- # frozen_string_literal: true
-
- # Redmine - project management software
- # Copyright (C) 2006-2023 Jean-Philippe Lang
- #
- # This program is free software; you can redistribute it and/or
- # modify it under the terms of the GNU General Public License
- # as published by the Free Software Foundation; either version 2
- # of the License, or (at your option) any later version.
- #
- # This program is distributed in the hope that it will be useful,
- # but WITHOUT ANY WARRANTY; without even the implied warranty of
- # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- # GNU General Public License for more details.
- #
- # You should have received a copy of the GNU General Public License
- # along with this program; if not, write to the Free Software
- # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-
- require_relative '../../test_helper'
-
- class Redmine::ApiTest::UsersTest < Redmine::ApiTest::Base
- fixtures :users, :email_addresses, :members, :member_roles, :roles, :projects
-
- test "GET /users.xml should return users" do
- users = User.active.order('login')
- users.last.update(twofa_scheme: 'totp')
- Redmine::Configuration.with 'avatar_server_url' => 'https://gravatar.com' do
- with_settings :gravatar_enabled => '1', :gravatar_default => 'mm' do
- get '/users.xml', :headers => credentials('admin')
- end
- end
-
- assert_response :success
- assert_equal 'application/xml', response.media_type
- assert_select 'users' do
- assert_select 'user', :count => users.size do |nodeset|
- nodeset.zip(users) do |user_element, user|
- assert_select user_element, 'id', :text => user.id.to_s
- assert_select user_element, 'updated_on', :text => user.updated_on.iso8601
- assert_select user_element, 'twofa_scheme', :text => user.twofa_scheme.to_s
-
- # No one has changed password.
- assert_select user_element, 'passwd_changed_on', :text => ''
- assert_select user_element, 'avatar_url', :text => %r|\Ahttps://gravatar.com/avatar/\h{32}\?default=mm|
-
- if user == users.last
- assert_select user_element, 'twofa_scheme', :text => 'totp'
- else
- assert_select user_element, 'twofa_scheme', :text => ''
- end
- end
- end
- end
- end
-
- test "GET /users.json should return users" do
- users = User.active.order('login')
- users.last.update(twofa_scheme: 'totp')
- get '/users.json', :headers => credentials('admin')
-
- assert_response :success
- assert_equal 'application/json', response.media_type
- json = ActiveSupport::JSON.decode(response.body)
- assert json.key?('users')
-
- users = User.active.order('login')
- assert_equal users.size, json['users'].size
-
- json['users'].zip(users) do |user_json, user|
- assert_equal user.id, user_json['id']
- assert_equal user.updated_on.iso8601, user_json['updated_on']
- assert_equal user.status, user_json['status']
-
- # No one has changed password.
- assert_nil user_json['passwd_changed_on']
-
- if user == users.last
- assert_equal 'totp', user_json['twofa_scheme']
- else
- assert_nil user_json['twofa_scheme']
- end
- end
- end
-
- test "GET /users.json with legacy filter params" do
- get '/users.json', headers: credentials('admin'), params: { status: 3 }
- assert_response :success
- json = ActiveSupport::JSON.decode(response.body)
- assert json.key?('users')
- users = User.where(status: 3)
- assert_equal users.size, json['users'].size
-
- get '/users.json', headers: credentials('admin'), params: { status: '*' }
- assert_response :success
- json = ActiveSupport::JSON.decode(response.body)
- assert json.key?('users')
- users = User.logged
- assert_equal users.size, json['users'].size
-
- get '/users.json', headers: credentials('admin'), params: { name: 'jsmith' }
- assert_response :success
- json = ActiveSupport::JSON.decode(response.body)
- assert json.key?('users')
- assert_equal 1, json['users'].size
- assert_equal 2, json['users'][0]['id']
-
- get '/users.json', headers: credentials('admin'), params: { group_id: '10' }
- assert_response :success
- json = ActiveSupport::JSON.decode(response.body)
- assert json.key?('users')
- assert_equal 1, json['users'].size
- assert_equal 8, json['users'][0]['id']
-
- # there should be an implicit filter for status = 1
- User.where(id: [2, 8]).update_all status: 3
-
- get '/users.json', headers: credentials('admin'), params: { name: 'jsmith' }
- assert_response :success
- json = ActiveSupport::JSON.decode(response.body)
- assert json.key?('users')
- assert_equal 0, json['users'].size
-
