post/nas
1
0
Fork 0
forked from gitea/nas
Code Pull requests Activity

Merge remote-tracking branch 'parent/main' into upstream-20240225

Browse source
This commit is contained in:
KMY 2025-02-25 08:15:45 +09:00
commit a72160b66f
115 changed files with 1002 additions and 731 deletions
Download patch file Download diff file Expand all files Collapse all files

9
spec/controllers/admin/domain_blocks_controller_spec.rb
View file

@ -69,7 +69,8 @@ RSpec.describe Admin::DomainBlocksController do
expect(DomainBlockWorker).to_not have_received(:perform_async)
expect(response).to render_template :new
expect(response.parsed_body.title)
.to match(I18n.t('admin.domain_blocks.new.title'))
end
end
@ -84,7 +85,8 @@ RSpec.describe Admin::DomainBlocksController do
expect(DomainBlockWorker).to_not have_received(:perform_async)
expect(response).to render_template :confirm_suspension
expect(response.parsed_body.title)
.to match(I18n.t('admin.domain_blocks.confirm_suspension.title', domain: 'example.com'))
end
end
@ -119,7 +121,8 @@ RSpec.describe Admin::DomainBlocksController do
expect(DomainBlockWorker).to_not have_received(:perform_async)
expect(response).to render_template :confirm_suspension
expect(response.parsed_body.title)
.to match(I18n.t('admin.domain_blocks.confirm_suspension.title', domain: 'example.com'))
end
end

