settings_spec.rb 8.9 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255
  1. # Copyright (C) 2012-2023 Zammad Foundation, https://zammad-foundation.org/
  2. require 'rails_helper'
  3. RSpec.describe 'Settings', type: :request do
  4. let(:admin) do
  5. create(:admin)
  6. end
  7. let(:admin_api) do
  8. role_api = create(:role)
  9. role_api.permission_grant('admin.api')
  10. create(:admin, roles: [role_api])
  11. end
  12. let(:agent) do
  13. create(:agent)
  14. end
  15. let(:customer) do
  16. create(:customer)
  17. end
  18. describe 'request handling' do
  19. it 'does settings index with nobody' do
  20. # index
  21. get '/api/v1/settings', params: {}, as: :json
  22. expect(response).to have_http_status(:forbidden)
  23. expect(json_response).to be_a(Hash)
  24. expect(json_response['settings']).to be_falsey
  25. # show
  26. setting = Setting.find_by(name: 'product_name')
  27. get "/api/v1/settings/#{setting.id}", params: {}, as: :json
  28. expect(response).to have_http_status(:forbidden)
  29. expect(json_response['error']).to eq('Authentication required')
  30. end
  31. it 'does settings index with admin' do
  32. # index
  33. authenticated_as(admin)
  34. get '/api/v1/settings', params: {}, as: :json
  35. expect(response).to have_http_status(:ok)
  36. expect(json_response).to be_a(Array)
  37. expect(json_response).to be_truthy
  38. hit_api = false
  39. hit_product_name = false
  40. json_response.each do |setting|
  41. if setting['name'] == 'api_token_access'
  42. hit_api = true
  43. end
  44. if setting['name'] == 'product_name'
  45. hit_product_name = true
  46. end
  47. end
  48. expect(hit_api).to be(true)
  49. expect(hit_product_name).to be(true)
  50. # show
  51. setting = Setting.find_by(name: 'product_name')
  52. get "/api/v1/settings/#{setting.id}", params: {}, as: :json
  53. expect(response).to have_http_status(:ok)
  54. expect(json_response).to be_a(Hash)
  55. expect(json_response['name']).to eq('product_name')
  56. setting = Setting.find_by(name: 'api_token_access')
  57. get "/api/v1/settings/#{setting.id}", params: {}, as: :json
  58. expect(response).to have_http_status(:ok)
  59. expect(json_response).to be_a(Hash)
  60. expect(json_response['name']).to eq('api_token_access')
  61. # update
  62. setting = Setting.find_by(name: 'product_name')
  63. params = {
  64. id: setting.id,
  65. name: 'some_new_name',
  66. preferences: {
  67. permission: ['admin.branding', 'admin.some_new_permission'],
  68. some_new_key: true,
  69. }
  70. }
  71. put "/api/v1/settings/#{setting.id}", params: params, as: :json
  72. expect(response).to have_http_status(:ok)
  73. expect(json_response).to be_a(Hash)
  74. expect(json_response['name']).to eq('product_name')
  75. expect(json_response['preferences']['permission'].length).to eq(1)
  76. expect(json_response['preferences']['permission'][0]).to eq('admin.branding')
  77. expect(json_response['preferences']['some_new_key']).to be(true)
  78. # update
  79. setting = Setting.find_by(name: 'api_token_access')
  80. params = {
  81. id: setting.id,
  82. name: 'some_new_name',
  83. preferences: {
  84. permission: ['admin.branding', 'admin.some_new_permission'],
  85. some_new_key: true,
  86. }
  87. }
  88. put "/api/v1/settings/#{setting.id}", params: params, as: :json
  89. expect(response).to have_http_status(:ok)
  90. expect(json_response).to be_a(Hash)
  91. expect(json_response['name']).to eq('api_token_access')
  92. expect(json_response['preferences']['permission'].length).to eq(1)
  93. expect(json_response['preferences']['permission'][0]).to eq('admin.api')
  94. expect(json_response['preferences']['some_new_key']).to be(true)
  95. # delete
  96. setting = Setting.find_by(name: 'product_name')
  97. delete "/api/v1/settings/#{setting.id}", params: {}, as: :json
  98. expect(response).to have_http_status(:forbidden)
  99. expect(json_response['error']).to eq('Not authorized (feature not possible)')
  100. end
  101. it 'does settings index with admin-api' do
  102. # index
  103. authenticated_as(admin_api)
  104. get '/api/v1/settings', params: {}, as: :json
  105. expect(response).to have_http_status(:ok)
  106. expect(json_response).to be_a(Array)
  107. expect(json_response).to be_truthy
  108. hit_api = false
  109. hit_product_name = false
  110. json_response.each do |setting|
  111. if setting['name'] == 'api_token_access'
  112. hit_api = true
  113. end
  114. if setting['name'] == 'product_name'
  115. hit_product_name = true
  116. end
  117. end
  118. expect(hit_api).to be(true)
  119. expect(hit_product_name).to be(false)
  120. # show
  121. setting = Setting.find_by(name: 'product_name')
  122. get "/api/v1/settings/#{setting.id}", params: {}, as: :json
  123. expect(response).to have_http_status(:forbidden)
  124. expect(json_response['error']).to eq('Not authorized (required ["admin.branding"])!')
