (#9813)
2020-06-09 11:19:32 -04:00
FIX: Apply 'hide email account' for invites
2022-05-10 11:45:43 -04:00
it "creates invite once and updates it after" do
create_invite
expect(response).to have_http_status :ok
expect(Jobs::InviteEmail.jobs.size).to eq(1)
FIX: Various invite system fixes (#13003) * FIX: Ensure the same email cannot be invited twice When creating a new invite with a duplicated email, the old invite will be updated and returned. When updating an invite with a duplicated email address, an error will be returned. * FIX: not Ember helper does not exist * FIX: Sync can_invite_to_forum? and can_invite_to? The two methods should perform the same basic set of checks, such as check must_approve_users site setting. Ideally, one of the methods would call the other one or be merged and that will happen in the future. * FIX: Show invite to group if user is group owner
2021-05-12 06:06:39 -04:00
FIX: Apply 'hide email account' for invites
2022-05-10 11:45:43 -04:00
create_invite
expect(response).to have_http_status :ok
expect(response.parsed_body["id"]).to eq(invite.id)
end
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
end
FEATURE: multiple use invite links (#9813)
2020-06-09 11:19:32 -04:00
FIX: Apply 'hide email account' for invites
2022-05-10 11:45:43 -04:00
context 'when "skip_email" parameter is provided' do
before { params[:skip_email] = true }
FEATURE: multiple use invite links (#9813)
2020-06-09 11:19:32 -04:00
FIX: Apply 'hide email account' for invites
2022-05-10 11:45:43 -04:00
it "accepts the parameter" do
create_invite
expect(response).to have_http_status :ok
expect(Jobs::InviteEmail.jobs.size).to eq(0)
end
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
end
FEATURE: multiple use invite links (#9813)
2020-06-09 11:19:32 -04:00
FIX: Apply 'hide email account' for invites
2022-05-10 11:45:43 -04:00
context "when validations fail" do
let(:email) { "test@mailinator.com" }
FEATURE: multiple use invite links (#9813)
2020-06-09 11:19:32 -04:00
FIX: Apply 'hide email account' for invites
2022-05-10 11:45:43 -04:00
it "fails" do
create_invite
expect(response).to have_http_status :unprocessable_entity
expect(response.parsed_body["errors"]).to be_present
end
end
context "when providing an email belonging to an existing user" do
let(:email) { user.email }
before { SiteSetting.hide_email_address_taken = hide_email_address_taken }
context 'when "hide_email_address_taken" setting is disabled' do
let(:hide_email_address_taken) { false }
it "returns an error" do
create_invite
expect(response).to have_http_status :unprocessable_entity
expect(body).to match(/no need to invite/)
end
end
context 'when "hide_email_address_taken" setting is enabled' do
let(:hide_email_address_taken) { true }
it "doesnt inform the user" do
create_invite
FIX: Display a proper error when user already exists and email addresses are hidden. (#20585) Follow-up to #16703. Returning an empty response leads to a bad UX since the user has no feedback about what happened.
2023-03-08 10:38:58 -05:00
expect(response).to have_http_status :unprocessable_entity
expect(body).to match(/There was a problem with your request./)
FIX: Apply 'hide email account' for invites
2022-05-10 11:45:43 -04:00
end
end
FEATURE: multiple use invite links (#9813)
2020-06-09 11:19:32 -04:00
end
end
REFACTOR: convert invites controller specs to requests (#5898) REFACTOR: convert invites controller specs to requests
2018-06-01 01:06:08 -04:00
DEV: Use proper wording for contexts in specs
2022-07-27 12:14:14 -04:00
context "with link invite" do
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
it "works" do
sign_in(admin)
post "/invites.json"
expect(response.status).to eq(200)
expect(Invite.last.email).to eq(nil)
expect(Invite.last.invited_by).to eq(admin)
expect(Invite.last.max_redemptions_allowed).to eq(1)
REFACTOR: convert invites controller specs to requests (#5898) REFACTOR: convert invites controller specs to requests
2018-06-01 01:06:08 -04:00
end
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
it "fails if over invite_link_max_redemptions_limit" do
sign_in(admin)
REFACTOR: convert invites controller specs to requests (#5898) REFACTOR: convert invites controller specs to requests
2018-06-01 01:06:08 -04:00
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
post "/invites.json",
params: {
max_redemptions_allowed: SiteSetting.invite_link_max_redemptions_limit - 1,
}
expect(response.status).to eq(200)
FEATURE: multiple use invite links (#9813)
2020-06-09 11:19:32 -04:00
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
post "/invites.json",
params: {
max_redemptions_allowed: SiteSetting.invite_link_max_redemptions_limit + 1,
}
expect(response.status).to eq(422)
end
REFACTOR: convert invites controller specs to requests (#5898) REFACTOR: convert invites controller specs to requests
2018-06-01 01:06:08 -04:00
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
it "fails if over invite_link_max_redemptions_limit_users" do
sign_in(user)
REFACTOR: convert invites controller specs to requests (#5898) REFACTOR: convert invites controller specs to requests
2018-06-01 01:06:08 -04:00
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
post "/invites.json",
params: {
max_redemptions_allowed: SiteSetting.invite_link_max_redemptions_limit_users - 1,
}
expect(response.status).to eq(200)
REFACTOR: convert invites controller specs to requests (#5898) REFACTOR: convert invites controller specs to requests
2018-06-01 01:06:08 -04:00
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
post "/invites.json",
params: {
max_redemptions_allowed: SiteSetting.invite_link_max_redemptions_limit_users + 1,
}
expect(response.status).to eq(422)
REFACTOR: convert invites controller specs to requests (#5898) REFACTOR: convert invites controller specs to requests
2018-06-01 01:06:08 -04:00
end
end
end
DEV: Use `describe` for methods in specs
2022-07-27 06:21:10 -04:00
describe "#retrieve" do
FEATURE: Retrieve an existing link only invite (#12575) In Improve invite system, a newly created link only invite cannot be retrieved via API with the invitee's email once created. A new route, /invites/retrieve, is introduced to fetch an already created invite by email address.
2021-04-06 11:01:07 -04:00
it "requires to be logged in" do
get "/invites/retrieve.json", params: { email: "test@example.com" }
expect(response.status).to eq(403)
end
context "while logged in" do
before { sign_in(user) }
fab!(:invite) { Fabricate(:invite, invited_by: user, email: "test@example.com") }
it "raises an error when the email is missing" do
get "/invites/retrieve.json"
expect(response.status).to eq(400)
end
it "raises an error when the email cannot be found" do
get "/invites/retrieve.json", params: { email: "test2@example.com" }
expect(response.status).to eq(400)
end
it "can retrieve the invite" do
get "/invites/retrieve.json", params: { email: "test@example.com" }
expect(response.status).to eq(200)
end
end
end
DEV: Use `describe` for methods in specs
2022-07-27 06:21:10 -04:00
describe "#update" do
FEATURE: Various improvements to invite system (#12023) The user interface has been reorganized to show email and link invites in the same screen. Staff has more control over creating and updating invites. Bulk invite has also been improved with better explanations. On the server side, many code paths for email and link invites have been merged to avoid duplicated logic. The API returns better responses with more appropriate HTTP status codes.
2021-03-03 04:45:29 -05:00
fab!(:invite) { Fabricate(:invite, invited_by: admin, email: "test@example.com") }
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
it "requires to be logged in" do
put "/invites/#{invite.id}", params: { email: "test2@example.com" }
expect(response.status).to eq(400)
FEATURE: Various improvements to invite system (#12298) * FIX: Do not show expired invites under Pending tab * DEV: Controller action was renamed in previous commit * FEATURE: Add 'Expired' tab to invites * FEATURE: Refresh model after removing expired invites * FEATURE: Do not immediately add invite to the list Opening the 'create-invite' modal used to automatically generate an invite to reserve an invite link. If the user did not save it and closed the modal, the invite would be destroyed. This operations caused the invite list to change in the background and confuse users. * FEATURE: Sort redeemed users by creation time * UX: Improve show / hide advanced options link * FIX: Show redeemed users even if invites were trashed * UX: Change modal title when editing invite * UX: Remove Get Link button Users can get it from the edit modal * FEATURE: Add limit for invite links generated by regular users * FEATURE: Add option to skip email * UX: Show better error messages * FIX: Show "Invited by" even if invite was trashed Follow up to 1fdfa13a099d8e46edd0c481b3aaaafe40455ced. * FEATURE: Add button to save without sending email Follow up to c86379a465f28a3cc64a4a8c939cf32cf2931659. * DEV: Use a buffer to hold all changed data * FEATURE: Close modal after save * FEATURE: Rate limit resend invite email * FEATURE: Make the save buttons smarter * FEATURE: Do not always send email even for new invites
2021-03-06 06:29:35 -05:00
end
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
context "while logged in" do
before { sign_in(admin) }
FEATURE: Various improvements to invite system (#12023) The user interface has been reorganized to show email and link invites in the same screen. Staff has more control over creating and updating invites. Bulk invite has also been improved with better explanations. On the server side, many code paths for email and link invites have been merged to avoid duplicated logic. The API returns better responses with more appropriate HTTP status codes.
2021-03-03 04:45:29 -05:00
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
it "resends invite email if updating email address" do
put "/invites/#{invite.id}", params: { email: "test2@example.com" }
expect(response.status).to eq(200)
expect(Jobs::InviteEmail.jobs.size).to eq(1)
end
FEATURE: Various improvements to invite system (#12023) The user interface has been reorganized to show email and link invites in the same screen. Staff has more control over creating and updating invites. Bulk invite has also been improved with better explanations. On the server side, many code paths for email and link invites have been merged to avoid duplicated logic. The API returns better responses with more appropriate HTTP status codes.
2021-03-03 04:45:29 -05:00
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
it "does not resend invite email if skip_email if updating email address" do
put "/invites/#{invite.id}", params: { email: "test2@example.com", skip_email: true }
expect(response.status).to eq(200)
expect(Jobs::InviteEmail.jobs.size).to eq(0)
end
FEATURE: Various improvements to invite system (#12023) The user interface has been reorganized to show email and link invites in the same screen. Staff has more control over creating and updating invites. Bulk invite has also been improved with better explanations. On the server side, many code paths for email and link invites have been merged to avoid duplicated logic. The API returns better responses with more appropriate HTTP status codes.
2021-03-03 04:45:29 -05:00
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
it "does not resend invite email when updating other fields" do
put "/invites/#{invite.id}", params: { custom_message: "new message" }
expect(response.status).to eq(200)
expect(invite.reload.custom_message).to eq("new message")
expect(Jobs::InviteEmail.jobs.size).to eq(0)
end
FEATURE: Various improvements to invite system (#12023) The user interface has been reorganized to show email and link invites in the same screen. Staff has more control over creating and updating invites. Bulk invite has also been improved with better explanations. On the server side, many code paths for email and link invites have been merged to avoid duplicated logic. The API returns better responses with more appropriate HTTP status codes.
