2019-07-31 22:56:46 +05:30
|
|
|
# frozen_string_literal: true
|
|
|
|
|
2015-09-11 14:41:01 +05:30
|
|
|
require 'spec_helper'
|
|
|
|
|
|
|
|
describe Admin::UsersController do
|
2016-06-02 11:05:42 +05:30
|
|
|
let(:user) { create(:user) }
|
2018-03-17 18:26:18 +05:30
|
|
|
set(:admin) { create(:admin) }
|
2015-09-11 14:41:01 +05:30
|
|
|
|
|
|
|
before do
|
|
|
|
sign_in(admin)
|
|
|
|
end
|
|
|
|
|
2019-07-07 11:18:12 +05:30
|
|
|
describe 'GET #index' do
|
|
|
|
it 'retrieves all users' do
|
|
|
|
get :index
|
|
|
|
|
|
|
|
expect(assigns(:users)).to match_array([user, admin])
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'filters by admins' do
|
|
|
|
get :index, params: { filter: 'admins' }
|
|
|
|
|
|
|
|
expect(assigns(:users)).to eq([admin])
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
describe 'GET :id' do
|
|
|
|
it 'finds a user case-insensitively' do
|
|
|
|
user = create(:user, username: 'CaseSensitive')
|
|
|
|
|
|
|
|
get :show, params: { id: user.username.downcase }
|
|
|
|
|
|
|
|
expect(response).to be_redirect
|
|
|
|
expect(response.location).to end_with(user.username)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2015-09-11 14:41:01 +05:30
|
|
|
describe 'DELETE #user with projects' do
|
2017-09-10 17:25:29 +05:30
|
|
|
let(:project) { create(:project, namespace: user.namespace) }
|
|
|
|
let!(:issue) { create(:issue, author: user) }
|
2015-09-11 14:41:01 +05:30
|
|
|
|
|
|
|
before do
|
2018-03-17 18:26:18 +05:30
|
|
|
project.add_developer(user)
|
2015-09-11 14:41:01 +05:30
|
|
|
end
|
|
|
|
|
2017-09-10 17:25:29 +05:30
|
|
|
it 'deletes user and ghosts their contributions' do
|
2019-02-15 15:39:39 +05:30
|
|
|
delete :destroy, params: { id: user.username }, format: :json
|
2017-09-10 17:25:29 +05:30
|
|
|
|
2018-03-17 18:26:18 +05:30
|
|
|
expect(response).to have_gitlab_http_status(200)
|
2017-09-10 17:25:29 +05:30
|
|
|
expect(User.exists?(user.id)).to be_falsy
|
|
|
|
expect(issue.reload.author).to be_ghost
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'deletes the user and their contributions when hard delete is specified' do
|
2019-02-15 15:39:39 +05:30
|
|
|
delete :destroy, params: { id: user.username, hard_delete: true }, format: :json
|
2017-09-10 17:25:29 +05:30
|
|
|
|
2018-03-17 18:26:18 +05:30
|
|
|
expect(response).to have_gitlab_http_status(200)
|
2017-09-10 17:25:29 +05:30
|
|
|
expect(User.exists?(user.id)).to be_falsy
|
|
|
|
expect(Issue.exists?(issue.id)).to be_falsy
|
2015-09-11 14:41:01 +05:30
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2015-10-24 18:46:33 +05:30
|
|
|
describe 'PUT block/:id' do
|
|
|
|
it 'blocks user' do
|
2019-02-15 15:39:39 +05:30
|
|
|
put :block, params: { id: user.username }
|
2015-10-24 18:46:33 +05:30
|
|
|
user.reload
|
|
|
|
expect(user.blocked?).to be_truthy
|
|
|
|
expect(flash[:notice]).to eq 'Successfully blocked'
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
describe 'PUT unblock/:id' do
|
2016-01-19 16:12:03 +05:30
|
|
|
context 'ldap blocked users' do
|
|
|
|
let(:user) { create(:omniauth_user, provider: 'ldapmain') }
|
2015-10-24 18:46:33 +05:30
|
|
|
|
2016-01-19 16:12:03 +05:30
|
|
|
before do
|
|
|
|
user.ldap_block
|
|
|
|
end
|
|
|
|
|
2016-09-13 17:45:13 +05:30
|
|
|
it 'does not unblock user' do
|
2019-02-15 15:39:39 +05:30
|
|
|
put :unblock, params: { id: user.username }
|
2016-01-19 16:12:03 +05:30
|
|
|
user.reload
|
|
|
|
expect(user.blocked?).to be_truthy
|
|
|
|
expect(flash[:alert]).to eq 'This user cannot be unlocked manually from GitLab'
|
|
|
|
end
|
2015-10-24 18:46:33 +05:30
|
|
|
end
|
|
|
|
|
2016-01-19 16:12:03 +05:30
|
|
|
context 'manually blocked users' do
|
|
|
|
before do
|
|
|
|
user.block
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'unblocks user' do
|
2019-02-15 15:39:39 +05:30
|
|
|
put :unblock, params: { id: user.username }
|
2016-01-19 16:12:03 +05:30
|
|
|
user.reload
|
|
|
|
expect(user.blocked?).to be_falsey
|
|
|
|
expect(flash[:notice]).to eq 'Successfully unblocked'
|
|
|
|
end
|
2015-10-24 18:46:33 +05:30
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2015-09-11 14:41:01 +05:30
|
|
|
describe 'PUT unlock/:id' do
|
|
|
|
before do
|
|
|
|
request.env["HTTP_REFERER"] = "/"
|
|
|
|
user.lock_access!