235
spec/controllers/admin/roles_controller_spec.rb
View file

@ -1,235 +0,0 @@
# frozen_string_literal: true
require 'rails_helper'
RSpec.describe Admin::RolesController do
render_views
let(:permissions) { UserRole::Flags::NONE }
let(:current_role) { UserRole.create(name: 'Foo', permissions: permissions, position: 10) }
let(:current_user) { Fabricate(:user, role: current_role) }
before do
sign_in current_user, scope: :user
end
describe 'GET #index' do
before do
get :index
end
context 'when user does not have permission to manage roles' do
it 'returns http forbidden' do
expect(response).to have_http_status(403)
end
end
context 'when user has permission to manage roles' do
let(:permissions) { UserRole::FLAGS[:manage_roles] }
it 'returns http success' do
expect(response).to have_http_status(:success)
end
end
end
describe 'GET #new' do
before do
get :new
end
context 'when user does not have permission to manage roles' do
it 'returns http forbidden' do
expect(response).to have_http_status(403)
end
end
context 'when user has permission to manage roles' do
let(:permissions) { UserRole::FLAGS[:manage_roles] }
it 'returns http success' do
expect(response).to have_http_status(:success)
end
end
end
describe 'POST #create' do
let(:selected_position) { 1 }
let(:selected_permissions_as_keys) { %w(manage_roles) }
before do
post :create, params: { user_role: { name: 'Bar', position: selected_position, permissions_as_keys: selected_permissions_as_keys } }
end
context 'when user has permission to manage roles' do
let(:permissions) { UserRole::FLAGS[:manage_roles] }
context 'when new role\'s does not elevate above the user\'s role' do
let(:selected_position) { 1 }
let(:selected_permissions_as_keys) { %w(manage_roles) }
it 'redirects to roles page and creates role' do
expect(response).to redirect_to(admin_roles_path)
expect(UserRole.find_by(name: 'Bar')).to_not be_nil
end
end
context 'when new role\'s position is higher than user\'s role' do
let(:selected_position) { 100 }
let(:selected_permissions_as_keys) { %w(manage_roles) }
it 'renders new template and does not create role' do
expect(response).to render_template(:new)
expect(UserRole.find_by(name: 'Bar')).to be_nil
end
end
context 'when new role has permissions the user does not have' do
let(:selected_position) { 1 }
let(:selected_permissions_as_keys) { %w(manage_roles manage_users manage_reports) }
it 'renders new template and does not create role' do
expect(response).to render_template(:new)
expect(UserRole.find_by(name: 'Bar')).to be_nil
end
end
context 'when user has administrator permission' do
let(:permissions) { UserRole::FLAGS[:administrator] }
let(:selected_position) { 1 }
let(:selected_permissions_as_keys) { %w(manage_roles manage_users manage_reports) }
it 'redirects to roles page and creates new role' do
expect(response).to redirect_to(admin_roles_path)
expect(UserRole.find_by(name: 'Bar')).to_not be_nil
end
end
end
end
describe 'GET #edit' do
let(:role_position) { 8 }
let(:role) { UserRole.create(name: 'Bar', permissions: UserRole::FLAGS[:manage_users], position: role_position) }
before do
get :edit, params: { id: role.id }
end
context 'when user does not have permission to manage roles' do
it 'returns http forbidden' do
expect(response).to have_http_status(403)
end
end
context 'when user has permission to manage roles' do
let(:permissions) { UserRole::FLAGS[:manage_roles] }
context 'when user outranks the role' do
it 'returns http success' do
expect(response).to have_http_status(:success)
end
end
context 'when role outranks user' do
let(:role_position) { current_role.position + 1 }
it 'returns http forbidden' do
expect(response).to have_http_status(403)
end
end
end
end
describe 'PUT #update' do
let(:role_position) { 8 }
let(:role_permissions) { UserRole::FLAGS[:manage_users] }
let(:role) { UserRole.create(name: 'Bar', permissions: role_permissions, position: role_position) }
let(:selected_position) { 8 }
let(:selected_permissions_as_keys) { %w(manage_users) }
before do
put :update, params: { id: role.id, user_role: { name: 'Baz', position: selected_position, permissions_as_keys: selected_permissions_as_keys } }
end
context 'when user does not have permission to manage roles' do
it 'returns http forbidden and does not update role' do
expect(response).to have_http_status(403)
expect(role.reload.name).to eq 'Bar'
end
end
context 'when user has permission to manage roles' do
let(:permissions) { UserRole::FLAGS[:manage_roles] }
context 'when role has permissions the user doesn\'t' do
it 'renders edit template and does not update role' do
expect(response).to render_template(:edit)
expect(role.reload.name).to eq 'Bar'
end
end
context 'when user has all permissions of the role' do
let(:permissions) { UserRole::FLAGS[:manage_roles] | UserRole::FLAGS[:manage_users] }
context 'when user outranks the role' do
it 'redirects to roles page and updates role' do
expect(response).to redirect_to(admin_roles_path)
expect(role.reload.name).to eq 'Baz'
end
end
context 'when role outranks user' do
let(:role_position) { current_role.position + 1 }
it 'returns http forbidden and does not update role' do
expect(response).to have_http_status(403)
expect(role.reload.name).to eq 'Bar'
end
end
end
end
end
describe 'DELETE #destroy' do
let(:role_position) { 8 }
let(:role) { UserRole.create(name: 'Bar', permissions: UserRole::FLAGS[:manage_users], position: role_position) }
before do
delete :destroy, params: { id: role.id }
end
context 'when user does not have permission to manage roles' do
it 'returns http forbidden' do
expect(response).to have_http_status(403)
end
end
context 'when user has permission to manage roles' do
let(:permissions) { UserRole::FLAGS[:manage_roles] }
context 'when user outranks the role' do
it 'redirects to roles page' do
expect(response).to redirect_to(admin_roles_path)
end
end
context 'when role outranks user' do
let(:role_position) { current_role.position + 1 }
it 'returns http forbidden' do
expect(response).to have_http_status(403)
end
end
end
end
end

