Home Explore Help
Sign In
SMusatov
/
zammad
mirror of https://github.com/zammad/zammad.git
1
0
Fork 0
Files
Branch: stable-4.1
Branches Tags
zammad
/
spec
/
requests
/
settings_spec.rb

settings_spec.rb 8.9 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253 
  1. require 'rails_helper'
    2. 

  2. 

  3. RSpec.describe 'Settings', type: :request do
    4. 

  4. 

  5.   let(:admin) do
    6. 

  6.     create(:admin)
    7. 

  7.   end
    8. 

  8.   let(:admin_api) do
    9. 

  9.     role_api = create(:role)
    10. 

  10.     role_api.permission_grant('admin.api')
    11. 

  11. 

  12.     create(:admin, roles: [role_api])
    13. 

  13.   end
    14. 

  14.   let(:agent) do
    15. 

  15.     create(:agent)
    16. 

  16.   end
    17. 

  17.   let(:customer) do
    18. 

  18.     create(:customer)
    19. 

  19.   end
    20. 

  20. 

  21.   describe 'request handling' do
    22. 

  22. 

  23.     it 'does settings index with nobody' do
    24. 

  24. 

  25.       # index
    26. 

  26.       get '/api/v1/settings', params: {}, as: :json
    27. 

  27.       expect(response).to have_http_status(:forbidden)
    28. 

  28.       expect(json_response).to be_a_kind_of(Hash)
    29. 

  29.       expect(json_response['settings']).to be_falsey
    30. 

  30. 

  31.       # show
    32. 

  32.       setting = Setting.find_by(name: 'product_name')
    33. 

  33.       get "/api/v1/settings/#{setting.id}", params: {}, as: :json
    34. 

  34.       expect(response).to have_http_status(:forbidden)
    35. 

  35.       expect(json_response['error']).to eq('Authentication required')
    36. 

  36.     end
    37. 

  37. 

  38.     it 'does settings index with admin' do
    39. 

  39. 

  40.       # index
    41. 

  41.       authenticated_as(admin)
    42. 

  42.       get '/api/v1/settings', params: {}, as: :json
    43. 

  43.       expect(response).to have_http_status(:ok)
    44. 

  44.       expect(json_response).to be_a_kind_of(Array)
    45. 

  45.       expect(json_response).to be_truthy
    46. 

  46.       hit_api = false
    47. 

  47.       hit_product_name = false
    48. 

  48.       json_response.each do |setting|
    49. 

  49.         if setting['name'] == 'api_token_access'
    50. 

  50.           hit_api = true
    51. 

  51.         end
    52. 

  52.         if setting['name'] == 'product_name'
    53. 

  53.           hit_product_name = true
    54. 

  54.         end
    55. 

  55.       end
    56. 

  56.       expect(hit_api).to eq(true)
    57. 

  57.       expect(hit_product_name).to eq(true)
    58. 

  58. 

  59.       # show
    60. 

  60.       setting = Setting.find_by(name: 'product_name')
    61. 

  61.       get "/api/v1/settings/#{setting.id}", params: {}, as: :json
    62. 

  62.       expect(response).to have_http_status(:ok)
    63. 

  63.       expect(json_response).to be_a_kind_of(Hash)
    64. 

  64.       expect(json_response['name']).to eq('product_name')
    65. 

  65. 

  66.       setting = Setting.find_by(name: 'api_token_access')
    67. 

  67.       get "/api/v1/settings/#{setting.id}", params: {}, as: :json
    68. 

  68.       expect(response).to have_http_status(:ok)
    69. 

  69.       expect(json_response).to be_a_kind_of(Hash)
    70. 

  70.       expect(json_response['name']).to eq('api_token_access')
    71. 

  71. 

  72.       # update
    73. 

  73.       setting = Setting.find_by(name: 'product_name')
    74. 

  74.       params = {
    75. 

  75.         id:          setting.id,
    76. 

  76.         name:        'some_new_name',
    77. 

  77.         preferences: {
    78. 

  78.           permission:   ['admin.branding', 'admin.some_new_permission'],
    79. 

  79.           some_new_key: true,
    80. 

  80.         }
    81. 

  81.       }
    82. 

  82.       put "/api/v1/settings/#{setting.id}", params: params, as: :json
    83. 

  83.       expect(response).to have_http_status(:ok)
    84. 

  84.       expect(json_response).to be_a_kind_of(Hash)
    85. 

  85.       expect(json_response['name']).to eq('product_name')
    86. 

  86.       expect(json_response['preferences']['permission'].length).to eq(1)
    87. 

  87.       expect(json_response['preferences']['permission'][0]).to eq('admin.branding')
    88. 

