
group_members_spec.rb 7.02 KB
require 'spec_helper'

describe API::API, api: true  do
  include ApiHelpers

  # One user per role exercised by the examples. `stranger` is never added to
  # any group and acts as the caller with no membership at all.
  [:owner, :reporter, :developer, :master, :guest, :stranger].each do |role|
    let(role) { create(:user) }
  end

  # Group with one member at each level from guest to master; its owner is
  # attached in the `before` hook. `let!` builds it ahead of every example.
  let!(:group_with_members) do
    create(:group).tap do |group|
      group.add_users([reporter.id], GroupMember::REPORTER)
      group.add_users([developer.id], GroupMember::DEVELOPER)
      group.add_users([master.id], GroupMember::MASTER)
      group.add_users([guest.id], GroupMember::GUEST)
    end
  end

  # Group whose only member is the owner added in the `before` hook.
  let!(:group_no_members) { create(:group) }

  # `owner` owns both groups, so it is the privileged caller in every example.
  before do
    [group_with_members, group_no_members].each do |group|
      group.add_owner(owner)
    end
  end

  # Listing members: every member, whatever the access level, may read the
  # full list; a user with no membership is refused.
  describe "GET /groups/:id/members" do
    context "when authenticated as user that is part or the group" do
      it "each user: should return an array of members groups of group3" do
        # Access level each member is expected to be reported with.
        expected_levels = [
          [owner, GroupMember::OWNER],
          [reporter, GroupMember::REPORTER],
          [developer, GroupMember::DEVELOPER],
          [master, GroupMember::MASTER],
          [guest, GroupMember::GUEST]
        ]

        [owner, master, developer, reporter, guest].each do |user|
          get api("/groups/#{group_with_members.id}/members", user)

          expect(response.status).to eq(200)
          expect(json_response).to be_an Array
          expect(json_response.size).to eq(5)

          expected_levels.each do |member, level|
            entry = json_response.find { |e| e['id']==member.id }
            expect(entry['access_level']).to eq(level)
          end
        end
      end

      # Authorization check: `stranger` belongs to no group, so the member
      # list must not be served to that caller.
      it "users not part of the group should get access error" do
        get api("/groups/#{group_with_members.id}/members", stranger)

        expect(response.status).to eq(403)
      end
    end
  end

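  # Adding members. Denied requests are checked twice: the status code and the
  # absence of any change to the member list, so a handler that rejects the
  # caller after writing the record would still fail the example.
  #
  # NOTE(review): only `owner` and `guest` act as callers inside the group here;
  # reporter, developer and master callers are not covered by these examples.
  describe "POST /groups/:id/members" do
    context "when not a member of the group" do
      # `reporter` belongs only to group_with_members, so for group_no_members
      # this caller is an outsider.
      it "should not add guest as member of group_no_members when adding being done by person outside the group" do
        expect do
          post api("/groups/#{group_no_members.id}/members", reporter), user_id: guest.id, access_level: GroupMember::MASTER
        end.not_to change { group_no_members.members.count }

        expect(response.status).to eq(403)
      end
    end

    context "when a member of the group" do
      it "should return ok and add new member" do
        new_user = create(:user)

        expect do
          post api("/groups/#{group_no_members.id}/members", owner), user_id: new_user.id, access_level: GroupMember::MASTER
        end.to change { group_no_members.members.count }.by(1)

        expect(response.status).to eq(201)
        expect(json_response['name']).to eq(new_user.name)
        expect(json_response['access_level']).to eq(GroupMember::MASTER)
      end

      # A guest is a member but holds the lowest level; it must not be able to
      # add anyone, here at master level.
      it "should not allow guest to modify group members" do
        new_user = create(:user)

        expect do
          post api("/groups/#{group_with_members.id}/members", guest), user_id: new_user.id, access_level: GroupMember::MASTER
        end.not_to change { group_with_members.members.count }

        expect(response.status).to eq(403)
      end

      # `master` is already in group_with_members, so a second add conflicts.
      it "should return error if member already exists" do
        post api("/groups/#{group_with_members.id}/members", owner), user_id: master.id, access_level: GroupMember::MASTER

        expect(response.status).to eq(409)
      end

      it "should return a 400 error when user id is not given" do
        post api("/groups/#{group_no_members.id}/members", owner), access_level: GroupMember::MASTER

        expect(response.status).to eq(400)
      end

      it "should return a 400 error when access level is not given" do
        post api("/groups/#{group_no_members.id}/members", owner), user_id: master.id

        expect(response.status).to eq(400)
      end

      # 1234 matches none of the GroupMember levels used in this spec, so the
      # request must be rejected instead of stored as-is.
      it "should return a 422 error when access level is not known" do
        post api("/groups/#{group_no_members.id}/members", owner), user_id: master.id, access_level: 1234

        expect(response.status).to eq(422)
      end
    end
  end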

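  # Changing a member's access level.
  #
  # NOTE(review): no example here sends the request as a user outside the
  # group; the GET, POST and DELETE sections each assert 403 for that caller.
  describe 'PUT /groups/:id/members/:user_id' do
    # The caller is `owner`, who does belong to group_no_members; it is the
    # target user (`developer`) who is not a member of that group.
    context 'when not a member of the group' do
      # The description used to announce 409 while the assertion checks 404;
      # the wording now matches what is asserted.
      it 'should return a 404 error if the user is not a group member' do
        put(
          api("/groups/#{group_no_members.id}/members/#{developer.id}",
              owner), access_level: GroupMember::MASTER
        )
        expect(response.status).to eq(404)
      end
    end

    context 'when a member of the group' do
      it 'should return ok and update member access level' do
        put(
          api("/groups/#{group_with_members.id}/members/#{reporter.id}",
              owner),
          access_level: GroupMember::MASTER
        )

        expect(response.status).to eq(200)

        # Read the list back through the API to confirm the new level is stored.
        get api("/groups/#{group_with_members.id}/members", owner)
        json_reporter = json_response.find do |e|
          e['id'] == reporter.id
        end

        expect(json_reporter['access_level']).to eq(GroupMember::MASTER)
      end

      # Privilege check: a guest tries to raise another member to master. The
      # request must be refused and the stored level must stay at developer.
      it 'should not allow guest to modify group members' do
        put(
          api("/groups/#{group_with_members.id}/members/#{developer.id}",
              guest),
          access_level: GroupMember::MASTER
        )

        expect(response.status).to eq(403)

        # Re-read as owner so the check does not depend on the guest's view.
        get api("/groups/#{group_with_members.id}/members", owner)
        json_developer = json_response.find do |e|
          e['id'] == developer.id
        end

        expect(json_developer['access_level']).to eq(GroupMember::DEVELOPER)
      end

      it 'should return a 400 error when access level is not given' do
        put(
          api("/groups/#{group_with_members.id}/members/#{master.id}", owner)
        )
        expect(response.status).to eq(400)
      end

      # 1234 matches none of the GroupMember levels used in this spec.
      it 'should return a 422 error when access level is not known' do
        put(
          api("/groups/#{group_with_members.id}/members/#{master.id}", owner),
          access_level: 1234
        )
        expect(response.status).to eq(422)
      end
    end
  end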

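  # Removing members. Denied requests assert both the 403 and an unchanged
  # member count, so a refusal that still removes the record is caught.
  describe "DELETE /groups/:id/members/:user_id" do
    context "when not a member of the group" do
      # The request targets the owner's membership (the description used to
      # say guest's) and is sent by a user who belongs to no group.
      it "should not delete owner's membership of group_with_members" do
        random_user = create(:user)

        expect do
          delete api("/groups/#{group_with_members.id}/members/#{owner.id}", random_user)
        end.not_to change { group_with_members.members.count }

        expect(response.status).to eq(403)
      end
    end

    context "when a member of the group" do
      it "should delete guest's membership of group" do
        expect do
          delete api("/groups/#{group_with_members.id}/members/#{guest.id}", owner)
        end.to change { group_with_members.members.count }.by(-1)

        expect(response.status).to eq(200)
      end

      # NOTE(review): 1328 is assumed not to match any user created by this
      # spec - confirm the id cannot collide in the test database.
      it "should return a 404 error when user id is not known" do
        delete api("/groups/#{group_with_members.id}/members/1328", owner)

        expect(response.status).to eq(404)
      end

      # Privilege check: a guest must not be able to remove a higher-level
      # member (here the master).
      it "should not allow guest to modify group members" do
        expect do
          delete api("/groups/#{group_with_members.id}/members/#{master.id}", guest)
        end.not_to change { group_with_members.members.count }

        expect(response.status).to eq(403)
      end
    end
  end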
end