77
spec/controllers/admin/users/roles_controller_spec.rb
View file

@ -1,77 +0,0 @@
# frozen_string_literal: true
require 'rails_helper'
RSpec.describe Admin::Users::RolesController do
render_views
let(:current_role) { UserRole.create(name: 'Foo', permissions: UserRole::FLAGS[:manage_roles], position: 10) }
let(:current_user) { Fabricate(:user, role: current_role) }
let(:previous_role) { nil }
let(:user) { Fabricate(:user, role: previous_role) }
before do
sign_in current_user, scope: :user
end
describe 'GET #show' do
before do
get :show, params: { user_id: user.id }
end
it 'returns http success' do
expect(response).to have_http_status(:success)
end
context 'when target user is higher ranked than current user' do
let(:previous_role) { UserRole.create(name: 'Baz', permissions: UserRole::FLAGS[:administrator], position: 100) }
it 'returns http forbidden' do
expect(response).to have_http_status(403)
end
end
end
describe 'PUT #update' do
let(:selected_role) { UserRole.create(name: 'Bar', permissions: permissions, position: position) }
before do
put :update, params: { user_id: user.id, user: { role_id: selected_role.id } }
end
context 'with manage roles permissions' do
let(:permissions) { UserRole::FLAGS[:manage_roles] }
let(:position) { 1 }
it 'updates user role and redirects' do
expect(user.reload.role_id).to eq selected_role&.id
expect(response).to redirect_to(admin_account_path(user.account_id))
end
end
context 'when selected role has higher position than current user\'s role' do
let(:permissions) { UserRole::FLAGS[:administrator] }
let(:position) { 100 }
it 'does not update user role and renders edit' do
expect(user.reload.role_id).to eq previous_role&.id
expect(response).to render_template(:show)
end
end
context 'when target user is higher ranked than current user' do
let(:previous_role) { UserRole.create(name: 'Baz', permissions: UserRole::FLAGS[:administrator], position: 100) }
let(:permissions) { UserRole::FLAGS[:manage_roles] }
let(:position) { 1 }
it 'does not update user role and returns http forbidden' do
expect(user.reload.role_id).to eq previous_role&.id
expect(response).to have_http_status(403)
end
end
end
end

39
spec/controllers/settings/two_factor_authentication/confirmations_controller_spec.rb
View file

@ -5,14 +5,14 @@ require 'rails_helper'
RSpec.describe Settings::TwoFactorAuthentication::ConfirmationsController do
render_views
shared_examples 'renders :new' do
it 'renders the new view' do
shared_examples 'renders expected page' do
it 'renders the new view with QR code' do
subject
expect(response).to have_http_status(200)
expect(response).to render_template(:new)
expect(response.body)
.to include(qr_code_markup)
.and include(I18n.t('settings.two_factor_authentication'))
end
def qr_code_markup
@ -34,7 +34,7 @@ RSpec.describe Settings::TwoFactorAuthentication::ConfirmationsController do
get :new, session: { challenge_passed_at: Time.now.utc, new_otp_secret: 'thisisasecretforthespecofnewview' }
end
include_examples 'renders :new'
include_examples 'renders expected page'
end
it 'redirects if a new otp_secret has not been set in the session' do
@ -66,10 +66,13 @@ RSpec.describe Settings::TwoFactorAuthentication::ConfirmationsController do
expect { post_create_with_options }
.to change { user.reload.otp_secret }.to 'thisisasecretforthespecofnewview'
expect(flash[:notice]).to eq 'Two-factor authentication successfully enabled'
expect(response).to have_http_status(200)
expect(response).to render_template('settings/two_factor_authentication/recovery_codes/index')
expect(response.body).to include(*otp_backup_codes)
expect(flash[:notice])
.to eq(I18n.t('two_factor_authentication.enabled_success'))
expect(response)
.to have_http_status(200)
expect(response.body)
.to include(*otp_backup_codes)
.and include(I18n.t('settings.two_factor_authentication'))
end
end
@ -86,10 +89,12 @@ RSpec.describe Settings::TwoFactorAuthentication::ConfirmationsController do
it 'renders page with error message' do
subject
expect(response.body).to include 'The entered code was invalid! Are server time and device time correct?'
expect(response.body)
.to include(I18n.t('otp_authentication.wrong_code'))
end
include_examples 'renders :new'
include_examples 'renders expected page'
end
private
@ -116,18 +121,4 @@ RSpec.describe Settings::TwoFactorAuthentication::ConfirmationsController do
end
end
end
context 'when not signed in' do
it 'redirects on POST to create' do
post :create, params: { form_two_factor_confirmation: { otp_attempt: '123456' } }
expect(response).to redirect_to('/auth/sign_in')
end
it 'redirects on GET to new' do
get :new
expect(response).to redirect_to('/auth/sign_in')
end
end
end