  88.       expect(json_response['preferences']['some_new_key']).to eq(true)
    89. 

  89. 

  90.       # update
    91. 

  91.       setting = Setting.find_by(name: 'api_token_access')
    92. 

  92.       params = {
    93. 

  93.         id:          setting.id,
    94. 

  94.         name:        'some_new_name',
    95. 

  95.         preferences: {
    96. 

  96.           permission:   ['admin.branding', 'admin.some_new_permission'],
    97. 

  97.           some_new_key: true,
    98. 

  98.         }
    99. 

  99.       }
    100. 

  100.       put "/api/v1/settings/#{setting.id}", params: params, as: :json
    101. 

  101.       expect(response).to have_http_status(:ok)
    102. 

  102.       expect(json_response).to be_a_kind_of(Hash)
    103. 

  103.       expect(json_response['name']).to eq('api_token_access')
    104. 

  104.       expect(json_response['preferences']['permission'].length).to eq(1)
    105. 

  105.       expect(json_response['preferences']['permission'][0]).to eq('admin.api')
    106. 

  106.       expect(json_response['preferences']['some_new_key']).to eq(true)
    107. 

  107. 

  108.       # delete
    109. 

  109.       setting = Setting.find_by(name: 'product_name')
    110. 

  110.       delete "/api/v1/settings/#{setting.id}", params: {}, as: :json
    111. 

  111.       expect(response).to have_http_status(:forbidden)
    112. 

  112.       expect(json_response['error']).to eq('Not authorized (feature not possible)')
    113. 

  113.     end
    114. 

  114. 

  115.     it 'does settings index with admin-api' do
    116. 

  116. 

  117.       # index
    118. 

  118.       authenticated_as(admin_api)
    119. 

  119.       get '/api/v1/settings', params: {}, as: :json
    120. 

  120.       expect(response).to have_http_status(:ok)
    121. 

  121.       expect(json_response).to be_a_kind_of(Array)
    122. 

  122.       expect(json_response).to be_truthy
    123. 

  123.       hit_api = false
    124. 

  124.       hit_product_name = false
    125. 

  125.       json_response.each do |setting|
    126. 

  126.         if setting['name'] == 'api_token_access'
    127. 

  127.           hit_api = true
    128. 

  128.         end
    129. 

  129.         if setting['name'] == 'product_name'
    130. 

  130.           hit_product_name = true
    131. 

  131.         end
    132. 

  132.       end
    133. 

  133.       expect(hit_api).to eq(true)
    134. 

  134.       expect(hit_product_name).to eq(false)
    135. 

  135. 

  136.       # show
    137. 

  137.       setting = Setting.find_by(name: 'product_name')
    138. 

  138.       get "/api/v1/settings/#{setting.id}", params: {}, as: :json
    139. 

  139.       expect(response).to have_http_status(:forbidden)
    140. 

  140.       expect(json_response['error']).to eq('Not authorized (required ["admin.branding"])!')
    141. 

  141. 

  142.       setting = Setting.find_by(name: 'api_token_access')
    143. 

  143.       get "/api/v1/settings/#{setting.id}", params: {}, as: :json
    144. 

  144.       expect(response).to have_http_status(:ok)
    145. 

  145.       expect(json_response).to be_a_kind_of(Hash)
    146. 

  146.       expect(json_response['name']).to eq('api_token_access')
    147. 

  147. 

  148.       # update
    149. 

  149.       setting = Setting.find_by(name: 'product_name')
    150. 

  150.       params = {
    151. 

  151.         id:          setting.id,
    152. 

  152.         name:        'some_new_name',
    153. 

  153.         preferences: {
    154. 

  154.           permission:   ['admin.branding', 'admin.some_new_permission'],
    155. 

  155.           some_new_key: true,
    156. 

  156.         }
    157. 

  157.       }
    158. 

  158.       put "/api/v1/settings/#{setting.id}", params: params, as: :json
    159. 

  159.       expect(response).to have_http_status(:forbidden)
    160. 

  160.       expect(json_response['error']).to eq('Not authorized (required ["admin.branding"])!')
    161. 

  161. 

  162.       # update
    163. 

  163.       setting = Setting.find_by(name: 'api_token_access')
    164. 

  164.       params = {
    165. 

  165.         id:          setting.id,
    166. 

  166.         name:        'some_new_name',
    167. 

  167.         preferences: {
    168. 

  168.           permission:   ['admin.branding', 'admin.some_new_permission'],
    169. 

  169.           some_new_key: true,
    170. 

  170.         }
    171. 

  171.       }
    172. 

