123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275 |
- # Copyright (C) 2012-2025 Zammad Foundation, https://zammad-foundation.org/
- require 'rails_helper'
- RSpec.describe 'Settings', type: :request do
- let(:admin) do
- create(:admin)
- end
- let(:admin_api) do
- role_api = create(:role)
- role_api.permission_grant('admin.api')
- create(:admin, roles: [role_api])
- end
- let(:agent) do
- create(:agent)
- end
- let(:customer) do
- create(:customer)
- end
- describe 'request handling' do
- it 'does settings index with nobody' do
- # index
- get '/api/v1/settings', params: {}, as: :json
- expect(response).to have_http_status(:forbidden)
- expect(json_response).to be_a(Hash)
- expect(json_response['settings']).to be_falsey
- # show
- setting = Setting.find_by(name: 'product_name')
- get "/api/v1/settings/#{setting.id}", params: {}, as: :json
- expect(response).to have_http_status(:forbidden)
- expect(json_response['error']).to eq('Authentication required')
- end
- it 'does settings index with admin' do
- # index
- authenticated_as(admin)
- get '/api/v1/settings', params: {}, as: :json
- expect(response).to have_http_status(:ok)
- expect(json_response).to be_a(Array)
- expect(json_response).to be_truthy
- hit_api = false
- hit_product_name = false
- json_response.each do |setting|
- if setting['name'] == 'api_token_access'
- hit_api = true
- end
- if setting['name'] == 'product_name'
- hit_product_name = true
- end
- end
- expect(hit_api).to be(true)
- expect(hit_product_name).to be(true)
- # show
- setting = Setting.find_by(name: 'product_name')
- get "/api/v1/settings/#{setting.id}", params: {}, as: :json
- expect(response).to have_http_status(:ok)
- expect(json_response).to be_a(Hash)
- expect(json_response['name']).to eq('product_name')
- setting = Setting.find_by(name: 'api_token_access')
- get "/api/v1/settings/#{setting.id}", params: {}, as: :json
- expect(response).to have_http_status(:ok)
- expect(json_response).to be_a(Hash)
- expect(json_response['name']).to eq('api_token_access')
- # update
- setting = Setting.find_by(name: 'product_name')
- params = {
- id: setting.id,
- name: 'some_new_name',
- preferences: {
- permission: ['admin.branding', 'admin.some_new_permission'],
- some_new_key: true,
- }
- }
- put "/api/v1/settings/#{setting.id}", params: params, as: :json
- expect(response).to have_http_status(:ok)
- expect(json_response).to be_a(Hash)
- expect(json_response['name']).to eq('product_name')
- expect(json_response['preferences']['permission'].length).to eq(1)
- expect(json_response['preferences']['permission'][0]).to eq('admin.branding')
- expect(json_response['preferences']['some_new_key']).to be(true)
- # update
- setting = Setting.find_by(name: 'api_token_access')
- params = {
- id: setting.id,
- name: 'some_new_name',
- preferences: {
- permission: ['admin.branding', 'admin.some_new_permission'],
- some_new_key: true,
- }
- }
- put "/api/v1/settings/#{setting.id}", params: params, as: :json
- expect(response).to have_http_status(:ok)
- expect(json_response).to be_a(Hash)
- expect(json_response['name']).to eq('api_token_access')
- expect(json_response['preferences']['permission'].length).to eq(1)
- expect(json_response['preferences']['permission'][0]).to eq('admin.api')
- expect(json_response['preferences']['some_new_key']).to be(true)
- # delete
- setting = Setting.find_by(name: 'product_name')
- delete "/api/v1/settings/#{setting.id}", params: {}, as: :json
- expect(response).to have_http_status(:forbidden)
- expect(json_response['error']).to eq('Not authorized (feature not possible)')
- end
- it 'does settings index with admin-api' do
- # index
- authenticated_as(admin_api)
- get '/api/v1/settings', params: {}, as: :json
- expect(response).to have_http_status(:ok)
- expect(json_response).to be_a(Array)
- expect(json_response).to be_truthy
- hit_api = false
- hit_product_name = false
- json_response.each do |setting|
- if setting['name'] == 'api_token_access'
- hit_api = true
- end
- if setting['name'] == 'product_name'
- hit_product_name = true
- end
- end
- expect(hit_api).to be(true)
- expect(hit_product_name).to be(false)
- # show
- setting = Setting.find_by(name: 'product_name')
- get "/api/v1/settings/#{setting.id}", params: {}, as: :json
- expect(response).to have_http_status(:forbidden)
- expect(json_response['error']).to eq('Not authorized (required ["admin.branding"])!')