2021-03-03 04:45:29 -05:00
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
it "can send invite email" do
sign_in(user)
RateLimiter.enable
RateLimiter.clear_all!
invite = Fabricate(:invite, invited_by: user, email: "test@example.com")
expect { put "/invites/#{invite.id}", params: { send_email: true } }.to change {
RateLimiter.new(user, "resend-invite-per-hour", 10, 1.hour).remaining
}.by(-1)
expect(response.status).to eq(200)
expect(Jobs::InviteEmail.jobs.size).to eq(1)
end
FIX: Various invite system fixes (#13003) * FIX: Ensure the same email cannot be invited twice When creating a new invite with a duplicated email, the old invite will be updated and returned. When updating an invite with a duplicated email address, an error will be returned. * FIX: not Ember helper does not exist * FIX: Sync can_invite_to_forum? and can_invite_to? The two methods should perform the same basic set of checks, such as check must_approve_users site setting. Ideally, one of the methods would call the other one or be merged and that will happen in the future. * FIX: Show invite to group if user is group owner
2021-05-12 06:06:39 -04:00
it "cannot create duplicated invites" do
Fabricate(:invite, invited_by: admin, email: "test2@example.com")
put "/invites/#{invite.id}.json", params: { email: "test2@example.com" }
expect(response.status).to eq(409)
end
FIX: Apply 'hide email account' for invites
2022-05-10 11:45:43 -04:00
context "when providing an email belonging to an existing user" do
subject(:update_invite) { put "/invites/#{invite.id}.json", params: { email: admin.email } }
before { SiteSetting.hide_email_address_taken = hide_email_address_taken }
context "when 'hide_email_address_taken' setting is disabled" do
let(:hide_email_address_taken) { false }
it "returns an error" do
update_invite
expect(response).to have_http_status :unprocessable_entity
expect(body).to match(/no need to invite/)
end
end
context "when 'hide_email_address_taken' setting is enabled" do
let(:hide_email_address_taken) { true }
it "doesn't inform the user" do
update_invite
FIX: Display a proper error when user already exists and email addresses are hidden. (#20585) Follow-up to #16703. Returning an empty response leads to a bad UX since the user has no feedback about what happened.
2023-03-08 10:38:58 -05:00
expect(response).to have_http_status :unprocessable_entity
expect(body).to match(/There was a problem with your request./)
FIX: Apply 'hide email account' for invites
2022-05-10 11:45:43 -04:00
end
end
end
FEATURE: Various improvements to invite system (#12023) The user interface has been reorganized to show email and link invites in the same screen. Staff has more control over creating and updating invites. Bulk invite has also been improved with better explanations. On the server side, many code paths for email and link invites have been merged to avoid duplicated logic. The API returns better responses with more appropriate HTTP status codes.
2021-03-03 04:45:29 -05:00
end
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
end
FEATURE: Various improvements to invite system (#12298) * FIX: Do not show expired invites under Pending tab * DEV: Controller action was renamed in previous commit * FEATURE: Add 'Expired' tab to invites * FEATURE: Refresh model after removing expired invites * FEATURE: Do not immediately add invite to the list Opening the 'create-invite' modal used to automatically generate an invite to reserve an invite link. If the user did not save it and closed the modal, the invite would be destroyed. This operations caused the invite list to change in the background and confuse users. * FEATURE: Sort redeemed users by creation time * UX: Improve show / hide advanced options link * FIX: Show redeemed users even if invites were trashed * UX: Change modal title when editing invite * UX: Remove Get Link button Users can get it from the edit modal * FEATURE: Add limit for invite links generated by regular users * FEATURE: Add option to skip email * UX: Show better error messages * FIX: Show "Invited by" even if invite was trashed Follow up to 1fdfa13a099d8e46edd0c481b3aaaafe40455ced. * FEATURE: Add button to save without sending email Follow up to c86379a465f28a3cc64a4a8c939cf32cf2931659. * DEV: Use a buffer to hold all changed data * FEATURE: Close modal after save * FEATURE: Rate limit resend invite email * FEATURE: Make the save buttons smarter * FEATURE: Do not always send email even for new invites
2021-03-06 06:29:35 -05:00
DEV: Use `describe` for methods in specs
2022-07-27 06:21:10 -04:00
describe "#destroy" do
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
it "requires to be logged in" do
delete "/invites.json", params: { email: "test@example.com" }
expect(response.status).to eq(403)
end
FEATURE: Various improvements to invite system (#12298) * FIX: Do not show expired invites under Pending tab * DEV: Controller action was renamed in previous commit * FEATURE: Add 'Expired' tab to invites * FEATURE: Refresh model after removing expired invites * FEATURE: Do not immediately add invite to the list Opening the 'create-invite' modal used to automatically generate an invite to reserve an invite link. If the user did not save it and closed the modal, the invite would be destroyed. This operations caused the invite list to change in the background and confuse users. * FEATURE: Sort redeemed users by creation time * UX: Improve show / hide advanced options link * FIX: Show redeemed users even if invites were trashed * UX: Change modal title when editing invite * UX: Remove Get Link button Users can get it from the edit modal * FEATURE: Add limit for invite links generated by regular users * FEATURE: Add option to skip email * UX: Show better error messages * FIX: Show "Invited by" even if invite was trashed Follow up to 1fdfa13a099d8e46edd0c481b3aaaafe40455ced. * FEATURE: Add button to save without sending email Follow up to c86379a465f28a3cc64a4a8c939cf32cf2931659. * DEV: Use a buffer to hold all changed data * FEATURE: Close modal after save * FEATURE: Rate limit resend invite email * FEATURE: Make the save buttons smarter * FEATURE: Do not always send email even for new invites
2021-03-06 06:29:35 -05:00
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
context "while logged in" do
fab!(:invite) { Fabricate(:invite, invited_by: user) }
FEATURE: Various improvements to invite system (#12298) * FIX: Do not show expired invites under Pending tab * DEV: Controller action was renamed in previous commit * FEATURE: Add 'Expired' tab to invites * FEATURE: Refresh model after removing expired invites * FEATURE: Do not immediately add invite to the list Opening the 'create-invite' modal used to automatically generate an invite to reserve an invite link. If the user did not save it and closed the modal, the invite would be destroyed. This operations caused the invite list to change in the background and confuse users. * FEATURE: Sort redeemed users by creation time * UX: Improve show / hide advanced options link * FIX: Show redeemed users even if invites were trashed * UX: Change modal title when editing invite * UX: Remove Get Link button Users can get it from the edit modal * FEATURE: Add limit for invite links generated by regular users * FEATURE: Add option to skip email * UX: Show better error messages * FIX: Show "Invited by" even if invite was trashed Follow up to 1fdfa13a099d8e46edd0c481b3aaaafe40455ced. * FEATURE: Add button to save without sending email Follow up to c86379a465f28a3cc64a4a8c939cf32cf2931659. * DEV: Use a buffer to hold all changed data * FEATURE: Close modal after save * FEATURE: Rate limit resend invite email * FEATURE: Make the save buttons smarter * FEATURE: Do not always send email even for new invites
2021-03-06 06:29:35 -05:00
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
before { sign_in(user) }
FEATURE: Various improvements to invite system (#12298) * FIX: Do not show expired invites under Pending tab * DEV: Controller action was renamed in previous commit * FEATURE: Add 'Expired' tab to invites * FEATURE: Refresh model after removing expired invites * FEATURE: Do not immediately add invite to the list Opening the 'create-invite' modal used to automatically generate an invite to reserve an invite link. If the user did not save it and closed the modal, the invite would be destroyed. This operations caused the invite list to change in the background and confuse users. * FEATURE: Sort redeemed users by creation time * UX: Improve show / hide advanced options link * FIX: Show redeemed users even if invites were trashed * UX: Change modal title when editing invite * UX: Remove Get Link button Users can get it from the edit modal * FEATURE: Add limit for invite links generated by regular users * FEATURE: Add option to skip email * UX: Show better error messages * FIX: Show "Invited by" even if invite was trashed Follow up to 1fdfa13a099d8e46edd0c481b3aaaafe40455ced. * FEATURE: Add button to save without sending email Follow up to c86379a465f28a3cc64a4a8c939cf32cf2931659. * DEV: Use a buffer to hold all changed data * FEATURE: Close modal after save * FEATURE: Rate limit resend invite email * FEATURE: Make the save buttons smarter * FEATURE: Do not always send email even for new invites
2021-03-06 06:29:35 -05:00
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
it "raises an error when id is missing" do
delete "/invites.json"
expect(response.status).to eq(400)
end
it "raises an error when invite does not exist" do
delete "/invites.json", params: { id: 848 }
expect(response.status).to eq(400)
end
it "raises an error when invite is not created by user" do
another_invite = Fabricate(:invite, email: "test2@example.com")
delete "/invites.json", params: { id: another_invite.id }
expect(response.status).to eq(400)
end
it "destroys the invite" do
delete "/invites.json", params: { id: invite.id }
expect(response.status).to eq(200)
expect(invite.reload.trashed?).to be_truthy
end
FEATURE: Various improvements to invite system (#12298) * FIX: Do not show expired invites under Pending tab * DEV: Controller action was renamed in previous commit * FEATURE: Add 'Expired' tab to invites * FEATURE: Refresh model after removing expired invites * FEATURE: Do not immediately add invite to the list Opening the 'create-invite' modal used to automatically generate an invite to reserve an invite link. If the user did not save it and closed the modal, the invite would be destroyed. This operations caused the invite list to change in the background and confuse users. * FEATURE: Sort redeemed users by creation time * UX: Improve show / hide advanced options link * FIX: Show redeemed users even if invites were trashed * UX: Change modal title when editing invite * UX: Remove Get Link button Users can get it from the edit modal * FEATURE: Add limit for invite links generated by regular users * FEATURE: Add option to skip email * UX: Show better error messages * FIX: Show "Invited by" even if invite was trashed Follow up to 1fdfa13a099d8e46edd0c481b3aaaafe40455ced. * FEATURE: Add button to save without sending email Follow up to c86379a465f28a3cc64a4a8c939cf32cf2931659. * DEV: Use a buffer to hold all changed data * FEATURE: Close modal after save * FEATURE: Rate limit resend invite email * FEATURE: Make the save buttons smarter * FEATURE: Do not always send email even for new invites
2021-03-06 06:29:35 -05:00
end
FEATURE: Various improvements to invite system (#12023) The user interface has been reorganized to show email and link invites in the same screen. Staff has more control over creating and updating invites. Bulk invite has also been improved with better explanations. On the server side, many code paths for email and link invites have been merged to avoid duplicated logic. The API returns better responses with more appropriate HTTP status codes.
