  1. # Copyright (C) 2012-2023 Zammad Foundation, https://zammad-foundation.org/
  2. require 'rails_helper'
  3. RSpec.describe 'User', performs_jobs: true, type: :request do
  4. describe 'request handling' do
  # Shared fixtures. `let!` evaluates them before each example (unlike the
  # lazy `let`), so every request below runs against a populated user table.

  # Admin who is a member of every group; the default privileged caller.
  let!(:admin) do
    create(:admin,
           groups:    Group.all,
           login:     'rest-admin',
           firstname: 'Rest',
           lastname:  'Agent',
           email:     'rest-admin@example.com')
  end

  # Admin with a known password, used by the BasicAuth examples.
  let!(:admin_with_pw) do
    create(:admin,
           groups:    Group.all,
           login:     'rest-admin-pw',
           firstname: 'Rest',
           lastname:  'Agent',
           email:     'rest-admin-pw@example.com',
           password:  'adminpw')
  end

  # Agent who is a member of every group.
  let!(:agent) do
    create(:agent,
           groups:    Group.all,
           login:     'rest-agent@example.com',
           firstname: 'Rest',
           lastname:  'Agent',
           email:     'rest-agent@example.com')
  end

  # Customer without an organization.
  let!(:customer) do
    create(:customer,
           login:     'rest-customer1@example.com',
           firstname: 'Rest',
           lastname:  'Customer1',
           email:     'rest-customer1@example.com')
  end

  let!(:organization)  { create(:organization, name: 'Rest Org') }
  let!(:organization2) { create(:organization, name: 'Rest Org #2') }
  let!(:organization3) { create(:organization, name: 'Rest Org #3') }

  # Customer belonging to +organization+; the target of the cross-customer
  # access checks.
  let!(:customer2) do
    create(:customer,
           organization: organization,
           login:        'rest-customer2@example.com',
           firstname:    'Rest',
           lastname:     'Customer2',
           email:        'rest-customer2@example.com')
  end

  # Inactive customer in the same organization; the search examples look
  # for it through the `inactive` flag.
  let!(:customer_inactive) do
    create(:customer,
           organization: organization,
           login:        'rest-customer_inactive@example.com',
           firstname:    'Rest',
           lastname:     'CustomerInactive',
           email:        'rest-customer_inactive@example.com',
           active:       false)
  end
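  it 'does user create tests - no user' do
    # Anonymous signup has to present the CSRF token handed out by signshow,
    # either as the authenticity_token parameter or as the X-CSRF-Token header.
    post '/api/v1/signshow', params: {}, as: :json
    token   = @response.headers['CSRF-TOKEN']
    headers = { 'X-CSRF-Token' => token }

    # Asserts that the user registered under +email+ holds the Customer role
    # and neither Admin nor Agent.
    expect_customer_only = lambda do |email|
      user = User.find_by(email: email)
      expect(user).not_to be_role('Admin')
      expect(user).not_to be_role('Agent')
      expect(user).to be_role('Customer')
    end

    # Signup disabled: rejected with the token sent as a form parameter ...
    Setting.set('user_create_account', false)
    params = { email: 'some_new_customer@example.com', signup: true, authenticity_token: token }
    post '/api/v1/users', params: params, as: :json
    expect(response).to have_http_status(:unprocessable_entity)
    expect(json_response['error']).to eq('Feature not enabled!')

    # ... and with the token sent as a header.
    params = { email: 'some_new_customer@example.com', signup: true }
    post '/api/v1/users', params: params, headers: headers, as: :json
    expect(response).to have_http_status(:unprocessable_entity)
    expect(json_response['error']).to eq('Feature not enabled!')

    Setting.set('user_create_account', true)

    # Signup without a password is rejected.
    params = { email: 'some_new_customer@example.com', signup: true }
    post '/api/v1/users', params: params, headers: headers, as: :json
    expect(response).to have_http_status(:unprocessable_entity)
    expect(json_response['error']).to be_truthy

    # An address that already belongs to a user still answers :created —
    # presumably so the public endpoint does not disclose which addresses
    # are registered; confirm against the controller.
    params = { email: 'rest-customer1@example.com', password: 'asd1ASDasd!', signup: true }
    post '/api/v1/users', params: params, headers: headers, as: :json
    expect(response).to have_http_status(:created)
    expect(json_response).to be_truthy

    # The email address is mandatory for signup.
    params = { firstname: 'some firstname', signup: true }
    post '/api/v1/users', params: params, headers: headers, as: :json
    expect(response).to have_http_status(:unprocessable_entity)
    expect(json_response['error']).to eq('Attribute \'email\' required!')

    # A complete signup yields a plain Customer.
    params = { firstname: 'Me First', lastname: 'Me Last', email: 'new_here@example.com', password: '1asdASDasd', signup: true }
    post '/api/v1/users', params: params, headers: headers, as: :json
    expect(response).to have_http_status(:created)
    expect(json_response['message']).to eq('ok')
    expect_customer_only.call('new_here@example.com')

    # role_ids supplied with a signup are ignored: neither the Admin nor the
    # Agent role can be self-assigned, the account still ends up a Customer.
    %w[Admin Agent].each do |role_name|
      role = Role.lookup(name: role_name)
      params = {
        firstname: "#{role_name} First",
        lastname:  "#{role_name} Last",
        email:     "new_#{role_name.downcase}@example.com",
        role_ids:  [role.id],
        signup:    true,
        password:  '1asdASDasd',
      }
      post '/api/v1/users', params: params, headers: headers, as: :json
      expect(response).to have_http_status(:created)
      expect(json_response).to be_truthy
      expect_customer_only.call(params[:email])
    end

    # Signing up does not open a session: the user list and /me stay closed.
    %w[/api/v1/users /api/v1/users/me].each do |path|
      get path, params: {}, headers: headers, as: :json
      expect(response).to have_http_status(:forbidden)
      expect(json_response['error']).to eq('Authentication required')
    end
  end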
  it 'does not create user with verified state' do
    # A self-signup cannot mark itself as verified: the flag in the request
    # is accepted silently but not stored.
    post '/api/v1/users',
         params: { firstname: 'Agent First', lastname: 'Agent Last', email: 'new_agent@example.com', signup: true, password: '1asdASDasd', verified: true },
         as:     :json
    expect(response).to have_http_status(:created)
    expect(json_response).to be_truthy

    created = User.find_by(email: 'new_agent@example.com')
    expect(created.verified).to be(false)
  end
  it 'does not create user with ticket groups permissions' do
    # group_ids sent along with a self-signup are dropped: the request is
    # accepted, but the new account gets no group access at all.
    users_group_id = Group.find_by(name: 'Users').id
    post '/api/v1/users',
         params: { firstname: 'Agent First', lastname: 'Agent Last', email: 'new_agent@example.com', signup: true, password: '1asdASDasd', verified: true, group_ids: { users_group_id => 'full' } },
         as:     :json
    expect(response).to have_http_status(:created)
    expect(json_response).to be_truthy

    created = User.find_by(email: 'new_agent@example.com')
    expect(created.groups).to eq([])
  end
  it 'does not create user with verified state as customer' do
    # Logged in as a customer the create request is refused outright, whereas
    # the anonymous signup above accepts it and merely drops `verified`.
    authenticated_as(customer)

    post '/api/v1/users',
         params: { firstname: 'Agent First', lastname: 'Agent Last', email: 'new_agent@example.com', signup: true, password: '1asdASDasd', verified: true },
         as:     :json
    expect(response).to have_http_status(:forbidden)
  end
  it 'does not create user with ticket groups permissions as customer' do
    # Same request as the anonymous group_ids example, but from a customer
    # session: forbidden instead of created-without-groups.
    authenticated_as(customer)

    users_group_id = Group.find_by(name: 'Users').id
    post '/api/v1/users',
         params: { firstname: 'Agent First', lastname: 'Agent Last', email: 'new_agent@example.com', signup: true, password: '1asdASDasd', verified: true, group_ids: { users_group_id => 'full' } },
         as:     :json
    expect(response).to have_http_status(:forbidden)
  end
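  context 'password security' do
    # NOTE(review): `headers` is not defined anywhere visible in this context;
    # presumably it comes from the surrounding spec setup or a support helper —
    # confirm, since the first example relies on the request being accepted
    # far enough to reach the password check.

    # Anonymous signup has to satisfy the password policy.
    it 'verified with no current user' do
      params = { email: 'some_new_customer@example.com', password: 'asdasdasdasd', signup: true }
      post '/api/v1/users', params: params, headers: headers, as: :json
      expect(response).to have_http_status(:unprocessable_entity)
      expect(json_response['error']).to be_a(Array).and(include(match(%r{Invalid password})))
    end

    # A user created by an admin is not subject to the policy: a 3-character
    # password is accepted. This pins current behaviour; the example used to
    # carry the same description as the anonymous one, which hid the contrast.
    it 'not verified with admin as current user', authenticated_as: :admin do
      params = { email: 'some_new_customer@example.com', password: 'asd' }
      post '/api/v1/users', params: params, headers: headers, as: :json
      expect(response).to have_http_status(:created)
    end
  end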
  it 'does auth tests - not existing user' do
    # BasicAuth with an unknown login: both endpoints answer 401 with the same
    # generic message the wrong-password examples get, so the response does
    # not reveal whether the login exists.
    authenticated_as(nil, login: 'not_existing@example.com', password: 'adminpw')

    %w[/api/v1/users/me /api/v1/users].each do |path|
      get path, params: {}, as: :json
      expect(response).to have_http_status(:unauthorized)
      expect(json_response['error']).to eq('Invalid BasicAuth credentials')
    end
  end
  it 'does auth tests - username auth, wrong pw' do
    # Known login, wrong password: 401 with the generic credentials error.
    authenticated_as(admin, password: 'not_existing')

    get '/api/v1/users', params: {}, as: :json
    expect(response).to have_http_status(:unauthorized)
    expect(json_response['error']).to eq('Invalid BasicAuth credentials')
  end
  it 'does auth tests - email auth, wrong pw' do
    # The email address works as login too; a wrong password still yields the
    # same generic 401 message as an unknown login.
    authenticated_as(nil, login: 'rest-admin@example.com', password: 'not_existing')

    get '/api/v1/users', params: {}, as: :json
    expect(response).to have_http_status(:unauthorized)
    expect(json_response['error']).to eq('Invalid BasicAuth credentials')
  end
  it 'does auth tests - username auth' do
    # Valid BasicAuth via the login name of +admin_with_pw+.
    authenticated_as(nil, login: 'rest-admin-pw', password: 'adminpw')

    get '/api/v1/users', params: {}, as: :json
    expect(response).to have_http_status(:ok)
    expect(json_response).to be_truthy
  end
  it 'does auth tests - email auth' do
    # Valid BasicAuth via the email address of +admin_with_pw+.
    authenticated_as(nil, login: 'rest-admin-pw@example.com', password: 'adminpw')

    get '/api/v1/users', params: {}, as: :json
    expect(response).to have_http_status(:ok)
    expect(json_response).to be_truthy
  end
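  it 'does user index and create with admin' do
    authenticated_as(admin)

    # Asserts that +user+ holds exactly +role_name+ out of Admin/Agent/Customer.
    expect_only_role = lambda do |user, role_name|
      %w[Admin Agent Customer].each do |name|
        if name == role_name
          expect(user).to be_role(name)
        else
          expect(user).not_to be_role(name)
        end
      end
    end

    get '/api/v1/users/me', params: {}, as: :json
    expect(response).to have_http_status(:ok)
    expect(json_response['email']).to eq('rest-admin@example.com')

    # index: an admin sees every user; the fixtures alone provide more than three.
    get '/api/v1/users', params: {}, as: :json
    expect(response).to have_http_status(:ok)
    expect(json_response).to be_an_instance_of(Array)
    expect(json_response.length).to be >= 3

    # show/:id: agents and customers are both readable by an admin.
    get "/api/v1/users/#{agent.id}", params: {}, as: :json
    expect(response).to have_http_status(:ok)
    expect(json_response).to be_an_instance_of(Hash)
    expect(json_response['email']).to eq('rest-agent@example.com')

    get "/api/v1/users/#{customer.id}", params: {}, as: :json
    expect(response).to have_http_status(:ok)
    expect(json_response).to be_an_instance_of(Hash)
    expect(json_response['email']).to eq('rest-customer1@example.com')

    # Unlike the anonymous signup path, an admin may hand out the Admin role;
    # the login defaults to the email address.
    role = Role.lookup(name: 'Admin')
    params = { firstname: 'Admin First', lastname: 'Admin Last', email: 'new_admin_by_admin@example.com', role_ids: [role.id] }
    post '/api/v1/users', params: params, as: :json
    expect(response).to have_http_status(:created)
    expect_only_role.call(User.find(json_response['id']), 'Admin')
    expect(json_response['login']).to eq('new_admin_by_admin@example.com')
    expect(json_response['email']).to eq('new_admin_by_admin@example.com')

    # ... and the Agent role.
    role = Role.lookup(name: 'Agent')
    params = { firstname: 'Agent First', lastname: 'Agent Last', email: 'new_agent_by_admin1@example.com', role_ids: [role.id] }
    post '/api/v1/users', params: params, as: :json
    expect(response).to have_http_status(:created)
    expect_only_role.call(User.find(json_response['id']), 'Agent')
    expect(json_response['login']).to eq('new_agent_by_admin1@example.com')
    expect(json_response['email']).to eq('new_agent_by_admin1@example.com')

    # A two-word firstname with no lastname is split into first and last name.
    params = { firstname: 'Agent First', email: 'new_agent_by_admin2@example.com', role_ids: [role.id] }
    post '/api/v1/users', params: params, as: :json
    expect(response).to have_http_status(:created)
    expect_only_role.call(User.find(json_response['id']), 'Agent')
    expect(json_response['login']).to eq('new_agent_by_admin2@example.com')
    expect(json_response['email']).to eq('new_agent_by_admin2@example.com')
    expect(json_response['firstname']).to eq('Agent')
    expect(json_response['lastname']).to eq('First')

    # The same address cannot be used for a second user.
    post '/api/v1/users', params: params, as: :json
    expect(response).to have_http_status(:unprocessable_entity)
    expect(json_response['error']).to eq("Email address 'new_agent_by_admin2@example.com' is already used for another user.")

    # Without any identifying attribute the record is rejected.
    post '/api/v1/users', params: { note: 'some note' }, as: :json
    expect(response).to have_http_status(:unprocessable_entity)
    expect(json_response['error']).to eq('At least one identifier (firstname, lastname, phone or email) for user is required.')

    # A malformed email address is rejected.
    post '/api/v1/users', params: { firstname: 'newfirstname123', email: 'some_what', note: 'some note' }, as: :json
    expect(response).to have_http_status(:unprocessable_entity)
    expect(json_response['error']).to eq("Invalid email 'some_what'")

    # Without role_ids the new user is a Customer; without an email the login
    # is generated with an 'auto-' prefix and the email stays empty.
    post '/api/v1/users', params: { firstname: 'newfirstname123', note: 'some note' }, as: :json
    expect(response).to have_http_status(:created)
    expect_only_role.call(User.find(json_response['id']), 'Customer')
    expect(json_response['login']).to be_start_with('auto-')
    expect(json_response['email']).to eq('')
    expect(json_response['firstname']).to eq('newfirstname123')
    expect(json_response['lastname']).to eq('')
  end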
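  it 'does user index and create with agent' do
    authenticated_as(agent)

    # Asserts that +user+ carries the Customer role and nothing more.
    expect_customer_only = lambda do |user|
      expect(user).not_to be_role('Admin')
      expect(user).not_to be_role('Agent')
      expect(user).to be_role('Customer')
    end

    get '/api/v1/users/me', params: {}, as: :json
    expect(response).to have_http_status(:ok)
    expect(json_response['email']).to eq('rest-agent@example.com')

    # index: agents see the whole user list as well.
    get '/api/v1/users', params: {}, as: :json
    expect(response).to have_http_status(:ok)
    expect(json_response).to be_an_instance_of(Array)
    expect(json_response.length).to be >= 3

    # Pagination follows id order: page 1 holds the first two users, page 2 the next two.
    ordered_ids = User.reorder(:id).limit(4).pluck(:id)

    get '/api/v1/users?limit=40&page=1&per_page=2', params: {}, as: :json
    expect(response).to have_http_status(:ok)
    expect(json_response).to be_a(Array)
    expect(json_response.map { |u| u['id'] }).to eq(ordered_ids[0, 2])

    get '/api/v1/users?limit=40&page=2&per_page=2', params: {}, as: :json
    expect(response).to have_http_status(:ok)
    expect(json_response).to be_a(Array)
    expect(json_response.map { |u| u['id'] }).to eq(ordered_ids[2, 2])

    # An agent may create users, but the requested role_ids are ignored:
    # asking for Admin, Agent or Customer all yields a plain Customer, so an
    # agent cannot escalate anyone (including a fresh account) to admin.
    firstname = "First test#{SecureRandom.uuid}"
    created = {}
    %w[Admin Agent Customer].each do |role_name|
      role = Role.lookup(name: role_name)
      params = {
        firstname: "#{role_name}#{firstname}",
        lastname:  "#{role_name} Last",
        email:     "new_#{role_name.downcase}_by_agent@example.com",
        role_ids:  [role.id],
      }
      post '/api/v1/users', params: params, as: :json
      expect(response).to have_http_status(:created)
      created[role_name] = json_response
      expect_customer_only.call(User.find(created[role_name]['id']))
      expect(created[role_name]['login']).to eq(params[:email])
      expect(created[role_name]['email']).to eq(params[:email])
    end
    customer_json = created['Customer']

    # search as agent — the new users have to reach the search index first.
    perform_enqueued_jobs
    sleep 2 # let es time to come ready (fixed wait, inherited from the original example)
    query = CGI.escape("Customer#{firstname}")
    label = "Customer#{firstname} Customer Last <new_customer_by_agent@example.com>"

    # Plain query: role_ids are listed, role objects are not expanded.
    get "/api/v1/users/search?query=#{query}", params: {}, as: :json
    expect(response).to have_http_status(:ok)
    expect(json_response).to be_a(Array)
    expect(json_response[0]['id']).to eq(customer_json['id'])
    expect(json_response[0]['firstname']).to eq("Customer#{firstname}")
    expect(json_response[0]['lastname']).to eq('Customer Last')
    expect(json_response[0]['role_ids']).to be_truthy
    expect(json_response[0]['roles']).to be_falsey

    # expand=true inlines the role objects.
    get "/api/v1/users/search?query=#{query}&expand=true", params: {}, as: :json
    expect(response).to have_http_status(:ok)
    expect(json_response).to be_a(Array)
    expect(json_response[0]['id']).to eq(customer_json['id'])
    expect(json_response[0]['firstname']).to eq("Customer#{firstname}")
    expect(json_response[0]['lastname']).to eq('Customer Last')
    expect(json_response[0]['role_ids']).to be_truthy
    expect(json_response[0]['roles']).to be_truthy

    # label=true returns label/value pairs and no role data.
    get "/api/v1/users/search?query=#{query}&label=true", params: {}, as: :json
    expect(response).to have_http_status(:ok)
    expect(json_response).to be_a(Array)
    expect(json_response[0]['id']).to eq(customer_json['id'])
    expect(json_response[0]['label']).to eq(label)
    expect(json_response[0]['value']).to eq(label)
    expect(json_response[0]['role_ids']).to be_falsey
    expect(json_response[0]['roles']).to be_falsey

    # term= variant: value is the email address, and the inactive flag is included.
    get "/api/v1/users/search?term=#{query}", params: {}, as: :json
    expect(response).to have_http_status(:ok)
    expect(json_response).to be_a(Array)
    expect(json_response[0]['id']).to eq(customer_json['id'])
    expect(json_response[0]['label']).to eq(label)
    expect(json_response[0]['value']).to eq('new_customer_by_agent@example.com')
    expect(json_response[0]['inactive']).to be(false)
    expect(json_response[0]['role_ids']).to be_falsey
    expect(json_response[0]['roles']).to be_falsey

    get "/api/v1/users/search?term=#{CGI.escape('CustomerInactive')}", params: {}, as: :json
    expect(response).to have_http_status(:ok)
    expect(json_response).to be_a(Array)
    expect(json_response[0]['inactive']).to be(true)

    # Regression test for issue #2539 - search pagination broken in users_controller.rb
    # Get the total number of users N, then search with one result per page, so there should be N pages with one result each.
    get '/api/v1/users/search', params: { query: '*' }, as: :json
    total_number = json_response.count
    (1..total_number).each do |i|
      get '/api/v1/users/search', params: { query: '*', per_page: 1, page: i }, as: :json
      expect(response).to have_http_status(:ok)
      expect(json_response).to be_a(Array)
      expect(json_response.count).to eq(1), "Page #{i}/#{total_number} of the user search pagination test have the wrong result!"
    end

    # Filtering by role: the created user is a Customer, so the Agent filter finds nothing.
    agent_role = Role.find_by(name: 'Agent')
    get "/api/v1/users/search?query=#{query}&role_ids=#{agent_role.id}&label=true", params: {}, as: :json
    expect(response).to have_http_status(:ok)
    expect(json_response).to be_a(Array)
    expect(json_response.count).to eq(0)

    customer_role = Role.find_by(name: 'Customer')
    get "/api/v1/users/search?query=#{query}&role_ids=#{customer_role.id}&label=true", params: {}, as: :json
    expect(response).to have_http_status(:ok)
    expect(json_response).to be_a(Array)
    expect(json_response[0]['id']).to eq(customer_json['id'])
    expect(json_response[0]['label']).to eq(label)
    expect(json_response[0]['value']).to eq(label)
    expect(json_response[0]['role_ids']).to be_falsey
    expect(json_response[0]['roles']).to be_falsey

    # Filtering by permission behaves the same way.
    agent_permission = Permission.find_by(name: 'ticket.agent')
    get "/api/v1/users/search?query=#{query}&permissions=#{agent_permission.name}&label=true", params: {}, as: :json
    expect(response).to have_http_status(:ok)
    expect(json_response).to be_a(Array)
    expect(json_response.count).to eq(0)

    customer_permission = Permission.find_by(name: 'ticket.customer')
    get "/api/v1/users/search?query=#{query}&permissions=#{customer_permission.name}&label=true", params: {}, as: :json
    expect(response).to have_http_status(:ok)
    expect(json_response).to be_a(Array)
    expect(json_response[0]['id']).to eq(customer_json['id'])
    expect(json_response[0]['label']).to eq(label)
    expect(json_response[0]['value']).to eq(label)
    expect(json_response[0]['role_ids']).to be_falsey
    expect(json_response[0]['roles']).to be_falsey
  end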
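  it 'does user index and create with customer1' do
    authenticated_as(customer)

    get '/api/v1/users/me', params: {}, as: :json
    expect(response).to have_http_status(:ok)
    expect(json_response['email']).to eq('rest-customer1@example.com')

    # index: a customer only ever sees their own record.
    get '/api/v1/users', params: {}, as: :json
    expect(response).to have_http_status(:ok)
    expect(json_response).to be_an_instance_of(Array)
    expect(json_response.length).to eq(1)

    # show/:id: the own record is readable, another customer's is not.
    get "/api/v1/users/#{customer.id}", params: {}, as: :json
    expect(response).to have_http_status(:ok)
    expect(json_response).to be_an_instance_of(Hash)
    expect(json_response['email']).to eq('rest-customer1@example.com')

    get "/api/v1/users/#{customer2.id}", params: {}, as: :json
    expect(response).to have_http_status(:forbidden)
    expect(json_response).to be_an_instance_of(Hash)
    expect(json_response['error']).to be_truthy

    # Creating users is forbidden for a customer, whichever role is requested.
    %w[Admin Agent].each do |role_name|
      role = Role.lookup(name: role_name)
      params = {
        firstname: "#{role_name} First",
        lastname:  "#{role_name} Last",
        email:     "new_#{role_name.downcase}_by_customer1@example.com",
        role_ids:  [role.id],
      }
      post '/api/v1/users', params: params, as: :json
      expect(response).to have_http_status(:forbidden)
    end

    # The search endpoint is closed to customers as well.
    perform_enqueued_jobs
    get "/api/v1/users/search?query=#{CGI.escape('First')}", params: {}, as: :json
    expect(response).to have_http_status(:forbidden)
  end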
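  it 'does user index with customer2' do
    # Mirror of the customer1 example from the other customer's side: a
    # customer sees itself only and must not be able to read customer1.
    authenticated_as(customer2)

    get '/api/v1/users/me', params: {}, as: :json
    expect(response).to have_http_status(:ok)
    expect(json_response).to be_truthy
    expect(json_response['email']).to eq('rest-customer2@example.com')

    # index: exactly one record, and it is the caller itself
    get '/api/v1/users', params: {}, as: :json
    expect(response).to have_http_status(:ok)
    expect(json_response).to be_a(Array)
    expect(json_response.length).to eq(1)
    expect(json_response.first['id']).to eq(customer2.id)

    # show/:id: own record readable, the other customer's record forbidden
    # (IDOR check); the error body must not leak the foreign record
    get "/api/v1/users/#{customer2.id}", params: {}, as: :json
    expect(response).to have_http_status(:ok)
    expect(json_response).to be_a(Hash)
    expect(json_response['email']).to eq('rest-customer2@example.com')

    get "/api/v1/users/#{customer.id}", params: {}, as: :json
    expect(response).to have_http_status(:forbidden)
    expect(json_response).to be_a(Hash)
    expect(json_response['error']).to be_truthy
    expect(response.body).not_to include('rest-customer1@example.com')

    # search is not available to customers
    perform_enqueued_jobs
    get "/api/v1/users/search?query=#{CGI.escape('First')}", params: {}, as: :json
    expect(response).to have_http_status(:forbidden)
  end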
  it 'does users show and response format (04.01)' do
    user = create(
      :customer,
      login: 'rest-customer3@example.com',
      firstname: 'Rest',
      lastname: 'Customer3',
      email: 'rest-customer3@example.com',
      password: 'customer3pw',
      active: true,
      organization: organization,
      updated_by_id: admin.id,
      created_by_id: admin.id,
    )
    authenticated_as(admin)

    # Checks shared by every flat (non-"full") representation of the user.
    # `expanded` decides whether `organization` carries the organization name
    # or is absent. The password column must never show up in any shape.
    expect_user_record = lambda do |record, expanded|
      expect(record).to be_a(Hash)
      expect(record['id']).to eq(user.id)
      expect(record['firstname']).to eq(user.firstname)
      expect(record['organization_id']).to eq(user.organization_id)
      if expanded
        expect(record['organization']).to eq(user.organization.name)
      else
        expect(record['organization']).to be_falsey
      end
      expect(record['role_ids']).to eq(user.role_ids)
      expect(record['password']).to be_falsey
      expect(record['updated_by_id']).to eq(admin.id)
      expect(record['created_by_id']).to eq(admin.id)
    end

    # default representation
    get "/api/v1/users/#{user.id}", params: {}, as: :json
    expect(response).to have_http_status(:ok)
    expect_user_record.call(json_response, false)

    # expand=true inlines the organization name
    get "/api/v1/users/#{user.id}?expand=true", params: {}, as: :json
    expect(response).to have_http_status(:ok)
    expect_user_record.call(json_response, true)

    # expand=false behaves like the default
    get "/api/v1/users/#{user.id}?expand=false", params: {}, as: :json
    expect(response).to have_http_status(:ok)
    expect_user_record.call(json_response, false)

    # full=true answers with an asset bundle keyed by model name and id
    get "/api/v1/users/#{user.id}?full=true", params: {}, as: :json
    expect(response).to have_http_status(:ok)
    expect(json_response).to be_a(Hash)
    expect(json_response['id']).to eq(user.id)
    expect(json_response['assets']).to be_truthy
    expect(json_response['assets']['User']).to be_truthy
    asset = json_response['assets']['User'][user.id.to_s]
    expect(asset).to be_truthy
    expect(asset['id']).to eq(user.id)
    expect(asset['firstname']).to eq(user.firstname)
    expect(asset['organization_id']).to eq(user.organization_id)
    expect(asset['role_ids']).to eq(user.role_ids)

    # full=false behaves like the default
    get "/api/v1/users/#{user.id}?full=false", params: {}, as: :json
    expect(response).to have_http_status(:ok)
    expect_user_record.call(json_response, false)
  end
  it 'does user index and response format (04.02)' do
    user = create(
      :customer,
      login: 'rest-customer3@example.com',
      firstname: 'Rest',
      lastname: 'Customer3',
      email: 'rest-customer3@example.com',
      password: 'customer3pw',
      active: true,
      organization: organization,
      updated_by_id: admin.id,
      created_by_id: admin.id,
    )
    authenticated_as(admin)

    # The freshly created user is expected to be the last record of the index.
    # These checks apply to the default, expand=false and full=false shapes,
    # which must all be the compact representation (no organization name,
    # never a password).
    expect_compact_last = lambda do |records|
      expect(records).to be_a(Array)
      expect(records[0].class).to eq(Hash)
      last = records.last
      expect(last['id']).to eq(user.id)
      expect(last['lastname']).to eq(user.lastname)
      expect(last['organization']).to be_falsey
      expect(last['role_ids']).to eq(user.role_ids)
      expect(last['organization_id']).to eq(user.organization_id)
      expect(last['password']).to be_falsey
      expect(last['updated_by_id']).to eq(admin.id)
      expect(last['created_by_id']).to eq(admin.id)
    end

    get '/api/v1/users', params: {}, as: :json
    expect(response).to have_http_status(:ok)
    expect_compact_last.call(json_response)

    # expand=true renders the organization name inline
    get '/api/v1/users?expand=true', params: {}, as: :json
    expect(response).to have_http_status(:ok)
    expect(json_response).to be_a(Array)
    expect(json_response[0].class).to eq(Hash)
    expanded = json_response.last
    expect(expanded['id']).to eq(user.id)
    expect(expanded['lastname']).to eq(user.lastname)
    expect(expanded['organization_id']).to eq(user.organization_id)
    expect(expanded['organization']).to eq(user.organization.name)
    expect(expanded['password']).to be_falsey
    expect(expanded['updated_by_id']).to eq(admin.id)
    expect(expanded['created_by_id']).to eq(admin.id)

    get '/api/v1/users?expand=false', params: {}, as: :json
    expect(response).to have_http_status(:ok)
    expect_compact_last.call(json_response)

    # full=true switches to the asset-bundle shape: record_ids plus assets
    get '/api/v1/users?full=true', params: {}, as: :json
    expect(response).to have_http_status(:ok)
    expect(json_response).to be_a(Hash)
    expect(json_response['record_ids'].class).to eq(Array)
    expect(json_response['record_ids'][0]).to eq(1)
    expect(json_response['record_ids'].last).to eq(user.id)
    expect(json_response['assets']).to be_truthy
    expect(json_response['assets']['User']).to be_truthy
    asset = json_response['assets']['User'][user.id.to_s]
    expect(asset).to be_truthy
    expect(asset['id']).to eq(user.id)
    expect(asset['lastname']).to eq(user.lastname)
    expect(asset['organization_id']).to eq(user.organization_id)
    expect(asset['password']).to be_falsey

    get '/api/v1/users?full=false', params: {}, as: :json
    expect(response).to have_http_status(:ok)
    expect_compact_last.call(json_response)
  end
  it 'does ticket create and response format (04.03)' do
    # NOTE(review): despite the example title this exercises user creation
    # (POST /api/v1/users), not tickets; the title is kept so the example id
    # stays stable.
    organization = Organization.first
    params = {
      firstname: 'newfirstname123',
      note: 'some note',
      organization: organization.name,
    }
    authenticated_as(admin)

    # Checks shared by the flat (non-"full") shapes; `expanded` decides whether
    # the organization name is inlined or the key is absent.
    expect_created = lambda do |body, expanded|
      expect(body).to be_a(Hash)
      created = User.find(body['id'])
      expect(body['firstname']).to eq(created.firstname)
      expect(body['organization_id']).to eq(created.organization_id)
      if expanded
        expect(body['organization']).to eq(created.organization.name)
      else
        expect(body['organization']).to be_falsey
      end
      expect(body['password']).to be_falsey
      expect(body['updated_by_id']).to eq(admin.id)
      expect(body['created_by_id']).to eq(admin.id)
    end

    post '/api/v1/users', params: params, as: :json
    expect(response).to have_http_status(:created)
    expect_created.call(json_response, false)

    post '/api/v1/users?expand=true', params: params, as: :json
    expect(response).to have_http_status(:created)
    expect_created.call(json_response, true)

    # full=true answers with an asset bundle keyed by model name and id
    post '/api/v1/users?full=true', params: params, as: :json
    expect(response).to have_http_status(:created)
    expect(json_response).to be_a(Hash)
    created = User.find(json_response['id'])
    expect(json_response['assets']).to be_truthy
    expect(json_response['assets']['User']).to be_truthy
    asset = json_response['assets']['User'][created.id.to_s]
    expect(asset).to be_truthy
    expect(asset['id']).to eq(created.id)
    expect(asset['firstname']).to eq(created.firstname)
    expect(asset['lastname']).to eq(created.lastname)
    expect(asset['password']).to be_falsey
  end
  it 'does ticket update and response formats (04.04)' do
    # NOTE(review): the title says "ticket", but this updates a user via
    # PUT /api/v1/users/:id; the title is kept so the example id stays stable.
    user = create(
      :customer,
      login: 'rest-customer3@example.com',
      firstname: 'Rest',
      lastname: 'Customer3',
      email: 'rest-customer3@example.com',
      password: 'customer3pw',
      active: true,
      organization: organization,
      updated_by_id: admin.id,
      created_by_id: admin.id,
    )
    authenticated_as(admin)

    # Issues the update with the given query string and new first name,
    # checks the envelope and returns the stored record for comparison.
    update = lambda do |query, firstname|
      put "/api/v1/users/#{user.id}#{query}", params: { firstname: firstname }, as: :json
      expect(response).to have_http_status(:ok)
      expect(json_response).to be_a(Hash)
      User.find(json_response['id'])
    end

    # default shape
    stored = update.call('', 'a update firstname #1')
    expect(json_response['lastname']).to eq(stored.lastname)
    expect(json_response['firstname']).to eq('a update firstname #1')
    expect(json_response['organization_id']).to eq(stored.organization_id)
    expect(json_response['organization']).to be_falsey
    expect(json_response['password']).to be_falsey
    expect(json_response['updated_by_id']).to eq(admin.id)
    expect(json_response['created_by_id']).to eq(admin.id)

    # expand=true inlines the organization name
    stored = update.call('?expand=true', 'a update firstname #2')
    expect(json_response['lastname']).to eq(stored.lastname)
    expect(json_response['firstname']).to eq('a update firstname #2')
    expect(json_response['organization_id']).to eq(stored.organization_id)
    expect(json_response['organization']).to eq(stored.organization.name)
    expect(json_response['password']).to be_falsey
    expect(json_response['updated_by_id']).to eq(admin.id)
    expect(json_response['created_by_id']).to eq(admin.id)

    # full=true answers with an asset bundle keyed by model name and id
    stored = update.call('?full=true', 'a update firstname #3')
    expect(json_response['assets']).to be_truthy
    expect(json_response['assets']['User']).to be_truthy
    asset = json_response['assets']['User'][stored.id.to_s]
    expect(asset).to be_truthy
    expect(asset['id']).to eq(stored.id)
    expect(asset['firstname']).to eq('a update firstname #3')
    expect(asset['lastname']).to eq(stored.lastname)
    expect(asset['password']).to be_falsey
  end
  it 'does csv example - customer no access (05.01)' do
    # The import template is not customer-accessible: a customer is refused
    # with a plain "not authorized" error.
    authenticated_as(customer)
    get '/api/v1/users/import_example', params: {}, as: :json
    expect(response).to have_http_status(:forbidden)
    expect(json_response).to include('error' => 'Not authorized (user)!')
  end
  it 'does csv example - admin access (05.02)' do
    authenticated_as(admin)
    get '/api/v1/users/import_example', params: {}, as: :json
    expect(response).to have_http_status(:ok)

    # The body is CSV, not JSON: parse it and inspect the header row only.
    header, = CSV.parse(response.body)
    expect(header.first(5)).to eq(%w[id login firstname lastname email])
    expect(header).to include('organization')
  end
  it 'does csv import - admin access (05.03)' do
    authenticated_as(admin)

    # Uploads one fixture (multipart, hence no `as: :json`) and checks the
    # envelope every import answer carries; callers inspect json_response
    # for the details.
    upload = lambda do |fixture, try|
      csv_file = fixture_file_upload("csv_import/user/#{fixture}", 'text/csv')
      post "/api/v1/users/import#{try ? '?try=true' : ''}", params: { file: csv_file, col_sep: ';' }
      expect(response).to have_http_status(:ok)
      expect(json_response).to be_a(Hash)
      expect(json_response['try']).to be(try)
    end

    # invalid file: an unknown column is reported per line, nothing is imported
    upload.call('simple_col_not_existing.csv', true)
    expect(json_response['records']).to be_empty
    expect(json_response['result']).to eq('failed')
    expect(json_response['errors']).to eq(
      [
        "Line 1: Unable to create record - unknown attribute 'firstname2' for User.",
        "Line 2: Unable to create record - unknown attribute 'firstname2' for User.",
      ]
    )

    # valid file, dry run: records are reported but must not be persisted
    upload.call('simple.csv', true)
    expect(json_response['records'].count).to eq(2)
    expect(json_response['result']).to eq('success')
    expect(User.find_by(login: 'user-simple-import1')).to be_nil
    expect(User.find_by(login: 'user-simple-import2')).to be_nil

    # valid file, real import: both users exist with the fixture's attributes
    upload.call('simple.csv', false)
    expect(json_response['records'].count).to eq(2)
    expect(json_response['result']).to eq('success')

    expected_active = {
      'user-simple-import1' => true,
      'user-simple-import2' => false,
    }
    imported = expected_active.map do |login, active|
      record = User.find_by(login: login)
      expect(record).to be_truthy
      expect(record.login).to eq(login)
      suffix = login.delete_prefix('user-')
      expect(record.firstname).to eq("firstname-#{suffix}")
      expect(record.lastname).to eq("lastname-#{suffix}")
      expect(record.email).to eq("#{login}@example.com")
      expect(record.active).to be(active)
      record
    end
    imported.each(&:destroy!)
  end
  it 'does user history' do
    history_user = create(
      :customer,
      login: 'history@example.com',
      firstname: 'History',
      lastname: 'Customer1',
      email: 'history@example.com',
    )
    authenticated_as(agent)

    get "/api/v1/users/history/#{history_user.id}", params: {}, as: :json
    expect(response).to have_http_status(:ok)
    expect(json_response).to be_a(Hash)

    # `history` lists the change entries, `assets` carries the referenced
    # records: the user itself is present, no Ticket bundle is (none involved).
    expect(json_response['history'].class).to eq(Array)
    expect(json_response['assets'].class).to eq(Hash)
    expect(json_response['assets']['Ticket']).to be_nil
    expect(json_response.dig('assets', 'User', history_user.id.to_s)).not_to be_nil
  end
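  it 'does user search sortable' do
    # A unique first name keeps this example's records separable from
    # anything else in the search index.
    firstname = "user_search_sortable #{SecureRandom.uuid}"
    user1 = create(
      :customer,
      login: 'rest-user_search_sortableA@example.com',
      firstname: "#{firstname} A",
      lastname: 'user_search_sortableA',
      email: 'rest-user_search_sortableA@example.com',
      password: 'user_search_sortableA',
      active: true,
      organization_id: organization.id,
      out_of_office: false,
      created_at: '2016-02-05 17:42:00',
    )
    user2 = create(
      :customer,
      login: 'rest-user_search_sortableB@example.com',
      firstname: "#{firstname} B",
      lastname: 'user_search_sortableB',
      email: 'rest-user_search_sortableB@example.com',
      password: 'user_search_sortableB',
      active: true,
      organization_id: organization.id,
      out_of_office_start_at: '2016-02-06 19:42:00',
      out_of_office_end_at: '2016-02-07 19:42:00',
      out_of_office_replacement_id: 1,
      out_of_office: true,
      created_at: '2016-02-05 19:42:00',
    )
    perform_enqueued_jobs
    # NOTE(review): a fixed sleep is a flake source; if the search backend
    # exposes a refresh hook it should replace this.
    sleep 2 # let es time to come ready
    authenticated_as(admin)

    # Runs the search with the given sort parameters and returns the record
    # ids in the order the API delivered them.
    ids_sorted_by = lambda do |sort_by, order_by|
      get "/api/v1/users/search?query=#{CGI.escape(firstname)}", params: { sort_by: sort_by, order_by: order_by }, as: :json
      expect(response).to have_http_status(:ok)
      expect(json_response).to be_a(Array)
      json_response.map { |record| record['id'] }
    end

    expect(ids_sorted_by.call('created_at', 'asc')).to eq([user1.id, user2.id])
    expect(ids_sorted_by.call('firstname', 'asc')).to eq([user1.id, user2.id])
    expect(ids_sorted_by.call('firstname', 'desc')).to eq([user2.id, user1.id])
    # multi-column sort: the first column decides, the second is a tie breaker
    # (the original example issued this exact request twice; once is enough)
    expect(ids_sorted_by.call(%w[firstname created_at], %w[desc asc])).to eq([user2.id, user1.id])
    expect(ids_sorted_by.call('out_of_office', 'asc')).to eq([user1.id, user2.id])
    expect(ids_sorted_by.call('out_of_office', 'desc')).to eq([user2.id, user1.id])
    # both records share created_by_id, so created_at decides the order
    expect(ids_sorted_by.call(%w[created_by_id created_at], %w[asc asc])).to eq([user1.id, user2.id])
  end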
  context 'does password reset send work' do
    let(:user) { create(:customer, login: 'somebody', email: 'somebody@example.com') }

    # Every example fires the same request; the contexts only vary the user
    # fixture and the feature flag. No authenticated_as is set up here, so the
    # call presumably goes out unauthenticated, like a real reset request.
    def request_reset(login)
      post '/api/v1/users/password_reset', params: { username: login }, as: :json
    end

    context 'for user without email address' do
      let(:user) { create(:customer, login: 'somebody', email: '') }

      it 'return failed' do
        request_reset(user.login)
        expect(response).to have_http_status(:ok)
        expect(json_response).to be_a(Hash)
        expect(json_response['message']).to eq('failed')
      end
    end

    context 'for user with email address' do
      it 'return ok' do
        request_reset(user.login)
        expect(response).to have_http_status(:ok)
        expect(json_response).to be_a(Hash)
        expect(json_response['message']).to eq('ok')
      end
    end

    # NOTE(review): the 'failed' vs 'ok' messages above are distinguishable by
    # the caller, so the endpoint reveals whether a login belongs to an account
    # with a mail address (account enumeration). Confirm this is intended
    # before treating these examples as the contract.

    context 'for user with email address but disabled feature' do
      before { Setting.set('user_lost_password', false) }

      it 'raise 422' do
        request_reset(user.login)
        expect(response).to have_http_status(:unprocessable_entity)
        expect(json_response['error']).to eq('Feature not enabled!')
      end
    end
  end
  context 'does password reset by token work' do
    let(:user)  { create(:customer, login: 'somebody', email: 'somebody@example.com') }
    let(:token) { create(:token, action: 'PasswordReset', user_id: user.id) }

    # Redeems the PasswordReset token of the current `user` with the given
    # new password.
    def verify_reset(new_password)
      post '/api/v1/users/password_reset_verify', params: { username: user.login, token: token.token, password: new_password }, as: :json
    end

    context 'for user without email address' do
      let(:user) { create(:customer, login: 'somebody', email: '') }

      it 'return failed' do
        verify_reset('Test1234#.')
        expect(response).to have_http_status(:ok)
        expect(json_response).to be_a(Hash)
        expect(json_response['message']).to eq('failed')
      end
    end

    context 'for user with email address' do
      # NOTE(review): only the message is checked here; whether the token is
      # invalidated after use and whether the stored hash really changed is
      # not asserted - TODO confirm and cover.
      it 'return ok' do
        verify_reset('TEst1234#.')
        expect(response).to have_http_status(:ok)
        expect(json_response).to be_a(Hash)
        expect(json_response['message']).to eq('ok')
      end
    end

    context 'for user with email address but disabled feature' do
      before { Setting.set('user_lost_password', false) }

      it 'raise 422' do
        verify_reset('Test1234#.')
        expect(response).to have_http_status(:unprocessable_entity)
        expect(json_response['error']).to eq('Feature not enabled!')
      end
    end
  end
  context 'password change' do
    let(:user) { create(:customer, login: 'somebody', email: 'somebody@example.com', password: 'Test1234#.') }

    # Changing one's own password is a session-bound operation: log in as the
    # fixture user with the known current password before each example.
    before { authenticated_as(user, login: 'somebody', password: 'Test1234#.') }

    def change_password(old_password, new_password)
      post '/api/v1/users/password_change', params: { password_old: old_password, password_new: new_password }, as: :json
    end

    # Both fixtures must succeed: an e-mail address is not required to change
    # one's own password.
    context 'user without email address' do
      let(:user) { create(:customer, login: 'somebody', email: '', password: 'Test1234#.') }

      it 'return ok' do
        change_password('Test1234#.', 'TEst12345#.')
        expect(response).to have_http_status(:ok)
        expect(json_response).to be_a(Hash)
        expect(json_response['message']).to eq('ok')
      end
    end

    context 'user with email address' do
      it 'return ok' do
        change_password('Test1234#.', 'TEst12345#.')
        expect(response).to have_http_status(:ok)
        expect(json_response).to be_a(Hash)
        expect(json_response['message']).to eq('ok')
      end
    end
  end
  context 'ultra long password', authenticated_as: :user do
    let(:user) { create(:agent, :with_valid_password) }

    # A valid-looking prefix followed by ~1000 filler characters: the point is
    # that an oversized candidate is rejected before any password hashing runs
    # (presumably to cap the cost of hashing caller-controlled input - confirm).
    let(:oversized_password) { "asd1ASDasd!#{Faker::Lorem.characters(number: 1_000)}" }

    def change_password(old_password, new_password)
      post '/api/v1/users/password_change', params: { password_old: old_password, password_new: new_password }, as: :json
    end

    it 'does not reach verifying when old password is too long' do
      allow(PasswordHash).to receive(:verified?).and_call_original
      change_password(oversized_password, oversized_password)
      # verified? must never see the oversized candidate as the password argument
      expect(PasswordHash).not_to have_received(:verified?).with(any_args, oversized_password)
      expect(response).to have_http_status(:unprocessable_entity)
      expect(json_response['message']).to eq('failed')
    end

    it 'does not reach hashing when saving' do
      allow(PasswordHash).to receive(:crypt).and_call_original
      change_password(user.password_plain, oversized_password)
      # a correct old password does not help: the new one is refused unhashed
      expect(PasswordHash).not_to have_received(:crypt)
      expect(response).to have_http_status(:unprocessable_entity)
      expect(json_response['message']).to eq('failed')
    end
  end
  1041. end
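  describe 'POST /api/v1/users', authenticated_as: -> { create(:admin) } do
    def make_request(params)
      post '/api/v1/users', params: params, as: :json
    end

    # Resolves the account created by the request under test by its e-mail
    # instead of trusting `User.last`: when the request is refused nothing is
    # created and `User.last` would silently be some other fixture user (for
    # the agent example, the agent itself), making the role assertions pass
    # vacuously.
    def created_user
      User.find_by(email: successful_params[:email])
    end

    let(:successful_params)  { { email: attributes_for(:admin)[:email] } }
    let(:params_with_role)   { successful_params.merge({ role_ids: [Role.find_by(name: 'Admin').id] }) }
    let(:params_with_invite) { successful_params.merge({ invite: true }) }

    it 'succeeds' do
      make_request successful_params
      expect(response).to have_http_status(:created)
    end

    it 'returns user data' do
      make_request successful_params
      expect(json_response).to have_key('email').and(have_value(successful_params[:email]))
    end

    # Without a session the same endpoint is the self-signup path, which
    # rejects a request that is not a complete signup.
    it 'no session treated as signup', authenticated_as: false do
      make_request successful_params
      expect(response).to have_http_status(:unprocessable_entity)
    end

    it 'does not accept requests from customers', authenticated_as: -> { create(:customer) } do
      make_request successful_params
      expect(response).to have_http_status(:forbidden)
      expect(created_user).to be_nil
    end

    it 'admins can give any role', authenticated_as: -> { create(:admin) } do
      make_request params_with_role
      expect(response).to have_http_status(:created)
      expect(created_user).to be_role 'Admin'
    end

    # Role assignment is the privilege-escalation vector here: an agent may
    # create the account, but the requested Admin role must be dropped.
    it 'agents can not give roles', authenticated_as: -> { create(:agent) } do
      make_request params_with_role
      expect(created_user).not_to be_nil
      expect(created_user).not_to be_role 'Admin'
    end

    it 'does not send email verification notifications' do
      allow(NotificationFactory::Mailer).to receive(:notification)
      make_request successful_params
      expect(NotificationFactory::Mailer).not_to have_received(:notification) { |arguments| arguments[:template] == 'signup' }
    end

    it 'does not send invitation notification by default' do
      allow(NotificationFactory::Mailer).to receive(:notification)
      make_request successful_params
      expect(NotificationFactory::Mailer).not_to have_received(:notification) { |arguments| arguments[:template] == 'user_invite' }
    end

    it 'sends invitation notification when required' do
      allow(NotificationFactory::Mailer).to receive(:notification)
      make_request params_with_invite
      expect(NotificationFactory::Mailer).to have_received(:notification) { |arguments| arguments[:template] == 'user_invite' }
    end

    # An account needs something to identify it by: one of first name, last
    # name, login or e-mail. A bare `web` attribute is not enough.
    it 'requires at least one identifier' do
      make_request({ web: 'example.com' })
      expect(json_response['error']).to start_with('At least one identifier')
    end

    it 'takes first name as identifier' do
      make_request({ firstname: 'name' })
      expect(response).to have_http_status(:created)
    end

    it 'takes last name as identifier' do
      make_request({ lastname: 'name' })
      expect(response).to have_http_status(:created)
    end

    it 'takes login as identifier' do
      make_request({ login: 'name' })
      expect(response).to have_http_status(:created)
    end

    it 'requires valid email if present' do
      make_request({ email: 'not_valid_email' })
      expect(response).to have_http_status(:unprocessable_entity)
      expect(User.find_by(email: 'not_valid_email')).to be_nil
    end
  end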
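  describe 'POST /api/v1/users processed by #create_admin', authenticated_as: false do
    # The "first admin" bootstrap path only applies to a fresh instance, so
    # every user except the first two records (presumably the seeded system
    # accounts - confirm) is removed before each example.
    before do
      User.all[2...].each(&:destroy) # destroy previously created users
    end

    def make_request(params)
      post '/api/v1/users', params: params, as: :json
    end

    let(:successful_params) do
      email = attributes_for(:admin)[:email]
      { firstname: 'Admin First', lastname: 'Admin Last', email: email, password: 'asd1ASDasd!' }
    end

    it 'succeeds' do
      make_request successful_params
      expect(response).to have_http_status(:created)
    end

    it 'returns success message' do
      make_request successful_params
      expect(json_response).to have_key('message').and(have_value('ok'))
    end

    # Once an admin exists the unauthenticated bootstrap path must be closed:
    # the request is rejected and - the part that matters for security - no
    # account is written at all.
    it 'does not allow to create 2nd administrator account' do
      create(:admin)
      make_request successful_params
      expect(response).to have_http_status(:unprocessable_entity)
      expect(User.find_by(email: successful_params[:email])).to be_nil
    end

    it 'requires email' do
      make_request successful_params.merge(email: nil)
      expect(response).to have_http_status(:unprocessable_entity)
    end

    it 'requires valid email' do
      make_request successful_params.merge(email: 'invalid_email')
      expect(response).to have_http_status(:unprocessable_entity)
      expect(User.find_by(email: 'invalid_email')).to be_nil
    end

    it 'loads calendar' do
      allow(Calendar).to receive(:init_setup)
      make_request successful_params
      expect(Calendar).to have_received(:init_setup)
    end

    it 'loads text module' do
      allow(TextModule).to receive(:load)
      make_request successful_params
      expect(TextModule).to have_received(:load)
    end

    it 'does not send any notifications' do
      allow(NotificationFactory::Mailer).to receive(:notification)
      make_request successful_params
      expect(NotificationFactory::Mailer).not_to have_received(:notification)
    end
  end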
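describe 'POST /api/v1/users processed by #create_signup', authenticated_as: false do
  # Unauthenticated JSON POST; the `signup: true` flag in the params routes the
  # request to the public self-registration path.
  def make_request(params)
    post '/api/v1/users', params: params, as: :json
  end

  let(:successful_params) do
    email = attributes_for(:admin)[:email]
    { firstname: 'Customer First', lastname: 'Customer Last', email: email, password: 'gsd1ASDasd!', signup: true }
  end

  before do
    create(:admin) # simulate functional system with admin created
  end

  it 'succeeds' do
    make_request successful_params
    expect(response).to have_http_status(:created)
  end

  # Self-registration is reachable without a session, but it still has to carry
  # a CSRF token when forgery protection is enabled.
  it 'requires csrf', allow_forgery_protection: true do
    make_request successful_params
    expect(response).to have_http_status(:unauthorized)
  end

  it 'requires honeypot attribute' do
    params = successful_params.clone
    params.delete :signup
    make_request params
    expect(response).to have_http_status(:unprocessable_entity)
  end

  it 'requires signup to be enabled' do
    Setting.set('user_create_account', false)
    make_request successful_params
    expect(response).to have_http_status(:unprocessable_entity)
  end

  it 'requires email' do
    make_request successful_params.merge(email: nil)
    expect(response).to have_http_status(:unprocessable_entity)
  end

  it 'requires valid email' do
    make_request successful_params.merge(email: 'not_valid_email')
    expect(response).to have_http_status(:unprocessable_entity)
  end

  # A signup for an address that is already registered is answered with 201 as
  # well -- presumably so the response cannot be used to enumerate existing
  # accounts. The account owner is notified instead (see
  # 'sends password reset notification when email already used').
  it 'returns false positive when email already used' do
    create(:customer, email: successful_params[:email])
    make_request successful_params
    expect(response).to have_http_status(:created)
  end

  # rspec-mocks ignores the return value of a block passed to have_received, so
  # `{ |arguments| arguments[:template] == 'signup' }` did not restrict the
  # assertion to that template -- any notification satisfied it. Constrain the
  # arguments with `.with(hash_including(...))` instead.
  it 'sends email verification notifications' do
    allow(NotificationFactory::Mailer).to receive(:notification)
    make_request successful_params
    expect(NotificationFactory::Mailer).to have_received(:notification).with(hash_including(template: 'signup'))
  end

  it 'sends password reset notification when email already used' do
    create(:customer, email: successful_params[:email])
    allow(NotificationFactory::Mailer).to receive(:notification)
    make_request successful_params
    expect(NotificationFactory::Mailer).to have_received(:notification).with(hash_including(template: 'signup_taken_reset'))
  end

  it 'sets role to Customer' do
    make_request successful_params
    expect(User.last).to be_role('Customer')
  end

  # Client-supplied role_ids must be ignored on the public signup path;
  # honouring them would turn self-registration into privilege escalation.
  # Covered for both elevated roles, not just Agent.
  it 'ignores given Agent role' do
    make_request successful_params.merge(role_ids: [Role.find_by(name: 'Agent').id])
    expect(User.last).not_to be_role('Agent')
  end

  it 'ignores given Admin role' do
    make_request successful_params.merge(role_ids: [Role.find_by(name: 'Admin').id])
    expect(User.last).not_to be_role('Admin')
  end
end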
describe 'GET /api/v1/users/search group ids' do
  let(:group1) { create(:group) }
  let(:group2) { create(:group) }
  let!(:agent1) { create(:agent, firstname: '9U7Z-agent1', groups: [group1]) }
  let!(:agent2) { create(:agent, firstname: '9U7Z-agent2', groups: [group2]) }

  # Runs the user search authenticated as agent1 (member of group1 only).
  def make_request(params)
    authenticated_as(agent1)
    get '/api/v1/users/search', params: params, as: :json
  end

  # Identical expectations for the DB-backed and the Elasticsearch-backed
  # search: `group_ids` narrows the hits to members of the given groups.
  shared_examples 'filters by group ids' do
    it 'does find both users' do
      make_request(query: '9U7Z')
      expect(json_response.count).to eq(2)
    end

    it 'does find only agent 1' do
      make_request(query: '9U7Z', group_ids: { group1.id => 'read' })
      expect(json_response.count).to eq(1)
      expect(json_response.first['firstname']).to eq(agent1.firstname)
    end

    it 'does find only agent 2' do
      make_request(query: '9U7Z', group_ids: { group2.id => 'read' })
      expect(json_response.count).to eq(1)
      expect(json_response.first['firstname']).to eq(agent2.firstname)
    end

    it 'does find none' do
      make_request(query: '9U7Z', group_ids: { 999 => 'read' })
      expect(json_response.count).to eq(0)
    end

    # User id 1 (presumably the seeded system account) must never be listed.
    it 'does not list user with id 1' do
      make_request(query: '')
      expect(json_response.pluck('id')).not_to include(1)
    end
  end

  describe 'without searchindex' do
    before { Setting.set('es_url', nil) }

    include_examples 'filters by group ids'
  end

  describe 'with searchindex', searchindex: true do
    before { searchindex_model_reload([User]) }

    include_examples 'filters by group ids'
  end
end
describe 'GET /api/v1/users/search, checks ES Usage', authenticated_as: :agent, searchindex: true do
  let!(:agent) { create(:agent) }

  def make_request(params)
    get '/api/v1/users/search', params: params, as: :json
  end

  before do
    # create some users that can be found
    create(:agent, firstname: 'Test-Agent1')
    create(:agent, firstname: 'Test-Agent2')
    searchindex_model_reload([User])

    # Stub the backend so the examples can observe whether it was consulted.
    allow(SearchIndexBackend).to receive(:search)
  end

  it 'uses elasticsearch when query is non empty' do
    make_request(query: 'Test')
    expect(SearchIndexBackend).to have_received(:search)
  end

  # An empty query is answered without going to Elasticsearch.
  it 'does not uses elasticsearch when query is empty' do
    make_request(query: '')
    expect(SearchIndexBackend).not_to have_received(:search)
  end
end
describe 'POST /api/v1/users/avatar', authenticated_as: :user do
  let(:user) { create(:user) }
  # Tiny PNG as a data URL -- the accepted avatar payload.
  let(:base64) { 'data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAUAAAAFCAYAAACNbyblAAAAHElEQVQI12P4//8/w38GIAXDIBKE0DHxgljNBAAO9TXL0Y4OHwAAAABJRU5ErkJggg==' }
  # Same bytes declared as SVG; SVG is not an allowed avatar MIME type.
  let(:svg_base64) { 'data:image/svg+xml;base64,iVBORw0KGgoAAAANSUhEUgAAAAUAAAAFCAYAAACNbyblAAAAHElEQVQI12P4//8/w38GIAXDIBKE0DHxgljNBAAO9TXL0Y4OHwAAAABJRU5ErkJggg==' }

  def make_request(params)
    post '/api/v1/users/avatar', params: params, as: :json
  end

  it 'returns verbose error when full image is missing' do
    make_request(avatar_full: '')
    expect(json_response).to include('error' => 'The image is invalid.')
  end

  it 'returns verbose error when resized image is missing' do
    make_request(avatar_full: base64)
    expect(json_response).to include('error' => 'The image is invalid.')
  end

  it 'successfully changes avatar' do
    expect { make_request(avatar_full: base64, avatar_resize: base64) }
      .to change { Avatar.list('User', user.id) }
  end

  context 'with a not allowed mime-type' do
    let(:base64) { svg_base64 }

    it 'returns verbose error for a not allowed mime-type' do
      make_request(avatar_full: base64)
      expect(json_response).to include('error' => 'The MIME type of the image is invalid.')
    end
  end

  # The resized variant is validated independently of the full image.
  context 'with a not allowed resized image mime-type' do
    it 'returns verbose error for a not allowed mime-type' do
      make_request(avatar_full: base64, avatar_resize: svg_base64)
      expect(json_response).to include('error' => 'The MIME type of the image is invalid.')
    end
  end
end
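describe 'GET /api/v1/users/image/:hash', authenticated_as: :user do
  let(:user) { create(:user) }
  let(:avatar_mime_type) { 'image/png' }

  # Stores a web-sourced avatar for `user` with the MIME type under test.
  # File.binread reads and closes the fixture in one step; the previous
  # File.open/read left the file handle open until garbage collection.
  let(:avatar) do
    Avatar.add(
      object:        'User',
      o_id:          user.id,
      default:       true,
      resize:        {
        content:   File.binread('test/data/image/1000x1000.png'),
        mime_type: avatar_mime_type,
      },
      source:        'web',
      deletable:     true,
      updated_by_id: 1,
      created_by_id: 1,
    )
  end
  let(:avatar_content) { Avatar.get_by_hash(avatar.store_hash).content }

  before do
    user.update!(image: avatar.store_hash)
  end

  def make_request(image_hash, params: {})
    get "/api/v1/users/image/#{image_hash}", params: params, as: :json
  end

  it 'returns the image with caching headers', :aggregate_failures do
    make_request(avatar.store_hash)
    expect(response.body).to eq(avatar_content)
    # Anchor with \A/\z: ^ and $ only match line boundaries and would still
    # accept a header value with further lines appended.
    expect(response.headers['Cache-Control']).to match(/\Amax-age=\d{9,}, private, must-revalidate\z/)
  end

  # A stored avatar whose MIME type must not be served inline (SVG can carry
  # script) is replaced by the default image instead of being delivered.
  context 'with a not allowed inline mime-type' do
    let(:avatar_mime_type) { 'image/svg+xml' }

    it 'returns the default image' do
      make_request(avatar.store_hash)
      expect(response.headers['Content-Type']).to include('image/gif')
    end
  end
end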
describe 'GET /api/v1/users/search, checks usage of the ids parameter', authenticated_as: :agent do
  let(:agent) { create(:agent) }
  let!(:search_agents) { create_list(:agent, 3, firstname: 'Nick') }

  # Searching with `ids` restricts the hits to exactly those users, returned
  # in created_at order, whichever backend answers the query.
  shared_examples 'ids requests' do
    before do
      post '/api/v1/users/search', params: { query: 'Nick', ids: search_ids, sort_by: ['created_at'], order_by: ['ASC'] }, as: :json
    end

    context 'when searching for first two agents' do
      let(:search_ids) { search_agents.first(2).map(&:id) }

      it 'returns only agents matching search parameter ids' do
        expect(json_response.pluck('id')).to eq(search_ids)
      end
    end

    context 'when searching for last two agents' do
      let(:search_ids) { search_agents.last(2).map(&:id) }

      it 'returns only agents matching search parameter ids' do
        expect(json_response.pluck('id')).to eq(search_ids)
      end
    end
  end

  context 'with elasticsearch', searchindex: true do
    before { searchindex_model_reload([User]) }

    include_examples 'ids requests'
  end

  context 'without elasticsearch' do
    before { Setting.set('es_url', nil) }

    include_examples 'ids requests'
  end
end
describe 'PUT /api/v1/users/{id}', authenticated_as: :admin do
  let(:admin) { create(:admin) }
  let(:agent) { create(:agent) }

  context 'with secondary organizations' do
    let(:primary_org) { create(:organization) }
    let(:secondary_org) { create(:organization) }

    # Updates `agent` as the authenticated admin.
    def update_agent(params)
      put "/api/v1/users/#{agent.id}", params: params, as: :json
    end

    context 'with primary organization' do
      it 'succeeds' do
        update_agent(organization_id: primary_org.id, organization_ids: [secondary_org.id])
        expect(response).to have_http_status(:success)
      end
    end

    # Secondary organizations are only accepted alongside a primary one.
    context 'without primary organization' do
      it 'fails with validation error' do
        update_agent(organization_ids: [secondary_org.id])
        expect(response).to have_http_status(:unprocessable_entity)
      end
    end
  end
end
describe 'PUT /api/v1/users/unlock/{id}' do
  let(:admin) { create(:admin) }
  let(:agent) { create(:agent) }
  # Customer with a non-zero failed-login counter, i.e. the state unlock resets.
  let(:customer) { create(:customer, login_failed: 2) }

  def unlock(id)
    put "/api/v1/users/unlock/#{id}", params: {}, as: :json
  end

  context 'with authenticated admin user', authenticated_as: :admin do
    it 'returns success' do
      unlock(customer.id)
      expect(response).to have_http_status(:ok)
    end

    it 'check that login failed was reseted' do
      expect { unlock(customer.id) }.to change { customer.reload.login_failed }.from(2).to(0)
    end

    it 'fail with not existing user id' do
      unlock(99_999)
      expect(response).to have_http_status(:not_found)
    end
  end

  # Unlocking is admin-only: an agent is refused and the counter stays as is.
  context 'with authenticated agent user', authenticated_as: :agent do
    it 'fail without admin permission' do
      unlock(customer.id)
      expect(response).to have_http_status(:forbidden)
    end

    it 'check that login failed was not changed' do
      expect { unlock(customer.id) }.not_to change { customer.reload.login_failed }
    end
  end
end
describe 'POST /api/v1/preferences_notifications_reset', authenticated_as: :agent do
  let(:agent) { create(:agent) }

  def reset_notification_preferences
    post '/api/v1/users/preferences_notifications_reset', as: :json
  end

  it 'return ok' do
    reset_notification_preferences
    expect(response).to have_http_status(:ok)
    expect(json_response).to include('message' => 'ok')
  end

  # The reset is applied to the authenticated user (the agent).
  it 'calls notification reset method' do
    allow(User).to receive(:reset_notifications_preferences!)
    reset_notification_preferences
    expect(User).to have_received(:reset_notifications_preferences!).with(agent)
  end
end
  1481. end