  172.       put "/api/v1/settings/#{setting.id}", params: params, as: :json
    173. 

  173.       expect(response).to have_http_status(:ok)
    174. 

  174.       expect(json_response).to be_a_kind_of(Hash)
    175. 

  175.       expect(json_response['name']).to eq('api_token_access')
    176. 

  176.       expect(json_response['preferences']['permission'].length).to eq(1)
    177. 

  177.       expect(json_response['preferences']['permission'][0]).to eq('admin.api')
    178. 

  178.       expect(json_response['preferences']['some_new_key']).to eq(true)
    179. 

  179. 

  180.       # delete
    181. 

  181.       setting = Setting.find_by(name: 'product_name')
    182. 

  182.       delete "/api/v1/settings/#{setting.id}", params: {}, as: :json
    183. 

  183.       expect(response).to have_http_status(:forbidden)
    184. 

  184.       expect(json_response['error']).to eq('Not authorized (feature not possible)')
    185. 

  185.     end
    186. 

  186. 

  187.     it 'does settings index with agent' do
    188. 

  188. 

  189.       # index
    190. 

  190.       authenticated_as(agent)
    191. 

  191.       get '/api/v1/settings', params: {}, as: :json
    192. 

  192.       expect(response).to have_http_status(:forbidden)
    193. 

  193.       expect(json_response).to be_a_kind_of(Hash)
    194. 

  194.       expect(json_response['settings']).to be_falsey
    195. 

  195.       expect(json_response['error']).to eq('Not authorized (user)!')
    196. 

  196. 

  197.       # show
    198. 

  198.       setting = Setting.find_by(name: 'product_name')
    199. 

  199.       get "/api/v1/settings/#{setting.id}", params: {}, as: :json
    200. 

  200.       expect(response).to have_http_status(:forbidden)
    201. 

  201.       expect(json_response['error']).to eq('Not authorized (user)!')
    202. 

  202.     end
    203. 

  203. 

  204.     it 'does settings index with customer' do
    205. 

  205. 

  206.       # index
    207. 

  207.       authenticated_as(customer)
    208. 

  208.       get '/api/v1/settings', params: {}, as: :json
    209. 

  209.       expect(response).to have_http_status(:forbidden)
    210. 

  210.       expect(json_response).to be_a_kind_of(Hash)
    211. 

  211.       expect(json_response['settings']).to be_falsey
    212. 

  212.       expect(json_response['error']).to eq('Not authorized (user)!')
    213. 

  213. 

  214.       # show
    215. 

  215.       setting = Setting.find_by(name: 'product_name')
    216. 

  216.       get "/api/v1/settings/#{setting.id}", params: {}, as: :json
    217. 

  217.       expect(response).to have_http_status(:forbidden)
    218. 

  218.       expect(json_response['error']).to eq('Not authorized (user)!')
    219. 

  219. 

  220.       # delete
    221. 

  221.       setting = Setting.find_by(name: 'product_name')
    222. 

  222.       delete "/api/v1/settings/#{setting.id}", params: {}, as: :json
    223. 

  223.       expect(response).to have_http_status(:forbidden)
    224. 

  224.       expect(json_response['error']).to eq('Not authorized (user)!')
    225. 

  225.     end
    226. 

  226. 

  227.     it 'protected setting not existing in list' do
    228. 

  228.       authenticated_as(admin)
    229. 

  229.       get '/api/v1/settings', params: {}, as: :json
    230. 

  230.       expect(json_response.detect { |setting| setting['name'] == 'application_secret' }).to eq(nil)
    231. 

  231.     end
    232. 

  232. 

  233.     it 'can not show protected setting' do
    234. 

  234.       setting = Setting.find_by(name: 'application_secret')
    235. 

  235.       authenticated_as(admin)
    236. 

  236.       get "/api/v1/settings/#{setting.id}", params: {}, as: :json
    237. 

  237.       expect(response).to have_http_status(:forbidden)
    238. 

  238.     end
    239. 

  239. 

  240.     it 'can not update protected setting' do
    241. 

  241.       setting = Setting.find_by(name: 'application_secret')
    242. 

  242.       params = {
    243. 

  243.         id:    setting.id,
    244. 

  244.         state: 'Examaple'
    245. 

  245.       }
    246. 

  246.       put "/api/v1/settings/#{setting.id}", params: params, as: :json
    247. 

  247. 

  248.       authenticated_as(admin)
    249. 

  249.       put "/api/v1/settings/#{setting.id}", params: {}, as: :json
    250. 

  250.       expect(response).to have_http_status(:forbidden)
    251. 

  251.     end
    252. 

  252.   end
    253. 

  253. end
    254.