2021-03-03 04:45:29 -05:00
end
DEV: Use `describe` for methods in specs
2022-07-27 06:21:10 -04:00
describe "#perform_accept_invitation" do
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
context "with an invalid invite" do
it "redirects to the root" do
put "/invites/show/doesntexist.json"
FEATURE: Various improvements to invite system (#12023) The user interface has been reorganized to show email and link invites in the same screen. Staff has more control over creating and updating invites. Bulk invite has also been improved with better explanations. On the server side, many code paths for email and link invites have been merged to avoid duplicated logic. The API returns better responses with more appropriate HTTP status codes.
2021-03-03 04:45:29 -05:00
expect(response.status).to eq(404)
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
expect(response.parsed_body["message"]).to eq(I18n.t("invite.not_found_json"))
FIX: include error message if the "accept invite" process fails
2019-02-06 08:49:00 -05:00
expect(session[:current_user_id]).to be_blank
end
end
REFACTOR: convert invites controller specs to requests (#5898) REFACTOR: convert invites controller specs to requests
2018-06-01 01:06:08 -04:00
context "with a deleted invite" do
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
fab!(:invite) { Fabricate(:invite) }
SECURITY: Require groups to be given when inviting to a restricted category. (#6715)
2018-12-05 10:43:07 -05:00
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
before { invite.trash! }
REFACTOR: convert invites controller specs to requests (#5898) REFACTOR: convert invites controller specs to requests
2018-06-01 01:06:08 -04:00
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
it "redirects to the root" do
REFACTOR: convert invites controller specs to requests (#5898) REFACTOR: convert invites controller specs to requests
2018-06-01 01:06:08 -04:00
put "/invites/show/#{invite.invite_key}.json"
FEATURE: Various improvements to invite system (#12023) The user interface has been reorganized to show email and link invites in the same screen. Staff has more control over creating and updating invites. Bulk invite has also been improved with better explanations. On the server side, many code paths for email and link invites have been merged to avoid duplicated logic. The API returns better responses with more appropriate HTTP status codes.
2021-03-03 04:45:29 -05:00
expect(response.status).to eq(404)
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
expect(response.parsed_body["message"]).to eq(I18n.t("invite.not_found_json"))
REFACTOR: convert invites controller specs to requests (#5898) REFACTOR: convert invites controller specs to requests
2018-06-01 01:06:08 -04:00
expect(session[:current_user_id]).to be_blank
end
end
FEATURE: multiple use invite links (#9813)
2020-06-09 11:19:32 -04:00
context "with an expired invite" do
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
fab!(:invite) { Fabricate(:invite, expires_at: 1.day.ago) }
FEATURE: multiple use invite links (#9813)
2020-06-09 11:19:32 -04:00
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
it "response is not successful" do
put "/invites/show/#{invite.invite_key}.json"
FEATURE: Various improvements to invite system (#12023) The user interface has been reorganized to show email and link invites in the same screen. Staff has more control over creating and updating invites. Bulk invite has also been improved with better explanations. On the server side, many code paths for email and link invites have been merged to avoid duplicated logic. The API returns better responses with more appropriate HTTP status codes.
2021-03-03 04:45:29 -05:00
expect(response.status).to eq(404)
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
expect(response.parsed_body["message"]).to eq(I18n.t("invite.not_found_json"))
FEATURE: multiple use invite links (#9813)
2020-06-09 11:19:32 -04:00
expect(session[:current_user_id]).to be_blank
end
end
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
context "with an email invite" do
let(:topic) { Fabricate(:topic) }
let(:invite) { Invite.generate(topic.user, email: "iceking@adventuretime.ooo", topic: topic) }
REFACTOR: convert invites controller specs to requests (#5898) REFACTOR: convert invites controller specs to requests
2018-06-01 01:06:08 -04:00
it "redeems the invite" do
put "/invites/show/#{invite.invite_key}.json"
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
expect(invite.reload.redeemed?).to be_truthy
end
it "logs in the user" do
events =
DiscourseEvent.track_events do
FEATURE: Auto-activate users invited by email (#12675) When invited by email, users will receive an invite URL which contains a token. If that token is present when the invite is redeemed, their account will be automatically activated.
2021-04-14 05:15:56 -04:00
put "/invites/show/#{invite.invite_key}.json",
params: {
email_token: invite.email_token,
}
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
end
expect(events.map { |event| event[:event_name] }).to include(
:user_logged_in,
:user_first_logged_in,
)
expect(response.status).to eq(200)
expect(session[:current_user_id]).to eq(invite.invited_users.first.user_id)
expect(invite.reload.redeemed?).to be_truthy
user = User.find(invite.invited_users.first.user_id)
expect(user.ip_address).to be_present
expect(user.registration_ip_address).to be_present
end
it "redirects to the first topic the user was invited to" do
FEATURE: Auto-activate users invited by email (#12675) When invited by email, users will receive an invite URL which contains a token. If that token is present when the invite is redeemed, their account will be automatically activated.
2021-04-14 05:15:56 -04:00
put "/invites/show/#{invite.invite_key}.json", params: { email_token: invite.email_token }
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
expect(response.status).to eq(200)
expect(response.parsed_body["redirect_to"]).to eq(topic.relative_url)
FEATURE: Create notification for redeemed invite (#14146) Users can invite people to topic and they will be automatically redirected to the topic when logging in after signing up. This commit ensures a "invited_to_topic" notification is created when the invite is redeemed. The same notification is used for the "Notify" sharing method that is found in share topic modal.
2021-08-26 03:43:56 -04:00
expect(
Notification.where(
notification_type: Notification.types[:invited_to_topic],
topic: topic,
).count,
).to eq(1)
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
end
it "sets the timezone of the user in user_options" do
put "/invites/show/#{invite.invite_key}.json", params: { timezone: "Australia/Melbourne" }
expect(response.status).to eq(200)
REFACTOR: convert invites controller specs to requests (#5898) REFACTOR: convert invites controller specs to requests
2018-06-01 01:06:08 -04:00
invite.reload
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
user = User.find(invite.invited_users.first.user_id)
expect(user.user_option.timezone).to eq("Australia/Melbourne")
REFACTOR: convert invites controller specs to requests (#5898) REFACTOR: convert invites controller specs to requests
2018-06-01 01:06:08 -04:00
end
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
it "does not log in the user if there are validation errors" do
put "/invites/show/#{invite.invite_key}.json", params: { password: "password" }
DEV: Add missing assertion for InvitesController test (#18755)
2022-10-26 08:04:55 -04:00
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
expect(response.status).to eq(412)
DEV: Add missing assertion for InvitesController test (#18755)
2022-10-26 08:04:55 -04:00
expect(session[:current_user_id]).to eq(nil)
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
end
SECURITY: Do not sign in unapproved users (#15552)
2022-01-12 15:24:54 -05:00
it "does not log in the user if they were not approved" do
SiteSetting.must_approve_users = true
put "/invites/show/#{invite.invite_key}.json",
params: {
password: SecureRandom.hex,
email_token: invite.email_token,
}
expect(session[:current_user_id]).to eq(nil)
expect(response.parsed_body["message"]).to eq(I18n.t("activation.approval_required"))
end
it "does not log in the user if they were not activated" do
put "/invites/show/#{invite.invite_key}.json", params: { password: SecureRandom.hex }
expect(session[:current_user_id]).to eq(nil)
expect(response.parsed_body["message"]).to eq(I18n.t("invite.confirm_email"))
end
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
it "fails when local login is disabled and no external auth is configured" do
FEATURE: Allow invites redemption with Omniauth providers.
2021-03-02 02:13:04 -05:00
SiteSetting.enable_local_logins = false
put "/invites/show/#{invite.invite_key}.json"
expect(response.status).to eq(404)
end
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
context "with OmniAuth provider" do
fab!(:authenticated_email) { "test@example.com" }
FEATURE: Allow invites redemption with Omniauth providers.
2021-03-02 02:13:04 -05:00
before do
OmniAuth.config.test_mode = true
OmniAuth.config.mock_auth[:google_oauth2] = OmniAuth::AuthHash.new(
provider: "google_oauth2",
uid: "12345",
info: OmniAuth::AuthHash::InfoHash.new(email: authenticated_email, name: "First Last"),
extra: {
raw_info:
OmniAuth::AuthHash.new(
email_verified: true,
email: authenticated_email,
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
family_name: "Last",
given_name: "First",
gender: "male",
name: "First Last",
FEATURE: Allow invites redemption with Omniauth providers.
2021-03-02 02:13:04 -05:00
),
},
)
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
Rails.application.env_config["omniauth.auth"] = OmniAuth.config.mock_auth[:google_oauth2]
FEATURE: Allow invites redemption with Omniauth providers.
2021-03-02 02:13:04 -05:00
SiteSetting.enable_google_oauth2_logins = true
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
get "/auth/google_oauth2/callback.json"
FEATURE: Allow invites redemption with Omniauth providers.
2021-03-02 02:13:04 -05:00
expect(response.status).to eq(302)
end
after do
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
Rails.application.env_config["omniauth.auth"] = OmniAuth.config.mock_auth[
:google_oauth2
] = nil
FEATURE: Allow invites redemption with Omniauth providers.
2021-03-02 02:13:04 -05:00
OmniAuth.config.test_mode = false
end
it "should associate the invited user with authenticator records" do
SiteSetting.auth_overrides_name = true
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
invite.update!(email: authenticated_email)
FEATURE: Allow invites redemption with Omniauth providers.
2021-03-02 02:13:04 -05:00
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
expect {
put "/invites/show/#{invite.invite_key}.json", params: { name: "somename" }
}.to change { User.with_email(authenticated_email).exists? }.to(true)
expect(response.status).to eq(200)
FEATURE: Allow invites redemption with Omniauth providers.
2021-03-02 02:13:04 -05:00
user = User.find_by_email(authenticated_email)
expect(user.name).to eq("First Last")
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
expect(user.user_associated_accounts.first.provider_name).to eq("google_oauth2")
FEATURE: Allow invites redemption with Omniauth providers.
