zammad/test/controllers/settings_controller_test.rb

# encoding: utf-8
require 'test_helper'

class SettingsControllerTest < ActionDispatch::IntegrationTest
  setup do

    # set accept header
    @headers = { 'ACCEPT' => 'application/json', 'CONTENT_TYPE' => 'application/json' }

    # create agent
    roles  = Role.where(name: %w(Admin Agent))
    groups = Group.all

    UserInfo.current_user_id = 1
    @admin_full = User.create_or_update(
      login: 'setting-admin',
      firstname: 'Setting',
      lastname: 'Admin',
      email: 'setting-admin@example.com',
      password: 'adminpw',
      active: true,
      roles: roles,
      groups: groups,
    )

    role_api = Role.create_or_update(
      name: 'AdminApi',
      note: 'To configure your api.',
      preferences: {
        not: ['Customer'],
      },
      default_at_signup: false,
      updated_by_id: 1,
      created_by_id: 1
    )
    role_api.permission_grant('admin.api')
    @admin_api = User.create_or_update(
      login: 'setting-admin-api',
      firstname: 'Setting',
      lastname: 'Admin Api',
      email: 'setting-admin-api@example.com',
      password: 'adminpw',
      active: true,
      roles: [role_api],
      groups: groups,
    )

    # create agent
    roles = Role.where(name: 'Agent')
    @agent = User.create_or_update(
      login: 'setting-agent@example.com',
      firstname: 'Setting',
      lastname: 'Agent',
      email: 'setting-agent@example.com',
      password: 'agentpw',
      active: true,
      roles: roles,
      groups: groups,
    )

    # create customer without org
    roles = Role.where(name: 'Customer')
    @customer_without_org = User.create_or_update(
      login: 'setting-customer1@example.com',
      firstname: 'Setting',
      lastname: 'Customer1',
      email: 'setting-customer1@example.com',
      password: 'customer1pw',
      active: true,
      roles: roles,
    )

  end

  test 'settings index with nobody' do

    # index
    get '/api/v1/settings', {}, @headers
    assert_response(401)
    result = JSON.parse(@response.body)
    assert_equal(Hash, result.class)
    assert_not(result['settings'])

    # show
    setting = Setting.find_by(name: 'product_name')
    get "/api/v1/settings/#{setting.id}", {}, @headers
    assert_response(401)
    result = JSON.parse(@response.body)
    assert_equal('authentication failed', result['error'])
  end

  test 'settings index with admin' do

    credentials = ActionController::HttpAuthentication::Basic.encode_credentials('setting-admin@example.com', 'adminpw')

    # index
    get '/api/v1/settings', {}, @headers.merge('Authorization' => credentials)
    assert_response(200)
    result = JSON.parse(@response.body)
    assert_equal(Array, result.class)
    assert(result)
    hit_api = false
    hit_product_name = false
    result.each { |setting|
      if setting['name'] == 'api_token_access'
        hit_api = true
      end
      if setting['name'] == 'product_name'
        hit_product_name = true
      end
    }
    assert_equal(true, hit_api)
    assert_equal(true, hit_product_name)

    # show
    setting = Setting.find_by(name: 'product_name')
    get "/api/v1/settings/#{setting.id}", {}, @headers.merge('Authorization' => credentials)
    assert_response(200)
    result = JSON.parse(@response.body)
    assert_equal(Hash, result.class)
    assert_equal('product_name', result['name'])

    setting = Setting.find_by(name: 'api_token_access')
    get "/api/v1/settings/#{setting.id}", {}, @headers.merge('Authorization' => credentials)
    assert_response(200)
    result = JSON.parse(@response.body)
    assert_equal(Hash, result.class)
    assert_equal('api_token_access', result['name'])

    # update
    setting = Setting.find_by(name: 'product_name')
    params = {
      id: setting.id,
      name: 'some_new_name',
      preferences: {
        permission: ['admin.branding', 'admin.some_new_permission'],
        some_new_key: true,
      }
    }
    put "/api/v1/settings/#{setting.id}", params.to_json, @headers.merge('Authorization' => credentials)
    assert_response(200)
    result = JSON.parse(@response.body)
    assert_equal(Hash, result.class)
    assert_equal('product_name', result['name'])
    assert_equal(1, result['preferences']['permission'].length)
    assert_equal('admin.branding', result['preferences']['permission'][0])
    assert_equal(true, result['preferences']['some_new_key'])

    # update
    setting = Setting.find_by(name: 'api_token_access')
    params = {
      id: setting.id,
      name: 'some_new_name',
      preferences: {
        permission: ['admin.branding', 'admin.some_new_permission'],
        some_new_key: true,
      }
    }
    put "/api/v1/settings/#{setting.id}", params.to_json, @headers.merge('Authorization' => credentials)
    assert_response(200)
    result = JSON.parse(@response.body)
    assert_equal(Hash, result.class)
    assert_equal('api_token_access', result['name'])
    assert_equal(1, result['preferences']['permission'].length)
    assert_equal('admin.api', result['preferences']['permission'][0])
    assert_equal(true, result['preferences']['some_new_key'])

