Merge remote-tracking branch 'parent/main' into upstream-20240128

spec/controllers/admin/domain_blocks_controller_spec.rb

@@ -48,15 +48,11 @@ RSpec.describe Admin::DomainBlocksController do
         post :create, params: { domain_block: { domain: 'example.com', severity: 'silence' } }
       end
 
-      it 'records a block' do
+      it 'records a block, calls a worker, redirects' do
         expect(DomainBlock.exists?(domain: 'example.com', severity: 'silence')).to be true
-      end
 
-      it 'calls DomainBlockWorker' do
         expect(DomainBlockWorker).to have_received(:perform_async)
-      end
 
-      it 'redirects with a success message' do
         expect(flash[:notice]).to eq I18n.t('admin.domain_blocks.created_msg')
         expect(response).to redirect_to(admin_instances_path(limited: '1'))
       end
@@ -68,15 +64,11 @@ RSpec.describe Admin::DomainBlocksController do
         post :create, params: { domain_block: { domain: 'example.com', severity: 'silence' } }
       end
 
-      it 'does not record a block' do
+      it 'does not record a block or call worker, renders new' do
         expect(DomainBlock.exists?(domain: 'example.com', severity: 'silence')).to be false
-      end
 
-      it 'does not call DomainBlockWorker' do
         expect(DomainBlockWorker).to_not have_received(:perform_async)
-      end
 
-      it 'renders new' do
         expect(response).to render_template :new
       end
     end
@@ -87,15 +79,11 @@ RSpec.describe Admin::DomainBlocksController do
           post :create, params: { domain_block: { domain: 'example.com', severity: 'suspend', reject_media: true, reject_reports: true } }
         end
 
-        it 'does not record a block' do
+        it 'does not record a block or call worker, renders confirm suspension' do
           expect(DomainBlock.exists?(domain: 'example.com', severity: 'suspend')).to be false
-        end
 
-        it 'does not call DomainBlockWorker' do
           expect(DomainBlockWorker).to_not have_received(:perform_async)
-        end
 
-        it 'renders confirm_suspension' do
           expect(response).to render_template :confirm_suspension
         end
       end
@@ -105,15 +93,11 @@ RSpec.describe Admin::DomainBlocksController do
           post :create, params: { :domain_block => { domain: 'example.com', severity: 'suspend', reject_media: true, reject_reports: true }, 'confirm' => '' }
         end
 
-        it 'records a block' do
+        it 'records a block and calls worker and redirects' do
           expect(DomainBlock.exists?(domain: 'example.com', severity: 'suspend')).to be true
-        end
 
-        it 'calls DomainBlockWorker' do
           expect(DomainBlockWorker).to have_received(:perform_async)
-        end
 
-        it 'redirects with a success message' do
           expect(flash[:notice]).to eq I18n.t('admin.domain_blocks.created_msg')
           expect(response).to redirect_to(admin_instances_path(limited: '1'))
         end
@@ -130,15 +114,11 @@ RSpec.describe Admin::DomainBlocksController do
           post :create, params: { domain_block: { domain: 'example.com', severity: 'suspend', reject_media: true, reject_reports: true } }
         end
 
-        it 'does not record a block' do
+        it 'does not record a block or call worker, renders confirm suspension' do
           expect(DomainBlock.exists?(domain: 'example.com', severity: 'suspend')).to be false
-        end
 
-        it 'does not call DomainBlockWorker' do
           expect(DomainBlockWorker).to_not have_received(:perform_async)
-        end
 
-        it 'renders confirm_suspension' do
           expect(response).to render_template :confirm_suspension
         end
       end
@@ -148,15 +128,11 @@ RSpec.describe Admin::DomainBlocksController do
           post :create, params: { :domain_block => { domain: 'example.com', severity: 'suspend', reject_media: true, reject_reports: true }, 'confirm' => '' }
         end
 
-        it 'updates the record' do
+        it 'updates the record and calls worker, redirects' do
           expect(DomainBlock.exists?(domain: 'example.com', severity: 'suspend')).to be true
-        end
 
-        it 'calls DomainBlockWorker' do
           expect(DomainBlockWorker).to have_received(:perform_async)
-        end
 