2021-03-02 02:13:04 -05:00
end
it "returns the right response even if local logins has been disabled" do
SiteSetting.enable_local_logins = false
invite.update!(email: authenticated_email)
put "/invites/show/#{invite.invite_key}.json"
expect(response.status).to eq(200)
end
it "returns the right response if authenticated email does not match invite email" do
put "/invites/show/#{invite.invite_key}.json"
expect(response.status).to eq(412)
end
end
DEV: Use `describe` for methods in specs
2022-07-27 06:21:10 -04:00
describe ".post_process_invite" do
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
it "sends a welcome message if set" do
SiteSetting.send_welcome_message = true
user.send_welcome_message = true
put "/invites/show/#{invite.invite_key}.json"
expect(response.status).to eq(200)
REFACTOR: convert invites controller specs to requests (#5898) REFACTOR: convert invites controller specs to requests
2018-06-01 01:06:08 -04:00
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
expect(Jobs::SendSystemMessage.jobs.size).to eq(1)
end
REFACTOR: convert invites controller specs to requests (#5898) REFACTOR: convert invites controller specs to requests
2018-06-01 01:06:08 -04:00
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
it "refreshes automatic groups if staff" do
topic.user.grant_admin!
invite.update!(moderator: true)
FEATURE: Add timezone to core user_options (#8380) * Add timezone to user_options table * Also migrate existing timezone values from UserCustomField, which is where the discourse-calendar plugin is storing them * Allow user to change their core timezone from Profile * Auto guess & set timezone on login & invite accept & signup * Serialize user_options.timezone for group members. this is so discourse-group-timezones can access the core user timezone, as it is being removed in discourse-calendar. * Annotate user_option with timezone * Validate timezone values
2019-11-24 19:49:27 -05:00
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
put "/invites/show/#{invite.invite_key}.json"
expect(response.status).to eq(200)
REFACTOR: convert invites controller specs to requests (#5898) REFACTOR: convert invites controller specs to requests
2018-06-01 01:06:08 -04:00
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
expect(invite.invited_users.first.user.groups.pluck(:name)).to contain_exactly(
"moderators",
"staff",
)
REFACTOR: convert invites controller specs to requests (#5898) REFACTOR: convert invites controller specs to requests
2018-06-01 01:06:08 -04:00
end
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
context "without password" do
it "sends password reset email" do
REFACTOR: convert invites controller specs to requests (#5898) REFACTOR: convert invites controller specs to requests
2018-06-01 01:06:08 -04:00
put "/invites/show/#{invite.invite_key}.json"
DEV: Assert for 200 response code to avoid changing magic helper in the future.
2018-06-07 04:11:09 -04:00
expect(response.status).to eq(200)
DEV: Improve specs and handle invalid email token Follow-up to 7977b09025751973f7ae1271f68aaab2716e01fa
2018-12-11 12:04:07 -05:00
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
expect(Jobs::InvitePasswordInstructionsEmail.jobs.size).to eq(1)
expect(Jobs::CriticalUserEmail.jobs.size).to eq(0)
REFACTOR: convert invites controller specs to requests (#5898) REFACTOR: convert invites controller specs to requests
2018-06-01 01:06:08 -04:00
end
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
end
REFACTOR: convert invites controller specs to requests (#5898) REFACTOR: convert invites controller specs to requests
2018-06-01 01:06:08 -04:00
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
context "with password" do
DEV: Use proper wording for contexts in specs
2022-07-27 12:14:14 -04:00
context "when user was invited via email" do
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
before { invite.update_column(:emailed_status, Invite.emailed_status_types[:pending]) }
FIX: Refresh automatic groups after inviting moderators.
2019-05-10 08:49:12 -04:00
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
it "does not send an activation email and activates the user" do
expect do
FEATURE: Auto-activate users invited by email (#12675) When invited by email, users will receive an invite URL which contains a token. If that token is present when the invite is redeemed, their account will be automatically activated.
2021-04-14 05:15:56 -04:00
put "/invites/show/#{invite.invite_key}.json",
params: {
password: "verystrongpassword",
email_token: invite.email_token,
}
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
end.to change { UserAuthToken.count }.by(1)
FIX: Refresh automatic groups after inviting moderators.
2019-05-10 08:49:12 -04:00
FEATURE: Activate users invited via email when invite is redeemed Do not send an activation email to users invited via email. They already confirmed their email address by clicking the invite link. Users invited via link will need to confirm their email address before they can login.
2018-12-10 17:24:02 -05:00
expect(response.status).to eq(200)
DEV: Improve specs and handle invalid email token Follow-up to 7977b09025751973f7ae1271f68aaab2716e01fa
2018-12-11 12:04:07 -05:00
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
expect(Jobs::InvitePasswordInstructionsEmail.jobs.size).to eq(0)
FEATURE: Activate users invited via email when invite is redeemed Do not send an activation email to users invited via email. They already confirmed their email address by clicking the invite link. Users invited via link will need to confirm their email address before they can login.
2018-12-10 17:24:02 -05:00
expect(Jobs::CriticalUserEmail.jobs.size).to eq(0)
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
invited_user = User.find_by_email(invite.email)
expect(invited_user.active).to eq(true)
expect(invited_user.email_confirmed?).to eq(true)
FEATURE: Activate users invited via email when invite is redeemed Do not send an activation email to users invited via email. They already confirmed their email address by clicking the invite link. Users invited via link will need to confirm their email address before they can login.
2018-12-10 17:24:02 -05:00
end
FEATURE: Auto-activate users invited by email (#12675) When invited by email, users will receive an invite URL which contains a token. If that token is present when the invite is redeemed, their account will be automatically activated.
2021-04-14 05:15:56 -04:00
it "does not activate user if email token is missing" do
expect do
put "/invites/show/#{invite.invite_key}.json",
params: {
password: "verystrongpassword",
}
DEV: Don’t use `change { … }.by(0)` in specs
2022-07-19 10:03:03 -04:00
end.not_to change { UserAuthToken.count }
FEATURE: Auto-activate users invited by email (#12675) When invited by email, users will receive an invite URL which contains a token. If that token is present when the invite is redeemed, their account will be automatically activated.
2021-04-14 05:15:56 -04:00
expect(response.status).to eq(200)
expect(Jobs::InvitePasswordInstructionsEmail.jobs.size).to eq(0)
expect(Jobs::CriticalUserEmail.jobs.size).to eq(1)
invited_user = User.find_by_email(invite.email)
expect(invited_user.active).to eq(false)
expect(invited_user.email_confirmed?).to eq(false)
end
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
end
FEATURE: Activate users invited via email when invite is redeemed Do not send an activation email to users invited via email. They already confirmed their email address by clicking the invite link. Users invited via link will need to confirm their email address before they can login.
2018-12-10 17:24:02 -05:00
DEV: Use proper wording for contexts in specs
2022-07-27 12:14:14 -04:00
context "when user was invited via link" do
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
before do
invite.update_column(:emailed_status, Invite.emailed_status_types[:not_required])
DEV: Apply syntax_tree formatting to `spec/*`
2023-01-09 06:18:21 -05:00
end
FEATURE: Activate users invited via email when invite is redeemed Do not send an activation email to users invited via email. They already confirmed their email address by clicking the invite link. Users invited via link will need to confirm their email address before they can login.
2018-12-10 17:24:02 -05:00
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
it "sends an activation email and does not activate the user" do
expect do
put "/invites/show/#{invite.invite_key}.json",
params: {
password: "verystrongpassword",
}
end.not_to change { UserAuthToken.count }
DEV: add a spec for "accept invite" log_on_user behaviour
2019-01-08 02:10:20 -05:00
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
expect(response.status).to eq(200)
expect(response.parsed_body["message"]).to eq(I18n.t("invite.confirm_email"))
FEATURE: Activate users invited via email when invite is redeemed Do not send an activation email to users invited via email. They already confirmed their email address by clicking the invite link. Users invited via link will need to confirm their email address before they can login.
2018-12-10 17:24:02 -05:00
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
invited_user = User.find_by_email(invite.email)
expect(invited_user.active).to eq(false)
expect(invited_user.email_confirmed?).to eq(false)
DEV: Improve specs and handle invalid email token Follow-up to 7977b09025751973f7ae1271f68aaab2716e01fa
2018-12-11 12:04:07 -05:00
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
expect(Jobs::InvitePasswordInstructionsEmail.jobs.size).to eq(0)
expect(Jobs::CriticalUserEmail.jobs.size).to eq(1)
DEV: Improve specs and handle invalid email token Follow-up to 7977b09025751973f7ae1271f68aaab2716e01fa
2018-12-11 12:04:07 -05:00
DEV: Drop unused column email_tokens.token (#15203)
2021-12-13 00:29:47 -05:00
tokens = EmailToken.where(user_id: invited_user.id, confirmed: false, expired: false)
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
expect(tokens.size).to eq(1)
DEV: Improve specs and handle invalid email token Follow-up to 7977b09025751973f7ae1271f68aaab2716e01fa
2018-12-11 12:04:07 -05:00
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
job_args = Jobs::CriticalUserEmail.jobs.first["args"].first
expect(job_args["type"]).to eq("signup")
expect(job_args["user_id"]).to eq(invited_user.id)
DEV: Drop unused column email_tokens.token (#15203)
2021-12-13 00:29:47 -05:00
expect(EmailToken.hash_token(job_args["email_token"])).to eq(tokens.first.token_hash)
FEATURE: Activate users invited via email when invite is redeemed Do not send an activation email to users invited via email. They already confirmed their email address by clicking the invite link. Users invited via link will need to confirm their email address before they can login.
2018-12-10 17:24:02 -05:00
end
REFACTOR: convert invites controller specs to requests (#5898) REFACTOR: convert invites controller specs to requests
2018-06-01 01:06:08 -04:00
end
end
end
end
FEATURE: Restrict link invites to email domain (#15211) Allow multiple emails to redeem a link invite only if the email domain name matches the one specified in the link invite.
2021-12-08 10:06:57 -05:00
context "with a domain invite" do
fab!(:invite) do
Fabricate(
:invite,
email: nil,
emailed_status: Invite.emailed_status_types[:not_required],
domain: "example.com",
)
DEV: Apply syntax_tree formatting to `spec/*`
2023-01-09 06:18:21 -05:00
end
FEATURE: Restrict link invites to email domain (#15211) Allow multiple emails to redeem a link invite only if the email domain name matches the one specified in the link invite.