- get '/users.json', headers: credentials('admin'), params: { group_id: '10' }
- assert_response :success
- json = ActiveSupport::JSON.decode(response.body)
- assert json.key?('users')
- assert_equal 0, json['users'].size
- end
-
- test "GET /users.json with include=auth_source" do
- user = User.find(2)
- user.update(:auth_source_id => 1)
- get '/users.json?include=auth_source', :headers => credentials('admin')
-
- json = ActiveSupport::JSON.decode(response.body)
- assert json.key?('users')
-
- json['users'].each do |user_json|
- if user_json['id'] == user.id
- assert_kind_of Hash, user_json['auth_source']
- assert_equal user.auth_source.id, user_json['auth_source']['id']
- assert_equal user.auth_source.name, user_json['auth_source']['name']
- else
- assert_nil user_json['auth_source']
- end
- end
- end
-
- test "GET /users.json with short filters" do
- get '/users.json', headers: credentials('admin'), params: { status: "1|3" }
- assert_response :success
- json = ActiveSupport::JSON.decode(response.body)
- assert json.key?('users')
- users = User.where(status: [1, 3])
- assert_equal users.size, json['users'].size
- end
-
- test "GET /users/:id.xml should return the user" do
- Redmine::Configuration.with 'avatar_server_url' => 'https://gravatar.com' do
- with_settings :gravatar_enabled => '1', :gravatar_default => 'robohash' do
- get '/users/2.xml'
- end
- end
-
- assert_response :success
- assert_select 'user id', :text => '2'
- assert_select 'user updated_on', :text => Time.zone.parse('2006-07-19T20:42:15Z').iso8601
- assert_select 'user passwd_changed_on', :text => ''
- assert_select 'user avatar_url', :text => %r|\Ahttps://gravatar.com/avatar/\h{32}\?default=robohash|
- end
-
- test "GET /users/:id.xml should not return avatar_url when not set email address" do
- user = User.find(2)
- user.email_addresses.delete_all
- assert_equal 'jsmith', user.login
- assert_nil user.mail
-
- Redmine::Configuration.with 'avatar_server_url' => 'https://gravatar.com' do
- with_settings :gravatar_enabled => '1', :gravatar_default => 'robohash' do
- get '/users/2.xml'
- end
- end
-
- assert_response :success
- assert_select 'user id', :text => '2'
- assert_select 'user login', :text => 'jsmith'
- assert_select 'user avatar_url', :count => 0
- end
-
- test "GET /users/:id.json should return the user" do
- get '/users/2.json'
-
- assert_response :success
- json = ActiveSupport::JSON.decode(response.body)
- assert_kind_of Hash, json
- assert_kind_of Hash, json['user']
- assert_equal 2, json['user']['id']
- assert_equal Time.zone.parse('2006-07-19T20:42:15Z').iso8601, json['user']['updated_on']
- assert_nil json['user']['passwd_changed_on']
- assert_nil json['user']['twofa_scheme']
- assert_nil json['user']['auth_source']
- end
-
- test "GET /users/:id.xml with include=memberships should include memberships" do
- get '/users/2.xml?include=memberships'
-
- assert_response :success
- assert_select 'user memberships', 1
- end
-
- test "GET /users/:id.json with include=memberships should include memberships" do
- get '/users/2.json?include=memberships'
-
- assert_response :success
- json = ActiveSupport::JSON.decode(response.body)
- assert_kind_of Array, json['user']['memberships']
- assert_equal [{
- "id"=>1,
- "project"=>{"name"=>"eCookbook", "id"=>1},
- "roles"=>[{"name"=>"Manager", "id"=>1}]
- }], json['user']['memberships']
- end
-
- test "GET /users/:id.json with include=auth_source should include auth_source for administrators" do
- user = User.find(2)
- user.update(:auth_source_id => 1)
- get '/users/2.json?include=auth_source', :headers => credentials('admin')
-
- assert_response :success
- json = ActiveSupport::JSON.decode(response.body)
-
- assert_equal user.auth_source.id, json['user']['auth_source']['id']
- assert_equal user.auth_source.name, json['user']['auth_source']['name']
- end
-
- test "GET /users/:id.json without include=auth_source should not include auth_source" do
- user = User.find(2)
- user.update(:auth_source_id => 1)
- get '/users/2.json', :headers => credentials('admin')
-
- assert_response :success
- json = ActiveSupport::JSON.decode(response.body)
-
- assert_response :success
- assert_nil json['user']['auth_source']
- end
-
- test "GET /users/:id.json should not include auth_source for standard user" do
- user = User.find(2)
- user.update(:auth_source_id => 1)
- get '/users/2.json?include=auth_source', :headers => credentials('jsmith')
-
- assert_response :success