-        it 'redirects with a success message' do
           expect(flash[:notice]).to eq I18n.t('admin.domain_blocks.created_msg')
           expect(response).to redirect_to(admin_instances_path(limited: '1'))
         end

spec/controllers/admin/email_domain_blocks_controller_spec.rb

@@ -58,11 +58,9 @@ RSpec.describe Admin::EmailDomainBlocksController do
         post :create, params: { email_domain_block: { domain: 'example.com' }, save: '' }
       end
 
-      it 'blocks the domain' do
+      it 'blocks the domain and redirects to email domain blocks' do
         expect(EmailDomainBlock.find_by(domain: 'example.com')).to_not be_nil
-      end
 
-      it 'redirects to e-mail domain blocks' do
         expect(response).to redirect_to(admin_email_domain_blocks_path)
       end
     end

spec/controllers/admin/roles_controller_spec.rb

@@ -68,11 +68,9 @@ RSpec.describe Admin::RolesController do
         let(:selected_position) { 1 }
         let(:selected_permissions_as_keys) { %w(manage_roles) }
 
-        it 'redirects to roles page' do
+        it 'redirects to roles page and creates role' do
           expect(response).to redirect_to(admin_roles_path)
-        end
 
-        it 'creates new role' do
           expect(UserRole.find_by(name: 'Bar')).to_not be_nil
         end
       end
@@ -81,11 +79,9 @@ RSpec.describe Admin::RolesController do
         let(:selected_position) { 100 }
         let(:selected_permissions_as_keys) { %w(manage_roles) }
 
-        it 'renders new template' do
+        it 'renders new template and does not create role' do
           expect(response).to render_template(:new)
-        end
 
-        it 'does not create new role' do
           expect(UserRole.find_by(name: 'Bar')).to be_nil
         end
       end
@@ -94,11 +90,9 @@ RSpec.describe Admin::RolesController do
         let(:selected_position) { 1 }
         let(:selected_permissions_as_keys) { %w(manage_roles manage_users manage_reports) }
 
-        it 'renders new template' do
+        it 'renders new template and does not create role' do
           expect(response).to render_template(:new)
-        end
 
-        it 'does not create new role' do
           expect(UserRole.find_by(name: 'Bar')).to be_nil
         end
       end
@@ -109,11 +103,9 @@ RSpec.describe Admin::RolesController do
         let(:selected_position) { 1 }
         let(:selected_permissions_as_keys) { %w(manage_roles manage_users manage_reports) }
 
-        it 'redirects to roles page' do
+        it 'redirects to roles page and creates new role' do
           expect(response).to redirect_to(admin_roles_path)
-        end
 
-        it 'creates new role' do
           expect(UserRole.find_by(name: 'Bar')).to_not be_nil
         end
       end
@@ -166,11 +158,9 @@ RSpec.describe Admin::RolesController do
     end
 
     context 'when user does not have permission to manage roles' do
-      it 'returns http forbidden' do
+      it 'returns http forbidden and does not update role' do
         expect(response).to have_http_status(403)
-      end
 
-      it 'does not update the role' do
         expect(role.reload.name).to eq 'Bar'
       end
     end
@@ -179,11 +169,9 @@ RSpec.describe Admin::RolesController do
       let(:permissions) { UserRole::FLAGS[:manage_roles] }
 
       context 'when role has permissions the user doesn\'t' do
-        it 'renders edit template' do
+        it 'renders edit template and does not update role' do
           expect(response).to render_template(:edit)
-        end
 
-        it 'does not update the role' do
           expect(role.reload.name).to eq 'Bar'
         end
       end
@@ -192,11 +180,9 @@ RSpec.describe Admin::RolesController do
         let(:permissions) { UserRole::FLAGS[:manage_roles] | UserRole::FLAGS[:manage_users] }
 
         context 'when user outranks the role' do
-          it 'redirects to roles page' do
+          it 'redirects to roles page and updates role' do
             expect(response).to redirect_to(admin_roles_path)
-          end
 
-          it 'updates the role' do
             expect(role.reload.name).to eq 'Baz'
           end
         end
@@ -204,11 +190,9 @@ RSpec.describe Admin::RolesController do
         context 'when role outranks user' do
           let(:role_position) { current_role.position + 1 }
 