2021-12-08 10:06:57 -05:00
it "creates an user if email matches domain" do
expect {
put "/invites/show/#{invite.invite_key}.json",
params: {
email: "test@example.com",
password: "verystrongpassword",
}
}.to change { User.count }
expect(response.status).to eq(200)
expect(response.parsed_body["message"]).to eq(I18n.t("invite.confirm_email"))
expect(invite.reload.redemption_count).to eq(1)
invited_user = User.find_by_email("test@example.com")
expect(invited_user).to be_present
end
it "does not create an user if email does not match domain" do
expect {
put "/invites/show/#{invite.invite_key}.json",
params: {
email: "test@example2.com",
password: "verystrongpassword",
}
}.not_to change { User.count }
expect(response.status).to eq(412)
expect(response.parsed_body["message"]).to eq(I18n.t("invite.domain_not_allowed"))
expect(invite.reload.redemption_count).to eq(0)
end
end
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
context "with an invite link" do
fab!(:invite) do
Fabricate(:invite, email: nil, emailed_status: Invite.emailed_status_types[:not_required])
DEV: Apply syntax_tree formatting to `spec/*`
2023-01-09 06:18:21 -05:00
end
FEATURE: multiple use invite links (#9813)
2020-06-09 11:19:32 -04:00
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
it "sends an activation email and does not activate the user" do
SECURITY: Fix invite link email validation (#18817) See https://github.com/discourse/discourse/security/advisories/GHSA-x8w7-rwmr-w278 Co-authored-by: Martin Brennan <martin@discourse.org>
2022-11-01 12:33:32 -04:00
expect {
put "/invites/show/#{invite.invite_key}.json",
params: {
email: "test@example.com",
password: "verystrongpassword",
}
}.not_to change { UserAuthToken.count }
FEATURE: multiple use invite links (#9813)
2020-06-09 11:19:32 -04:00
expect(response.status).to eq(200)
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
expect(response.parsed_body["message"]).to eq(I18n.t("invite.confirm_email"))
expect(invite.reload.redemption_count).to eq(1)
FEATURE: multiple use invite links (#9813)
2020-06-09 11:19:32 -04:00
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
invited_user = User.find_by_email("test@example.com")
FEATURE: multiple use invite links (#9813)
2020-06-09 11:19:32 -04:00
expect(invited_user.active).to eq(false)
expect(invited_user.email_confirmed?).to eq(false)
expect(Jobs::InvitePasswordInstructionsEmail.jobs.size).to eq(0)
expect(Jobs::CriticalUserEmail.jobs.size).to eq(1)
DEV: Drop unused column email_tokens.token (#15203)
2021-12-13 00:29:47 -05:00
tokens = EmailToken.where(user_id: invited_user.id, confirmed: false, expired: false)
FEATURE: multiple use invite links (#9813)
2020-06-09 11:19:32 -04:00
expect(tokens.size).to eq(1)
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
job_args = Jobs::CriticalUserEmail.jobs.first["args"].first
expect(job_args["type"]).to eq("signup")
expect(job_args["user_id"]).to eq(invited_user.id)
DEV: Drop unused column email_tokens.token (#15203)
2021-12-13 00:29:47 -05:00
expect(EmailToken.hash_token(job_args["email_token"])).to eq(tokens.first.token_hash)
FEATURE: multiple use invite links (#9813)
2020-06-09 11:19:32 -04:00
end
SECURITY: Fix invite link email validation (#18817) See https://github.com/discourse/discourse/security/advisories/GHSA-x8w7-rwmr-w278 Co-authored-by: Martin Brennan <martin@discourse.org>
2022-11-01 12:33:32 -04:00
it "does not automatically log in the user if their email matches an existing user's and shows an error" do
Fabricate(:user, email: "test@example.com")
put "/invites/show/#{invite.invite_key}.json",
params: {
email: "test@example.com",
password: "verystrongpassword",
}
expect(session[:current_user_id]).to be_blank
expect(response.status).to eq(412)
expect(response.parsed_body["message"]).to include("Primary email has already been taken")
expect(invite.reload.redemption_count).to eq(0)
end
it "does not automatically log in the user if their email matches an existing admin's and shows an error" do
Fabricate(:admin, email: "test@example.com")
put "/invites/show/#{invite.invite_key}.json",
params: {
email: "test@example.com",
password: "verystrongpassword",
}
expect(session[:current_user_id]).to be_blank
expect(response.status).to eq(412)
expect(response.parsed_body["message"]).to include("Primary email has already been taken")
expect(invite.reload.redemption_count).to eq(0)
end
FEATURE: multiple use invite links (#9813)
2020-06-09 11:19:32 -04:00
end
DEV: Use proper wording for contexts in specs
2022-07-27 12:14:14 -04:00
context "when new registrations are disabled" do
DEV: Prefabrication (test optimization) (#7414) * Introduced fab!, a helper that creates database state for a group It's almost identical to let_it_be, except: 1. It creates a new object for each test by default, 2. You can disable it using PREFABRICATION=0
2019-05-06 23:12:20 -04:00
fab!(:topic) { Fabricate(:topic) }
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
fab!(:invite) { Invite.generate(topic.user, email: "test@example.com", topic: topic) }
SECURITY: Require groups to be given when inviting to a restricted category. (#6715)
2018-12-05 10:43:07 -05:00
REFACTOR: convert invites controller specs to requests (#5898) REFACTOR: convert invites controller specs to requests
2018-06-01 01:06:08 -04:00
before { SiteSetting.allow_new_registrations = false }
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
it "does not redeem the invite" do
REFACTOR: convert invites controller specs to requests (#5898) REFACTOR: convert invites controller specs to requests
2018-06-01 01:06:08 -04:00
put "/invites/show/#{invite.invite_key}.json"
expect(response.status).to eq(200)
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
expect(invite.reload.invited_users).to be_blank
REFACTOR: convert invites controller specs to requests (#5898) REFACTOR: convert invites controller specs to requests
2018-06-01 01:06:08 -04:00
expect(invite.redeemed?).to be_falsey
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
expect(response.body).to include(I18n.t("login.new_registrations_disabled"))
REFACTOR: convert invites controller specs to requests (#5898) REFACTOR: convert invites controller specs to requests
2018-06-01 01:06:08 -04:00
end
end
DEV: Use proper wording for contexts in specs
2022-07-27 12:14:14 -04:00
context "when user is already logged in" do
SECURITY: Fix invite link email validation (#18817) See https://github.com/discourse/discourse/security/advisories/GHSA-x8w7-rwmr-w278 Co-authored-by: Martin Brennan <martin@discourse.org>
2022-11-01 12:33:32 -04:00
before { sign_in(user) }
SECURITY: Prevent email from being nil in InviteRedeemer (#19004) This commit adds some protections in InviteRedeemer to ensure that email can never be nil, which could cause issues with inviting the invited person to private topics since there was an incorrect inner join. If the email is nil and the invite is scoped to an email, we just use that invite.email unconditionally. If a redeeming_user (an existing user) is passed in when redeeming an email, we use their email to override the passed in email. Otherwise we just use the passed in email. We now raise an error after all this if the email is still nil. This commit also adds some tests to catch the private topic fix, and some general improvements and comments around the invite code. This commit also includes a migration to delete TopicAllowedUser records for users who were mistakenly added to topics as part of the invite redemption process.
2022-11-13 21:02:06 -05:00
context "for an email invite" do
fab!(:invite) { Fabricate(:invite, email: "test@example.com") }
fab!(:user) { Fabricate(:user, email: "test@example.com") }
fab!(:group) { Fabricate(:group) }
SECURITY: Fix invite link email validation (#18817) See https://github.com/discourse/discourse/security/advisories/GHSA-x8w7-rwmr-w278 Co-authored-by: Martin Brennan <martin@discourse.org>
2022-11-01 12:33:32 -04:00
SECURITY: Prevent email from being nil in InviteRedeemer (#19004) This commit adds some protections in InviteRedeemer to ensure that email can never be nil, which could cause issues with inviting the invited person to private topics since there was an incorrect inner join. If the email is nil and the invite is scoped to an email, we just use that invite.email unconditionally. If a redeeming_user (an existing user) is passed in when redeeming an email, we use their email to override the passed in email. Otherwise we just use the passed in email. We now raise an error after all this if the email is still nil. This commit also adds some tests to catch the private topic fix, and some general improvements and comments around the invite code. This commit also includes a migration to delete TopicAllowedUser records for users who were mistakenly added to topics as part of the invite redemption process.
2022-11-13 21:02:06 -05:00
it "redeems the invitation and creates the invite accepted notification" do
put "/invites/show/#{invite.invite_key}.json", params: { id: invite.invite_key }
expect(response.status).to eq(200)
expect(response.parsed_body["message"]).to eq(I18n.t("invite.existing_user_success"))
invite.reload
expect(invite.invited_users.first.user).to eq(user)
expect(invite.redeemed?).to be_truthy
expect(
Notification.exists?(
user: invite.invited_by,
notification_type: Notification.types[:invitee_accepted],
),
).to eq(true)
end
SECURITY: Fix invite link email validation (#18817) See https://github.com/discourse/discourse/security/advisories/GHSA-x8w7-rwmr-w278 Co-authored-by: Martin Brennan <martin@discourse.org>
2022-11-01 12:33:32 -04:00
SECURITY: Prevent email from being nil in InviteRedeemer (#19004) This commit adds some protections in InviteRedeemer to ensure that email can never be nil, which could cause issues with inviting the invited person to private topics since there was an incorrect inner join. If the email is nil and the invite is scoped to an email, we just use that invite.email unconditionally. If a redeeming_user (an existing user) is passed in when redeeming an email, we use their email to override the passed in email. Otherwise we just use the passed in email. We now raise an error after all this if the email is still nil. This commit also adds some tests to catch the private topic fix, and some general improvements and comments around the invite code. This commit also includes a migration to delete TopicAllowedUser records for users who were mistakenly added to topics as part of the invite redemption process.
2022-11-13 21:02:06 -05:00
it "redirects to the first topic the user was invited to and creates the topic notification" do
topic = Fabricate(:topic)
TopicInvite.create!(invite: invite, topic: topic)
put "/invites/show/#{invite.invite_key}.json", params: { id: invite.invite_key }
expect(response.status).to eq(200)
expect(response.parsed_body["redirect_to"]).to eq(topic.relative_url)
expect(
Notification.where(
notification_type: Notification.types[:invited_to_topic],
topic: topic,
).count,
).to eq(1)
end
SECURITY: Fix invite link email validation (#18817) See https://github.com/discourse/discourse/security/advisories/GHSA-x8w7-rwmr-w278 Co-authored-by: Martin Brennan <martin@discourse.org>
2022-11-01 12:33:32 -04:00
SECURITY: Prevent email from being nil in InviteRedeemer (#19004) This commit adds some protections in InviteRedeemer to ensure that email can never be nil, which could cause issues with inviting the invited person to private topics since there was an incorrect inner join. If the email is nil and the invite is scoped to an email, we just use that invite.email unconditionally. If a redeeming_user (an existing user) is passed in when redeeming an email, we use their email to override the passed in email. Otherwise we just use the passed in email. We now raise an error after all this if the email is still nil. This commit also adds some tests to catch the private topic fix, and some general improvements and comments around the invite code. This commit also includes a migration to delete TopicAllowedUser records for users who were mistakenly added to topics as part of the invite redemption process.