192
spec/controllers/statuses_controller_spec.rb
View file

@ -1,192 +0,0 @@
# frozen_string_literal: true
require 'rails_helper'
RSpec.describe StatusesController do
render_views
describe 'GET #show' do
let(:account) { Fabricate(:account) }
let(:status) { Fabricate(:status, account: account) }
context 'when signed-in' do
let(:user) { Fabricate(:user) }
before do
sign_in(user)
end
context 'when status is public' do
before do
get :show, params: { account_username: status.account.username, id: status.id, format: format }
end
context 'with HTML' do
let(:format) { 'html' }
it 'renders status successfully', :aggregate_failures do
expect(response)
.to have_http_status(200)
.and render_template(:show)
expect(response.headers).to include(
'Vary' => 'Accept, Accept-Language, Cookie',
'Cache-Control' => include('private'),
'Link' => include('activity+json')
)
expect(response.body).to include status.text
end
end
context 'with JSON' do
let(:format) { 'json' }
it 'renders ActivityPub Note object successfully', :aggregate_failures do
expect(response)
.to have_http_status(200)
expect(response.headers).to include(
'Vary' => 'Accept, Accept-Language, Cookie',
'Cache-Control' => include('private'),
'Content-Type' => include('application/activity+json'),
'Link' => include('activity+json')
)
expect(response.parsed_body)
.to include(content: include(status.text))
end
end
end
context 'when status is private' do
let(:status) { Fabricate(:status, account: account, visibility: :private) }
context 'when user is authorized to see it' do
before do
user.account.follow!(account)
get :show, params: { account_username: status.account.username, id: status.id, format: format }
end
context 'with HTML' do
let(:format) { 'html' }
it 'renders status successfully', :aggregate_failures do
expect(response)
.to have_http_status(200)
.and render_template(:show)
expect(response.headers).to include(
'Vary' => 'Accept, Accept-Language, Cookie',
'Cache-Control' => include('private'),
'Link' => include('activity+json')
)
expect(response.body).to include status.text
end
end
context 'with JSON' do
let(:format) { 'json' }
it 'renders ActivityPub Note object successfully', :aggregate_failures do
expect(response)
.to have_http_status(200)
expect(response.headers).to include(
'Vary' => 'Accept, Accept-Language, Cookie',
'Cache-Control' => include('private'),
'Content-Type' => include('application/activity+json'),
'Link' => include('activity+json')
)
expect(response.parsed_body)
.to include(content: include(status.text))
end
end
end
context 'when user is not authorized to see it' do
before do
get :show, params: { account_username: status.account.username, id: status.id, format: format }
end
context 'with JSON' do
let(:format) { 'json' }
it 'returns http not found' do
expect(response).to have_http_status(404)
end
end
context 'with HTML' do
let(:format) { 'html' }
it 'returns http not found' do
expect(response).to have_http_status(404)
end
end
end
end
context 'when status is direct' do
let(:status) { Fabricate(:status, account: account, visibility: :direct) }
context 'when user is authorized to see it' do
before do
Fabricate(:mention, account: user.account, status: status)
get :show, params: { account_username: status.account.username, id: status.id, format: format }
end
context 'with HTML' do
let(:format) { 'html' }
it 'renders status successfully', :aggregate_failures do
expect(response)
.to have_http_status(200)
.and render_template(:show)
expect(response.headers).to include(
'Vary' => 'Accept, Accept-Language, Cookie',
'Cache-Control' => include('private'),
'Link' => include('activity+json')
)
expect(response.body).to include status.text
end
end
context 'with JSON' do
let(:format) { 'json' }
it 'renders ActivityPub Note object successfully' do
expect(response)
.to have_http_status(200)
expect(response.headers).to include(
'Vary' => 'Accept, Accept-Language, Cookie',
'Cache-Control' => include('private'),
'Content-Type' => include('application/activity+json'),
'Link' => include('activity+json')
)
expect(response.parsed_body)
.to include(content: include(status.text))
end
end
end
context 'when user is not authorized to see it' do
before do
get :show, params: { account_username: status.account.username, id: status.id, format: format }
end
context 'with JSON' do
let(:format) { 'json' }
it 'returns http not found' do
expect(response).to have_http_status(404)
end
end
context 'with HTML' do
let(:format) { 'html' }
it 'returns http not found' do
expect(response).to have_http_status(404)
end
end
end
end
end
end
end

