# encoding: utf-8 require 'test_helper' class UserOrganizationControllerTest < ActionDispatch::IntegrationTest setup do # set accept header @headers = { 'ACCEPT' => 'application/json', 'CONTENT_TYPE' => 'application/json' } # create agent roles = Role.where(name: %w(Admin Agent)) groups = Group.all UserInfo.current_user_id = 1 @admin = User.create_or_update( login: 'rest-admin', firstname: 'Rest', lastname: 'Agent', email: 'rest-admin@example.com', password: 'adminpw', active: true, roles: roles, groups: groups, ) # create agent roles = Role.where(name: 'Agent') @agent = User.create_or_update( login: 'rest-agent@example.com', firstname: 'Rest', lastname: 'Agent', email: 'rest-agent@example.com', password: 'agentpw', active: true, roles: roles, groups: groups, ) # create customer without org roles = Role.where(name: 'Customer') @customer_without_org = User.create_or_update( login: 'rest-customer1@example.com', firstname: 'Rest', lastname: 'Customer1', email: 'rest-customer1@example.com', password: 'customer1pw', active: true, roles: roles, ) # create orgs @organization = Organization.create_or_update( name: 'Rest Org', ) @organization2 = Organization.create_or_update( name: 'Rest Org #2', ) @organization3 = Organization.create_or_update( name: 'Rest Org #3', ) # create customer with org @customer_with_org = User.create_or_update( login: 'rest-customer2@example.com', firstname: 'Rest', lastname: 'Customer2', email: 'rest-customer2@example.com', password: 'customer2pw', active: true, roles: roles, organization_id: @organization.id, ) end test 'user create tests - no user' do post '/api/v1/signshow', {}, @headers # create user with disabled feature Setting.set('user_create_account', false) token = @response.headers['CSRF-TOKEN'] # token based on form params = { email: 'some_new_customer@example.com', authenticity_token: token } post '/api/v1/users', params.to_json, @headers assert_response(422) result = JSON.parse(@response.body) assert(result['error']) assert_equal('Feature not enabled!', result['error']) # token based on headers headers = @headers.merge('X-CSRF-Token' => token) params = { email: 'some_new_customer@example.com' } post '/api/v1/users', params.to_json, headers assert_response(422) result = JSON.parse(@response.body) assert(result['error']) assert_equal('Feature not enabled!', result['error']) Setting.set('user_create_account', true) # no signup param with enabled feature params = { email: 'some_new_customer@example.com' } post '/api/v1/users', params.to_json, headers assert_response(422) result = JSON.parse(@response.body) assert(result['error']) assert_equal('Only signup with not authenticate user possible!', result['error']) # already existing user with enabled feature params = { email: 'rest-customer1@example.com', signup: true } post '/api/v1/users', params.to_json, headers assert_response(422) result = JSON.parse(@response.body) assert(result['error']) assert_equal('User already exists!', result['error']) # create user with enabled feature (take customer role) params = { firstname: 'Me First', lastname: 'Me Last', email: 'new_here@example.com', signup: true } post '/api/v1/users', params.to_json, headers assert_response(201) result = JSON.parse(@response.body) assert(result) assert_equal('Me First', result['firstname']) assert_equal('Me Last', result['lastname']) assert_equal('new_here@example.com', result['login']) assert_equal('new_here@example.com', result['email']) user = User.find(result['id']) assert_not(user.role?('Admin')) assert_not(user.role?('Agent')) assert(user.role?('Customer')) # create user with admin role (not allowed for signup, take customer role) role = Role.lookup(name: 'Admin') params = { firstname: 'Admin First', lastname: 'Admin Last', email: 'new_admin@example.com', role_ids: [ role.id ], signup: true } post '/api/v1/users', params.to_json, headers assert_response(201) result = JSON.parse(@response.body) assert(result) user = User.find(result['id']) assert_not(user.role?('Admin')) assert_not(user.role?('Agent')) assert(user.role?('Customer')) # create user with agent role (not allowed for signup, take customer role) role = Role.lookup(name: 'Agent') params = { firstname: 'Agent First', lastname: 'Agent Last', email: 'new_agent@example.com', role_ids: [ role.id ], signup: true } post '/api/v1/users', params.to_json, headers assert_response(201) result = JSON.parse(@response.body) assert(result) user = User.find(result['id']) assert_not(user.role?('Admin')) assert_not(user.role?('Agent')) assert(user.role?