2022-11-13 21:02:06 -05:00
it "adds the user to the private topic" do
topic = Fabricate(:private_message_topic)
TopicInvite.create!(invite: invite, topic: topic)
put "/invites/show/#{invite.invite_key}.json", params: { id: invite.invite_key }
expect(response.status).to eq(200)
expect(response.parsed_body["redirect_to"]).to eq(topic.relative_url)
expect(TopicAllowedUser.exists?(user: user, topic: topic)).to eq(true)
end
SECURITY: Fix invite link email validation (#18817) See https://github.com/discourse/discourse/security/advisories/GHSA-x8w7-rwmr-w278 Co-authored-by: Martin Brennan <martin@discourse.org>
2022-11-01 12:33:32 -04:00
SECURITY: Prevent email from being nil in InviteRedeemer (#19004) This commit adds some protections in InviteRedeemer to ensure that email can never be nil, which could cause issues with inviting the invited person to private topics since there was an incorrect inner join. If the email is nil and the invite is scoped to an email, we just use that invite.email unconditionally. If a redeeming_user (an existing user) is passed in when redeeming an email, we use their email to override the passed in email. Otherwise we just use the passed in email. We now raise an error after all this if the email is still nil. This commit also adds some tests to catch the private topic fix, and some general improvements and comments around the invite code. This commit also includes a migration to delete TopicAllowedUser records for users who were mistakenly added to topics as part of the invite redemption process.
2022-11-13 21:02:06 -05:00
it "adds the user to the groups specified on the invite and allows them to access the secure topic" do
group.add_owner(invite.invited_by)
secured_category = Fabricate(:category)
secured_category.permissions = { group.name => :full }
secured_category.save!
topic = Fabricate(:topic, category: secured_category)
TopicInvite.create!(invite: invite, topic: topic)
InvitedGroup.create!(invite: invite, group: group)
SECURITY: Fix invite link email validation (#18817) See https://github.com/discourse/discourse/security/advisories/GHSA-x8w7-rwmr-w278 Co-authored-by: Martin Brennan <martin@discourse.org>
2022-11-01 12:33:32 -04:00
put "/invites/show/#{invite.invite_key}.json", params: { id: invite.invite_key }
SECURITY: Prevent email from being nil in InviteRedeemer (#19004) This commit adds some protections in InviteRedeemer to ensure that email can never be nil, which could cause issues with inviting the invited person to private topics since there was an incorrect inner join. If the email is nil and the invite is scoped to an email, we just use that invite.email unconditionally. If a redeeming_user (an existing user) is passed in when redeeming an email, we use their email to override the passed in email. Otherwise we just use the passed in email. We now raise an error after all this if the email is still nil. This commit also adds some tests to catch the private topic fix, and some general improvements and comments around the invite code. This commit also includes a migration to delete TopicAllowedUser records for users who were mistakenly added to topics as part of the invite redemption process.
2022-11-13 21:02:06 -05:00
expect(response.status).to eq(200)
expect(response.parsed_body["message"]).to eq(I18n.t("invite.existing_user_success"))
expect(response.parsed_body["redirect_to"]).to eq(topic.relative_url)
invite.reload
expect(invite.redeemed?).to be_truthy
expect(user.reload.groups).to include(group)
expect(
Notification.where(
notification_type: Notification.types[:invited_to_topic],
topic: topic,
).count,
).to eq(1)
end
SECURITY: Fix invite link email validation (#18817) See https://github.com/discourse/discourse/security/advisories/GHSA-x8w7-rwmr-w278 Co-authored-by: Martin Brennan <martin@discourse.org>
2022-11-01 12:33:32 -04:00
SECURITY: Prevent email from being nil in InviteRedeemer (#19004) This commit adds some protections in InviteRedeemer to ensure that email can never be nil, which could cause issues with inviting the invited person to private topics since there was an incorrect inner join. If the email is nil and the invite is scoped to an email, we just use that invite.email unconditionally. If a redeeming_user (an existing user) is passed in when redeeming an email, we use their email to override the passed in email. Otherwise we just use the passed in email. We now raise an error after all this if the email is still nil. This commit also adds some tests to catch the private topic fix, and some general improvements and comments around the invite code. This commit also includes a migration to delete TopicAllowedUser records for users who were mistakenly added to topics as part of the invite redemption process.
2022-11-13 21:02:06 -05:00
it "does not try to log in the user automatically" do
expect do
put "/invites/show/#{invite.invite_key}.json", params: { id: invite.invite_key }
end.not_to change { UserAuthToken.count }
expect(response.status).to eq(200)
expect(response.parsed_body["message"]).to eq(I18n.t("invite.existing_user_success"))
end
it "errors if the user's email doesn't match the invite email" do
user.update!(email: "blah@test.com")
put "/invites/show/#{invite.invite_key}.json", params: { id: invite.invite_key }
expect(response.status).to eq(412)
expect(response.parsed_body["message"]).to eq(I18n.t("invite.not_matching_email"))
end
it "errors if the user's email domain doesn't match the invite domain" do
user.update!(email: "blah@test.com")
invite.update!(email: nil, domain: "example.com")
put "/invites/show/#{invite.invite_key}.json", params: { id: invite.invite_key }
expect(response.status).to eq(412)
expect(response.parsed_body["message"]).to eq(I18n.t("invite.domain_not_allowed"))
end
SECURITY: Fix invite link email validation (#18817) See https://github.com/discourse/discourse/security/advisories/GHSA-x8w7-rwmr-w278 Co-authored-by: Martin Brennan <martin@discourse.org>
2022-11-01 12:33:32 -04:00
end
SECURITY: Prevent email from being nil in InviteRedeemer (#19004) This commit adds some protections in InviteRedeemer to ensure that email can never be nil, which could cause issues with inviting the invited person to private topics since there was an incorrect inner join. If the email is nil and the invite is scoped to an email, we just use that invite.email unconditionally. If a redeeming_user (an existing user) is passed in when redeeming an email, we use their email to override the passed in email. Otherwise we just use the passed in email. We now raise an error after all this if the email is still nil. This commit also adds some tests to catch the private topic fix, and some general improvements and comments around the invite code. This commit also includes a migration to delete TopicAllowedUser records for users who were mistakenly added to topics as part of the invite redemption process.
2022-11-13 21:02:06 -05:00
context "for an invite link" do
fab!(:invite) { Fabricate(:invite, email: nil) }
fab!(:user) { Fabricate(:user, email: "test@example.com") }
fab!(:group) { Fabricate(:group) }
it "redeems the invitation and creates the invite accepted notification" do
put "/invites/show/#{invite.invite_key}.json", params: { id: invite.invite_key }
expect(response.status).to eq(200)
expect(response.parsed_body["message"]).to eq(I18n.t("invite.existing_user_success"))
invite.reload
expect(invite.invited_users.first.user).to eq(user)
expect(invite.redeemed?).to be_truthy
expect(
Notification.exists?(
user: invite.invited_by,
notification_type: Notification.types[:invitee_accepted],
),
).to eq(true)
end
it "redirects to the first topic the user was invited to and creates the topic notification" do
topic = Fabricate(:topic)
TopicInvite.create!(invite: invite, topic: topic)
put "/invites/show/#{invite.invite_key}.json", params: { id: invite.invite_key }
expect(response.status).to eq(200)
expect(response.parsed_body["redirect_to"]).to eq(topic.relative_url)
expect(
Notification.where(
notification_type: Notification.types[:invited_to_topic],
topic: topic,
).count,
).to eq(1)
end
it "adds the user to the groups specified on the invite and allows them to access the secure topic" do
group.add_owner(invite.invited_by)
secured_category = Fabricate(:category)
secured_category.permissions = { group.name => :full }
secured_category.save!
topic = Fabricate(:topic, category: secured_category)
TopicInvite.create!(invite: invite, topic: topic)
InvitedGroup.create!(invite: invite, group: group)
put "/invites/show/#{invite.invite_key}.json", params: { id: invite.invite_key }
expect(response.status).to eq(200)
expect(response.parsed_body["message"]).to eq(I18n.t("invite.existing_user_success"))
expect(response.parsed_body["redirect_to"]).to eq(topic.relative_url)
invite.reload
expect(invite.redeemed?).to be_truthy
expect(user.reload.groups).to include(group)
expect(
Notification.where(
notification_type: Notification.types[:invited_to_topic],
topic: topic,
).count,
).to eq(1)
end
it "does not try to log in the user automatically" do
expect do
put "/invites/show/#{invite.invite_key}.json", params: { id: invite.invite_key }
end.not_to change { UserAuthToken.count }
expect(response.status).to eq(200)
expect(response.parsed_body["message"]).to eq(I18n.t("invite.existing_user_success"))
end
REFACTOR: convert invites controller specs to requests (#5898) REFACTOR: convert invites controller specs to requests
2018-06-01 01:06:08 -04:00
end
end
FIX: Do not redirect to a topic user cannot see (#13550) Inviting a user to a private topic used to redirect them to a 404 page immediately after sign up.
2021-06-30 05:00:47 -04:00
DEV: Use proper wording for contexts in specs
2022-07-27 12:14:14 -04:00
context "with topic invites" do
FIX: Do not redirect to a topic user cannot see (#13550) Inviting a user to a private topic used to redirect them to a 404 page immediately after sign up.
2021-06-30 05:00:47 -04:00
fab!(:invite) { Fabricate(:invite, email: "test@example.com") }
fab!(:secured_category) do
secured_category = Fabricate(:category)
secured_category.permissions = { staff: :full }
secured_category.save!
secured_category
end
it "redirects user to topic if activated" do
topic = Fabricate(:topic)
TopicInvite.create!(invite: invite, topic: topic)
put "/invites/show/#{invite.invite_key}.json", params: { email_token: invite.email_token }
expect(response.parsed_body["redirect_to"]).to eq(topic.relative_url)
FEATURE: Create notification for redeemed invite (#14146) Users can invite people to topic and they will be automatically redirected to the topic when logging in after signing up. This commit ensures a "invited_to_topic" notification is created when the invite is redeemed. The same notification is used for the "Notify" sharing method that is found in share topic modal.
2021-08-26 03:43:56 -04:00
expect(
Notification.where(
notification_type: Notification.types[:invited_to_topic],
topic: topic,
).count,
).to eq(1)
FIX: Do not redirect to a topic user cannot see (#13550) Inviting a user to a private topic used to redirect them to a 404 page immediately after sign up.
2021-06-30 05:00:47 -04:00
end
it "sets destination_url cookie if user is not activated" do
topic = Fabricate(:topic)
TopicInvite.create!(invite: invite, topic: topic)
put "/invites/show/#{invite.invite_key}.json"
expect(cookies["destination_url"]).to eq(topic.relative_url)
FEATURE: Create notification for redeemed invite (#14146) Users can invite people to topic and they will be automatically redirected to the topic when logging in after signing up. This commit ensures a "invited_to_topic" notification is created when the invite is redeemed. The same notification is used for the "Notify" sharing method that is found in share topic modal.
2021-08-26 03:43:56 -04:00
expect(
Notification.where(
notification_type: Notification.types[:invited_to_topic],
topic: topic,
).count,
).to eq(1)
FIX: Do not redirect to a topic user cannot see (#13550) Inviting a user to a private topic used to redirect them to a 404 page immediately after sign up.