138
spec/requests/admin/roles_spec.rb
View file

@ -3,14 +3,142 @@
require 'rails_helper'
RSpec.describe 'Admin Roles' do
describe 'POST /admin/roles' do
context 'when signed in as lower permissions user' do
let(:user_role) { Fabricate(:user_role, permissions: UserRole::Flags::NONE) }
before { sign_in Fabricate(:user, role: user_role) }
describe 'GET /admin/roles' do
it 'returns http forbidden' do
get admin_roles_path
expect(response)
.to have_http_status(403)
end
end
describe 'GET /admin/roles/new' do
it 'returns http forbidden' do
get new_admin_role_path
expect(response)
.to have_http_status(403)
end
end
describe 'GET /admin/roles/:id/edit' do
let(:role) { Fabricate(:user_role) }
it 'returns http forbidden' do
get edit_admin_role_path(role)
expect(response)
.to have_http_status(403)
end
end
describe 'PUT /admin/roles/:id' do
let(:role) { Fabricate(:user_role) }
it 'returns http forbidden' do
put admin_role_path(role)
expect(response)
.to have_http_status(403)
end
end
describe 'DELETE /admin/roles/:id' do
let(:role) { Fabricate(:user_role) }
it 'returns http forbidden' do
delete admin_role_path(role)
expect(response)
.to have_http_status(403)
end
end
end
context 'when user has permissions to manage roles' do
let(:user_role) { Fabricate(:user_role, permissions: UserRole::FLAGS[:manage_users]) }
before { sign_in Fabricate(:user, role: user_role) }
context 'when target role permission outranks user' do
let(:role) { Fabricate(:user_role, position: user_role.position + 1) }
describe 'GET /admin/roles/:id/edit' do
it 'returns http forbidden' do
get edit_admin_role_path(role)
expect(response)
.to have_http_status(403)
end
end
describe 'PUT /admin/roles/:id' do
it 'returns http forbidden' do
put admin_role_path(role)
expect(response)
.to have_http_status(403)
end
end
describe 'DELETE /admin/roles/:id' do
it 'returns http forbidden' do
delete admin_role_path(role)
expect(response)
.to have_http_status(403)
end
end
end
end
context 'when attempting to add permissions the user does not have' do
let(:user_role) { Fabricate(:user_role, permissions: UserRole::FLAGS[:manage_roles], position: 5) }
before { sign_in Fabricate(:user, role: user_role) }
describe 'POST /admin/roles' do
subject { post admin_roles_path, params: { user_role: { name: 'Bar', position: 2, permissions_as_keys: %w(manage_roles manage_users manage_reports) } } }
it 'does not create role' do
expect { subject }
.to_not change(UserRole, :count)
expect(response.body)
.to include(I18n.t('admin.roles.add_new'))
end
end
describe 'PUT /admin/roles/:id' do
subject { put admin_role_path(role), params: { user_role: { position: 2, permissions_as_keys: %w(manage_roles manage_users manage_reports) } } }
let(:role) { Fabricate(:user_role, name: 'Bar') }
it 'does not create role' do
expect { subject }
.to_not(change { role.reload.permissions })
expect(response.parsed_body.title)
.to match(I18n.t('admin.roles.edit', name: 'Bar'))
end
end
end
context 'when signed in as admin' do
before { sign_in Fabricate(:admin_user) }
it 'gracefully handles invalid nested params' do
post admin_roles_path(user_role: 'invalid')
describe 'POST /admin/roles' do
it 'gracefully handles invalid nested params' do
post admin_roles_path(user_role: 'invalid')
expect(response)
.to have_http_status(400)
expect(response)
.to have_http_status(400)
end
end
end
end