('Customer')) # no user (because of no session) get '/api/v1/users', {}, headers assert_response(401) result = JSON.parse(@response.body) assert_equal('authentication failed', result['error']) # me get '/api/v1/users/me', {}, headers assert_response(401) result = JSON.parse(@response.body) assert_equal('authentication failed', result['error']) end test 'auth tests - not existing user' do credentials = ActionController::HttpAuthentication::Basic.encode_credentials('not_existing@example.com', 'adminpw') # me get '/api/v1/users/me', {}, @headers.merge('Authorization' => credentials) assert_response(401) result = JSON.parse(@response.body) assert_equal('authentication failed', result['error']) get '/api/v1/users', {}, @headers.merge('Authorization' => credentials) assert_response(401) result = JSON.parse(@response.body) assert_equal('authentication failed', result['error']) end test 'auth tests - username auth, wrong pw' do credentials = ActionController::HttpAuthentication::Basic.encode_credentials('rest-admin', 'not_existing') get '/api/v1/users', {}, @headers.merge('Authorization' => credentials) assert_response(401) result = JSON.parse(@response.body) assert_equal('authentication failed', result['error']) end test 'auth tests - email auth, wrong pw' do credentials = ActionController::HttpAuthentication::Basic.encode_credentials('rest-admin@example.com', 'not_existing') get '/api/v1/users', {}, @headers.merge('Authorization' => credentials) assert_response(401) result = JSON.parse(@response.body) assert_equal('authentication failed', result['error']) end test 'auth tests - username auth' do credentials = ActionController::HttpAuthentication::Basic.encode_credentials('rest-admin', 'adminpw') get '/api/v1/users', {}, @headers.merge('Authorization' => credentials) assert_response(200) result = JSON.parse(@response.body) assert(result) end test 'auth tests - email auth' do credentials = ActionController::HttpAuthentication::Basic.encode_credentials('rest-admin@example.com', 'adminpw') get '/api/v1/users', {}, @headers.merge('Authorization' => credentials) assert_response(200) result = JSON.parse(@response.body) assert(result) end test 'user index and create with admin' do # email auth credentials = ActionController::HttpAuthentication::Basic.encode_credentials('rest-admin@example.com', 'adminpw') # me get '/api/v1/users/me', {}, @headers.merge('Authorization' => credentials) assert_response(200) result = JSON.parse(@response.body) assert(result) assert_equal(result['email'], 'rest-admin@example.com') # index get '/api/v1/users', {}, @headers.merge('Authorization' => credentials) assert_response(200) result = JSON.parse(@response.body) assert(result) # index get '/api/v1/users', {}, @headers.merge('Authorization' => credentials) assert_response(200) result = JSON.parse(@response.body) assert(result) assert_equal(result.class, Array) assert(result.length >= 3) # show/:id get "/api/v1/users/#{@agent.id}", {}, @headers.merge('Authorization' => credentials) assert_response(200) result = JSON.parse(@response.body) assert(result) assert_equal(result.class, Hash) assert_equal(result['email'], 'rest-agent@example.com') get "/api/v1/users/#{@customer_without_org.id}", {}, @headers.merge('Authorization' => credentials) assert_response(200) result = JSON.parse(@response.body) assert(result) assert_equal(result.class, Hash) assert_equal(result['email'], 'rest-customer1@example.com') # create user with admin role role = Role.lookup(name: 'Admin') params = { firstname: 'Admin First', lastname: 'Admin Last', email: 'new_admin_by_admin@example.com', role_ids: [ role.id ] } post '/api/v1/users', params.to_json, @headers.merge('Authorization' => credentials) assert_response(201) result = JSON.parse(@response.body) assert(result) user = User.find(result['id']) assert(user.role?('Admin')) assert_not(user.role?('Agent')) assert_not(user.role?('Customer')) assert_equal('new_admin_by_admin@example.com', result['login']) assert_equal('new_admin_by_admin@example.com', result['email']) # create user with agent role role = Role.lookup(name: 'Agent') params = { firstname: 'Agent First', lastname: 'Agent Last', email: 'new_agent_by_admin1@example.com', role_ids: [ role.id ] } post '/api/v1/users', params.to_json, @headers.merge('Authorization' => credentials) assert_response(201) result = JSON.parse(@response.body) assert(result) user = User.find(result['id']) assert_not(user.role?('Admin')) assert(user.role?('Agent')) assert_not(user.role?