- setting = Setting.find_by(name: 'api_token_access')
- get "/api/v1/settings/#{setting.id}", params: {}, as: :json
- expect(response).to have_http_status(:ok)
- expect(json_response).to be_a(Hash)
- expect(json_response['name']).to eq('api_token_access')
- # update
- setting = Setting.find_by(name: 'product_name')
- params = {
- id: setting.id,
- name: 'some_new_name',
- preferences: {
- permission: ['admin.branding', 'admin.some_new_permission'],
- some_new_key: true,
- }
- }
- put "/api/v1/settings/#{setting.id}", params: params, as: :json
- expect(response).to have_http_status(:forbidden)
- expect(json_response['error']).to eq('Not authorized (required ["admin.branding"])!')
- # update
- setting = Setting.find_by(name: 'api_token_access')
- params = {
- id: setting.id,
- name: 'some_new_name',
- preferences: {
- permission: ['admin.branding', 'admin.some_new_permission'],
- some_new_key: true,
- }
- }
- put "/api/v1/settings/#{setting.id}", params: params, as: :json
- expect(response).to have_http_status(:ok)
- expect(json_response).to be_a(Hash)
- expect(json_response['name']).to eq('api_token_access')
- expect(json_response['preferences']['permission'].length).to eq(1)
- expect(json_response['preferences']['permission'][0]).to eq('admin.api')
- expect(json_response['preferences']['some_new_key']).to be(true)
- # delete
- setting = Setting.find_by(name: 'product_name')
- delete "/api/v1/settings/#{setting.id}", params: {}, as: :json
- expect(response).to have_http_status(:forbidden)
- expect(json_response['error']).to eq('Not authorized (feature not possible)')
- end
- it 'does settings index with agent' do
- # index
- authenticated_as(agent)
- get '/api/v1/settings', params: {}, as: :json
- expect(response).to have_http_status(:forbidden)
- expect(json_response).to be_a(Hash)
- expect(json_response['settings']).to be_falsey
- expect(json_response['error']).to eq('User authorization failed.')
- # show
- setting = Setting.find_by(name: 'product_name')
- get "/api/v1/settings/#{setting.id}", params: {}, as: :json
- expect(response).to have_http_status(:forbidden)
- expect(json_response['error']).to eq('User authorization failed.')
- end
- it 'does settings index with customer' do
- # index
- authenticated_as(customer)
- get '/api/v1/settings', params: {}, as: :json
- expect(response).to have_http_status(:forbidden)
- expect(json_response).to be_a(Hash)
- expect(json_response['settings']).to be_falsey
- expect(json_response['error']).to eq('User authorization failed.')
- # show
- setting = Setting.find_by(name: 'product_name')
- get "/api/v1/settings/#{setting.id}", params: {}, as: :json
- expect(response).to have_http_status(:forbidden)
- expect(json_response['error']).to eq('User authorization failed.')
- # delete
- setting = Setting.find_by(name: 'product_name')
- delete "/api/v1/settings/#{setting.id}", params: {}, as: :json
- expect(response).to have_http_status(:forbidden)
- expect(json_response['error']).to eq('User authorization failed.')
- end
- it 'protected setting not existing in list' do
- authenticated_as(admin)
- get '/api/v1/settings', params: {}, as: :json
- expect(json_response.detect { |setting| setting['name'] == 'application_secret' }).to be_nil
- end
- it 'can not show protected setting' do
- setting = Setting.find_by(name: 'application_secret')
- authenticated_as(admin)
- get "/api/v1/settings/#{setting.id}", params: {}, as: :json
- expect(response).to have_http_status(:forbidden)
- end
- it 'can not update protected setting' do
- setting = Setting.find_by(name: 'application_secret')
- params = {
- id: setting.id,
- state: 'Examaple'
- }
- put "/api/v1/settings/#{setting.id}", params: params, as: :json
- authenticated_as(admin)
- put "/api/v1/settings/#{setting.id}", params: {}, as: :json
- expect(response).to have_http_status(:forbidden)
- end
- context 'when reset is used', authenticated_as: :admin do
- it 'can not reset protected setting' do
- setting = Setting.find_by(name: 'application_secret')
- post "/api/v1/settings/reset/#{setting.id}", params: {}, as: :json
- expect(response).to have_http_status(:forbidden)
- end
- it 'reset a setting', :aggregate_failures do
- setting = Setting.find_by(name: 'product_name')
- setting.update(state_current: { value: 'Other name' })
- post "/api/v1/settings/reset/#{setting.id}", params: {}, as: :json
- expect(response).to have_http_status(:ok)
- expect(json_response).to be_a(Hash)
- expect(json_response['state_current']).to eq(setting[:state_initial])
- end
- end
- end
- end
|