- json = ActiveSupport::JSON.decode(response.body)
-
- assert_equal user.id, json['user']['id']
- assert_nil json['user']['auth_source']
- end
-
- test "GET /users/current.xml should require authentication" do
- get '/users/current.xml'
-
- assert_response 401
- end
-
- test "GET /users/current.xml should return current user" do
- get '/users/current.xml', :headers => credentials('jsmith')
-
- assert_select 'user id', :text => '2'
- end
-
- test "GET /users/:id should return login for visible user" do
- get '/users/3.xml', :headers => credentials('jsmith')
- assert_response :success
- assert_select 'user login', :text => 'dlopper'
- end
-
- test "GET /users/:id should not return api_key for other user" do
- get '/users/3.xml', :headers => credentials('jsmith')
- assert_response :success
- assert_select 'user api_key', 0
- end
-
- test "GET /users/:id should return api_key for current user" do
- get '/users/2.xml', :headers => credentials('jsmith')
- assert_response :success
- assert_select 'user api_key', :text => User.find(2).api_key
- end
-
- test "GET /users/:id should not return status for standard user" do
- get '/users/3.xml', :headers => credentials('jsmith')
- assert_response :success
- assert_select 'user status', 0
- end
-
- test "GET /users/:id should return status for administrators" do
- get '/users/2.xml', :headers => credentials('admin')
- assert_response :success
- assert_select 'user status', :text => User.find(2).status.to_s
- end
-
- test "GET /users/:id should return admin status for current user" do
- get '/users/2.xml', :headers => credentials('jsmith')
- assert_response :success
- assert_select 'user admin', :text => 'false'
- end
-
- test "GET /users/:id should not return admin status for other user" do
- get '/users/3.xml', :headers => credentials('jsmith')
- assert_response :success
- assert_select 'user admin', 0
- end
-
- test "GET /users/:id should not return twofa_scheme for standard user" do
- # User and password authentication is disabled when twofa is enabled
- # Use token authentication
- user = User.find(2)
- token = Token.create!(:user => user, :action => 'api')
- user.update(twofa_scheme: 'totp')
-
- get '/users/3.xml', :headers => credentials(token.value, 'X')
- assert_response :success
- assert_select 'twofa_scheme', 0
- end
-
- test "GET /users/:id should return twofa_scheme for administrators" do
- User.find(2).update(twofa_scheme: 'totp')
- get '/users/2.xml', :headers => credentials('admin')
- assert_response :success
- assert_select 'twofa_scheme', :text => 'totp'
- end
-
- test "POST /users.xml with valid parameters should create the user" do
- assert_difference('User.count') do
- post(
- '/users.xml',
- :params => {
- :user => {
- :login => 'foo', :firstname => 'Firstname', :lastname => 'Lastname',
- :mail => 'foo@example.net', :password => 'secret123',
- :mail_notification => 'only_assigned'
- }
- },
- :headers => credentials('admin'))
- end
-
- user = User.order('id DESC').first
- assert_equal 'foo', user.login
- assert_equal 'Firstname', user.firstname
- assert_equal 'Lastname', user.lastname
- assert_equal 'foo@example.net', user.mail
- assert_equal 'only_assigned', user.mail_notification
- assert !user.admin?
- assert user.check_password?('secret123')
-
- assert_response :created
- assert_equal 'application/xml', @response.media_type
- assert_select 'user id', :text => user.id.to_s
- end
-
- test "POST /users.xml with generate_password should generate password" do
- assert_difference('User.count') do
- post(
- '/users.xml',
- :params => {
- :user => {
- :login => 'foo', :firstname => 'Firstname', :lastname => 'Lastname',
- :mail => 'foo@example.net', :generate_password => 'true'
- }
- },
- :headers => credentials('admin'))
- end
-
- user = User.order('id DESC').first
- assert user.hashed_password.present?
- end
-
- test "POST /users.json with valid parameters should create the user" do
- assert_difference('User.count') do
- post(
- '/users.json',
- :params => {
- :user => {
- :login => 'foo', :firstname => 'Firstname', :lastname => 'Lastname',
- :mail => 'foo@example.net', :password => 'secret123',
- :mail_notification => 'only_assigned'
- }
- },
- :headers => credentials('admin'))
- end
-
- user = User.order('id DESC').first
- assert_equal 'foo', user.login
- assert_equal 'Firstname', user.firstname
- assert_equal 'Lastname', user.lastname
- assert_equal 'foo@example.net', user.mail
- assert !user.admin?