('Customer')) assert_equal('new_agent_by_admin1@example.com', result['login']) assert_equal('new_agent_by_admin1@example.com', result['email']) role = Role.lookup(name: 'Agent') params = { firstname: 'Agent First', email: 'new_agent_by_admin2@example.com', role_ids: [ role.id ] } post '/api/v1/users', params.to_json, @headers.merge('Authorization' => credentials) assert_response(201) result = JSON.parse(@response.body) assert(result) user = User.find(result['id']) assert_not(user.role?('Admin')) assert(user.role?('Agent')) assert_not(user.role?('Customer')) assert_equal('new_agent_by_admin2@example.com', result['login']) assert_equal('new_agent_by_admin2@example.com', result['email']) assert_equal('Agent', result['firstname']) assert_equal('First', result['lastname']) role = Role.lookup(name: 'Agent') params = { firstname: 'Agent First', email: 'new_agent_by_admin2@example.com', role_ids: [ role.id ] } post '/api/v1/users', params.to_json, @headers.merge('Authorization' => credentials) assert_response(422) result = JSON.parse(@response.body) assert(result) assert_equal('User already exists!', result['error']) # missing required attributes params = { note: 'some note' } post '/api/v1/users', params.to_json, @headers.merge('Authorization' => credentials) assert_response(422) result = JSON.parse(@response.body) assert(result) assert_equal('Attribute \'login\' required!', result['error']) params = { firstname: 'newfirstname123', note: 'some note' } post '/api/v1/users', params.to_json, @headers.merge('Authorization' => credentials) assert_response(422) result = JSON.parse(@response.body) assert(result) assert_equal('Attribute \'login\' required!', result['error']) params = { firstname: 'newfirstname123', email: 'some_what', note: 'some note' } post '/api/v1/users', params.to_json, @headers.merge('Authorization' => credentials) assert_response(422) result = JSON.parse(@response.body) assert(result) assert_equal('Invalid email', result['error']) end test 'user index and create with agent' do credentials = ActionController::HttpAuthentication::Basic.encode_credentials('rest-agent@example.com', 'agentpw') # me get '/api/v1/users/me', {}, @headers.merge('Authorization' => credentials) assert_response(200) result = JSON.parse(@response.body) assert(result) assert_equal(result['email'], 'rest-agent@example.com') # index get '/api/v1/users', {}, @headers.merge('Authorization' => credentials) assert_response(200) result = JSON.parse(@response.body) assert(result) # index get '/api/v1/users', {}, @headers.merge('Authorization' => credentials) assert_response(200) result = JSON.parse(@response.body) assert(result) assert_equal(result.class, Array) assert(result.length >= 3) get '/api/v1/users?limit=40&page=1&per_page=2', {}, @headers.merge('Authorization' => credentials) assert_response(200) result = JSON.parse(@response.body) assert_equal(Array, result.class) users = User.order(:id).limit(2) assert_equal(users[0].id, result[0]['id']) assert_equal(users[1].id, result[1]['id']) assert_equal(2, result.count) get '/api/v1/users?limit=40&page=2&per_page=2', {}, @headers.merge('Authorization' => credentials) assert_response(200) result = JSON.parse(@response.body) assert_equal(Array, result.class) users = User.order(:id).limit(4) assert_equal(users[2].id, result[0]['id']) assert_equal(users[3].id, result[1]['id']) assert_equal(2, result.count) # create user with admin role firstname = "First test#{rand(999_999_999)}" role = Role.lookup(name: 'Admin') params = { firstname: "Admin#{firstname}", lastname: 'Admin Last', email: 'new_admin_by_agent@example.com', role_ids: [ role.id ] } post '/api/v1/users', params.to_json, @headers.merge('Authorization' => credentials) assert_response(401) result = JSON.parse(@response.body) assert(result) # create user with agent role role = Role.lookup(name: 'Agent') params = { firstname: "Agent#{firstname}", lastname: 'Agent Last', email: 'new_agent_by_agent@example.com', role_ids: [ role.id ] } post '/api/v1/users', params.to_json, @headers.merge('Authorization' => credentials) assert_response(401) result = JSON.parse(@response.body) assert(result) # create user with customer role role = Role.lookup(name: 'Customer') params = { firstname: "Customer#{firstname}", lastname: 'Customer Last', email: 'new_customer_by_agent@example.com', role_ids: [ role.id ] } post '/api/v1/users', params.to_json, @headers.merge('Authorization' => credentials) assert_response(201) result_user1 = JSON.parse(@response.body) assert(result_user1) user = User.find(result_user1['id']) assert_not(user.role?('Admin')) assert_not(user.role?('Agent')) assert(user.role?