28
spec/requests/admin/users/roles_spec.rb
View file

@ -3,6 +3,34 @@
require 'rails_helper'
RSpec.describe 'Admin Users Roles' do
context 'when target user is higher ranked than current user' do
let(:current_role) { UserRole.create(name: 'Foo', permissions: UserRole::FLAGS[:manage_roles], position: 10) }
let(:current_user) { Fabricate(:user, role: current_role) }
let(:previous_role) { UserRole.create(name: 'Baz', permissions: UserRole::FLAGS[:administrator], position: 100) }
let(:user) { Fabricate(:user, role: previous_role) }
before { sign_in(current_user) }
describe 'GET /admin/users/:user_id/role' do
it 'returns http forbidden' do
get admin_user_role_path(user.id)
expect(response)
.to have_http_status(403)
end
end
describe 'PUT /admin/users/:user_id/role' do
it 'returns http forbidden' do
put admin_user_role_path(user.id)
expect(response)
.to have_http_status(403)
end
end
end
describe 'PUT /admin/users/:user_id/role' do
before { sign_in Fabricate(:admin_user) }

16
spec/requests/settings/two_factor_authentication/confirmations_spec.rb
View file

@ -16,4 +16,20 @@ RSpec.describe 'Settings 2FA Confirmations' do
.to have_http_status(400)
end
end
context 'when not signed in' do
it 'redirects on POST to create' do
post settings_two_factor_authentication_confirmation_path(form_two_factor_confirmation: { otp_attempt: '123456' })
expect(response)
.to redirect_to(new_user_session_path)
end
it 'redirects on GET to new' do
get new_settings_two_factor_authentication_confirmation_path
expect(response)
.to redirect_to(new_user_session_path)
end
end
end