-          it 'returns http forbidden' do
+          it 'returns http forbidden and does not update role' do
             expect(response).to have_http_status(403)
-          end
 
-          it 'does not update the role' do
             expect(role.reload.name).to eq 'Bar'
           end
         end

spec/controllers/admin/settings/branding_controller_spec.rb

@@ -16,7 +16,8 @@ RSpec.describe Admin::Settings::BrandingController do
 
         patch :update, params: { form_admin_settings: { new_setting_key: 'New key value' } }
 
-        expect(response).to redirect_to(admin_settings_branding_path)
+        expect(response)
+          .to have_http_status(400)
         expect(Setting.new_setting_key).to be_nil
       end
     end

spec/controllers/admin/users/roles_controller_spec.rb

@@ -44,11 +44,9 @@ RSpec.describe Admin::Users::RolesController do
       let(:permissions) { UserRole::FLAGS[:manage_roles] }
       let(:position) { 1 }
 
-      it 'updates user role' do
+      it 'updates user role and redirects' do
         expect(user.reload.role_id).to eq selected_role&.id
-      end
 
-      it 'redirects back to account page' do
         expect(response).to redirect_to(admin_account_path(user.account_id))
       end
     end
@@ -57,11 +55,9 @@ RSpec.describe Admin::Users::RolesController do
       let(:permissions) { UserRole::FLAGS[:administrator] }
       let(:position) { 100 }
 
-      it 'does not update user role' do
+      it 'does not update user role and renders edit' do
         expect(user.reload.role_id).to eq previous_role&.id
-      end
 
-      it 'renders edit form' do
         expect(response).to render_template(:show)
       end
     end
@@ -71,11 +67,9 @@ RSpec.describe Admin::Users::RolesController do
       let(:permissions) { UserRole::FLAGS[:manage_roles] }
       let(:position) { 1 }
 
-      it 'does not update user role' do
+      it 'does not update user role and returns http forbidden' do
         expect(user.reload.role_id).to eq previous_role&.id
-      end
 
-      it 'returns http forbidden' do
         expect(response).to have_http_status(403)
       end
     end

spec/lib/activitypub/linked_data_signature_spec.rb

@@ -13,10 +13,13 @@ RSpec.describe ActivityPub::LinkedDataSignature do
     {
       '@context' => 'https://www.w3.org/ns/activitystreams',
       'id' => 'http://example.com/hello-world',
+      'type' => 'Note',
+      'content' => 'Hello world',
     }
   end
 
-  let(:json) { raw_json.merge('signature' => signature) }
+  let(:signed_json) { raw_json.merge('signature' => signature) }
+  let(:json) { signed_json }
 
   describe '#verify_actor!' do
     context 'when signature matches' do
@@ -90,6 +93,54 @@ RSpec.describe ActivityPub::LinkedDataSignature do
         expect(subject.verify_actor!).to be_nil
       end
     end
+
+    context 'when an attribute has been removed from the document' do
+      let(:signature) { raw_signature.merge('type' => 'RsaSignature2017', 'signatureValue' => sign(sender, raw_signature, raw_json)) }
+      let(:json) { signed_json.without('content') }
+
+      let(:raw_signature) do
+        {
+          'creator' => 'http://example.com/alice',
+          'created' => '2017-09-23T20:21:34Z',
+        }
+      end
+
+      it 'returns nil' do
+        expect(subject.verify_actor!).to be_nil
+      end
+    end
+
+    context 'when an attribute has been added to the document' do
+      let(:signature) { raw_signature.merge('type' => 'RsaSignature2017', 'signatureValue' => sign(sender, raw_signature, raw_json)) }
+      let(:json) { signed_json.merge('attributedTo' => 'http://example.com/bob') }
+
+      let(:raw_signature) do
+        {
+          'creator' => 'http://example.com/alice',
+          'created' => '2017-09-23T20:21:34Z',
+        }
+      end
+
+      it 'returns nil' do
+        expect(subject.verify_actor!).to be_nil
+      end
+    end
+
+    context 'when an existing attribute has been changed' do
+      let(:signature) { raw_signature.merge('type' => 'RsaSignature2017', 'signatureValue' => sign(sender, raw_signature, raw_json)) }
+      let(:json) { signed_json.merge('content' => 'oops') }
+
+      let(:raw_signature) do
+        {
+          'creator' => 'http://example.com/alice',
+          'created' => '2017-09-23T20:21:34Z',
+        }
+      end
+
+      it 'returns nil' do
+        expect(subject.verify_actor!).to be_nil
+      end
+    end
   end
 