    # delete
    setting = Setting.find_by(name: 'product_name')
    delete "/api/v1/settings/#{setting.id}", {}.to_json, @headers.merge('Authorization' => credentials)
    assert_response(401)
    result = JSON.parse(@response.body)
    assert_equal('Not authorized (feature not possible)', result['error'])
  end

  test 'settings index with admin-api' do

    credentials = ActionController::HttpAuthentication::Basic.encode_credentials('setting-admin-api@example.com', 'adminpw')

    # index
    get '/api/v1/settings', {}, @headers.merge('Authorization' => credentials)
    assert_response(200)
    result = JSON.parse(@response.body)
    assert_equal(Array, result.class)
    assert(result)
    hit_api = false
    hit_product_name = false
    result.each { |setting|
      if setting['name'] == 'api_token_access'
        hit_api = true
      end
      if setting['name'] == 'product_name'
        hit_product_name = true
      end
    }
    assert_equal(true, hit_api)
    assert_equal(false, hit_product_name)

    # show
    setting = Setting.find_by(name: 'product_name')
    get "/api/v1/settings/#{setting.id}", {}, @headers.merge('Authorization' => credentials)
    assert_response(401)
    result = JSON.parse(@response.body)
    assert_equal('Not authorized (required ["admin.branding"])', result['error'])

    setting = Setting.find_by(name: 'api_token_access')
    get "/api/v1/settings/#{setting.id}", {}, @headers.merge('Authorization' => credentials)
    assert_response(200)
    result = JSON.parse(@response.body)
    assert_equal(Hash, result.class)
    assert_equal('api_token_access', result['name'])

    # update
    setting = Setting.find_by(name: 'product_name')
    params = {
      id: setting.id,
      name: 'some_new_name',
      preferences: {
        permission: ['admin.branding', 'admin.some_new_permission'],
        some_new_key: true,
      }
    }
    put "/api/v1/settings/#{setting.id}", params.to_json, @headers.merge('Authorization' => credentials)
    assert_response(401)
    result = JSON.parse(@response.body)
    assert_equal('Not authorized (required ["admin.branding"])', result['error'])

    # update
    setting = Setting.find_by(name: 'api_token_access')
    params = {
      id: setting.id,
      name: 'some_new_name',
      preferences: {
        permission: ['admin.branding', 'admin.some_new_permission'],
        some_new_key: true,
      }
    }
    put "/api/v1/settings/#{setting.id}", params.to_json, @headers.merge('Authorization' => credentials)
    assert_response(200)
    result = JSON.parse(@response.body)
    assert_equal(Hash, result.class)
    assert_equal('api_token_access', result['name'])
    assert_equal(1, result['preferences']['permission'].length)
    assert_equal('admin.api', result['preferences']['permission'][0])
    assert_equal(true, result['preferences']['some_new_key'])

    # delete
    setting = Setting.find_by(name: 'product_name')
    delete "/api/v1/settings/#{setting.id}", {}.to_json, @headers.merge('Authorization' => credentials)
    assert_response(401)
    result = JSON.parse(@response.body)
    assert_equal('Not authorized (feature not possible)', result['error'])
  end

  test 'settings index with agent' do

    credentials = ActionController::HttpAuthentication::Basic.encode_credentials('setting-agent@example.com', 'agentpw')

    # index
    get '/api/v1/settings', {}, @headers.merge('Authorization' => credentials)
    assert_response(401)
    result = JSON.parse(@response.body)
    assert_equal(Hash, result.class)
    assert_not(result['settings'])
    assert_equal('Not authorized (user)!', result['error'])

    # show
    setting = Setting.find_by(name: 'product_name')
    get "/api/v1/settings/#{setting.id}", {}, @headers.merge('Authorization' => credentials)
    assert_response(401)
    result = JSON.parse(@response.body)
    assert_equal('Not authorized (user)!', result['error'])
  end

  test 'settings index with customer' do

    credentials = ActionController::HttpAuthentication::Basic.encode_credentials('setting-customer1@example.com', 'customer1pw')

    # index
    get '/api/v1/settings', {}, @headers.merge('Authorization' => credentials)
    assert_response(401)
    result = JSON.parse(@response.body)
    assert_equal(Hash, result.class)
    assert_not(result['settings'])
    assert_equal('Not authorized (user)!', result['error'])

    # show
    setting = Setting.find_by(name: 'product_name')
    get "/api/v1/settings/#{setting.id}", {}, @headers.merge('Authorization' => credentials)
    assert_response(401)
    result = JSON.parse(@response.body)
    assert_equal('Not authorized (user)!', result['error'])

    # delete
    setting = Setting.find_by(name: 'product_name')
    delete "/api/v1/settings/#{setting.id}", {}.to_json, @headers.merge('Authorization' => credentials)
    assert_response(401)
    result = JSON.parse(@response.body)
    assert_equal('Not authorized (user)!', result['error'])
  end

end