166
spec/requests/statuses_spec.rb
View file

@ -59,7 +59,6 @@ RSpec.describe 'Statuses' do
expect(response)
.to have_http_status(200)
.and render_template(:show)
expect(response.headers).to include(
'Vary' => 'Accept, Accept-Language, Cookie',
'Cache-Control' => include('public'),
@ -114,9 +113,11 @@ RSpec.describe 'Statuses' do
end
context 'when signed in' do
subject { get short_account_status_path(account_username: account.username, id: status.id, format: format) }
let(:user) { Fabricate(:user) }
before { sign_in(user) }
before { sign_in_with_session(user) }
context 'when account blocks user' do
before { account.block!(user.account) }
@ -128,6 +129,167 @@ RSpec.describe 'Statuses' do
.to have_http_status(404)
end
end
context 'when status is public' do
context 'with HTML' do
let(:format) { 'html' }
it 'renders status successfully', :aggregate_failures do
subject
expect(response)
.to have_http_status(200)
expect(response.headers).to include(
'Vary' => 'Accept, Accept-Language, Cookie',
'Cache-Control' => include('private'),
'Link' => include('activity+json')
)
expect(response.body)
.to include(status.text)
end
end
context 'with JSON' do
let(:format) { 'json' }
it 'renders ActivityPub Note object successfully', :aggregate_failures do
subject
expect(response)
.to have_http_status(200)
expect(response.headers).to include(
'Vary' => 'Accept, Accept-Language, Cookie',
'Cache-Control' => include('private'),
'Content-Type' => include('application/activity+json'),
'Link' => include('activity+json')
)
expect(response.parsed_body)
.to include(content: include(status.text))
end
end
end
context 'when status is private' do
let(:status) { Fabricate(:status, account: account, visibility: :private) }
context 'when user is authorized to see it' do
before { user.account.follow!(account) }
context 'with HTML' do
let(:format) { 'html' }
it 'renders status successfully', :aggregate_failures do
subject
expect(response)
.to have_http_status(200)
expect(response.headers).to include(
'Vary' => 'Accept, Accept-Language, Cookie',
'Cache-Control' => include('private'),
'Link' => include('activity+json')
)
expect(response.body)
.to include(status.text)
end
end
context 'with JSON' do
let(:format) { 'json' }
it 'renders ActivityPub Note object successfully', :aggregate_failures do
subject
expect(response)
.to have_http_status(200)
expect(response.headers).to include(
'Vary' => 'Accept, Accept-Language, Cookie',
'Cache-Control' => include('private'),
'Content-Type' => include('application/activity+json'),
'Link' => include('activity+json')
)
expect(response.parsed_body)
.to include(content: include(status.text))
end
end
end
context 'when user is not authorized to see it' do
let(:format) { 'html' }
it 'returns http not found' do
subject
expect(response)
.to have_http_status(404)
end
end
end
context 'when status is direct' do
let(:status) { Fabricate(:status, account: account, visibility: :direct) }
context 'when user is authorized to see it' do
before { Fabricate(:mention, account: user.account, status: status) }
context 'with HTML' do
let(:format) { 'html' }
it 'renders status successfully', :aggregate_failures do
subject
expect(response)
.to have_http_status(200)
expect(response.headers).to include(
'Vary' => 'Accept, Accept-Language, Cookie',
'Cache-Control' => include('private'),
'Link' => include('activity+json')
)
expect(response.body)
.to include(status.text)
end
end
context 'with JSON' do
let(:format) { 'json' }
it 'renders ActivityPub Note object successfully' do
subject
expect(response)
.to have_http_status(200)
expect(response.headers).to include(
'Vary' => 'Accept, Accept-Language, Cookie',
'Cache-Control' => include('private'),
'Content-Type' => include('application/activity+json'),
'Link' => include('activity+json')
)
expect(response.parsed_body)
.to include(content: include(status.text))
end
end
end
context 'when user is not authorized to see it' do
let(:format) { 'html' }
it 'returns http not found' do
subject
expect(response)
.to have_http_status(404)
end
end
end
private
def sign_in_with_session(user)
# The regular `sign_in` helper does not actually set session cookies
# The endpoint responses here rely on cookie/session checks to set cache privacy headers
# To enable that, perform a full sign in which will establish those cookies for subsequent spec requests
post user_session_path, params: { user: { email: user.email, password: user.password } }
end
end
context 'with "HTTP Signature" access signed by a remote account' do