   describe '#sign!' do

spec/requests/admin/account_actions_spec.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Admin Account Actions' do
+  describe 'POST /admin/accounts/:account_id/action' do
+    before { sign_in Fabricate(:admin_user) }
+
+    let(:account) { Fabricate :account }
+
+    it 'gracefully handles invalid nested params' do
+      post admin_account_action_path(account.id, admin_account_action: 'invalid')
+
+      expect(response)
+        .to have_http_status(400)
+    end
+  end
+end

spec/requests/admin/account_moderation_notes_spec.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Admin Account Moderation Notes' do
+  describe 'POST /admin/account_moderation_notes' do
+    before { sign_in Fabricate(:admin_user) }
+
+    it 'gracefully handles invalid nested params' do
+      post admin_account_moderation_notes_path(account_moderation_note: 'invalid')
+
+      expect(response)
+        .to have_http_status(400)
+    end
+  end
+end

spec/requests/admin/accounts_spec.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Admin Accounts' do
+  describe 'POST /admin/accounts/batch' do
+    before { sign_in Fabricate(:admin_user) }
+
+    it 'gracefully handles invalid nested params' do
+      post batch_admin_accounts_path(form_account_batch: 'invalid')
+
+      expect(response)
+        .to redirect_to(admin_accounts_path)
+    end
+  end
+end

spec/requests/admin/announcements_spec.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Admin Announcements' do
+  describe 'POST /admin/announcements' do
+    before { sign_in Fabricate(:admin_user) }
+
+    it 'gracefully handles invalid nested params' do
+      post admin_announcements_path(announcement: 'invalid')
+
+      expect(response)
+        .to have_http_status(400)
+    end
+  end
+end

spec/requests/admin/change_emails_spec.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Admin Account Change Email' do
+  describe 'PUT /admin/accounts/:account_id/change_email' do
+    before { sign_in Fabricate(:admin_user) }
+
+    let(:account) { Fabricate :account }
+
+    it 'gracefully handles invalid nested params' do
+      put admin_account_change_email_path(account.id, user: 'invalid')
+
+      expect(response)
+        .to have_http_status(400)
+    end
+  end
+end

spec/requests/admin/custom_emojis_spec.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Admin Custom Emojis' do
+  describe 'POST /admin/custom_emojis' do
+    before { sign_in Fabricate(:admin_user) }
+
+    it 'gracefully handles invalid nested params' do
+      post admin_custom_emojis_path(custom_emoji: 'invalid')
+
+      expect(response)
+        .to have_http_status(400)
+    end
+  end
+end

spec/requests/admin/domain_allows_spec.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Admin Domain Allows' do
+  describe 'POST /admin/domain_allows' do
+    before { sign_in Fabricate(:admin_user) }
+
+    it 'gracefully handles invalid nested params' do
+      post admin_domain_allows_path(domain_allow: 'invalid')
+
+      expect(response)
+        .to have_http_status(400)
+    end
+  end
+end

spec/requests/admin/domain_blocks_spec.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Admin Domain Blocks' do
+  describe 'POST /admin/domain_blocks/batch' do
+    before { sign_in Fabricate(:admin_user) }
+
+    it 'gracefully handles invalid nested params' do
+      post batch_admin_domain_blocks_path(form_domain_block_batch: 'invalid')
+
+      expect(response)
+        .to redirect_to(admin_instances_path(limited: '1'))
+    end
+  end
+end

