BigW Consortium Gitlab

users_controller_spec.rb 6.24 KB
Newer Older
1 2 3
require 'spec_helper'

describe Admin::UsersController do
4
  let(:user) { create(:user) }
5
  let(:admin) { create(:admin) }
6 7

  before do
8
    sign_in(admin)
9 10 11
  end

  describe 'DELETE #user with projects' do
12
    let(:project) { create(:empty_project, namespace: user.namespace) }
13 14 15 16 17 18 19

    before do
      project.team << [user, :developer]
    end

    it 'deletes user' do
      delete :destroy, id: user.username, format: :json
20
      expect(response).to have_http_status(200)
21 22 23
      expect { User.find(user.id) }.to raise_exception(ActiveRecord::RecordNotFound)
    end
  end
24

25 26 27 28 29 30 31 32 33 34
  describe 'PUT block/:id' do
    it 'blocks user' do
      put :block, id: user.username
      user.reload
      expect(user.blocked?).to be_truthy
      expect(flash[:notice]).to eq 'Successfully blocked'
    end
  end

  describe 'PUT unblock/:id' do
35 36
    context 'ldap blocked users' do
      let(:user) { create(:omniauth_user, provider: 'ldapmain') }
37

38 39 40 41
      before do
        user.ldap_block
      end

42
      it 'does not unblock user' do
43 44 45 46 47
        put :unblock, id: user.username
        user.reload
        expect(user.blocked?).to be_truthy
        expect(flash[:alert]).to eq 'This user cannot be unlocked manually from GitLab'
      end
48 49
    end

50 51 52 53 54 55 56 57 58 59 60
    context 'manually blocked users' do
      before do
        user.block
      end

      it 'unblocks user' do
        put :unblock, id: user.username
        user.reload
        expect(user.blocked?).to be_falsey
        expect(flash[:notice]).to eq 'Successfully unblocked'
      end
61 62 63
    end
  end

64 65 66 67 68 69 70 71 72 73 74 75
  describe 'PUT unlock/:id' do
    before do
      request.env["HTTP_REFERER"] = "/"
      user.lock_access!
    end

    it 'unlocks user' do
      put :unlock, id: user.username
      user.reload
      expect(user.access_locked?).to be_falsey
    end
  end
76

77 78 79 80 81 82 83 84 85 86 87 88 89 90
  describe 'PUT confirm/:id' do
    let(:user) { create(:user, confirmed_at: nil) }

    before do
      request.env["HTTP_REFERER"] = "/"
    end

    it 'confirms user' do
      put :confirm, id: user.username
      user.reload
      expect(user.confirmed?).to be_truthy
    end
  end

91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115
  describe 'PATCH disable_two_factor' do
    it 'disables 2FA for the user' do
      expect(user).to receive(:disable_two_factor!)
      allow(subject).to receive(:user).and_return(user)

      go
    end

    it 'redirects back' do
      go

      expect(response).to redirect_to(admin_user_path(user))
    end

    it 'displays an alert' do
      go

      expect(flash[:notice]).
        to eq 'Two-factor Authentication has been disabled for this user'
    end

    def go
      patch :disable_two_factor, id: user.to_param
    end
  end
116

117 118 119 120 121 122 123 124 125 126 127
  describe 'POST create' do
    it 'creates the user' do
      expect{ post :create, user: attributes_for(:user) }.to change{ User.count }.by(1)
    end

    it 'shows only one error message for an invalid email' do
      post :create, user: attributes_for(:user, email: 'bogus')
      expect(assigns[:user].errors).to contain_exactly("Email is invalid")
    end
  end

128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203
  describe 'POST update' do
    context 'when the password has changed' do
      def update_password(user, password, password_confirmation = nil)
        params = {
          id: user.to_param,
          user: {
            password: password,
            password_confirmation: password_confirmation || password
          }
        }

        post :update, params
      end

      context 'when the new password is valid' do
        it 'redirects to the user' do
          update_password(user, 'AValidPassword1')

          expect(response).to redirect_to(admin_user_path(user))
        end

        it 'updates the password' do
          update_password(user, 'AValidPassword1')

          expect { user.reload }.to change { user.encrypted_password }
        end

        it 'sets the new password to expire immediately' do
          update_password(user, 'AValidPassword1')

          expect { user.reload }.to change { user.password_expires_at }.to(a_value <= Time.now)
        end
      end

      context 'when the new password is invalid' do
        it 'shows the edit page again' do
          update_password(user, 'invalid')

          expect(response).to render_template(:edit)
        end

        it 'returns the error message' do
          update_password(user, 'invalid')

          expect(assigns[:user].errors).to contain_exactly(a_string_matching(/too short/))
        end

        it 'does not update the password' do
          update_password(user, 'invalid')

          expect { user.reload }.not_to change { user.encrypted_password }
        end
      end

      context 'when the new password does not match the password confirmation' do
        it 'shows the edit page again' do
          update_password(user, 'AValidPassword1', 'AValidPassword2')

          expect(response).to render_template(:edit)
        end

        it 'returns the error message' do
          update_password(user, 'AValidPassword1', 'AValidPassword2')

          expect(assigns[:user].errors).to contain_exactly(a_string_matching(/doesn't match/))
        end

        it 'does not update the password' do
          update_password(user, 'AValidPassword1', 'AValidPassword2')

          expect { user.reload }.not_to change { user.encrypted_password }
        end
      end
    end
  end

204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248
  describe "POST impersonate" do
    context "when the user is blocked" do
      before do
        user.block!
      end

      it "shows a notice" do
        post :impersonate, id: user.username

        expect(flash[:alert]).to eq("You cannot impersonate a blocked user")
      end

      it "doesn't sign us in as the user" do
        post :impersonate, id: user.username

        expect(warden.user).to eq(admin)
      end
    end

    context "when the user is not blocked" do
      it "stores the impersonator in the session" do
        post :impersonate, id: user.username

        expect(session[:impersonator_id]).to eq(admin.id)
      end

      it "signs us in as the user" do
        post :impersonate, id: user.username

        expect(warden.user).to eq(user)
      end

      it "redirects to root" do
        post :impersonate, id: user.username

        expect(response).to redirect_to(root_path)
      end

      it "shows a notice" do
        post :impersonate, id: user.username

        expect(flash[:alert]).to eq("You are now impersonating #{user.username}")
      end
    end
  end
249
end