
  1. # Copyright (C) 2012-2022 Zammad Foundation, https://zammad-foundation.org/
  2. require 'rails_helper'
  3. RSpec.describe 'User', type: :request do
  4. describe 'request handling', searchindex: true do
  # Admin fixture used for most authenticated_as(admin) calls. No password is
  # set here; the BasicAuth examples use admin_with_pw instead.
  let!(:admin) do
    attributes = {
      groups:    Group.all,
      login:     'rest-admin',
      firstname: 'Rest',
      lastname:  'Agent',
      email:     'rest-admin@example.com',
    }
    create(:admin, **attributes)
  end
  # Admin with a known password ('adminpw'); the only fixture that can be used
  # for the HTTP BasicAuth examples (login or email + password).
  let!(:admin_with_pw) do
    attributes = {
      groups:    Group.all,
      login:     'rest-admin-pw',
      firstname: 'Rest',
      lastname:  'Agent',
      email:     'rest-admin-pw@example.com',
      password:  'adminpw',
    }
    create(:admin, **attributes)
  end
  # Agent with access to every group; login and email are the same address.
  let!(:agent) do
    attributes = {
      groups:    Group.all,
      login:     'rest-agent@example.com',
      firstname: 'Rest',
      lastname:  'Agent',
      email:     'rest-agent@example.com',
    }
    create(:agent, **attributes)
  end
  # Customer without an organization; its email is reused below to check that
  # anonymous signup does not reveal that the address is already taken.
  let!(:customer) do
    attributes = {
      login:     'rest-customer1@example.com',
      firstname: 'Rest',
      lastname:  'Customer1',
      email:     'rest-customer1@example.com',
    }
    create(:customer, **attributes)
  end
  # Organization shared by customer2 and customer_inactive.
  let!(:organization) { create(:organization, name: 'Rest Org') }
  # Additional organization (no members in this chunk).
  let!(:organization2) { create(:organization, name: 'Rest Org #2') }
  # Additional organization (no members in this chunk).
  let!(:organization3) { create(:organization, name: 'Rest Org #3') }
  # Second customer, member of `organization`; used as the "other customer"
  # whose record a customer must not be able to read.
  let!(:customer2) do
    attributes = {
      organization: organization,
      login:        'rest-customer2@example.com',
      firstname:    'Rest',
      lastname:     'Customer2',
      email:        'rest-customer2@example.com',
    }
    create(:customer, **attributes)
  end
  # Deactivated customer; the search examples check that its `inactive` flag
  # is reported in the term-search result.
  let!(:customer_inactive) do
    attributes = {
      organization: organization,
      login:        'rest-customer_inactive@example.com',
      firstname:    'Rest',
      lastname:     'CustomerInactive',
      email:        'rest-customer_inactive@example.com',
      active:       false,
    }
    create(:customer, **attributes)
  end
  # The enclosing describe tags every example with searchindex: true, so a
  # fresh Elasticsearch index is rebuilt before each one; untagged examples
  # (if any are added) skip the rebuild.
  before do |example|
    next unless example.metadata[:searchindex]

    configure_elasticsearch(rebuild: true)
  end
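  # Anonymous self-signup through POST /api/v1/users (no session, CSRF token
  # only). Pins the security-relevant behaviour of that path:
  #   - disabled feature flag rejects the request regardless of token transport
  #   - a password is mandatory for signup
  #   - an already registered address still answers 201 ("pretend" success),
  #     presumably so the endpoint cannot be used for account enumeration
  #   - role_ids sent by the caller are ignored; the account is always a Customer
  #   - without a session, index and /me are refused
  # The duplicated "email missing" request of the original was removed; it
  # repeated the same params and assertions verbatim.
  it 'does user create tests - no user' do
    post '/api/v1/signshow', params: {}, as: :json

    # self-registration disabled
    Setting.set('user_create_account', false)
    token = @response.headers['CSRF-TOKEN']

    # CSRF token supplied as a form field
    params = { email: 'some_new_customer@example.com', signup: true, authenticity_token: token }
    post '/api/v1/users', params: params, as: :json
    expect(response).to have_http_status(:unprocessable_entity)
    expect(json_response['error']).to be_truthy
    expect(json_response['error']).to eq('Feature not enabled!')

    # CSRF token supplied as a header (used for the rest of the example)
    headers = { 'X-CSRF-Token' => token }
    params = { email: 'some_new_customer@example.com', signup: true }
    post '/api/v1/users', params: params, headers: headers, as: :json
    expect(response).to have_http_status(:unprocessable_entity)
    expect(json_response['error']).to be_truthy
    expect(json_response['error']).to eq('Feature not enabled!')

    Setting.set('user_create_account', true)

    # signup without a password is rejected
    params = { email: 'some_new_customer@example.com', signup: true }
    post '/api/v1/users', params: params, headers: headers, as: :json
    expect(response).to have_http_status(:unprocessable_entity)
    expect(json_response['error']).to be_truthy

    # already registered address: the API pretends the signup succeeded, so
    # an anonymous caller cannot distinguish known from unknown addresses
    params = { email: 'rest-customer1@example.com', password: 'asd1ASDasd!', signup: true }
    post '/api/v1/users', params: params, headers: headers, as: :json
    expect(response).to have_http_status(:created)
    expect(json_response).to be_truthy

    # email is mandatory for signup
    params = { firstname: 'some firstname', signup: true }
    post '/api/v1/users', params: params, headers: headers, as: :json
    expect(response).to have_http_status(:unprocessable_entity)
    expect(json_response['error']).to be_truthy
    expect(json_response['error']).to eq('Attribute \'email\' required!')

    # successful signup yields exactly the Customer role
    params = { firstname: 'Me First', lastname: 'Me Last', email: 'new_here@example.com', password: '1asdASDasd', signup: true }
    post '/api/v1/users', params: params, headers: headers, as: :json
    expect(response).to have_http_status(:created)
    expect(json_response).to be_truthy
    expect(json_response['message']).to eq('ok')
    user = User.find_by email: 'new_here@example.com'
    expect(user).not_to be_role('Admin')
    expect(user).not_to be_role('Agent')
    expect(user).to be_role('Customer')

    # requesting the Admin role on signup: accepted (201) but the role_ids are
    # dropped, so mass assignment cannot escalate privileges
    role = Role.lookup(name: 'Admin')
    params = { firstname: 'Admin First', lastname: 'Admin Last', email: 'new_admin@example.com', role_ids: [ role.id ], signup: true, password: '1asdASDasd' }
    post '/api/v1/users', params: params, headers: headers, as: :json
    expect(response).to have_http_status(:created)
    expect(json_response).to be_truthy
    user = User.find_by email: 'new_admin@example.com'
    expect(user).not_to be_role('Admin')
    expect(user).not_to be_role('Agent')
    expect(user).to be_role('Customer')

    # same for the Agent role
    role = Role.lookup(name: 'Agent')
    params = { firstname: 'Agent First', lastname: 'Agent Last', email: 'new_agent@example.com', role_ids: [ role.id ], signup: true, password: '1asdASDasd' }
    post '/api/v1/users', params: params, headers: headers, as: :json
    expect(response).to have_http_status(:created)
    expect(json_response).to be_truthy
    user = User.find_by email: 'new_agent@example.com'
    expect(user).not_to be_role('Admin')
    expect(user).not_to be_role('Agent')
    expect(user).to be_role('Customer')

    # no session: a CSRF token alone does not authenticate
    get '/api/v1/users', params: {}, headers: headers, as: :json
    expect(response).to have_http_status(:forbidden)
    expect(json_response['error']).to eq('Authentication required')

    get '/api/v1/users/me', params: {}, headers: headers, as: :json
    expect(response).to have_http_status(:forbidden)
    expect(json_response['error']).to eq('Authentication required')
  end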
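  # Password policy enforcement on user creation.
  # NOTE(review): `headers` is not defined by a `let` in this context; it is
  # assumed to resolve to a helper from the spec support code — confirm.
  context 'password security' do
    # Anonymous signup must satisfy the policy: a weak password is rejected
    # and the error list names the password.
    it 'verified with no current user' do
      params = { email: 'some_new_customer@example.com', password: 'asdasdasdasd', signup: true }
      post '/api/v1/users', params: params, headers: headers, as: :json
      expect(response).to have_http_status(:unprocessable_entity)
      expect(json_response['error']).to be_a(Array).and(include(match(%r{Invalid password})))
    end

    # When an authenticated admin creates the account the policy is not
    # applied: a three-character password is accepted. Worth knowing when
    # provisioning accounts through the API — the initial password set this
    # way is not checked. (Previously this example carried the same
    # description as the one above, which hid the contrast.)
    it 'not verified when an admin creates the user', authenticated_as: :admin do
      params = { email: 'some_new_customer@example.com', password: 'asd' }
      post '/api/v1/users', params: params, headers: headers, as: :json
      expect(response).to have_http_status(:created)
    end
  end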
  # BasicAuth with an unknown login. The error text is the same generic
  # message returned for a wrong password in the following examples, so the
  # endpoint does not reveal which accounts exist.
  it 'does auth tests - not existing user' do
    authenticated_as(nil, login: 'not_existing@example.com', password: 'adminpw')

    %w[/api/v1/users/me /api/v1/users].each do |path|
      get path, params: {}, as: :json
      expect(response).to have_http_status(:unauthorized)
      expect(json_response['error']).to eq('Invalid BasicAuth credentials')
    end
  end
  # Existing login, wrong password: generic 401, no hint that the user exists.
  it 'does auth tests - username auth, wrong pw' do
    authenticated_as(admin, password: 'not_existing')

    get '/api/v1/users', params: {}, as: :json
    expect(response).to have_http_status(401)
    expect(json_response).to include('error' => 'Invalid BasicAuth credentials')
  end
  # Existing email as login, wrong password: same generic 401 as above.
  it 'does auth tests - email auth, wrong pw' do
    authenticated_as(nil, login: 'rest-admin@example.com', password: 'not_existing')

    get '/api/v1/users', params: {}, as: :json
    expect(response).to have_http_status(401)
    expect(json_response).to include('error' => 'Invalid BasicAuth credentials')
  end
  # BasicAuth by login name with the correct password grants access to the index.
  it 'does auth tests - username auth' do
    authenticated_as(nil, login: 'rest-admin-pw', password: 'adminpw')

    get '/api/v1/users', params: {}, as: :json
    expect(response).to have_http_status(200)
    expect(json_response).to be_truthy
  end
  # BasicAuth by email address with the correct password grants access as well.
  it 'does auth tests - email auth' do
    authenticated_as(nil, login: 'rest-admin-pw@example.com', password: 'adminpw')

    get '/api/v1/users', params: {}, as: :json
    expect(response).to have_http_status(200)
    expect(json_response).to be_truthy
  end
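  # User listing and creation as an admin: the admin sees every user, may
  # read any record and may assign the privileged Admin/Agent roles. Also
  # pins name splitting, the generated 'auto-' login and the validation
  # errors. The original issued the index request twice with a subset of
  # the same assertions; the redundant first call was dropped.
  it 'does user index and create with admin' do
    authenticated_as(admin)

    # /me returns the authenticated account
    get '/api/v1/users/me', params: {}, as: :json
    expect(response).to have_http_status(:ok)
    expect(json_response).to be_truthy
    expect(json_response['email']).to eq('rest-admin@example.com')

    # index: the whole user list (at least the fixtures)
    get '/api/v1/users', params: {}, as: :json
    expect(response).to have_http_status(:ok)
    expect(json_response).to be_truthy
    expect(Array).to eq(json_response.class)
    expect(json_response.length >= 3).to be_truthy

    # show/:id: agents and customers are readable
    get "/api/v1/users/#{agent.id}", params: {}, as: :json
    expect(response).to have_http_status(:ok)
    expect(json_response).to be_truthy
    expect(Hash).to eq(json_response.class)
    expect(json_response['email']).to eq('rest-agent@example.com')

    get "/api/v1/users/#{customer.id}", params: {}, as: :json
    expect(response).to have_http_status(:ok)
    expect(json_response).to be_truthy
    expect(Hash).to eq(json_response.class)
    expect(json_response['email']).to eq('rest-customer1@example.com')

    # create user with admin role: an admin may grant privileged roles
    role = Role.lookup(name: 'Admin')
    params = { firstname: 'Admin First', lastname: 'Admin Last', email: 'new_admin_by_admin@example.com', role_ids: [ role.id ] }
    post '/api/v1/users', params: params, as: :json
    expect(response).to have_http_status(:created)
    expect(json_response).to be_truthy
    user = User.find(json_response['id'])
    expect(user).to be_role('Admin')
    expect(user).not_to be_role('Agent')
    expect(user).not_to be_role('Customer')
    expect(json_response['login']).to eq('new_admin_by_admin@example.com')
    expect(json_response['email']).to eq('new_admin_by_admin@example.com')

    # create user with agent role
    role = Role.lookup(name: 'Agent')
    params = { firstname: 'Agent First', lastname: 'Agent Last', email: 'new_agent_by_admin1@example.com', role_ids: [ role.id ] }
    post '/api/v1/users', params: params, as: :json
    expect(response).to have_http_status(:created)
    expect(json_response).to be_truthy
    user = User.find(json_response['id'])
    expect(user).not_to be_role('Admin')
    expect(user).to be_role('Agent')
    expect(user).not_to be_role('Customer')
    expect(json_response['login']).to eq('new_agent_by_admin1@example.com')
    expect(json_response['email']).to eq('new_agent_by_admin1@example.com')

    # no lastname given: 'Agent First' is split into firstname 'Agent', lastname 'First'
    params = { firstname: 'Agent First', email: 'new_agent_by_admin2@example.com', role_ids: [ role.id ] }
    post '/api/v1/users', params: params, as: :json
    expect(response).to have_http_status(:created)
    expect(json_response).to be_truthy
    user = User.find(json_response['id'])
    expect(user).not_to be_role('Admin')
    expect(user).to be_role('Agent')
    expect(user).not_to be_role('Customer')
    expect(json_response['login']).to eq('new_agent_by_admin2@example.com')
    expect(json_response['email']).to eq('new_agent_by_admin2@example.com')
    expect(json_response['firstname']).to eq('Agent')
    expect(json_response['lastname']).to eq('First')

    # same address again: explicit duplicate error. Unlike anonymous signup
    # this discloses that the address exists, which is acceptable here because
    # the caller is an authenticated admin who can list every user anyway.
    params = { firstname: 'Agent First', email: 'new_agent_by_admin2@example.com', role_ids: [ role.id ] }
    post '/api/v1/users', params: params, as: :json
    expect(response).to have_http_status(:unprocessable_entity)
    expect(json_response).to be_truthy
    expect(json_response['error']).to eq("Email address 'new_agent_by_admin2@example.com' is already used for other user.")

    # no identifying attribute at all
    params = { note: 'some note' }
    post '/api/v1/users', params: params, as: :json
    expect(response).to have_http_status(:unprocessable_entity)
    expect(json_response).to be_truthy
    expect(json_response['error']).to eq('At least one identifier (firstname, lastname, phone or email) for user is required.')

    # malformed email is rejected
    params = { firstname: 'newfirstname123', email: 'some_what', note: 'some note' }
    post '/api/v1/users', params: params, as: :json
    expect(response).to have_http_status(:unprocessable_entity)
    expect(json_response).to be_truthy
    expect(json_response['error']).to eq("Invalid email 'some_what'")

    # firstname only: Customer role, generated 'auto-' login, empty email/lastname
    params = { firstname: 'newfirstname123', note: 'some note' }
    post '/api/v1/users', params: params, as: :json
    expect(response).to have_http_status(:created)
    expect(json_response).to be_truthy
    user = User.find(json_response['id'])
    expect(user).not_to be_role('Admin')
    expect(user).not_to be_role('Agent')
    expect(user).to be_role('Customer')
    expect(json_response['login']).to be_start_with('auto-')
    expect(json_response['email']).to eq('')
    expect(json_response['firstname']).to eq('newfirstname123')
    expect(json_response['lastname']).to eq('')
  end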
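  # User listing, creation and search as an agent. Security-relevant points:
  #   - an agent requesting the Admin or Agent role for a new user gets 201,
  #     but the privileged role_ids are dropped and the account is a Customer
  #     (silent downgrade rather than an explicit 403; the test pins that)
  #   - search output exposes role_ids, and `roles` only with expand=true
  # Also covers index pagination, the #2539 search pagination regression and
  # the role_ids/permissions search filters. The original issued the index
  # request twice with a subset of the same assertions; the redundant first
  # call was dropped.
  it 'does user index and create with agent' do
    authenticated_as(agent)

    # /me returns the authenticated account
    get '/api/v1/users/me', params: {}, as: :json
    expect(response).to have_http_status(:ok)
    expect(json_response).to be_truthy
    expect(json_response['email']).to eq('rest-agent@example.com')

    # index: agents see the full list too
    get '/api/v1/users', params: {}, as: :json
    expect(response).to have_http_status(:ok)
    expect(json_response).to be_truthy
    expect(Array).to eq(json_response.class)
    expect(json_response.length >= 3).to be_truthy

    # pagination: per_page=2 walks the users in id order
    get '/api/v1/users?limit=40&page=1&per_page=2', params: {}, as: :json
    expect(response).to have_http_status(:ok)
    expect(json_response).to be_a_kind_of(Array)
    users = User.order(:id).limit(2)
    expect(json_response[0]['id']).to eq(users[0].id)
    expect(json_response[1]['id']).to eq(users[1].id)
    expect(json_response.count).to eq(2)

    get '/api/v1/users?limit=40&page=2&per_page=2', params: {}, as: :json
    expect(response).to have_http_status(:ok)
    expect(json_response).to be_a_kind_of(Array)
    users = User.order(:id).limit(4)
    expect(json_response[0]['id']).to eq(users[2].id)
    expect(json_response[1]['id']).to eq(users[3].id)
    expect(json_response.count).to eq(2)

    # create user with admin role: accepted, but created as a plain Customer
    firstname = "First test#{SecureRandom.uuid}"
    role = Role.lookup(name: 'Admin')
    params = { firstname: "Admin#{firstname}", lastname: 'Admin Last', email: 'new_admin_by_agent@example.com', role_ids: [ role.id ] }
    post '/api/v1/users', params: params, as: :json
    expect(response).to have_http_status(:created)
    # snapshot of this response; json_response presumably follows the latest request
    json_response1 = JSON.parse(@response.body)
    expect(json_response1).to be_truthy
    user = User.find(json_response1['id'])
    expect(user).not_to be_role('Admin')
    expect(user).not_to be_role('Agent')
    expect(user).to be_role('Customer')
    expect(json_response1['login']).to eq('new_admin_by_agent@example.com')
    expect(json_response1['email']).to eq('new_admin_by_agent@example.com')

    # create user with agent role: same downgrade to Customer
    role = Role.lookup(name: 'Agent')
    params = { firstname: "Agent#{firstname}", lastname: 'Agent Last', email: 'new_agent_by_agent@example.com', role_ids: [ role.id ] }
    post '/api/v1/users', params: params, as: :json
    expect(response).to have_http_status(:created)
    json_response1 = JSON.parse(@response.body)
    expect(json_response1).to be_truthy
    user = User.find(json_response1['id'])
    expect(user).not_to be_role('Admin')
    expect(user).not_to be_role('Agent')
    expect(user).to be_role('Customer')
    expect(json_response1['login']).to eq('new_agent_by_agent@example.com')
    expect(json_response1['email']).to eq('new_agent_by_agent@example.com')

    # create user with customer role: the role an agent is allowed to grant
    role = Role.lookup(name: 'Customer')
    params = { firstname: "Customer#{firstname}", lastname: 'Customer Last', email: 'new_customer_by_agent@example.com', role_ids: [ role.id ] }
    post '/api/v1/users', params: params, as: :json
    expect(response).to have_http_status(:created)
    json_response1 = JSON.parse(@response.body)
    expect(json_response1).to be_truthy
    user = User.find(json_response1['id'])
    expect(user).not_to be_role('Admin')
    expect(user).not_to be_role('Agent')
    expect(user).to be_role('Customer')
    expect(json_response1['login']).to eq('new_customer_by_agent@example.com')
    expect(json_response1['email']).to eq('new_customer_by_agent@example.com')

    # search as agent: index the new users first
    Scheduler.worker(true)
    sleep 2 # let es time to come ready (fixed delay — a flakiness risk under load)

    # plain query: role_ids are present, expanded roles are not
    get "/api/v1/users/search?query=#{CGI.escape("Customer#{firstname}")}", params: {}, as: :json
    expect(response).to have_http_status(:ok)
    expect(json_response).to be_a_kind_of(Array)
    expect(json_response[0]['id']).to eq(json_response1['id'])
    expect(json_response[0]['firstname']).to eq("Customer#{firstname}")
    expect(json_response[0]['lastname']).to eq('Customer Last')
    expect(json_response[0]['role_ids']).to be_truthy
    expect(json_response[0]['roles']).to be_falsey

    # expand=true adds the roles
    get "/api/v1/users/search?query=#{CGI.escape("Customer#{firstname}")}&expand=true", params: {}, as: :json
    expect(response).to have_http_status(:ok)
    expect(json_response).to be_a_kind_of(Array)
    expect(json_response[0]['id']).to eq(json_response1['id'])
    expect(json_response[0]['firstname']).to eq("Customer#{firstname}")
    expect(json_response[0]['lastname']).to eq('Customer Last')
    expect(json_response[0]['role_ids']).to be_truthy
    expect(json_response[0]['roles']).to be_truthy

    # label=true: label/value pairs only, no role information
    get "/api/v1/users/search?query=#{CGI.escape("Customer#{firstname}")}&label=true", params: {}, as: :json
    expect(response).to have_http_status(:ok)
    expect(json_response).to be_a_kind_of(Array)
    expect(json_response[0]['id']).to eq(json_response1['id'])
    expect(json_response[0]['label']).to eq("Customer#{firstname} Customer Last <new_customer_by_agent@example.com>")
    expect(json_response[0]['value']).to eq("Customer#{firstname} Customer Last <new_customer_by_agent@example.com>")
    expect(json_response[0]['role_ids']).to be_falsey
    expect(json_response[0]['roles']).to be_falsey

    # term=: value is the bare email, plus the inactive flag
    get "/api/v1/users/search?term=#{CGI.escape("Customer#{firstname}")}", params: {}, as: :json
    expect(response).to have_http_status(:ok)
    expect(json_response).to be_a_kind_of(Array)
    expect(json_response[0]['id']).to eq(json_response1['id'])
    expect(json_response[0]['label']).to eq("Customer#{firstname} Customer Last <new_customer_by_agent@example.com>")
    expect(json_response[0]['value']).to eq('new_customer_by_agent@example.com')
    expect(json_response[0]['inactive']).to be(false)
    expect(json_response[0]['role_ids']).to be_falsey
    expect(json_response[0]['roles']).to be_falsey

    get "/api/v1/users/search?term=#{CGI.escape('CustomerInactive')}", params: {}, as: :json
    expect(response).to have_http_status(:ok)
    expect(json_response).to be_a_kind_of(Array)
    expect(json_response[0]['inactive']).to be(true)

    # Regression test for issue #2539 - search pagination broken in users_controller.rb
    # Get the total number of users N, then search with one result per page, so there should N pages with one result each
    get '/api/v1/users/search', params: { query: '*' }, as: :json
    total_number = json_response.count
    (1..total_number).each do |i|
      get '/api/v1/users/search', params: { query: '*', per_page: 1, page: i }, as: :json
      expect(response).to have_http_status(:ok)
      expect(json_response).to be_a_kind_of(Array)
      expect(json_response.count).to eq(1), "Page #{i}/#{total_number} of the user search pagination test have the wrong result!"
    end

    # role_ids filter: the new customer is not an agent ...
    role = Role.find_by(name: 'Agent')
    get "/api/v1/users/search?query=#{CGI.escape("Customer#{firstname}")}&role_ids=#{role.id}&label=true", params: {}, as: :json
    expect(response).to have_http_status(:ok)
    expect(json_response).to be_a_kind_of(Array)
    expect(json_response.count).to eq(0)

    # ... but is found with the Customer role
    role = Role.find_by(name: 'Customer')
    get "/api/v1/users/search?query=#{CGI.escape("Customer#{firstname}")}&role_ids=#{role.id}&label=true", params: {}, as: :json
    expect(response).to have_http_status(:ok)
    expect(json_response).to be_a_kind_of(Array)
    expect(json_response[0]['id']).to eq(json_response1['id'])
    expect(json_response[0]['label']).to eq("Customer#{firstname} Customer Last <new_customer_by_agent@example.com>")
    expect(json_response[0]['value']).to eq("Customer#{firstname} Customer Last <new_customer_by_agent@example.com>")
    expect(json_response[0]['role_ids']).to be_falsey
    expect(json_response[0]['roles']).to be_falsey

    # permissions filter behaves the same way
    permission = Permission.find_by(name: 'ticket.agent')
    get "/api/v1/users/search?query=#{CGI.escape("Customer#{firstname}")}&permissions=#{permission.name}&label=true", params: {}, as: :json
    expect(response).to have_http_status(:ok)
    expect(json_response).to be_a_kind_of(Array)
    expect(json_response.count).to eq(0)

    permission = Permission.find_by(name: 'ticket.customer')
    get "/api/v1/users/search?query=#{CGI.escape("Customer#{firstname}")}&permissions=#{permission.name}&label=true", params: {}, as: :json
    expect(response).to have_http_status(:ok)
    expect(json_response).to be_a_kind_of(Array)
    expect(json_response[0]['id']).to eq(json_response1['id'])
    expect(json_response[0]['label']).to eq("Customer#{firstname} Customer Last <new_customer_by_agent@example.com>")
    expect(json_response[0]['value']).to eq("Customer#{firstname} Customer Last <new_customer_by_agent@example.com>")
    expect(json_response[0]['role_ids']).to be_falsey
    expect(json_response[0]['roles']).to be_falsey
  end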
  # Authorization boundary for a customer: only the own record is listed and
  # readable (another customer's id is forbidden — object-level authorization),
  # creating privileged users is forbidden outright rather than downgraded as
  # for agents, and search is not available.
  it 'does user index and create with customer1' do
    authenticated_as(customer)

    # /me
    get '/api/v1/users/me', params: {}, as: :json
    expect(response).to have_http_status(:ok)
    expect(json_response).to be_truthy
    expect(json_response['email']).to eq('rest-customer1@example.com')

    # index: exactly the own record
    get '/api/v1/users', params: {}, as: :json
    expect(response).to have_http_status(:ok)
    expect(json_response).to be_an(Array)
    expect(json_response.length).to eq(1)

    # show/:id: own record
    get "/api/v1/users/#{customer.id}", params: {}, as: :json
    expect(response).to have_http_status(:ok)
    expect(json_response).to be_a(Hash)
    expect(json_response['email']).to eq('rest-customer1@example.com')

    # show/:id: another customer
    get "/api/v1/users/#{customer2.id}", params: {}, as: :json
    expect(response).to have_http_status(:forbidden)
    expect(json_response).to be_a(Hash)
    expect(json_response['error']).to be_truthy

    # create user with admin / agent role
    privileged = {
      'Admin' => 'new_admin_by_customer1@example.com',
      'Agent' => 'new_agent_by_customer1@example.com',
    }
    privileged.each do |role_name, email|
      role = Role.lookup(name: role_name)
      params = { firstname: "#{role_name} First", lastname: "#{role_name} Last", email: email, role_ids: [ role.id ] }
      post '/api/v1/users', params: params, as: :json
      expect(response).to have_http_status(:forbidden)
    end

    # search
    Scheduler.worker(true)
    get "/api/v1/users/search?query=#{CGI.escape('First')}", params: {}, as: :json
    expect(response).to have_http_status(:forbidden)
  end
  # Same boundary checked from the other customer's side: customer2 lists and
  # reads only itself, customer1's record is forbidden, search is forbidden.
  it 'does user index with customer2' do
    authenticated_as(customer2)

    # /me
    get '/api/v1/users/me', params: {}, as: :json
    expect(response).to have_http_status(:ok)
    expect(json_response).to be_truthy
    expect(json_response['email']).to eq('rest-customer2@example.com')

    # index: exactly the own record
    get '/api/v1/users', params: {}, as: :json
    expect(response).to have_http_status(:ok)
    expect(json_response).to be_an(Array)
    expect(json_response.length).to eq(1)

    # show/:id: own record ok, the other customer forbidden
    get "/api/v1/users/#{customer2.id}", params: {}, as: :json
    expect(response).to have_http_status(:ok)
    expect(json_response).to be_a(Hash)
    expect(json_response['email']).to eq('rest-customer2@example.com')

    get "/api/v1/users/#{customer.id}", params: {}, as: :json
    expect(response).to have_http_status(:forbidden)
    expect(json_response).to be_a(Hash)
    expect(json_response['error']).to be_truthy

    # search
    Scheduler.worker(true)
    get "/api/v1/users/search?query=#{CGI.escape('First')}", params: {}, as: :json
    expect(response).to have_http_status(:forbidden)
  end
  it 'does users show and response format (04.01)' do
    user = create(
      :customer,
      login:         'rest-customer3@example.com',
      firstname:     'Rest',
      lastname:      'Customer3',
      email:         'rest-customer3@example.com',
      password:      'customer3pw',
      active:        true,
      organization:  organization,
      updated_by_id: admin.id,
      created_by_id: admin.id,
    )
    authenticated_as(admin)

    # Fetches /users/:id with the given query string and checks the fields
    # shared by every non-asset representation of the record.
    fetch_and_check_common = lambda do |query|
      get "/api/v1/users/#{user.id}#{query}", params: {}, as: :json
      expect(response).to have_http_status(:ok)
      expect(json_response).to be_a_kind_of(Hash)
      expect(json_response['id']).to eq(user.id)
      expect(json_response['firstname']).to eq(user.firstname)
      expect(json_response['organization_id']).to eq(user.organization_id)
      expect(json_response['role_ids']).to eq(user.role_ids)
      expect(json_response['password']).to be_falsey
      expect(json_response['updated_by_id']).to eq(admin.id)
      expect(json_response['created_by_id']).to eq(admin.id)
    end

    # plain representation (default, expand=false, full=false): the
    # organization name is not inlined
    ['', '?expand=false', '?full=false'].each do |query|
      fetch_and_check_common.call(query)
      expect(json_response['organization']).to be_falsey
    end

    # expand=true inlines the organization name
    fetch_and_check_common.call('?expand=true')
    expect(json_response['organization']).to eq(user.organization.name)

    # full=true wraps the record in an assets bundle keyed by stringified id
    get "/api/v1/users/#{user.id}?full=true", params: {}, as: :json
    expect(response).to have_http_status(:ok)
    expect(json_response).to be_a_kind_of(Hash)
    expect(json_response['id']).to eq(user.id)
    expect(json_response['assets']).to be_truthy
    expect(json_response['assets']['User']).to be_truthy
    user_asset = json_response['assets']['User'][user.id.to_s]
    expect(user_asset).to be_truthy
    expect(user_asset['id']).to eq(user.id)
    expect(user_asset['firstname']).to eq(user.firstname)
    expect(user_asset['organization_id']).to eq(user.organization_id)
    expect(user_asset['role_ids']).to eq(user.role_ids)
  end
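  it 'does user index and response format (04.02)' do
    user = create(
      :customer,
      login:         'rest-customer3@example.com',
      firstname:     'Rest',
      lastname:      'Customer3',
      email:         'rest-customer3@example.com',
      password:      'customer3pw',
      active:        true,
      organization:  organization,
      updated_by_id: admin.id,
      created_by_id: admin.id,
    )
    authenticated_as(admin)

    # Lists /users with the given query string and checks the fields shared
    # by every list representation; the newly created user is expected last.
    # Class checks use be_an_instance_of instead of comparing `.class`, in
    # line with the matcher style of the surrounding examples.
    list_and_check_common = lambda do |query|
      get "/api/v1/users#{query}", params: {}, as: :json
      expect(response).to have_http_status(:ok)
      expect(json_response).to be_a_kind_of(Array)
      expect(json_response.first).to be_an_instance_of(Hash)
      expect(json_response.last['id']).to eq(user.id)
      expect(json_response.last['lastname']).to eq(user.lastname)
      expect(json_response.last['organization_id']).to eq(user.organization_id)
      expect(json_response.last['password']).to be_falsey
      expect(json_response.last['updated_by_id']).to eq(admin.id)
      expect(json_response.last['created_by_id']).to eq(admin.id)
    end

    # plain list (default, expand=false, full=false): organization name is
    # not inlined, role_ids are present
    ['', '?expand=false', '?full=false'].each do |query|
      list_and_check_common.call(query)
      expect(json_response.last['organization']).to be_falsey
      expect(json_response.last['role_ids']).to eq(user.role_ids)
    end

    # expand=true inlines the organization name
    list_and_check_common.call('?expand=true')
    expect(json_response.last['organization']).to eq(user.organization.name)

    # full=true returns record ids plus an assets bundle instead of a list
    get '/api/v1/users?full=true', params: {}, as: :json
    expect(response).to have_http_status(:ok)
    expect(json_response).to be_a_kind_of(Hash)
    expect(json_response['record_ids']).to be_an_instance_of(Array)
    # NOTE(review): relies on the first listed user having id 1 — confirm against the fixtures
    expect(json_response['record_ids'][0]).to eq(1)
    expect(json_response['record_ids'].last).to eq(user.id)
    expect(json_response['assets']).to be_truthy
    expect(json_response['assets']['User']).to be_truthy
    user_asset = json_response['assets']['User'][user.id.to_s]
    expect(user_asset).to be_truthy
    expect(user_asset['id']).to eq(user.id)
    expect(user_asset['lastname']).to eq(user.lastname)
    expect(user_asset['organization_id']).to eq(user.organization_id)
    expect(user_asset['password']).to be_falsey
  end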
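  it 'does user create and response format (04.03)' do
    # Description fixed: the example exercises POST /api/v1/users, not tickets.
    # The local is named so it does not shadow the `organization` let used by
    # the other examples in this file.
    first_organization = Organization.first
    params = {
      firstname:    'newfirstname123',
      note:         'some note',
      organization: first_organization.name,
    }
    authenticated_as(admin)

    # Creates a user with the given query string and checks the fields every
    # non-asset create response carries. Returns the created record.
    create_and_check_common = lambda do |query|
      post "/api/v1/users#{query}", params: params, as: :json
      expect(response).to have_http_status(:created)
      expect(json_response).to be_a_kind_of(Hash)
      created = User.find(json_response['id'])
      expect(json_response['firstname']).to eq(created.firstname)
      expect(json_response['organization_id']).to eq(created.organization_id)
      expect(json_response['password']).to be_falsey
      expect(json_response['updated_by_id']).to eq(admin.id)
      expect(json_response['created_by_id']).to eq(admin.id)
      created
    end

    # plain representation: the organization name is not inlined
    create_and_check_common.call('')
    expect(json_response['organization']).to be_falsey

    # expand=true inlines the organization name
    user = create_and_check_common.call('?expand=true')
    expect(json_response['organization']).to eq(user.organization.name)

    # full=true returns an assets bundle holding the new user and the admin
    # who created it; neither asset may expose a password field
    post '/api/v1/users?full=true', params: params, as: :json
    expect(response).to have_http_status(:created)
    expect(json_response).to be_a_kind_of(Hash)
    user = User.find(json_response['id'])
    expect(json_response['assets']).to be_truthy
    expect(json_response['assets']['User']).to be_truthy
    [user, admin].each do |record|
      asset = json_response['assets']['User'][record.id.to_s]
      expect(asset).to be_truthy
      expect(asset['id']).to eq(record.id)
      expect(asset['firstname']).to eq(record.firstname)
      expect(asset['lastname']).to eq(record.lastname)
      expect(asset['password']).to be_falsey
    end
  end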
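  it 'does user update and response formats (04.04)' do
    # Description fixed: the example exercises PUT /api/v1/users/:id, not tickets.
    user = create(
      :customer,
      login:         'rest-customer3@example.com',
      firstname:     'Rest',
      lastname:      'Customer3',
      email:         'rest-customer3@example.com',
      password:      'customer3pw',
      active:        true,
      organization:  organization,
      updated_by_id: admin.id,
      created_by_id: admin.id,
    )
    authenticated_as(admin)

    # Updates the firstname via PUT with the given query string and checks the
    # fields every non-asset update response carries. Returns the reloaded record.
    update_and_check_common = lambda do |query, firstname|
      put "/api/v1/users/#{user.id}#{query}", params: { firstname: firstname }, as: :json
      expect(response).to have_http_status(:ok)
      expect(json_response).to be_a_kind_of(Hash)
      updated = User.find(json_response['id'])
      expect(json_response['lastname']).to eq(updated.lastname)
      expect(json_response['firstname']).to eq(firstname)
      expect(json_response['organization_id']).to eq(updated.organization_id)
      expect(json_response['password']).to be_falsey
      expect(json_response['updated_by_id']).to eq(admin.id)
      expect(json_response['created_by_id']).to eq(admin.id)
      updated
    end

    # plain representation: the organization name is not inlined
    update_and_check_common.call('', 'a update firstname #1')
    expect(json_response['organization']).to be_falsey

    # expand=true inlines the organization name
    updated = update_and_check_common.call('?expand=true', 'a update firstname #2')
    expect(json_response['organization']).to eq(updated.organization.name)

    # full=true returns an assets bundle holding the updated user and the
    # admin; neither asset may expose a password field
    new_firstname = 'a update firstname #3'
    put "/api/v1/users/#{user.id}?full=true", params: { firstname: new_firstname }, as: :json
    expect(response).to have_http_status(:ok)
    expect(json_response).to be_a_kind_of(Hash)
    updated = User.find(json_response['id'])
    expect(json_response['assets']).to be_truthy
    expect(json_response['assets']['User']).to be_truthy

    user_asset = json_response['assets']['User'][updated.id.to_s]
    expect(user_asset).to be_truthy
    expect(user_asset['id']).to eq(updated.id)
    expect(user_asset['firstname']).to eq(new_firstname)
    expect(user_asset['lastname']).to eq(updated.lastname)
    expect(user_asset['password']).to be_falsey

    admin_asset = json_response['assets']['User'][admin.id.to_s]
    expect(admin_asset).to be_truthy
    expect(admin_asset['id']).to eq(admin.id)
    expect(admin_asset['firstname']).to eq(admin.firstname)
    expect(admin_asset['lastname']).to eq(admin.lastname)
    expect(admin_asset['password']).to be_falsey
  end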
  it 'does csv example - customer no access (05.01)' do
    # The CSV import template is not available to customers: the request is
    # answered with 403 and an explanatory error body.
    authenticated_as(customer)
    get '/api/v1/users/import_example', params: {}, as: :json

    expect(response).to have_http_status(:forbidden)
    expect(json_response).to include('error' => 'Not authorized (user)!')
  end
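  it 'does csv example - admin access (05.02)' do
    authenticated_as(admin)
    get '/api/v1/users/import_example', params: {}, as: :json
    expect(response).to have_http_status(:ok)

    # The example is a CSV document whose header row starts with the fixed
    # identifier columns and also carries the organization column.
    # `response` is the accessor used everywhere else in this file; the
    # instance variable `@response` is an implementation detail of the helper.
    rows   = CSV.parse(response.body)
    header = rows.shift
    expect(header.first(5)).to eq(%w[id login firstname lastname email])
    expect(header).to include('organization')
  end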
  it 'does csv import - admin access (05.03)' do
    authenticated_as(admin)

    # Uploads a CSV fixture to the import endpoint, optionally as a dry run,
    # and checks the response envelope. A new upload object is built for
    # every request.
    import = lambda do |fixture, try:|
      csv_file = fixture_file_upload(fixture, 'text/csv')
      path     = try ? '/api/v1/users/import?try=true' : '/api/v1/users/import'
      post path, params: { file: csv_file, col_sep: ';' }
      expect(response).to have_http_status(:ok)
      expect(json_response).to be_a_kind_of(Hash)
      expect(json_response['try']).to be(try)
    end

    # an unknown column makes the whole import fail, one error per data line
    import.call('csv_import/user/simple_col_not_existing.csv', try: true)
    expect(json_response['records']).to be_empty
    expect(json_response['result']).to eq('failed')
    expect(json_response['errors']).to eq(
      [
        "Line 1: Unable to create record - unknown attribute 'firstname2' for User.",
        "Line 2: Unable to create record - unknown attribute 'firstname2' for User.",
      ]
    )

    # dry run: the result is reported but nothing is persisted
    import.call('csv_import/user/simple.csv', try: true)
    expect(json_response['records'].count).to eq(2)
    expect(json_response['result']).to eq('success')
    expect(User.find_by(login: 'user-simple-import1')).to be_nil
    expect(User.find_by(login: 'user-simple-import2')).to be_nil

    # real import: both users exist afterwards with the values from the file
    import.call('csv_import/user/simple.csv', try: false)
    expect(json_response['records'].count).to eq(2)
    expect(json_response['result']).to eq('success')

    expected_attributes = {
      'user-simple-import1' => {
        firstname: 'firstname-simple-import1',
        lastname:  'lastname-simple-import1',
        email:     'user-simple-import1@example.com',
        active:    true,
      },
      'user-simple-import2' => {
        firstname: 'firstname-simple-import2',
        lastname:  'lastname-simple-import2',
        email:     'user-simple-import2@example.com',
        active:    false,
      },
    }
    imported = expected_attributes.map do |login, attributes|
      record = User.find_by(login: login)
      expect(record).to be_truthy
      expect(record.login).to eq(login)
      expect(record).to have_attributes(attributes)
      record
    end

    # clean up the imported records as the original example did
    imported.each(&:destroy!)
  end
  it 'does user history' do
    user1 = create(
      :customer,
      login:     'history@example.com',
      firstname: 'History',
      lastname:  'Customer1',
      email:     'history@example.com',
    )
    authenticated_as(agent)

    # An agent can read a user's history: a history list plus an assets
    # bundle that contains the user itself but no ticket assets.
    get "/api/v1/users/history/#{user1.id}", params: {}, as: :json
    expect(response).to have_http_status(:ok)
    expect(json_response).to be_a_kind_of(Hash)
    expect(json_response['history']).to be_an_instance_of(Array)
    expect(json_response['assets']).to be_an_instance_of(Hash)
    expect(json_response['assets']['Ticket']).to be_nil
    expect(json_response.dig('assets', 'User', user1.id.to_s)).not_to be_nil
  end
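  it 'does user search sortable' do
    firstname = "user_search_sortable #{SecureRandom.uuid}"
    user1 = create(
      :customer,
      login:           'rest-user_search_sortableA@example.com',
      firstname:       "#{firstname} A",
      lastname:        'user_search_sortableA',
      email:           'rest-user_search_sortableA@example.com',
      password:        'user_search_sortableA',
      active:          true,
      organization_id: organization.id,
      out_of_office:   false,
      created_at:      '2016-02-05 17:42:00',
    )
    user2 = create(
      :customer,
      login:                        'rest-user_search_sortableB@example.com',
      firstname:                    "#{firstname} B",
      lastname:                     'user_search_sortableB',
      email:                        'rest-user_search_sortableB@example.com',
      password:                     'user_search_sortableB',
      active:                       true,
      organization_id:              organization.id,
      out_of_office_start_at:       '2016-02-06 19:42:00',
      out_of_office_end_at:         '2016-02-07 19:42:00',
      out_of_office_replacement_id: 1,
      out_of_office:                true,
      created_at:                   '2016-02-05 19:42:00',
    )
    Scheduler.worker(true)
    sleep 2 # let es time to come ready
    authenticated_as(admin)

    # Runs the search with the given sort parameters and returns the ids in
    # result order. The parsed response is read, not mutated in place.
    search_ids = lambda do |sort_by, order_by|
      get "/api/v1/users/search?query=#{CGI.escape(firstname)}", params: { sort_by: sort_by, order_by: order_by }, as: :json
      expect(response).to have_http_status(:ok)
      expect(json_response).to be_a_kind_of(Array)
      json_response.map { |v| v['id'] }
    end

    # [sort_by, order_by, expected id order]; the previously duplicated
    # %w[firstname created_at] / %w[desc asc] request is listed once
    [
      ['created_at', 'asc', [user1.id, user2.id]],
      ['firstname', 'asc', [user1.id, user2.id]],
      ['firstname', 'desc', [user2.id, user1.id]],
      [%w[firstname created_at], %w[desc asc], [user2.id, user1.id]],
      ['out_of_office', 'asc', [user1.id, user2.id]],
      ['out_of_office', 'desc', [user2.id, user1.id]],
      [%w[created_by_id created_at], %w[asc asc], [user1.id, user2.id]],
    ].each do |sort_by, order_by, expected_ids|
      expect(search_ids.call(sort_by, order_by)).to eq(expected_ids)
    end
  end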
  context 'does password reset send work' do
    let(:user) { create(:customer, login: 'somebody', email: 'somebody@example.com') }

    # Requests a password reset for the user's login. No authentication is
    # set up in this context.
    def request_password_reset
      post '/api/v1/users/password_reset', params: { username: user.login }, as: :json
    end

    context 'for user without email address' do
      let(:user) { create(:customer, login: 'somebody', email: '') }

      # NOTE(review): the message differs from the with-email case below, so
      # a caller can tell the two account states apart — the spec pins that
      # current behaviour.
      it 'return failed' do
        request_password_reset
        expect(response).to have_http_status(:ok)
        expect(json_response).to be_a_kind_of(Hash)
        expect(json_response['message']).to eq('failed')
      end
    end

    context 'for user with email address' do
      it 'return ok' do
        request_password_reset
        expect(response).to have_http_status(:ok)
        expect(json_response).to be_a_kind_of(Hash)
        expect(json_response['message']).to eq('ok')
      end
    end

    context 'for user with email address but disabled feature' do
      before { Setting.set('user_lost_password', false) }

      it 'raise 422' do
        request_password_reset
        expect(response).to have_http_status(:unprocessable_entity)
        expect(json_response['error']).to eq('Feature not enabled!')
      end
    end
  end
  context 'does password reset by token work' do
    let(:user)  { create(:customer, login: 'somebody', email: 'somebody@example.com') }
    let(:token) { create(:token, action: 'PasswordReset', user_id: user.id) }

    # Submits the reset token together with the new password. The token is
    # a lazy let, so it is created when the params are built.
    def request_password_reset_verify(password)
      post '/api/v1/users/password_reset_verify', params: { username: user.login, token: token.name, password: password }, as: :json
    end

    context 'for user without email address' do
      let(:user) { create(:customer, login: 'somebody', email: '') }

      it 'return failed' do
        request_password_reset_verify('Test1234#.')
        expect(response).to have_http_status(:ok)
        expect(json_response).to be_a_kind_of(Hash)
        expect(json_response['message']).to eq('failed')
      end
    end

    context 'for user with email address' do
      it 'return ok' do
        request_password_reset_verify('TEst1234#.')
        expect(response).to have_http_status(:ok)
        expect(json_response).to be_a_kind_of(Hash)
        expect(json_response['message']).to eq('ok')
      end
    end

    context 'for user with email address but disabled feature' do
      before { Setting.set('user_lost_password', false) }

      it 'raise 422' do
        request_password_reset_verify('Test1234#.')
        expect(response).to have_http_status(:unprocessable_entity)
        expect(json_response['error']).to eq('Feature not enabled!')
      end
    end
  end
  context 'password change' do
    let(:user) { create(:customer, login: 'somebody', email: 'somebody@example.com', password: 'Test1234#.') }

    before { authenticated_as(user, login: 'somebody', password: 'Test1234#.') }

    # Changes the password of the authenticated user; the current password
    # has to be supplied alongside the new one.
    def change_password
      post '/api/v1/users/password_change', params: { password_old: 'Test1234#.', password_new: 'TEst12345#.' }, as: :json
    end

    context 'user without email address' do
      let(:user) { create(:customer, login: 'somebody', email: '', password: 'Test1234#.') }

      it 'return ok' do
        change_password
        expect(response).to have_http_status(:ok)
        expect(json_response).to be_a_kind_of(Hash)
        expect(json_response['message']).to eq('ok')
      end
    end

    context 'user with email address' do
      it 'return ok' do
        change_password
        expect(response).to have_http_status(:ok)
        expect(json_response).to be_a_kind_of(Hash)
        expect(json_response['message']).to eq('ok')
      end
    end
  end
  context 'ultra long password', authenticated_as: :user, searchindex: false do
    let(:user)        { create :agent, :with_valid_password }
    let(:long_string) { "asd1ASDasd!#{Faker::Lorem.characters(number: 1_000)}" }

    # Over-long passwords must be rejected before any hashing work is done,
    # so the endpoint does not spend hashing time on oversized input.
    def change_password(password_old:, password_new:)
      post '/api/v1/users/password_change', params: { password_old: password_old, password_new: password_new }, as: :json
    end

    it 'does not reach verifying when old password is too long' do
      allow(PasswordHash).to receive(:verified?).and_call_original
      change_password(password_old: long_string, password_new: long_string)

      expect(PasswordHash).not_to have_received(:verified?).with(any_args, long_string)
      expect(response).to have_http_status(:unprocessable_entity)
      expect(json_response['message']).to eq('failed')
    end

    it 'does not reach hashing when saving' do
      allow(PasswordHash).to receive(:crypt).and_call_original
      change_password(password_old: user.password_plain, password_new: long_string)

      expect(PasswordHash).not_to have_received(:crypt)
      expect(response).to have_http_status(:unprocessable_entity)
      expect(json_response['message']).to eq('failed')
    end
  end
  1024. end
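  describe 'POST /api/v1/users', authenticated_as: -> { create(:admin) }, searchindex: false do
    def make_request(params)
      post '/api/v1/users', params: params, as: :json
    end

    let(:successful_params)  { { email: attributes_for(:admin)[:email] } }
    let(:params_with_role)   { successful_params.merge({ role_ids: [Role.find_by(name: 'Admin').id] }) }
    let(:params_with_invite) { successful_params.merge({ invite: true }) }

    it 'succeeds' do
      make_request successful_params
      expect(response).to have_http_status(:created)
    end

    it 'returns user data' do
      make_request successful_params
      expect(json_response).to have_key('email').and(have_value(successful_params[:email]))
    end

    # Without a session the endpoint is handled as a signup attempt, which
    # these params do not satisfy.
    it 'no session treated as signup', authenticated_as: false do
      make_request successful_params
      expect(response).to have_http_status(:unprocessable_entity)
    end

    it 'does not accept requests from customers', authenticated_as: -> { create(:customer) } do
      make_request successful_params
      expect(response).to have_http_status(:forbidden)
    end

    # Role assignment is the privilege-escalation surface of this endpoint:
    # only admins may hand out roles.
    it 'admins can give any role', authenticated_as: -> { create(:admin) } do
      make_request params_with_role
      # Without this status check the example passed vacuously: if creation
      # failed, User.last would be the authenticating admin, which already
      # has the Admin role.
      expect(response).to have_http_status(:created)
      expect(User.last).to be_role 'Admin'
    end

    it 'agents can not give roles', authenticated_as: -> { create(:agent) } do
      make_request params_with_role
      # NOTE(review): if the request were rejected outright, User.last would be
      # the requesting agent and this expectation would still pass — consider
      # also asserting the response status once the intended outcome is confirmed.
      expect(User.last).not_to be_role 'Admin'
    end

    it 'does not send email verification notifications' do
      allow(NotificationFactory::Mailer).to receive(:notification)
      make_request successful_params
      expect(NotificationFactory::Mailer).not_to have_received(:notification) { |arguments| arguments[:template] == 'signup' }
    end

    it 'does not send invitation notification by default' do
      allow(NotificationFactory::Mailer).to receive(:notification)
      make_request successful_params
      expect(NotificationFactory::Mailer).not_to have_received(:notification) { |arguments| arguments[:template] == 'user_invite' }
    end

    it 'sends invitation notification when required' do
      allow(NotificationFactory::Mailer).to receive(:notification)
      make_request params_with_invite
      expect(NotificationFactory::Mailer).to have_received(:notification) { |arguments| arguments[:template] == 'user_invite' }
    end

    # A user record needs at least one of firstname, lastname, login or email.
    it 'requires at least one identifier' do
      make_request({ web: 'example.com' })
      expect(json_response['error']).to start_with('At least one identifier')
    end

    it 'takes first name as identifier' do
      make_request({ firstname: 'name' })
      expect(response).to have_http_status(:created)
    end

    it 'takes last name as identifier' do
      make_request({ lastname: 'name' })
      expect(response).to have_http_status(:created)
    end

    it 'takes login as identifier' do
      make_request({ login: 'name' })
      expect(response).to have_http_status(:created)
    end

    it 'requires valid email if present' do
      make_request({ email: 'not_valid_email' })
      expect(response).to have_http_status(:unprocessable_entity)
    end
  end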
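  describe 'POST /api/v1/users processed by #create_admin', authenticated_as: false do
    before do
      # destroy previously created users — presumably so that no administrator
      # exists yet and the unauthenticated request takes the #create_admin path
      User.all[2...].each(&:destroy)
    end

    def make_request(params)
      post '/api/v1/users', params: params, as: :json
    end

    let(:successful_params) do
      { firstname: 'Admin First', lastname: 'Admin Last', email: attributes_for(:admin)[:email], password: 'asd1ASDasd!' }
    end

    # description fixed: was 'succeds'
    it 'succeeds' do
      make_request successful_params
      expect(response).to have_http_status(:created)
    end

    it 'returns success message' do
      make_request successful_params
      expect(json_response).to have_key('message').and(have_value('ok'))
    end

    # Bootstrap guard: once an administrator exists, the unauthenticated
    # create path must not produce another one.
    it 'does not allow to create 2nd administrator account' do
      create(:admin)
      make_request successful_params
      expect(response).to have_http_status(:unprocessable_entity)
    end

    it 'requires email' do
      make_request successful_params.merge(email: nil)
      expect(response).to have_http_status(:unprocessable_entity)
    end

    it 'requires valid email' do
      make_request successful_params.merge(email: 'invalid_email')
      expect(response).to have_http_status(:unprocessable_entity)
    end

    it 'loads calendar' do
      allow(Calendar).to receive(:init_setup)
      make_request successful_params
      expect(Calendar).to have_received(:init_setup)
    end

    it 'loads text module' do
      allow(TextModule).to receive(:load)
      make_request successful_params
      expect(TextModule).to have_received(:load)
    end

    it 'does not send any notifications' do
      allow(NotificationFactory::Mailer).to receive(:notification)
      make_request successful_params
      expect(NotificationFactory::Mailer).not_to have_received(:notification)
    end
  end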
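# Public self-signup path (unauthenticated). Besides input validation this
# covers two security properties: an attacker must not learn which e-mail
# addresses already have an account, and a self-registered user must not be
# able to choose a privileged role.
describe 'POST /api/v1/users processed by #create_signup', authenticated_as: false do
  def make_request(params)
    post '/api/v1/users', params: params, as: :json
  end

  let(:successful_params) do
    email = attributes_for(:admin)[:email]
    { firstname: 'Customer First', lastname: 'Customer Last', email: email, password: 'gsd1ASDasd!', signup: true }
  end

  before do
    create(:admin) # simulate functional system with admin created
  end

  it 'succeeds' do
    make_request successful_params
    expect(response).to have_http_status(:created)
  end

  it 'requires csrf', allow_forgery_protection: true do
    make_request successful_params
    expect(response).to have_http_status(:unauthorized)
  end

  it 'requires honeypot attribute' do
    params = successful_params.clone
    params.delete :signup
    make_request params
    expect(response).to have_http_status(:unprocessable_entity)
  end

  it 'requires signup to be enabled' do
    Setting.set('user_create_account', false)
    make_request successful_params
    expect(response).to have_http_status(:unprocessable_entity)
  end

  it 'requires email' do
    make_request successful_params.merge(email: nil)
    expect(response).to have_http_status(:unprocessable_entity)
  end

  it 'requires valid email' do
    make_request successful_params.merge(email: 'not_valid_email')
    expect(response).to have_http_status(:unprocessable_entity)
  end

  # Anti-enumeration: a taken address must look exactly like a fresh signup
  # from the outside (same status), and no second account may be created.
  it 'returns false positive when email already used' do
    create(:customer, email: successful_params[:email])
    expect { make_request successful_params }.not_to change(User, :count)
    expect(response).to have_http_status(:created)
  end

  it 'sends email verification notifications' do
    allow(NotificationFactory::Mailer).to receive(:notification)
    make_request successful_params
    # `.with` makes the template part of the expectation; a trailing block's
    # return value is ignored by `have_received` and would never fail.
    expect(NotificationFactory::Mailer)
      .to have_received(:notification)
      .with(hash_including(template: 'signup'))
  end

  # The taken-address case must send the reset-style mail to the existing
  # owner instead of a verification mail to the requester.
  it 'sends password reset notification when email already used' do
    create(:customer, email: successful_params[:email])
    allow(NotificationFactory::Mailer).to receive(:notification)
    make_request successful_params
    expect(NotificationFactory::Mailer)
      .to have_received(:notification)
      .with(hash_including(template: 'signup_taken_reset'))
  end

  it 'sets role to Customer' do
    make_request successful_params
    expect(User.last).to be_role('Customer')
  end

  # Mass-assignment guard: role_ids supplied by the requester must be ignored.
  it 'ignores given Agent role' do
    make_request successful_params.merge(role_ids: [Role.find_by(name: 'Agent').id])
    expect(User.last).not_to be_role('Agent')
  end
end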
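# The group filter of the user search must be enforced identically by the
# plain database backend and by Elasticsearch, so one set of examples is
# shared between the two backends instead of being duplicated.
describe 'GET /api/v1/users/search group ids' do
  let(:group1) { create(:group) }
  let(:group2) { create(:group) }
  let!(:agent1) { create(:agent, firstname: '9U7Z-agent1', groups: [group1]) }
  let!(:agent2) { create(:agent, firstname: '9U7Z-agent2', groups: [group2]) }

  def make_request(params)
    authenticated_as(agent1)
    get '/api/v1/users/search', params: params, as: :json
  end

  shared_examples 'group-scoped user search' do
    it 'does find both users' do
      make_request(query: '9U7Z')
      expect(json_response.count).to eq(2)
    end

    it 'does find only agent 1' do
      make_request(query: '9U7Z', group_ids: { group1.id => 'read' })
      expect(json_response[0]['firstname']).to eq(agent1.firstname)
      expect(json_response.count).to eq(1)
    end

    it 'does find only agent 2' do
      make_request(query: '9U7Z', group_ids: { group2.id => 'read' })
      expect(json_response[0]['firstname']).to eq(agent2.firstname)
      expect(json_response.count).to eq(1)
    end

    # An unknown group id must narrow the result to nothing, not widen it to "all".
    it 'does find none' do
      make_request(query: '9U7Z', group_ids: { 999 => 'read' })
      expect(json_response.count).to eq(0)
    end

    # User id 1 (presumably the system account) must never show up in search results.
    it 'does not list user with id 1' do
      make_request(query: '')
      expect(json_response.none? { |item| item['id'] == 1 }).to be(true)
    end
  end

  describe 'without searchindex' do
    include_examples 'group-scoped user search'
  end

  describe 'with searchindex', searchindex: true do
    before do
      configure_elasticsearch(rebuild: true)
    end

    include_examples 'group-scoped user search'
  end
end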
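# Backend-selection rule of the search endpoint: Elasticsearch is consulted
# for a non-empty query and must not be consulted for an empty one.
describe 'GET /api/v1/users/search, checks ES Usage', searchindex: true, authenticated_as: :agent do
  let!(:agent) { create(:agent) }

  def make_request(params)
    get '/api/v1/users/search', params: params, as: :json
  end

  before do
    # create some users that can be found
    create(:agent, firstname: 'Test-Agent1')
    create(:agent, firstname: 'Test-Agent2')
    configure_elasticsearch(rebuild: true)
  end

  it 'uses elasticsearch when query is non empty' do
    allow(SearchIndexBackend).to receive(:search)
    make_request(query: 'Test')
    expect(SearchIndexBackend).to have_received(:search)
  end

  it 'does not use elasticsearch when query is empty' do
    allow(SearchIndexBackend).to receive(:search)
    make_request(query: '')
    expect(SearchIndexBackend).not_to have_received(:search)
  end
end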
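# Avatar upload (authenticated). Both images arrive as data URIs. The MIME
# type exercised here is the one *declared* in the `data:` prefix - the same
# PNG payload is reused under an SVG label - so whether the bytes are also
# sniffed server-side is not covered by these examples. SVG is rejected
# because inline SVG can carry script (a stored-XSS vector if served back).
describe 'POST /api/v1/users/avatar', authenticated_as: :user do
  let(:user) { create(:user) }
  let(:payload) { 'iVBORw0KGgoAAAANSUhEUgAAAAUAAAAFCAYAAACNbyblAAAAHElEQVQI12P4//8/w38GIAXDIBKE0DHxgljNBAAO9TXL0Y4OHwAAAABJRU5ErkJggg==' }
  let(:base64) { "data:image/png;base64,#{payload}" }

  def make_request(params)
    post '/api/v1/users/avatar', params: params, as: :json
  end

  it 'returns verbose error when full image is missing' do
    make_request(avatar_full: '')
    expect(json_response).to include('error' => match(%r{full}).and(match(%r{is invalid})))
  end

  it 'returns verbose error when resized image is missing' do
    make_request(avatar_full: base64)
    expect(json_response).to include('error' => match(%r{resized}).and(match(%r{is invalid})))
  end

  it 'successfully changes avatar' do
    expect { make_request(avatar_full: base64, avatar_resize: base64) }
      .to change { Avatar.list('User', user.id) }
  end

  context 'with a not allowed mime-type' do
    let(:base64) { "data:image/svg+xml;base64,#{payload}" }

    it 'returns verbose error for a not allowed mime-type' do
      make_request(avatar_full: base64)
      expect(json_response).to include('error' => 'The MIME type of the full-size image is invalid.')
    end
  end

  context 'with a not allowed resized image mime-type' do
    let(:resized_base64) { "data:image/svg+xml;base64,#{payload}" }

    it 'returns verbose error for a not allowed mime-type' do
      make_request(avatar_full: base64, avatar_resize: resized_base64)
      expect(json_response).to include('error' => 'The MIME type of the resized image is invalid.')
    end

    # A rejected upload must not leave a partially stored avatar behind.
    it 'does not store anything when the resized image is rejected' do
      expect { make_request(avatar_full: base64, avatar_resize: resized_base64) }
        .not_to change { Avatar.list('User', user.id) }
    end
  end
end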
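# Serving a stored avatar by its store hash (authenticated).
describe 'GET /api/v1/users/image/:hash', authenticated_as: :user do
  let(:user) { create(:user) }
  let(:avatar_mime_type) { 'image/png' }

  # The avatar is written straight through Avatar.add - bypassing the upload
  # validation - so the serving-side guard can be exercised with a MIME type
  # the upload endpoint would refuse.
  let(:avatar) do
    Avatar.add(
      object: 'User',
      o_id: user.id,
      default: true,
      resize: {
        # binread reads and closes the file; File.open + read left the handle open.
        content: File.binread('test/data/image/1000x1000.png'),
        mime_type: avatar_mime_type,
      },
      source: 'web',
      deletable: true,
      updated_by_id: 1,
      created_by_id: 1,
    )
  end
  let(:avatar_content) { Avatar.get_by_hash(avatar.store_hash).content }

  before do
    user.update!(image: avatar.store_hash)
  end

  def make_request(image_hash, params: {})
    get "/api/v1/users/image/#{image_hash}", params: params, as: :json
  end

  # Example name corrected: this asserts the stored bytes are returned, not an error.
  it 'returns the stored avatar content' do
    make_request(avatar.store_hash)
    expect(response.body).to eq(avatar_content)
  end

  # A stored image whose MIME type must not be rendered inline (SVG can embed
  # script) is replaced by the default image instead of being served as-is.
  context 'with a not allowed inline mime-type' do
    let(:avatar_mime_type) { 'image/svg+xml' }

    it 'returns the default image' do
      make_request(avatar.store_hash)
      expect(response.headers['Content-Type']).to include('image/gif')
    end
  end
end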
# Search with an explicit `ids` list must return exactly those records, in
# the requested order, whichever search backend answers the request.
describe 'GET /api/v1/users/search, checks usage of the ids parameter', authenticated_as: :agent do
  let(:agent) { create(:agent) }
  let(:search_agents) { create_list(:agent, 3, firstname: 'Nick') }

  shared_examples 'ids requests' do
    # NOTE(review): include_examples registers this hook before any `before`
    # supplied in the including block, so in the Elasticsearch context the
    # POST appears to fire ahead of configure_elasticsearch - confirm the
    # search there is really answered by Elasticsearch.
    before do
      search_params = { query: 'Nick', ids: search_ids, sort_by: ['created_at'], order_by: ['ASC'] }
      post '/api/v1/users/search', params: search_params, as: :json
    end

    shared_examples 'result check' do
      it 'returns only agents matching search parameter ids' do
        returned_ids = json_response.map { |row| row['id'] }
        expect(returned_ids).to eq(search_ids)
      end
    end

    context 'when searching for first two agents' do
      let(:search_ids) { search_agents.take(2).map(&:id) }

      include_examples 'result check'
    end

    context 'when searching for last two agents' do
      let(:search_ids) { search_agents.last(2).map(&:id) }

      include_examples 'result check'
    end
  end

  context 'with elasticsearch', searchindex: true do
    include_examples 'ids requests' do
      before do
        configure_elasticsearch(required: true, rebuild: true)
      end
    end
  end

  context 'without elasticsearch' do
    include_examples 'ids requests'
  end
end
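# Unlocking a user (resetting the failed-login counter) is an administrative
# action: it must succeed for admins and be refused for everyone else without
# touching the counter.
describe 'PUT /api/v1/users/unlock/{id}' do
  let(:admin) { create(:admin) }
  let(:agent) { create(:agent) }
  let(:customer) { create(:customer, login_failed: 2) }

  def make_request(id)
    put "/api/v1/users/unlock/#{id}", params: {}, as: :json
  end

  context 'with authenticated admin user', authenticated_as: :admin do
    it 'returns success' do
      make_request(customer.id)
      expect(response).to have_http_status(:ok)
    end

    it 'check that login failed was reset' do
      expect { make_request(customer.id) }.to change { customer.reload.login_failed }.from(2).to(0)
    end

    it 'fail with not existing user id' do
      make_request(99_999)
      expect(response).to have_http_status(:not_found)
    end
  end

  context 'with authenticated agent user', authenticated_as: :agent do
    it 'fail without admin permission' do
      make_request(customer.id)
      expect(response).to have_http_status(:forbidden)
    end

    it 'check that login failed was not changed' do
      expect { make_request(customer.id) }.not_to change { customer.reload.login_failed }
    end
  end

  # A customer must not be able to unlock an account either - not even their own.
  context 'with authenticated customer user', authenticated_as: :customer do
    it 'fail without admin permission' do
      make_request(customer.id)
      expect(response).to have_http_status(:forbidden)
    end
  end
end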
  1423. end