spec/requests/admin/email_domain_blocks_spec.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Admin Email Domain Blocks' do
+  describe 'POST /admin/email_domain_blocks' do
+    before { sign_in Fabricate(:admin_user) }
+
+    it 'gracefully handles invalid nested params' do
+      post admin_email_domain_blocks_path(email_domain_block: 'invalid')
+
+      expect(response)
+        .to have_http_status(400)
+    end
+  end
+
+  describe 'POST /admin/email_domain_blocks/batch' do
+    before { sign_in Fabricate(:admin_user) }
+
+    it 'gracefully handles invalid nested params' do
+      post batch_admin_email_domain_blocks_path(form_email_domain_block_batch: 'invalid')
+
+      expect(response)
+        .to redirect_to(admin_email_domain_blocks_path)
+    end
+  end
+end

spec/requests/admin/export_domain_allows_spec.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Admin Export Domain Allows' do
+  describe 'POST /admin/export_domain_allows/import' do
+    before { sign_in Fabricate(:admin_user) }
+
+    it 'gracefully handles invalid nested params' do
+      post import_admin_export_domain_allows_path(admin_import: 'invalid')
+
+      expect(response)
+        .to redirect_to(admin_instances_path)
+    end
+  end
+end

spec/requests/admin/export_domain_blocks_spec.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Admin Export Domain Blocks' do
+  describe 'POST /admin/export_domain_blocks/import' do
+    before { sign_in Fabricate(:admin_user) }
+
+    it 'gracefully handles invalid nested params' do
+      post import_admin_export_domain_blocks_path(admin_import: 'invalid')
+
+      expect(response.body)
+        .to include(I18n.t('admin.export_domain_blocks.no_file'))
+    end
+  end
+end

spec/requests/admin/follow_recommendations_spec.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Admin Follow Recommendations' do
+  describe 'PUT /admin/follow_recommendations' do
+    before { sign_in Fabricate(:admin_user) }
+
+    it 'gracefully handles invalid nested params' do
+      put admin_follow_recommendations_path(form_account_batch: 'invalid')
+
+      expect(response)
+        .to redirect_to(admin_follow_recommendations_path)
+    end
+  end
+end

spec/requests/admin/invites_spec.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Admin Invites' do
+  describe 'POST /admin/invites' do
+    before { sign_in Fabricate(:admin_user) }
+
+    it 'gracefully handles invalid nested params' do
+      post admin_invites_path(invite: 'invalid')
+
+      expect(response)
+        .to have_http_status(400)
+    end
+  end
+end

spec/requests/admin/ip_blocks_spec.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Admin IP Blocks' do
+  describe 'POST /admin/ip_blocks' do
+    before { sign_in Fabricate(:admin_user) }
+
+    it 'gracefully handles invalid nested params' do
+      post admin_ip_blocks_path(ip_block: 'invalid')
+
+      expect(response)
+        .to have_http_status(400)
+    end
+  end
+
+  describe 'POST /admin/ip_blocks/batch' do
+    before { sign_in Fabricate(:admin_user) }
+
+    it 'gracefully handles invalid nested params' do
+      post batch_admin_ip_blocks_path(form_ip_block_batch: 'invalid')
+
+      expect(response)
+        .to redirect_to(admin_ip_blocks_path)
+    end
+  end
+end

spec/requests/admin/relays_spec.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Admin Relays' do
+  describe 'POST /admin/relays' do
+    before { sign_in Fabricate(:admin_user) }
+
+    it 'gracefully handles invalid nested params' do
+      post admin_relays_path(relay: 'invalid')
+
+      expect(response)
+        .to have_http_status(400)
+    end
+  end
+end

spec/requests/admin/report_notes_spec.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Admin Report Notes' do
+  describe 'POST /admin/report_notes' do
+    before { sign_in Fabricate(:admin_user) }
+
+    it 'gracefully handles invalid nested params' do
+      post admin_report_notes_path(report_note: 'invalid')
+
+      expect(response)
+        .to have_http_status(400)
+    end
+  end
+end

spec/requests/admin/roles_spec.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Admin Roles' do
+  describe 'POST /admin/roles' do
+    before { sign_in Fabricate(:admin_user) }
+
+    it 'gracefully handles invalid nested params' do
+      post admin_roles_path(user_role: 'invalid')
+
+      expect(response)
+        .to have_http_status(400)
+    end
+  end
+end