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'unlocks user' do
|
2019-02-15 15:39:39 +05:30
|
|
|
put :unlock, params: { id: user.username }
|
2015-09-11 14:41:01 +05:30
|
|
|
user.reload
|
|
|
|
expect(user.access_locked?).to be_falsey
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
describe 'PUT confirm/:id' do
|
|
|
|
let(:user) { create(:user, confirmed_at: nil) }
|
|
|
|
|
|
|
|
before do
|
|
|
|
request.env["HTTP_REFERER"] = "/"
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'confirms user' do
|
2019-02-15 15:39:39 +05:30
|
|
|
put :confirm, params: { id: user.username }
|
2015-09-11 14:41:01 +05:30
|
|
|
user.reload
|
|
|
|
expect(user.confirmed?).to be_truthy
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
describe 'PATCH disable_two_factor' do
|
|
|
|
it 'disables 2FA for the user' do
|
|
|
|
expect(user).to receive(:disable_two_factor!)
|
|
|
|
allow(subject).to receive(:user).and_return(user)
|
|
|
|
|
|
|
|
go
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'redirects back' do
|
|
|
|
go
|
|
|
|
|
|
|
|
expect(response).to redirect_to(admin_user_path(user))
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'displays an alert' do
|
|
|
|
go
|
|
|
|
|
2017-09-10 17:25:29 +05:30
|
|
|
expect(flash[:notice])
|
|
|
|
.to eq 'Two-factor Authentication has been disabled for this user'
|
2015-09-11 14:41:01 +05:30
|
|
|
end
|
|
|
|
|
|
|
|
def go
|
2019-02-15 15:39:39 +05:30
|
|
|
patch :disable_two_factor, params: { id: user.to_param }
|
2015-09-11 14:41:01 +05:30
|
|
|
end
|
|
|
|
end
|
2016-06-02 11:05:42 +05:30
|
|
|
|
2017-08-17 22:00:37 +05:30
|
|
|
describe 'POST create' do
|
|
|
|
it 'creates the user' do
|
2019-02-15 15:39:39 +05:30
|
|
|
expect { post :create, params: { user: attributes_for(:user) } }.to change { User.count }.by(1)
|
2017-08-17 22:00:37 +05:30
|
|
|
end
|
|
|
|
|
|
|
|
it 'shows only one error message for an invalid email' do
|
2019-02-15 15:39:39 +05:30
|
|
|
post :create, params: { user: attributes_for(:user, email: 'bogus') }
|
2017-08-17 22:00:37 +05:30
|
|
|
expect(assigns[:user].errors).to contain_exactly("Email is invalid")
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2016-06-02 11:05:42 +05:30
|
|
|
describe 'POST update' do
|
|
|
|
context 'when the password has changed' do
|
|
|
|
def update_password(user, password, password_confirmation = nil)
|
|
|
|
params = {
|
|
|
|
id: user.to_param,
|
|
|
|
user: {
|
|
|
|
password: password,
|
|
|
|
password_confirmation: password_confirmation || password
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-02-15 15:39:39 +05:30
|
|
|
post :update, params: params
|
2016-06-02 11:05:42 +05:30
|
|
|
end
|
|
|
|
|
2018-03-17 18:26:18 +05:30
|
|
|
context 'when the admin changes his own password' do
|
|
|
|
it 'updates the password' do
|
|
|
|
expect { update_password(admin, 'AValidPassword1') }
|
|
|
|
.to change { admin.reload.encrypted_password }
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'does not set the new password to expire immediately' do
|
|
|
|
expect { update_password(admin, 'AValidPassword1') }
|
|
|
|
.not_to change { admin.reload.password_expires_at }
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2016-06-02 11:05:42 +05:30
|
|
|
context 'when the new password is valid' do
|
|
|
|
it 'redirects to the user' do
|
|
|
|
update_password(user, 'AValidPassword1')
|
|
|
|
|
|
|
|
expect(response).to redirect_to(admin_user_path(user))
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'updates the password' do
|
2018-03-17 18:26:18 +05:30
|
|
|
expect { update_password(user, 'AValidPassword1') }
|
|
|
|
.to change { user.reload.encrypted_password }
|
2016-06-02 11:05:42 +05:30
|
|
|
end
|
|
|
|
|
|
|
|
it 'sets the new password to expire immediately' do
|
2018-03-17 18:26:18 +05:30
|
|
|
expect { update_password(user, 'AValidPassword1') }
|
|
|
|
.to change { user.reload.password_expires_at }.to be_within(2.seconds).of(Time.now)
|
2016-06-02 11:05:42 +05:30