2021-06-30 05:00:47 -04:00
end
it "does not redirect user if they cannot see topic" do
FEATURE: Create notification for redeemed invite (#14146) Users can invite people to topic and they will be automatically redirected to the topic when logging in after signing up. This commit ensures a "invited_to_topic" notification is created when the invite is redeemed. The same notification is used for the "Notify" sharing method that is found in share topic modal.
2021-08-26 03:43:56 -04:00
topic = Fabricate(:topic, category: secured_category)
TopicInvite.create!(invite: invite, topic: topic)
FIX: Do not redirect to a topic user cannot see (#13550) Inviting a user to a private topic used to redirect them to a 404 page immediately after sign up.
2021-06-30 05:00:47 -04:00
put "/invites/show/#{invite.invite_key}.json", params: { email_token: invite.email_token }
expect(response.parsed_body["redirect_to"]).to eq("/")
FEATURE: Create notification for redeemed invite (#14146) Users can invite people to topic and they will be automatically redirected to the topic when logging in after signing up. This commit ensures a "invited_to_topic" notification is created when the invite is redeemed. The same notification is used for the "Notify" sharing method that is found in share topic modal.
2021-08-26 03:43:56 -04:00
expect(
Notification.where(
notification_type: Notification.types[:invited_to_topic],
topic: topic,
).count,
).to eq(0)
FIX: Do not redirect to a topic user cannot see (#13550) Inviting a user to a private topic used to redirect them to a 404 page immediately after sign up.
2021-06-30 05:00:47 -04:00
end
end
FIX: Let staged users choose their username (#13678) When a staged user tried to redeem an invite, a different username was suggested and manually typing the staged username failed because the username was not available.
2021-07-11 17:57:38 -04:00
DEV: Use proper wording for contexts in specs
2022-07-27 12:14:14 -04:00
context "with staged user" do
FIX: Let staged users choose their username (#13678) When a staged user tried to redeem an invite, a different username was suggested and manually typing the staged username failed because the username was not available.
2021-07-11 17:57:38 -04:00
fab!(:invite) { Fabricate(:invite) }
fab!(:staged_user) { Fabricate(:user, staged: true, email: invite.email) }
it "can keep the old username" do
old_username = staged_user.username
put "/invites/show/#{invite.invite_key}.json",
params: {
username: staged_user.username,
password: "Password123456",
email_token: invite.email_token,
}
expect(response.status).to eq(200)
expect(invite.reload.redeemed?).to be_truthy
user = invite.invited_users.first.user
expect(user.username).to eq(old_username)
end
it "can change the username" do
put "/invites/show/#{invite.invite_key}.json",
params: {
username: "new_username",
password: "Password123456",
email_token: invite.email_token,
}
expect(response.status).to eq(200)
expect(invite.reload.redeemed?).to be_truthy
user = invite.invited_users.first.user
expect(user.username).to eq("new_username")
end
end
REFACTOR: convert invites controller specs to requests (#5898) REFACTOR: convert invites controller specs to requests
2018-06-01 01:06:08 -04:00
end
DEV: Use `describe` for methods in specs
2022-07-27 06:21:10 -04:00
describe "#destroy_all_expired" do
FEATURE: Various improvements to invite system (#12023) The user interface has been reorganized to show email and link invites in the same screen. Staff has more control over creating and updating invites. Bulk invite has also been improved with better explanations. On the server side, many code paths for email and link invites have been merged to avoid duplicated logic. The API returns better responses with more appropriate HTTP status codes.
2021-03-03 04:45:29 -05:00
it "removes all expired invites sent by a user" do
SiteSetting.invite_expiry_days = 1
user = Fabricate(:admin)
invite_1 = Fabricate(:invite, invited_by: user)
invite_2 = Fabricate(:invite, invited_by: user)
expired_invite = Fabricate(:invite, invited_by: user)
expired_invite.update!(expires_at: 2.days.ago)
sign_in(user)
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
post "/invites/destroy-all-expired"
FEATURE: Various improvements to invite system (#12023) The user interface has been reorganized to show email and link invites in the same screen. Staff has more control over creating and updating invites. Bulk invite has also been improved with better explanations. On the server side, many code paths for email and link invites have been merged to avoid duplicated logic. The API returns better responses with more appropriate HTTP status codes.
2021-03-03 04:45:29 -05:00
expect(response.status).to eq(200)
expect(invite_1.reload.deleted_at).to eq(nil)
expect(invite_2.reload.deleted_at).to eq(nil)
expect(expired_invite.reload.deleted_at).to be_present
end
end
DEV: Use `describe` for methods in specs
2022-07-27 06:21:10 -04:00
describe "#resend_invite" do
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
it "requires to be logged in" do
post "/invites/reinvite.json", params: { email: "first_name@example.com" }
REFACTOR: convert invites controller specs to requests (#5898) REFACTOR: convert invites controller specs to requests
2018-06-01 01:06:08 -04:00
expect(response.status).to eq(403)
end
context "while logged in" do
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
fab!(:user) { sign_in(Fabricate(:user)) }
fab!(:invite) { Fabricate(:invite, invited_by: user) }
DEV: Prefabrication (test optimization) (#7414) * Introduced fab!, a helper that creates database state for a group It's almost identical to let_it_be, except: 1. It creates a new object for each test by default, 2. You can disable it using PREFABRICATION=0
2019-05-06 23:12:20 -04:00
fab!(:another_invite) { Fabricate(:invite, email: "last_name@example.com") }
REFACTOR: convert invites controller specs to requests (#5898) REFACTOR: convert invites controller specs to requests
2018-06-01 01:06:08 -04:00
it "raises an error when the email is missing" do
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
post "/invites/reinvite.json"
REFACTOR: convert invites controller specs to requests (#5898) REFACTOR: convert invites controller specs to requests
2018-06-01 01:06:08 -04:00
expect(response.status).to eq(400)
end
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
it "raises an error when the email cannot be found" do
post "/invites/reinvite.json", params: { email: "first_name@example.com" }
REFACTOR: convert invites controller specs to requests (#5898) REFACTOR: convert invites controller specs to requests
2018-06-01 01:06:08 -04:00
expect(response.status).to eq(400)
end
it "raises an error when the invite is not yours" do
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
post "/invites/reinvite.json", params: { email: another_invite.email }
REFACTOR: convert invites controller specs to requests (#5898) REFACTOR: convert invites controller specs to requests
2018-06-01 01:06:08 -04:00
expect(response.status).to eq(400)
end
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
it "resends the invite" do
post "/invites/reinvite.json", params: { email: invite.email }
DEV: Assert for 200 response code to avoid changing magic helper in the future.
2018-06-07 04:11:09 -04:00
expect(response.status).to eq(200)
REFACTOR: convert invites controller specs to requests (#5898) REFACTOR: convert invites controller specs to requests
2018-06-01 01:06:08 -04:00
expect(Jobs::InviteEmail.jobs.size).to eq(1)
end
end
end
DEV: Use `describe` for methods in specs
2022-07-27 06:21:10 -04:00
describe "#resend_all_invites" do
FIX: Fix bulk_invite flaky tests (#17256)
2022-06-27 15:50:20 -04:00
let(:admin) { Fabricate(:admin) }
FEATURE: Various improvements to invite system (#12023) The user interface has been reorganized to show email and link invites in the same screen. Staff has more control over creating and updating invites. Bulk invite has also been improved with better explanations. On the server side, many code paths for email and link invites have been merged to avoid duplicated logic. The API returns better responses with more appropriate HTTP status codes.
2021-03-03 04:45:29 -05:00
before { SiteSetting.invite_expiry_days = 30 }
FIX: Fix bulk_invite flaky tests (#17256)
2022-06-27 15:50:20 -04:00
it "resends all non-redeemed invites by a user" do
FIX: Resend only pending invites (#13403) The Resend Invites button used to resend expired invites too, which was unexpected because the button was on the Pending Invites page.
2021-06-17 03:45:53 -04:00
freeze_time
DEV: Don't allow users to immediately reinvite (#15722) - Limit bulk re-invite to 1 time per day - Move bulk invite by csv behind a site setting (hidden by default) - Bump invite expiry from 30 -> 90 days ## Updates to rate_limiter When limiting reinvites I found that **staff** are never limited in any way. So I updated the **rate_limiter** model to allow for a few things: - add an optional param of `staff_limit`, which (when included and passed values, and the user passes `.staff?`) will override the default `max` & `secs` values and apply them to the user. - in the case you **do** pass values to `staff_limit` but the user **does not** pass `staff?` the standard `max` & `secs` values will be applied to the user. This should give us enough flexibility to 1. continue to apply a strict rate limit to a standard user 2. but also apply a secondary (less strict) limit to staff
2022-02-03 14:07:40 -05:00
new_invite = Fabricate(:invite, invited_by: admin)
expired_invite = Fabricate(:invite, invited_by: admin)
FEATURE: Various improvements to invite system (#12023) The user interface has been reorganized to show email and link invites in the same screen. Staff has more control over creating and updating invites. Bulk invite has also been improved with better explanations. On the server side, many code paths for email and link invites have been merged to avoid duplicated logic. The API returns better responses with more appropriate HTTP status codes.
2021-03-03 04:45:29 -05:00
expired_invite.update!(expires_at: 2.days.ago)
DEV: Don't allow users to immediately reinvite (#15722) - Limit bulk re-invite to 1 time per day - Move bulk invite by csv behind a site setting (hidden by default) - Bump invite expiry from 30 -> 90 days ## Updates to rate_limiter When limiting reinvites I found that **staff** are never limited in any way. So I updated the **rate_limiter** model to allow for a few things: - add an optional param of `staff_limit`, which (when included and passed values, and the user passes `.staff?`) will override the default `max` & `secs` values and apply them to the user. - in the case you **do** pass values to `staff_limit` but the user **does not** pass `staff?` the standard `max` & `secs` values will be applied to the user. This should give us enough flexibility to 1. continue to apply a strict rate limit to a standard user 2. but also apply a secondary (less strict) limit to staff
2022-02-03 14:07:40 -05:00
redeemed_invite = Fabricate(:invite, invited_by: admin)
FEATURE: Various improvements to invite system (#12023) The user interface has been reorganized to show email and link invites in the same screen. Staff has more control over creating and updating invites. Bulk invite has also been improved with better explanations. On the server side, many code paths for email and link invites have been merged to avoid duplicated logic. The API returns better responses with more appropriate HTTP status codes.