spec/requests/admin/rules_spec.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Admin Rules' do
+  describe 'POST /admin/rules' do
+    before { sign_in Fabricate(:admin_user) }
+
+    it 'gracefully handles invalid nested params' do
+      post admin_rules_path(rule: 'invalid')
+
+      expect(response)
+        .to have_http_status(400)
+    end
+  end
+end

spec/requests/admin/settings/about_spec.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Admin Settings About' do
+  describe 'PUT /admin/settings/about' do
+    before { sign_in Fabricate(:admin_user) }
+
+    it 'gracefully handles invalid nested params' do
+      put admin_settings_about_path(form_admin_settings: 'invalid')
+
+      expect(response)
+        .to have_http_status(400)
+    end
+  end
+end

spec/requests/admin/statuses_spec.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Admin Statuses' do
+  describe 'POST /admin/accounts/:account_id/statuses/batch' do
+    before { sign_in Fabricate(:admin_user) }
+
+    let(:account) { Fabricate :account }
+
+    it 'gracefully handles invalid nested params' do
+      post batch_admin_account_statuses_path(account.id, admin_status_batch_action: 'invalid')
+
+      expect(response)
+        .to redirect_to(admin_account_statuses_path(account.id))
+    end
+  end
+end

spec/requests/admin/tags_spec.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Admin Tags' do
+  describe 'PUT /admin/tags/:id' do
+    before { sign_in Fabricate(:admin_user) }
+
+    let(:tag) { Fabricate :tag }
+
+    it 'gracefully handles invalid nested params' do
+      put admin_tag_path(tag.id, tag: 'invalid')
+
+      expect(response)
+        .to have_http_status(400)
+    end
+  end
+end

spec/requests/admin/terms_of_service/drafts_spec.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Admin Terms Drafts' do
+  describe 'PUT /admin/terms_of_service/draft' do
+    before { sign_in Fabricate(:admin_user) }
+
+    it 'gracefully handles invalid nested params' do
+      put admin_terms_of_service_draft_path(terms_of_service: 'invalid')
+
+      expect(response)
+        .to have_http_status(400)
+    end
+  end
+end

spec/requests/admin/terms_of_service/generates_spec.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Admin Terms Generates' do
+  describe 'POST /admin/terms_of_service/generates' do
+    before { sign_in Fabricate(:admin_user) }
+
+    it 'gracefully handles invalid nested params' do
+      post admin_terms_of_service_generate_path(terms_of_service_generator: 'invalid')
+
+      expect(response)
+        .to have_http_status(400)
+    end
+  end
+end

spec/requests/admin/trends/links/preview_card_providers_spec.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Admin Trends Links Preview Card Providers' do
+  describe 'POST /admin/trends/links/publishers/batch' do
+    before { sign_in Fabricate(:admin_user) }
+
+    it 'gracefully handles invalid nested params' do
+      post batch_admin_trends_links_preview_card_providers_path(trends_preview_card_provider_batch: 'invalid')
+
+      expect(response)
+        .to redirect_to(admin_trends_links_preview_card_providers_path)
+    end
+  end
+end

spec/requests/admin/trends/links_spec.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Admin Trends Links' do
+  describe 'POST /admin/trends/links/batch' do
+    before { sign_in Fabricate(:admin_user) }
+
+    it 'gracefully handles invalid nested params' do
+      post batch_admin_trends_links_path(trends_preview_card_batch: 'invalid')
+
+      expect(response)
+        .to redirect_to(admin_trends_links_path)
+    end
+  end
+end

spec/requests/admin/trends/statuses_spec.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Admin Trends Statuses' do
+  describe 'POST /admin/trends/statuses/batch' do
+    before { sign_in Fabricate(:admin_user) }
+
+    it 'gracefully handles invalid nested params' do
+      post batch_admin_trends_statuses_path(trends_status_batch: 'invalid')
+
+      expect(response)
+        .to redirect_to(admin_trends_statuses_path)
+    end
+  end
+end

spec/requests/admin/trends/tags_spec.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Admin Trends Tags' do
+  describe 'POST /admin/trends/tags/batch' do
+    before { sign_in Fabricate(:admin_user) }
+
+    it 'gracefully handles invalid nested params' do
+      post batch_admin_trends_tags_path(trends_tag_batch: 'invalid')
+
+      expect(response)
+        .to redirect_to(admin_trends_tags_path)
+    end
+  end
+end