  125. setting = Setting.find_by(name: 'api_token_access')
  126. get "/api/v1/settings/#{setting.id}", params: {}, as: :json
  127. expect(response).to have_http_status(:ok)
  128. expect(json_response).to be_a(Hash)
  129. expect(json_response['name']).to eq('api_token_access')
  130. # update
  131. setting = Setting.find_by(name: 'product_name')
  132. params = {
  133. id: setting.id,
  134. name: 'some_new_name',
  135. preferences: {
  136. permission: ['admin.branding', 'admin.some_new_permission'],
  137. some_new_key: true,
  138. }
  139. }
  140. put "/api/v1/settings/#{setting.id}", params: params, as: :json
  141. expect(response).to have_http_status(:forbidden)
  142. expect(json_response['error']).to eq('Not authorized (required ["admin.branding"])!')
  143. # update
  144. setting = Setting.find_by(name: 'api_token_access')
  145. params = {
  146. id: setting.id,
  147. name: 'some_new_name',
  148. preferences: {
  149. permission: ['admin.branding', 'admin.some_new_permission'],
  150. some_new_key: true,
  151. }
  152. }
  153. put "/api/v1/settings/#{setting.id}", params: params, as: :json
  154. expect(response).to have_http_status(:ok)
  155. expect(json_response).to be_a(Hash)
  156. expect(json_response['name']).to eq('api_token_access')
  157. expect(json_response['preferences']['permission'].length).to eq(1)
  158. expect(json_response['preferences']['permission'][0]).to eq('admin.api')
  159. expect(json_response['preferences']['some_new_key']).to be(true)
  160. # delete
  161. setting = Setting.find_by(name: 'product_name')
  162. delete "/api/v1/settings/#{setting.id}", params: {}, as: :json
  163. expect(response).to have_http_status(:forbidden)
  164. expect(json_response['error']).to eq('Not authorized (feature not possible)')
  165. end
  166. it 'does settings index with agent' do
  167. # index
  168. authenticated_as(agent)
  169. get '/api/v1/settings', params: {}, as: :json
  170. expect(response).to have_http_status(:forbidden)
  171. expect(json_response).to be_a(Hash)
  172. expect(json_response['settings']).to be_falsey
  173. expect(json_response['error']).to eq('Not authorized (user)!')
  174. # show
  175. setting = Setting.find_by(name: 'product_name')
  176. get "/api/v1/settings/#{setting.id}", params: {}, as: :json
  177. expect(response).to have_http_status(:forbidden)
  178. expect(json_response['error']).to eq('Not authorized (user)!')
  179. end
  180. it 'does settings index with customer' do
  181. # index
  182. authenticated_as(customer)
  183. get '/api/v1/settings', params: {}, as: :json
  184. expect(response).to have_http_status(:forbidden)
  185. expect(json_response).to be_a(Hash)
  186. expect(json_response['settings']).to be_falsey
  187. expect(json_response['error']).to eq('Not authorized (user)!')
  188. # show
  189. setting = Setting.find_by(name: 'product_name')
  190. get "/api/v1/settings/#{setting.id}", params: {}, as: :json
  191. expect(response).to have_http_status(:forbidden)
  192. expect(json_response['error']).to eq('Not authorized (user)!')
  193. # delete
  194. setting = Setting.find_by(name: 'product_name')
  195. delete "/api/v1/settings/#{setting.id}", params: {}, as: :json
  196. expect(response).to have_http_status(:forbidden)
  197. expect(json_response['error']).to eq('Not authorized (user)!')
  198. end
  199. it 'protected setting not existing in list' do
  200. authenticated_as(admin)
  201. get '/api/v1/settings', params: {}, as: :json
  202. expect(json_response.detect { |setting| setting['name'] == 'application_secret' }).to be_nil
  203. end
  204. it 'can not show protected setting' do
  205. setting = Setting.find_by(name: 'application_secret')
  206. authenticated_as(admin)
  207. get "/api/v1/settings/#{setting.id}", params: {}, as: :json
  208. expect(response).to have_http_status(:forbidden)
  209. end
  210. it 'can not update protected setting' do
  211. setting = Setting.find_by(name: 'application_secret')
  212. params = {
  213. id: setting.id,
  214. state: 'Examaple'
  215. }
  216. put "/api/v1/settings/#{setting.id}", params: params, as: :json
  217. authenticated_as(admin)
  218. put "/api/v1/settings/#{setting.id}", params: {}, as: :json
  219. expect(response).to have_http_status(:forbidden)
  220. end
  221. end
  222. end