# frozen_string_literal: true
require 'spec_helper'
RSpec . describe Admin :: UsersController do
# Shared fixtures. `let_it_be` builds the admin once for the group, while
# `let(:user)` is lazy and only creates the record when an example first
# references `user`.
let_it_be(:admin) { create(:admin) }
let(:user) { create(:user) }

# Every request in this file is issued by the signed-in admin.
# NOTE(review): nothing in this file signs in as a non-admin, so access control
# on these admin actions is not exercised here. Confirm it is covered elsewhere.
before { sign_in(admin) }
# Covers the admin user listing: unfiltered, filtered to admins, and the
# preloading of the authorized-projects association.
describe 'GET #index' do
  it 'retrieves all users' do
    get :index

    # `user` is a lazy `let`: it is first created while the expected array is
    # built, i.e. after the request has been issued. Keep this ordering.
    listed_users = assigns(:users)
    expect(listed_users).to match_array([user, admin])
  end

  it 'filters by admins' do
    admins_only = { filter: 'admins' }

    get :index, params: admins_only

    expect(assigns(:users)).to eq([admin])
  end

  it 'eager loads authorized projects association' do
    get :index

    first_listed = assigns(:users).first
    expect(first_listed.association(:authorized_projects)).to be_loaded
  end
end
# Covers username lookup on the show action: a lower-cased id must still
# resolve to the user and redirect to the canonically-cased username.
describe 'GET :id' do
  it 'finds a user case-insensitively' do
    mixed_case_user = create(:user, username: 'CaseSensitive')
    lowercased_id = mixed_case_user.username.downcase

    get :show, params: { id: lowercased_id }

    expect(response).to be_redirect
    expect(response.location).to end_with(mixed_case_user.username)
  end
end
# Covers account deletion for a user who owns a project and authored an issue:
# the default path reassigns contributions to the ghost user, while
# `hard_delete` removes the contributions as well.
describe 'DELETE #user with projects', :sidekiq_might_not_need_inline do
  let(:project) { create(:project, namespace: user.namespace) }
  # `let!` forces the issue to exist before each example runs.
  let!(:issue) { create(:issue, author: user) }

  before { project.add_developer(user) }

  it 'deletes user and ghosts their contributions' do
    soft_delete = { id: user.username }

    delete :destroy, params: soft_delete, format: :json

    expect(response).to have_gitlab_http_status(:ok)
    expect(User.exists?(user.id)).to be_falsy
    expect(issue.reload.author).to be_ghost
  end

  it 'deletes the user and their contributions when hard delete is specified' do
    hard_delete = { id: user.username, hard_delete: true }

    delete :destroy, params: hard_delete, format: :json

    expect(response).to have_gitlab_http_status(:ok)
    expect(User.exists?(user.id)).to be_falsy
    expect(Issue.exists?(issue.id)).to be_falsy
  end
end
# Covers the admin "activate" action for deactivated, already-active and
# blocked accounts.
describe 'PUT #activate' do
  shared_examples 'a request that activates the user' do
    it 'activates the user' do
      put :activate, params: { id: user.username }

      expect(user.reload.active?).to be_truthy
      expect(flash[:notice]).to eq('Successfully activated')
    end
  end

  context 'for a deactivated user' do
    before { user.deactivate }

    it_behaves_like 'a request that activates the user'
  end

  context 'for an active user' do
    it_behaves_like 'a request that activates the user'
  end

  context 'for a blocked user' do
    before { user.block }

    # Activation must not act as a way around a block: the account stays
    # inactive and the flash tells the admin to unblock first.
    it 'does not activate the user' do
      put :activate, params: { id: user.username }

      expect(user.reload.active?).to be_falsey
      expect(flash[:notice]).to eq('Error occurred. A blocked user must be unblocked to be activated')
    end
  end
end
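# Covers the admin "deactivate" action for active (with and without recent
# activity), already-deactivated and blocked accounts.
describe 'PUT #deactivate' do
  shared_examples 'a request that deactivates the user' do
    it 'deactivates the user' do
      put :deactivate, params: { id: user.username }

      expect(user.reload.deactivated?).to be_truthy
      expect(flash[:notice]).to eq('Successfully deactivated')
    end
  end

  context 'for an active user' do
    # Nested contexts override `activity` to place the last activity on either
    # side of the User::MINIMUM_INACTIVE_DAYS threshold.
    let(:activity) { {} }
    let(:user) { create(:user, **activity) }

    context 'with no recent activity' do
      let(:activity) { { last_activity_on: ::User::MINIMUM_INACTIVE_DAYS.next.days.ago } }

      it_behaves_like 'a request that deactivates the user'
    end

    context 'with recent activity' do
      let(:activity) { { last_activity_on: ::User::MINIMUM_INACTIVE_DAYS.pred.days.ago } }

      it 'does not deactivate the user' do
        put :deactivate, params: { id: user.username }

        expect(user.reload.deactivated?).to be_falsey
        # The literal carries no leading or trailing padding, so the equality
        # check compares against the message text itself.
        expect(flash[:notice]).to eq("The user you are trying to deactivate has been active in the past #{::User::MINIMUM_INACTIVE_DAYS} days and cannot be deactivated")
      end
    end
  end

  context 'for a deactivated user' do
    before { user.deactivate }

    it_behaves_like 'a request that deactivates the user'
  end

  context 'for a blocked user' do
    before { user.block }

    # A blocked account must not be moved into the "deactivated" state.
    it 'does not deactivate the user' do
      put :deactivate, params: { id: user.username }

      expect(user.reload.deactivated?).to be_falsey
      expect(flash[:notice]).to eq('Error occurred. A blocked user cannot be deactivated')
    end
  end
end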
# Covers the admin "block" action on a regular account.
describe 'PUT block/:id' do
  it 'blocks user' do
    put :block, params: { id: user.username }

    expect(user.reload.blocked?).to be_truthy
    expect(flash[:notice]).to eq(_('Successfully blocked'))
  end
end
# Covers the admin "unblock" action: accounts blocked through LDAP must stay
# blocked, while manually blocked accounts can be unblocked.
describe 'PUT unblock/:id' do
  context 'ldap blocked users' do
    let(:user) { create(:omniauth_user, provider: 'ldapmain') }

    before { user.ldap_block }

    # The block state came from `ldap_block`, so the admin UI must not be able
    # to override it.
    it 'does not unblock user' do
      put :unblock, params: { id: user.username }

      expect(user.reload.blocked?).to be_truthy
      expect(flash[:alert]).to eq(_('This user cannot be unlocked manually from GitLab'))
    end
  end

  context 'manually blocked users' do
    before { user.block }

    it 'unblocks user' do
      put :unblock, params: { id: user.username }

      expect(user.reload.blocked?).to be_falsey
      expect(flash[:notice]).to eq(_('Successfully unblocked'))
    end
  end
end
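# Covers the admin "unlock" action on an account whose access was locked.
describe 'PUT unlock/:id' do
  before do
    # The header name and value are written without surrounding spaces, so the
    # request carries a real Referer of "/".
    # NOTE(review): presumably the action redirects back to the referer.
    # Confirm against the controller.
    request.env["HTTP_REFERER"] = "/"
    user.lock_access!
  end

  it 'unlocks user' do
    put :unlock, params: { id: user.username }

    expect(user.reload.access_locked?).to be_falsey
  end
end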
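# Covers the admin "confirm" action on an account that has not been confirmed.
describe 'PUT confirm/:id' do
  let(:user) { create(:user, confirmed_at: nil) }

  before do
    # The header name and value are written without surrounding spaces, so the
    # request carries a real Referer of "/".
    # NOTE(review): presumably the action redirects back to the referer.
    # Confirm against the controller.
    request.env["HTTP_REFERER"] = "/"
  end

  it 'confirms user' do
    put :confirm, params: { id: user.username }

    expect(user.reload.confirmed?).to be_truthy
  end
end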
# Covers the admin action that switches off two-factor authentication on
# another account, for accounts with and without 2FA enabled.
# NOTE(review): the examples assert the 2FA flag, the redirect and the flash
# only. None checks that the change is logged or that the affected user is
# notified. Confirm whether the controller is expected to do either.
describe 'PATCH disable_two_factor' do
  subject { patch :disable_two_factor, params: { id: user.to_param } }

  context 'for a user that has 2FA enabled' do
    let(:user) { create(:user, :two_factor) }

    it 'disables 2FA for the user' do
      subject

      still_enabled = user.reload.two_factor_enabled?
      expect(still_enabled).to eq(false)
    end

    it 'redirects back' do
      subject

      expect(response).to redirect_to(admin_user_path(user))
    end

    it 'displays a notice on success' do
      subject

      success_message = _('Two-factor authentication has been disabled for this user')
      expect(flash[:notice]).to eq(success_message)
    end
  end

  context 'for a user that does not have 2FA enabled' do
    it 'redirects back' do
      subject

      expect(response).to redirect_to(admin_user_path(user))
    end

    it 'displays an alert on failure' do
      subject

      failure_message = _('Two-factor authentication is not enabled for this user')
      expect(flash[:alert]).to eq(failure_message)
    end
  end
end
# Covers user creation by an admin: the happy path, error reporting for an
# invalid email, and persistence of the admin note.
describe 'POST create' do
  it 'creates the user' do
    expect { post :create, params: { user: attributes_for(:user) } }
      .to change(User, :count).by(1)
  end

  it 'shows only one error message for an invalid email' do
    post :create, params: { user: attributes_for(:user, email: 'bogus') }

    validation_errors = assigns[:user].errors
    invalid_email = validation_errors.full_message(:email, I18n.t('errors.messages.invalid'))

    # Exactly one message: the invalid email must not be reported twice.
    expect(validation_errors).to contain_exactly(invalid_email)
  end

  context 'admin notes' do
    it 'creates the user with note' do
      admin_note = '2020-05-12 | Note | DCMA | Link'
      attributes = attributes_for(:user, note: admin_note)

      expect { post :create, params: { user: attributes } }
        .to change(User, :count).by(1)

      created_user = User.last
      expect(created_user.note).to eq(admin_note)
    end
  end
end
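# Covers the admin "update" action: password changes (the admin's own account
# versus another user's account, valid and invalid input) and the admin note.
describe 'POST update' do
  context 'when the password has changed' do
    # Posts a password change for `user`. Without an explicit password a value
    # from User.random_password is used, and the confirmation defaults to the
    # same value so both fields match unless a caller overrides one of them.
    def update_password(user, password = User.random_password, password_confirmation = password)
      credentials = {
        password: password,
        password_confirmation: password_confirmation
      }

      post :update, params: { id: user.to_param, user: credentials }
    end

    # An admin changing their own password is treated like a normal password
    # change: no forced expiry and the regular notification email.
    context 'when admin changes their own password' do
      context 'when password is valid' do
        it 'updates the password' do
          expect { update_password(admin) }
            .to change { admin.reload.encrypted_password }
        end

        it 'does not set the new password to expire immediately' do
          expect { update_password(admin) }
            .not_to change { admin.reload.password_expired? }
        end

        it 'does not enqueue the `admin changed your password` email' do
          expect { update_password(admin) }
            .not_to have_enqueued_mail(DeviseMailer, :password_change_by_admin)
        end

        it 'enqueues the `password changed` email' do
          expect { update_password(admin) }
            .to have_enqueued_mail(DeviseMailer, :password_change)
        end
      end
    end

    # When the admin sets someone else's password, the new password expires at
    # once and the user is told that an admin made the change.
    # NOTE(review): presumably the immediate expiry exists so the user must
    # replace a password the admin knows. Confirm against the controller.
    context 'when admin changes the password of another user' do
      context 'when the new password is valid' do
        it 'redirects to the user' do
          update_password(user)

          expect(response).to redirect_to(admin_user_path(user))
        end

        it 'updates the password' do
          expect { update_password(user) }
            .to change { user.reload.encrypted_password }
        end

        it 'sets the new password to expire immediately' do
          expect { update_password(user) }
            .to change { user.reload.password_expired? }.from(false).to(true)
        end

        it 'enqueues the `admin changed your password` email' do
          expect { update_password(user) }
            .to have_enqueued_mail(DeviseMailer, :password_change_by_admin)
        end

        it 'does not enqueue the `password changed` email' do
          expect { update_password(user) }
            .not_to have_enqueued_mail(DeviseMailer, :password_change)
        end
      end
    end

    context 'when the new password is invalid' do
      let(:password) { 'invalid' }

      it 'shows the edit page again' do
        update_password(user, password)

        expect(response).to render_template(:edit)
      end

      it 'returns the error message' do
        update_password(user, password)

        # The pattern has no padding spaces, so it matches the phrase wherever
        # it appears in the validation message.
        expect(assigns[:user].errors).to contain_exactly(a_string_matching(/too short/))
      end

      it 'does not update the password' do
        expect { update_password(user, password) }
          .not_to change { user.reload.encrypted_password }
      end
    end

    context 'when the new password does not match the password confirmation' do
      let(:password) { 'some_password' }
      let(:password_confirmation) { 'not_same_as_password' }

      it 'shows the edit page again' do
        update_password(user, password, password_confirmation)

        expect(response).to render_template(:edit)
      end

      it 'returns the error message' do
        update_password(user, password, password_confirmation)

        # The pattern has no padding spaces, so it matches the phrase wherever
        # it appears in the validation message.
        expect(assigns[:user].errors).to contain_exactly(a_string_matching(/doesn't match/))
      end

      it 'does not update the password' do
        expect { update_password(user, password, password_confirmation) }
          .not_to change { user.reload.encrypted_password }
      end
    end
  end

  context 'admin notes' do
    it 'updates the note for the user' do
      admin_note = '2020-05-12 | Note | DCMA | Link'
      # Built before the `expect` block, which also creates the lazy `user`.
      request_params = { id: user.to_param, user: { note: admin_note } }

      expect { post :update, params: request_params }
        .to change { user.reload.note }.to(admin_note)
    end
  end
end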
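# Covers removal of a secondary email from a user's account by an admin.
# The group description is written without padding spaces.
describe "DELETE #remove_email" do
  it 'deletes the email' do
    secondary_email = create(:email, user: user)

    delete :remove_email, params: { id: user.username, email_id: secondary_email.id }

    expect(user.reload.emails).not_to include(secondary_email)
    expect(flash[:notice]).to eq('Successfully removed email.')
  end
end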
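# Covers admin impersonation: refused for blocked users, refused when the
# feature is disabled in config, and otherwise switching the signed-in user
# while recording who started the impersonation.
# Descriptions and expected messages are written without padding spaces, so the
# equality checks compare against the message text itself.
describe "POST impersonate" do
  context "when the user is blocked" do
    before { user.block! }

    # The description says "notice", but the message is asserted on flash[:alert].
    it "shows a notice" do
      post :impersonate, params: { id: user.username }

      expect(flash[:alert]).to eq(_('You cannot impersonate a blocked user'))
    end

    it "doesn't sign us in as the user" do
      post :impersonate, params: { id: user.username }

      # The session must still belong to the admin.
      expect(warden.user).to eq(admin)
    end
  end

  context "when the user is not blocked" do
    # The admin's id stays in the session while the signed-in user changes, so
    # the session records who is behind the impersonation.
    it "stores the impersonator in the session" do
      post :impersonate, params: { id: user.username }

      expect(session[:impersonator_id]).to eq(admin.id)
    end

    it "signs us in as the user" do
      post :impersonate, params: { id: user.username }

      expect(warden.user).to eq(user)
    end

    # Audit trail: the start of an impersonation must reach the application
    # log and name both the admin and the impersonated user.
    it 'logs the beginning of the impersonation event' do
      expected_entry = "User #{admin.username} has started impersonating #{user.username}"
      expect(Gitlab::AppLogger).to receive(:info).with(expected_entry).and_call_original

      post :impersonate, params: { id: user.username }
    end

    it "redirects to root" do
      post :impersonate, params: { id: user.username }

      expect(response).to redirect_to(root_path)
    end

    # The description says "notice", but the message is asserted on flash[:alert].
    it "shows a notice" do
      post :impersonate, params: { id: user.username }

      expect(flash[:alert]).to eq("You are now impersonating #{user.username}")
    end
  end

  context "when impersonation is disabled" do
    before { stub_config_setting(impersonation_enabled: false) }

    # With the feature switched off the endpoint responds as if it did not exist.
    it "shows error page" do
      post :impersonate, params: { id: user.username }

      expect(response).to have_gitlab_http_status(:not_found)
    end
  end
end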
end