spec/requests/admin/users/roles_spec.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Admin Users Roles' do
+  describe 'PUT /admin/users/:user_id/role' do
+    before { sign_in Fabricate(:admin_user) }
+
+    let(:user) { Fabricate :user }
+
+    it 'gracefully handles invalid nested params' do
+      put admin_user_role_path(user.id, user: 'invalid')
+
+      expect(response)
+        .to have_http_status(400)
+    end
+  end
+end

spec/requests/admin/warning_presets_spec.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Admin Warning Presets' do
+  describe 'POST /admin/warning_presets' do
+    before { sign_in Fabricate(:admin_user) }
+
+    it 'gracefully handles invalid nested params' do
+      post admin_warning_presets_path(account_warning_preset: 'invalid')
+
+      expect(response)
+        .to have_http_status(400)
+    end
+  end
+end

spec/requests/admin/webhooks_spec.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Admin Webhooks' do
+  describe 'POST /admin/webhooks' do
+    before { sign_in Fabricate(:admin_user) }
+
+    it 'gracefully handles invalid nested params' do
+      post admin_webhooks_path(webhook: 'invalid')
+
+      expect(response)
+        .to have_http_status(400)
+    end
+  end
+end

spec/requests/auth/challenges_spec.rb

@@ -33,5 +33,14 @@ RSpec.describe 'Auth Challenges' do
           .to be_nil
       end
     end
+
+    context 'with invalid params' do
+      it 'gracefully handles invalid nested params' do
+        post auth_challenge_path(form_challenge: 'invalid')
+
+        expect(response)
+          .to have_http_status(400)
+      end
+    end
   end
 end

spec/requests/auth/sessions_spec.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Auth Sessions' do
+  describe 'POST /auth/sign_in' do
+    # The rack-attack check has issues with the non-nested invalid param used here
+    before { Rack::Attack.enabled = false }
+    after { Rack::Attack.enabled = true }
+
+    it 'gracefully handles invalid nested params' do
+      post user_session_path(user: 'invalid')
+
+      expect(response)
+        .to have_http_status(400)
+    end
+  end
+end

spec/requests/filters/statuses_spec.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Filters Statuses' do
+  describe 'POST /filters/:filter_id/statuses/batch' do
+    before { sign_in(user) }
+
+    let(:filter) { Fabricate :custom_filter, account: user.account }
+    let(:user) { Fabricate :user }
+
+    it 'gracefully handles invalid nested params' do
+      post batch_filter_statuses_path(filter.id, form_status_filter_batch_action: 'invalid')
+
+      expect(response)
+        .to redirect_to(edit_filter_path(filter))
+    end
+  end
+end

spec/requests/relationships_spec.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Relationships' do
+  describe 'PUT /relationships' do
+    before { sign_in Fabricate(:user) }
+
+    it 'gracefully handles invalid nested params' do
+      put relationships_path(form_account_batch: 'invalid')
+
+      expect(response)
+        .to redirect_to(relationships_path)
+    end
+  end
+end

spec/requests/settings/applications_spec.rb

@@ -40,5 +40,23 @@ RSpec.describe 'Settings / Exports' do
       expect(response)
         .to redirect_to(settings_applications_path)
     end
+
+    it 'gracefully handles invalid nested params' do
+      post settings_applications_path(doorkeeper_application: 'invalid')
+
+      expect(response)
+        .to have_http_status(400)
+    end
+  end
+
+  describe 'PUT /settings/applications/:id' do
+    let(:application) { Fabricate :application, owner: user }
+
+    it 'gracefully handles invalid nested params' do
+      put settings_application_path(application.id, doorkeeper_application: 'invalid')
+
+      expect(response)
+        .to have_http_status(400)
+    end
   end
 end

spec/requests/settings/preferences/appearance_spec.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Settings Preferences Appearance' do
+  describe 'PUT /settings/preferences/appearance' do
+    before { sign_in Fabricate(:user) }
+
+    it 'gracefully handles invalid nested params' do
+      put settings_preferences_appearance_path(user: 'invalid')
+
+      expect(response)
+        .to have_http_status(400)
+    end
+  end
+end