78
spec/system/admin/roles_spec.rb Normal file
View file

@ -0,0 +1,78 @@
# frozen_string_literal: true
require 'rails_helper'
RSpec.describe 'Admin::Roles' do
context 'when user has administrator permissions' do
let(:user_role) { Fabricate(:user_role, permissions: UserRole::FLAGS[:administrator], position: 10) }
before { sign_in Fabricate(:user, role: user_role) }
it 'creates new user role' do
visit new_admin_role_path
fill_in 'user_role_name', with: 'Baz'
fill_in 'user_role_position', with: '1'
check 'user_role_permissions_as_keys_manage_reports'
check 'user_role_permissions_as_keys_manage_roles'
expect { click_on I18n.t('admin.roles.add_new') }
.to change(UserRole, :count)
expect(page)
.to have_title(I18n.t('admin.roles.title'))
end
end
context 'when user has permissions to manage roles' do
let(:user_role) { Fabricate(:user_role, permissions: UserRole::FLAGS[:manage_roles], position: 10) }
before { sign_in Fabricate(:user, role: user_role) }
it 'Creates user roles' do
visit admin_roles_path
expect(page)
.to have_title(I18n.t('admin.roles.title'))
click_on I18n.t('admin.roles.add_new')
expect(page)
.to have_title(I18n.t('admin.roles.add_new'))
# Position too high
fill_in 'user_role_name', with: 'Baz'
fill_in 'user_role_position', with: '100'
expect { click_on I18n.t('admin.roles.add_new') }
.to_not change(UserRole, :count)
expect(page)
.to have_content(I18n.t('activerecord.errors.models.user_role.attributes.position.elevated'))
# Valid submission
fill_in 'user_role_name', with: 'Baz'
fill_in 'user_role_position', with: '5' # Lower than user
check 'user_role_permissions_as_keys_manage_roles' # User has permission
expect { click_on I18n.t('admin.roles.add_new') }
.to change(UserRole, :count)
expect(page)
.to have_title(I18n.t('admin.roles.title'))
end
it 'Manages existing user roles' do
role = Fabricate :user_role, name: 'Baz'
visit edit_admin_role_path(role)
expect(page)
.to have_title(I18n.t('admin.roles.edit', name: 'Baz'))
# Update role attribute
fill_in 'user_role_position', with: '5' # Lower than user
expect { click_on submit_button }
.to(change { role.reload.position })
# Destroy the role
visit edit_admin_role_path(role)
expect { click_on I18n.t('admin.roles.delete') }
.to change(UserRole, :count).by(-1)
expect(page)
.to have_title(I18n.t('admin.roles.title'))
end
end
end

38
spec/system/admin/users/roles_spec.rb Normal file
View file

@ -0,0 +1,38 @@
# frozen_string_literal: true
require 'rails_helper'
RSpec.describe 'Admin Users Roles' do
let(:current_role) { UserRole.create(name: 'Foo', permissions: UserRole::FLAGS[:manage_roles], position: 10) }
let(:current_user) { Fabricate(:user, role: current_role) }
let(:previous_role) { nil }
let(:user) { Fabricate(:user, role: previous_role) }
before do
sign_in current_user, scope: :user
end
describe 'Managing user roles' do
let!(:too_high_role) { UserRole.create(name: 'TooHigh', permissions: UserRole::FLAGS[:administrator], position: 100) }
let!(:usable_role) { UserRole.create(name: 'Usable', permissions: UserRole::FLAGS[:manage_roles], position: 1) }
it 'selects and updates user roles' do
visit admin_user_role_path(user)
expect(page)
.to have_title I18n.t('admin.accounts.change_role.title', username: user.account.username)
# Fails to assign not allowed role
select too_high_role.name, from: 'user_role_id'
expect { click_on submit_button }
.to_not(change { user.reload.role_id })
expect(page)
.to have_title I18n.t('admin.accounts.change_role.title', username: user.account.username)
# Assigns allowed role
select usable_role.name, from: 'user_role_id'
expect { click_on submit_button }
.to(change { user.reload.role_id }.to(usable_role.id))
end
end
end

15
spec/system/statuses_spec.rb Normal file
View file

@ -0,0 +1,15 @@
# frozen_string_literal: true
require 'rails_helper'
RSpec.describe 'Status page' do
let(:status) { Fabricate :status }
it 'visits the status page and renders the web app' do
visit short_account_status_path(account_username: status.account.username, id: status.id)
expect(page)
.to have_css('noscript', text: /Mastodon/)
.and have_css('body', class: 'app-body')
end
end