('Customer')) assert_equal('new_customer_by_agent@example.com', result_user1['login']) assert_equal('new_customer_by_agent@example.com', result_user1['email']) # search as agent Scheduler.worker(true) get "/api/v1/users/search?query=#{CGI.escape("Customer#{firstname}")}", {}, @headers.merge('Authorization' => credentials) assert_response(200) result = JSON.parse(@response.body) assert_equal(Array, result.class) assert_equal(result_user1['id'], result[0]['id']) assert_equal("Customer#{firstname}", result[0]['firstname']) assert_equal('Customer Last', result[0]['lastname']) assert_not(result[0]['role_ids']) assert_not(result[0]['roles']) get "/api/v1/users/search?query=#{CGI.escape("Customer#{firstname}")}&expand=true", {}, @headers.merge('Authorization' => credentials) assert_response(200) result = JSON.parse(@response.body) assert_equal(Array, result.class) assert_equal(result_user1['id'], result[0]['id']) assert_equal("Customer#{firstname}", result[0]['firstname']) assert_equal('Customer Last', result[0]['lastname']) assert(result[0]['role_ids']) assert(result[0]['roles']) get "/api/v1/users/search?query=#{CGI.escape("Customer#{firstname}")}&label=true", {}, @headers.merge('Authorization' => credentials) assert_response(200) result = JSON.parse(@response.body) assert_equal(Array, result.class) assert_equal(result_user1['id'], result[0]['id']) assert_equal("Customer#{firstname} Customer Last ", result[0]['label']) assert_equal("Customer#{firstname} Customer Last ", result[0]['value']) assert_not(result[0]['role_ids']) assert_not(result[0]['roles']) end test 'user index and create with customer1' do credentials = ActionController::HttpAuthentication::Basic.encode_credentials('rest-customer1@example.com', 'customer1pw') # me get '/api/v1/users/me', {}, @headers.merge('Authorization' => credentials) assert_response(200) result = JSON.parse(@response.body) assert(result) assert_equal(result['email'], 'rest-customer1@example.com') # index get '/api/v1/users', {}, @headers.merge('Authorization' => credentials) assert_response(200) result = JSON.parse(@response.body) assert_equal(result.class, Array) assert_equal(result.length, 1) # show/:id get "/api/v1/users/#{@customer_without_org.id}", {}, @headers.merge('Authorization' => credentials) assert_response(200) result = JSON.parse(@response.body) assert_equal(result.class, Hash) assert_equal(result['email'], 'rest-customer1@example.com') get "/api/v1/users/#{@customer_with_org.id}", {}, @headers.merge('Authorization' => credentials) assert_response(401) result = JSON.parse(@response.body) assert_equal(result.class, Hash) assert(result['error']) # create user with admin role role = Role.lookup(name: 'Admin') params = { firstname: 'Admin First', lastname: 'Admin Last', email: 'new_admin_by_customer1@example.com', role_ids: [ role.id ] } post '/api/v1/users', params.to_json, @headers.merge('Authorization' => credentials) assert_response(401) # create user with agent role role = Role.lookup(name: 'Agent') params = { firstname: 'Agent First', lastname: 'Agent Last', email: 'new_agent_by_customer1@example.com', role_ids: [ role.id ] } post '/api/v1/users', params.to_json, @headers.merge('Authorization' => credentials) assert_response(401) # search Scheduler.worker(true) get "/api/v1/users/search?query=#{CGI.escape('First')}", {}, @headers.merge('Authorization' => credentials) assert_response(401) end test 'user index with customer2' do credentials = ActionController::HttpAuthentication::Basic.encode_credentials('rest-customer2@example.com', 'customer2pw') # me get '/api/v1/users/me', {}, @headers.merge('Authorization' => credentials) assert_response(200) result = JSON.parse(@response.body) assert(result) assert_equal(result['email'], 'rest-customer2@example.com') # index get '/api/v1/users', {}, @headers.merge('Authorization' => credentials) assert_response(200) result = JSON.parse(@response.body) assert_equal(result.class, Array) assert_equal(result.length, 1) # show/:id get "/api/v1/users/#{@customer_with_org.id}", {}, @headers.merge('Authorization' => credentials) assert_response(200) result = JSON.parse(@response.body) assert_equal(result.class, Hash) assert_equal(result['email'], 'rest-customer2@example.com') get "/api/v1/users/#{@customer_without_org.id}", {}, @headers.merge('Authorization' => credentials) assert_response(401) result = JSON.parse(@response.body) assert_equal(result.class, Hash) assert(result['error']) # search Scheduler.worker(true) get "/api/v1/users/search?query=#{CGI.escape('First')}", {}, @headers.merge('Authorization' => credentials) assert_response(401) end test 'organization index with agent' do credentials = ActionController::HttpAuthentication::Basic.encode_credentials('rest-agent@example.com', 