2021-03-03 04:45:29 -05:00
Fabricate(:invited_user, invite: redeemed_invite, user: Fabricate(:user))
redeemed_invite.update!(expires_at: 5.days.ago)
DEV: Don't allow users to immediately reinvite (#15722) - Limit bulk re-invite to 1 time per day - Move bulk invite by csv behind a site setting (hidden by default) - Bump invite expiry from 30 -> 90 days ## Updates to rate_limiter When limiting reinvites I found that **staff** are never limited in any way. So I updated the **rate_limiter** model to allow for a few things: - add an optional param of `staff_limit`, which (when included and passed values, and the user passes `.staff?`) will override the default `max` & `secs` values and apply them to the user. - in the case you **do** pass values to `staff_limit` but the user **does not** pass `staff?` the standard `max` & `secs` values will be applied to the user. This should give us enough flexibility to 1. continue to apply a strict rate limit to a standard user 2. but also apply a secondary (less strict) limit to staff
2022-02-03 14:07:40 -05:00
sign_in(admin)
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
post "/invites/reinvite-all"
FEATURE: Various improvements to invite system (#12023) The user interface has been reorganized to show email and link invites in the same screen. Staff has more control over creating and updating invites. Bulk invite has also been improved with better explanations. On the server side, many code paths for email and link invites have been merged to avoid duplicated logic. The API returns better responses with more appropriate HTTP status codes.
2021-03-03 04:45:29 -05:00
expect(response.status).to eq(200)
FIX: Resend only pending invites (#13403) The Resend Invites button used to resend expired invites too, which was unexpected because the button was on the Pending Invites page.
2021-06-17 03:45:53 -04:00
expect(new_invite.reload.expires_at).to eq_time(30.days.from_now)
expect(expired_invite.reload.expires_at).to eq_time(2.days.ago)
expect(redeemed_invite.reload.expires_at).to eq_time(5.days.ago)
FEATURE: Various improvements to invite system (#12023) The user interface has been reorganized to show email and link invites in the same screen. Staff has more control over creating and updating invites. Bulk invite has also been improved with better explanations. On the server side, many code paths for email and link invites have been merged to avoid duplicated logic. The API returns better responses with more appropriate HTTP status codes.
2021-03-03 04:45:29 -05:00
end
FIX: Fix bulk_invite flaky tests (#17256)
2022-06-27 15:50:20 -04:00
it "errors if admins try to exceed limit of one bulk invite per day" do
sign_in(admin)
FIX: update flaky bulk invite spec (#17425)
2022-07-11 12:58:23 -04:00
RateLimiter.enable
RateLimiter.clear_all!
start = Time.now
FIX: Fix bulk_invite flaky tests (#17256)
2022-06-27 15:50:20 -04:00
FIX: update flaky bulk invite spec (#17425)
2022-07-11 12:58:23 -04:00
freeze_time(start)
FIX: Fix bulk_invite flaky tests (#17256)
2022-06-27 15:50:20 -04:00
post "/invites/reinvite-all"
FIX: update flaky bulk invite spec (#17425)
2022-07-11 12:58:23 -04:00
expect(response.parsed_body["errors"]).to_not be_present
FIX: Fix bulk_invite flaky tests (#17256)
2022-06-27 15:50:20 -04:00
FIX: update flaky bulk invite spec (#17425)
2022-07-11 12:58:23 -04:00
freeze_time(start + 10.minutes)
FIX: Fix bulk_invite flaky tests (#17256)
2022-06-27 15:50:20 -04:00
post "/invites/reinvite-all"
expect(response.parsed_body["errors"][0]).to eq(I18n.t("rate_limiter.slow_down"))
end
FEATURE: Various improvements to invite system (#12023) The user interface has been reorganized to show email and link invites in the same screen. Staff has more control over creating and updating invites. Bulk invite has also been improved with better explanations. On the server side, many code paths for email and link invites have been merged to avoid duplicated logic. The API returns better responses with more appropriate HTTP status codes.
2021-03-03 04:45:29 -05:00
end
DEV: Use `describe` for methods in specs
2022-07-27 06:21:10 -04:00
describe "#upload_csv" do
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
it "requires to be logged in" do
post "/invites/upload_csv.json"
REFACTOR: convert invites controller specs to requests (#5898) REFACTOR: convert invites controller specs to requests
2018-06-01 01:06:08 -04:00
expect(response.status).to eq(403)
end
context "while logged in" do
let(:csv_file) { File.new("#{Rails.root}/spec/fixtures/csv/discourse.csv") }
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
let(:file) { Rack::Test::UploadedFile.new(File.open(csv_file)) }
REFACTOR: convert invites controller specs to requests (#5898) REFACTOR: convert invites controller specs to requests
2018-06-01 01:06:08 -04:00
FEATURE: Allow admins to pre-populate user fields (#12361) Admins can use bulk invites to pre-populate user fields. The imported CSV file must have a header with "email" column (first position) and names of the user fields (exact match). Under the hood, the bulk invite will create staged users and populate the user fields of those.
2021-03-29 07:03:19 -04:00
let(:csv_file_with_headers) do
File.new("#{Rails.root}/spec/fixtures/csv/discourse_headers.csv")
DEV: Apply syntax_tree formatting to `spec/*`
2023-01-09 06:18:21 -05:00
end
FEATURE: Allow admins to pre-populate user fields (#12361) Admins can use bulk invites to pre-populate user fields. The imported CSV file must have a header with "email" column (first position) and names of the user fields (exact match). Under the hood, the bulk invite will create staged users and populate the user fields of those.
2021-03-29 07:03:19 -04:00
let(:file_with_headers) { Rack::Test::UploadedFile.new(File.open(csv_file_with_headers)) }
FEATURE: Pre-setting user locale via bulk invite (#15195)
2021-12-05 20:08:21 -05:00
let(:csv_file_with_locales) do
File.new("#{Rails.root}/spec/fixtures/csv/invites_with_locales.csv")
DEV: Apply syntax_tree formatting to `spec/*`
2023-01-09 06:18:21 -05:00
end
FEATURE: Pre-setting user locale via bulk invite (#15195)
2021-12-05 20:08:21 -05:00
let(:file_with_locales) { Rack::Test::UploadedFile.new(File.open(csv_file_with_locales)) }
FEATURE: Allow admins to pre-populate user fields (#12361) Admins can use bulk invites to pre-populate user fields. The imported CSV file must have a header with "email" column (first position) and names of the user fields (exact match). Under the hood, the bulk invite will create staged users and populate the user fields of those.
2021-03-29 07:03:19 -04:00
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
it "fails if you cannot bulk invite to the forum" do
REFACTOR: convert invites controller specs to requests (#5898) REFACTOR: convert invites controller specs to requests
2018-06-01 01:06:08 -04:00
sign_in(Fabricate(:user))
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
post "/invites/upload_csv.json", params: { file: file, name: "discourse.csv" }
REFACTOR: convert invites controller specs to requests (#5898) REFACTOR: convert invites controller specs to requests
2018-06-01 01:06:08 -04:00
expect(response.status).to eq(403)
end
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
it "allows admin to bulk invite" do
FEATURE: multiple use invite links (#9813)
2020-06-09 11:19:32 -04:00
sign_in(admin)
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
post "/invites/upload_csv.json", params: { file: file, name: "discourse.csv" }
DEV: Assert for 200 response code to avoid changing magic helper in the future.
2018-06-07 04:11:09 -04:00
expect(response.status).to eq(200)
REFACTOR: convert invites controller specs to requests (#5898) REFACTOR: convert invites controller specs to requests
2018-06-01 01:06:08 -04:00
expect(Jobs::BulkInvite.jobs.size).to eq(1)
end
DEV: optimize bulk invite process
2019-06-12 05:05:21 -04:00
FIX: Allow bulk invites to be used with DiscourseConnect (#14862) Support for invites alongside DiscourseConnect was added in 355d51af. This commit fixes the guardian method so that the bulk invite button functionality also works.
2021-11-09 12:43:23 -05:00
it "allows admin to bulk invite when DiscourseConnect enabled" do
SiteSetting.discourse_connect_url = "https://example.com"
SiteSetting.enable_discourse_connect = true
sign_in(admin)
post "/invites/upload_csv.json", params: { file: file, name: "discourse.csv" }
expect(response.status).to eq(200)
expect(Jobs::BulkInvite.jobs.size).to eq(1)
end
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
it "sends limited invites at a time" do
DEV: optimize bulk invite process
2019-06-12 05:05:21 -04:00
SiteSetting.max_bulk_invites = 3
FEATURE: multiple use invite links (#9813)
2020-06-09 11:19:32 -04:00
sign_in(admin)
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
post "/invites/upload_csv.json", params: { file: file, name: "discourse.csv" }
DEV: optimize bulk invite process
2019-06-12 05:05:21 -04:00
expect(response.status).to eq(422)
expect(Jobs::BulkInvite.jobs.size).to eq(1)
DEV: Add tests for invite system (#12524)
2021-03-25 12:26:22 -04:00
expect(response.parsed_body["errors"][0]).to eq(
I18n.t("bulk_invite.max_rows", max_bulk_invites: SiteSetting.max_bulk_invites),
)
DEV: optimize bulk invite process
2019-06-12 05:05:21 -04:00
end
FEATURE: Allow admins to pre-populate user fields (#12361) Admins can use bulk invites to pre-populate user fields. The imported CSV file must have a header with "email" column (first position) and names of the user fields (exact match). Under the hood, the bulk invite will create staged users and populate the user fields of those.
2021-03-29 07:03:19 -04:00
it "can import user fields" do
Jobs.run_immediately!
user_field = Fabricate(:user_field, name: "location")
Fabricate(:group, name: "discourse")
Fabricate(:group, name: "ubuntu")
sign_in(admin)
post "/invites/upload_csv.json",
params: {
file: file_with_headers,
name: "discourse_headers.csv",
}
expect(response.status).to eq(200)
user = User.where(staged: true).find_by_email("test@example.com")
expect(user.user_fields[user_field.id.to_s]).to eq("usa")
user2 = User.where(staged: true).find_by_email("test2@example.com")
expect(user2.user_fields[user_field.id.to_s]).to eq("europe")
end
FEATURE: Pre-setting user locale via bulk invite (#15195)
2021-12-05 20:08:21 -05:00
it "can pre-set user locales" do
Jobs.run_immediately!
sign_in(admin)
post "/invites/upload_csv.json",
params: {
file: file_with_locales,
name: "discourse_headers.csv",
}
expect(response.status).to eq(200)
user = User.where(staged: true).find_by_email("test@example.com")
expect(user.locale).to eq("de")
user2 = User.where(staged: true).find_by_email("test2@example.com")
expect(user2.locale).to eq("pl")
end
REFACTOR: convert invites controller specs to requests (#5898) REFACTOR: convert invites controller specs to requests
2018-06-01 01:06:08 -04:00
end
end
FIX: better handling of invite links after they are redeemed FIX: deprecate invite_passthrough_hours setting
2018-05-08 10:42:58 -04:00
end