spec/requests/settings/two_factor_authentication/confirmations_spec.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Settings 2FA Confirmations' do
+  describe 'POST /settings/two_factor_authentication/confirmations' do
+    before do
+      sign_in Fabricate(:user, encrypted_password: '') # Empty encrypted password avoids challengable flow
+      post settings_otp_authentication_path # Sets `session[:new_otp_secret]` which is needed for next step
+    end
+
+    it 'gracefully handles invalid nested params' do
+      post settings_two_factor_authentication_confirmation_path(form_two_factor_confirmation: 'invalid')
+
+      expect(response)
+        .to have_http_status(400)
+    end
+  end
+end

spec/requests/settings/verifications_spec.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Settings Verifications' do
+  describe 'PUT /settings/verification' do
+    before { sign_in Fabricate(:user) }
+
+    it 'gracefully handles invalid nested params' do
+      put settings_verification_path(account: 'invalid')
+
+      expect(response)
+        .to have_http_status(400)
+    end
+  end
+end

spec/services/activitypub/process_status_update_service_spec.rb

@@ -274,7 +274,7 @@ RSpec.describe ActivityPub::ProcessStatusUpdateService do
 
       it 'updates tags and featured tags' do
         expect { subject.call(status, json, json) }
-          .to change { status.tags.reload.pluck(:name) }.from(%w(test foo)).to(%w(foo bar))
+          .to change { status.tags.reload.pluck(:name) }.from(contain_exactly('test', 'foo')).to(contain_exactly('foo', 'bar'))
           .and change { status.account.featured_tags.find_by(name: 'test').statuses_count }.by(-1)
           .and change { status.account.featured_tags.find_by(name: 'bar').statuses_count }.by(1)
           .and change { status.account.featured_tags.find_by(name: 'bar').last_status_at }.from(nil).to(be_present)

spec/system/filters_spec.rb

@@ -44,6 +44,8 @@ RSpec.describe 'Filters' do
     let(:new_title) { 'Change title value' }
 
     let!(:custom_filter) { Fabricate :custom_filter, account: user.account, title: filter_title }
+    let!(:keyword_one) { Fabricate :custom_filter_keyword, custom_filter: custom_filter }
+    let!(:keyword_two) { Fabricate :custom_filter_keyword, custom_filter: custom_filter }
 
     it 'Updates the saved filter' do
       navigate_to_filters
@@ -51,7 +53,12 @@ RSpec.describe 'Filters' do
       click_on filter_title
 
       fill_in filter_title_field, with: new_title
-      click_on submit_button
+      fill_in 'custom_filter_keywords_attributes_0_keyword', with: 'New value'
+      fill_in 'custom_filter_keywords_attributes_1_keyword', with: 'Wilderness'
+
+      expect { click_on submit_button }
+        .to change { keyword_one.reload.keyword }.to(/New value/)
+        .and(change { keyword_two.reload.keyword }.to(/Wilderness/))
 
       expect(page).to have_content(new_title)
     end

spec/system/settings/preferences/appearance_spec.rb

@@ -17,10 +17,13 @@ RSpec.describe 'Settings preferences appearance page' do
     check confirm_reblog_field
     uncheck confirm_delete_field
 
+    check advanced_layout_field
+
     expect { save_changes }
       .to change { user.reload.settings.theme }.to('contrast')
       .and change { user.reload.settings['web.reblog_modal'] }.to(true)
-      .and(change { user.reload.settings['web.delete_modal'] }.to(false))
+      .and change { user.reload.settings['web.delete_modal'] }.to(false)
+      .and(change { user.reload.settings['web.advanced_layout'] }.to(true))
     expect(page)
       .to have_title(I18n.t('settings.appearance'))
   end
@@ -40,4 +43,8 @@ RSpec.describe 'Settings preferences appearance page' do
   def theme_selection_field
     I18n.t('simple_form.labels.defaults.setting_theme')
   end
+
+  def advanced_layout_field
+    I18n.t('simple_form.labels.defaults.setting_advanced_layout')
+  end
 end