'agentpw') # index get '/api/v1/organizations', {}, @headers.merge('Authorization' => credentials) assert_response(200) result = JSON.parse(@response.body) assert_equal(result.class, Array) assert(result.length >= 3) get '/api/v1/organizations?limit=40&page=1&per_page=2', {}, @headers.merge('Authorization' => credentials) assert_response(200) result = JSON.parse(@response.body) assert_equal(Array, result.class) organizations = Organization.order(:id).limit(2) assert_equal(organizations[0].id, result[0]['id']) assert_equal(organizations[1].id, result[1]['id']) assert_equal(2, result.count) get '/api/v1/organizations?limit=40&page=2&per_page=2', {}, @headers.merge('Authorization' => credentials) assert_response(200) result = JSON.parse(@response.body) assert_equal(Array, result.class) organizations = Organization.order(:id).limit(4) assert_equal(organizations[2].id, result[0]['id']) assert_equal(organizations[3].id, result[1]['id']) assert_equal(2, result.count) # show/:id get "/api/v1/organizations/#{@organization.id}", {}, @headers.merge('Authorization' => credentials) assert_response(200) result = JSON.parse(@response.body) assert_equal(result.class, Hash) assert_equal(result['name'], 'Rest Org') get "/api/v1/organizations/#{@organization2.id}", {}, @headers.merge('Authorization' => credentials) assert_response(200) result = JSON.parse(@response.body) assert_equal(result.class, Hash) assert_equal(result['name'], 'Rest Org #2') # search as agent Scheduler.worker(true) get "/api/v1/organizations/search?query=#{CGI.escape('Zammad')}", {}, @headers.merge('Authorization' => credentials) assert_response(200) result = JSON.parse(@response.body) assert_equal(Array, result.class) assert_equal('Zammad Foundation', result[0]['name']) assert_not(result[0]['member_ids']) assert_not(result[0]['members']) get "/api/v1/organizations/search?query=#{CGI.escape('Zammad')}&expand=true", {}, @headers.merge('Authorization' => credentials) assert_response(200) result = JSON.parse(@response.body) assert_equal(Array, result.class) assert_equal('Zammad Foundation', result[0]['name']) assert(result[0]['member_ids']) assert(result[0]['members']) get "/api/v1/organizations/search?query=#{CGI.escape('Zammad')}&label=true", {}, @headers.merge('Authorization' => credentials) assert_response(200) result = JSON.parse(@response.body) assert_equal(Array, result.class) assert_equal('Zammad Foundation', result[0]['label']) assert_equal('Zammad Foundation', result[0]['value']) assert_not(result[0]['member_ids']) assert_not(result[0]['members']) end test 'organization index with customer1' do credentials = ActionController::HttpAuthentication::Basic.encode_credentials('rest-customer1@example.com', 'customer1pw') # index get '/api/v1/organizations', {}, @headers.merge('Authorization' => credentials) assert_response(200) result = JSON.parse(@response.body) assert_equal(result.class, Array) assert_equal(result.length, 0) # show/:id get "/api/v1/organizations/#{@organization.id}", {}, @headers.merge('Authorization' => credentials) assert_response(200) result = JSON.parse(@response.body) assert_equal(result.class, Hash) assert_equal(result['name'], nil) get "/api/v1/organizations/#{@organization2.id}", {}, @headers.merge('Authorization' => credentials) assert_response(200) result = JSON.parse(@response.body) assert_equal(result.class, Hash) assert_equal(result['name'], nil) # search Scheduler.worker(true) get "/api/v1/organizations/search?query=#{CGI.escape('Zammad')}", {}, @headers.merge('Authorization' => credentials) assert_response(401) end test 'organization index with customer2' do credentials = ActionController::HttpAuthentication::Basic.encode_credentials('rest-customer2@example.com', 'customer2pw') # index get '/api/v1/organizations', {}, @headers.merge('Authorization' => credentials) assert_response(200) result = JSON.parse(@response.body) assert_equal(result.class, Array) assert_equal(result.length, 1) # show/:id get "/api/v1/organizations/#{@organization.id}", {}, @headers.merge('Authorization' => credentials) assert_response(200) result = JSON.parse(@response.body) assert_equal(result.class, Hash) assert_equal(result['name'], 'Rest Org') get "/api/v1/organizations/#{@organization2.id}", {}, @headers.merge('Authorization' => credentials) assert_response(401) result = JSON.parse(@response.body) assert_equal(result.class, Hash) assert_equal(result['name'], nil) # search Scheduler.worker(true) get "/api/v1/organizations/search?query=#{CGI.escape('Zammad')}", {}, @headers.merge('Authorization' => credentials) assert_response(401) end end