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'when the new password is invalid' do
|
|
|
|
it 'shows the edit page again' do
|
|
|
|
update_password(user, 'invalid')
|
|
|
|
|
|
|
|
expect(response).to render_template(:edit)
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'returns the error message' do
|
|
|
|
update_password(user, 'invalid')
|
|
|
|
|
|
|
|
expect(assigns[:user].errors).to contain_exactly(a_string_matching(/too short/))
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'does not update the password' do
|
2018-03-17 18:26:18 +05:30
|
|
|
expect { update_password(user, 'invalid') }
|
|
|
|
.not_to change { user.reload.encrypted_password }
|
2016-06-02 11:05:42 +05:30
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'when the new password does not match the password confirmation' do
|
|
|
|
it 'shows the edit page again' do
|
|
|
|
update_password(user, 'AValidPassword1', 'AValidPassword2')
|
|
|
|
|
|
|
|
expect(response).to render_template(:edit)
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'returns the error message' do
|
|
|
|
update_password(user, 'AValidPassword1', 'AValidPassword2')
|
|
|
|
|
|
|
|
expect(assigns[:user].errors).to contain_exactly(a_string_matching(/doesn't match/))
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'does not update the password' do
|
2018-03-17 18:26:18 +05:30
|
|
|
expect { update_password(user, 'AValidPassword1', 'AValidPassword2') }
|
|
|
|
.not_to change { user.reload.encrypted_password }
|
2016-06-02 11:05:42 +05:30
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
describe "POST impersonate" do
|
|
|
|
context "when the user is blocked" do
|
|
|
|
before do
|
|
|
|
user.block!
|
|
|
|
end
|
|
|
|
|
|
|
|
it "shows a notice" do
|
2019-02-15 15:39:39 +05:30
|
|
|
post :impersonate, params: { id: user.username }
|
2016-06-02 11:05:42 +05:30
|
|
|
|
|
|
|
expect(flash[:alert]).to eq("You cannot impersonate a blocked user")
|
|
|
|
end
|
|
|
|
|
|
|
|
it "doesn't sign us in as the user" do
|
2019-02-15 15:39:39 +05:30
|
|
|
post :impersonate, params: { id: user.username }
|
2016-06-02 11:05:42 +05:30
|
|
|
|
|
|
|
expect(warden.user).to eq(admin)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context "when the user is not blocked" do
|
|
|
|
it "stores the impersonator in the session" do
|
2019-02-15 15:39:39 +05:30
|
|
|
post :impersonate, params: { id: user.username }
|
2016-06-02 11:05:42 +05:30
|
|
|
|
|
|
|
expect(session[:impersonator_id]).to eq(admin.id)
|
|
|
|
end
|
|
|
|
|
|
|
|
it "signs us in as the user" do
|
2019-02-15 15:39:39 +05:30
|
|
|
post :impersonate, params: { id: user.username }
|
2016-06-02 11:05:42 +05:30
|
|
|
|
|
|
|
expect(warden.user).to eq(user)
|
|
|
|
end
|
|
|
|
|
2019-10-12 21:52:04 +05:30
|
|
|
it 'logs the beginning of the impersonation event' do
|
|
|
|
expect(Gitlab::AppLogger).to receive(:info).with("User #{admin.username} has started impersonating #{user.username}").and_call_original
|
|
|
|
|
|
|
|
post :impersonate, params: { id: user.username }
|
|
|
|
end
|
|
|
|
|
2016-06-02 11:05:42 +05:30
|
|
|
it "redirects to root" do
|
2019-02-15 15:39:39 +05:30
|
|
|
post :impersonate, params: { id: user.username }
|
2016-06-02 11:05:42 +05:30
|
|
|
|
|
|
|
expect(response).to redirect_to(root_path)
|
|
|
|
end
|
|
|
|
|
|
|
|
it "shows a notice" do
|
2019-02-15 15:39:39 +05:30
|
|
|
post :impersonate, params: { id: user.username }
|
2016-06-02 11:05:42 +05:30
|
|
|
|
|
|
|
expect(flash[:alert]).to eq("You are now impersonating #{user.username}")
|
|
|
|
end
|
|
|
|
end
|
2019-02-15 15:39:39 +05:30
|
|
|
|
|
|
|
context "when impersonation is disabled" do
|
|
|
|
before do
|
|
|
|
stub_config_setting(impersonation_enabled: false)
|
|
|
|
end
|
|
|
|
|
|
|
|
it "shows error page" do
|
|
|
|
post :impersonate, params: { id: user.username }
|
|
|
|
|
|
|
|
expect(response).to have_gitlab_http_status(404)
|
|
|
|
end
|
|
|
|
end
|
2016-06-02 11:05:42 +05:30
|
|
|
end
|
2015-09-11 14:41:01 +05:30
|
|
|
end
|