-
- assert_response :created
- assert_equal 'application/json', @response.media_type
- json = ActiveSupport::JSON.decode(response.body)
- assert_kind_of Hash, json
- assert_kind_of Hash, json['user']
- assert_equal user.id, json['user']['id']
- end
-
- test "POST /users.xml with with invalid parameters should return errors" do
- assert_no_difference('User.count') do
- post(
- '/users.xml',
- :params => {
- :user =>{
- :login => 'foo', :lastname => 'Lastname', :mail => 'foo'
- }
- },
- :headers => credentials('admin'))
- end
-
- assert_response :unprocessable_entity
- assert_equal 'application/xml', @response.media_type
- assert_select 'errors error', :text => "First name cannot be blank"
- end
-
- test "POST /users.json with with invalid parameters should return errors" do
- assert_no_difference('User.count') do
- post(
- '/users.json',
- :params => {
- :user => {
- :login => 'foo', :lastname => 'Lastname', :mail => 'foo'
- }
- },
- :headers => credentials('admin'))
- end
-
- assert_response :unprocessable_entity
- assert_equal 'application/json', @response.media_type
- json = ActiveSupport::JSON.decode(response.body)
- assert_kind_of Hash, json
- assert json.has_key?('errors')
- assert_kind_of Array, json['errors']
- end
-
- test "PUT /users/:id.xml with valid parameters should update the user" do
- assert_no_difference('User.count') do
- put(
- '/users/2.xml',
- :params => {
- :user => {
- :login => 'jsmith', :firstname => 'John', :lastname => 'Renamed',
- :mail => 'jsmith@somenet.foo'
- }
- },
- :headers => credentials('admin'))
- end
-
- user = User.find(2)
- assert_equal 'jsmith', user.login
- assert_equal 'John', user.firstname
- assert_equal 'Renamed', user.lastname
- assert_equal 'jsmith@somenet.foo', user.mail
- assert !user.admin?
-
- assert_response :no_content
- assert_equal '', @response.body
- end
-
- test "PUT /users/:id.json with valid parameters should update the user" do
- assert_no_difference('User.count') do
- put(
- '/users/2.json',
- :params => {
- :user => {
- :login => 'jsmith', :firstname => 'John', :lastname => 'Renamed',
- :mail => 'jsmith@somenet.foo'
- }
- },
- :headers => credentials('admin'))
- end
-
- user = User.find(2)
- assert_equal 'jsmith', user.login
- assert_equal 'John', user.firstname
- assert_equal 'Renamed', user.lastname
- assert_equal 'jsmith@somenet.foo', user.mail
- assert !user.admin?
-
- assert_response :no_content
- assert_equal '', @response.body
- end
-
- test "PUT /users/:id.xml with invalid parameters" do
- assert_no_difference('User.count') do
- put(
- '/users/2.xml',
- :params => {
- :user => {
- :login => 'jsmith', :firstname => '', :lastname => 'Lastname',
- :mail => 'foo'
- }
- },
- :headers => credentials('admin'))
- end
-
- assert_response :unprocessable_entity
- assert_equal 'application/xml', @response.media_type
- assert_select 'errors error', :text => "First name cannot be blank"
- end
-
- test "PUT /users/:id.json with invalid parameters" do
- assert_no_difference('User.count') do
- put(
- '/users/2.json',
- :params => {
- :user => {
- :login => 'jsmith', :firstname => '', :lastname => 'Lastname',
- :mail => 'foo'
- }
- },
- :headers => credentials('admin'))
- end
-
- assert_response :unprocessable_entity
- assert_equal 'application/json', @response.media_type
- json = ActiveSupport::JSON.decode(response.body)
- assert_kind_of Hash, json
- assert json.has_key?('errors')
- assert_kind_of Array, json['errors']
- end
-
- test "DELETE /users/:id.xml should delete the user" do
- assert_difference('User.count', -1) do
- delete '/users/2.xml', :headers => credentials('admin')
- end
-
- assert_response :no_content
- assert_equal '', @response.body
- end
-
- test "DELETE /users/:id.json should delete the user" do
- assert_difference('User.count', -1) do
- delete '/users/2.json', :headers => credentials('admin')
- end
-
- assert_response :no_content
- assert_equal '', @response.body
- end
- end
|