2019-12-26 22:10:19 +05:30
# frozen_string_literal: true
2014-09-02 18:07:02 +05:30
require 'spec_helper'
2021-02-22 17:27:13 +05:30
RSpec . describe API :: Users do
2020-06-23 00:09:42 +05:30
let_it_be ( :admin ) { create ( :admin ) }
2021-07-02 01:05:55 +05:30
let_it_be ( :user , reload : true ) { create ( :user , username : 'user.withdot' ) }
2020-06-23 00:09:42 +05:30
let_it_be ( :key ) { create ( :key , user : user ) }
let_it_be ( :gpg_key ) { create ( :gpg_key , user : user ) }
let_it_be ( :email ) { create ( :email , user : user ) }
2015-10-24 18:46:33 +05:30
let ( :omniauth_user ) { create ( :omniauth_user ) }
2016-01-19 16:12:03 +05:30
let ( :ldap_blocked_user ) { create ( :omniauth_user , provider : 'ldapmain' , state : 'ldap_blocked' ) }
2018-11-18 11:00:15 +05:30
let ( :private_user ) { create ( :user , private_profile : true ) }
2020-06-23 00:09:42 +05:30
context 'admin notes' do
let_it_be ( :admin ) { create ( :admin , note : '2019-10-06 | 2FA added | user requested | www.gitlab.com' ) }
let_it_be ( :user , reload : true ) { create ( :user , note : '2018-11-05 | 2FA removed | user requested | www.gitlab.com' ) }
describe 'POST /users' do
context 'when unauthenticated' do
it 'return authentication error' do
post api ( '/users' )
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
end
end
context 'when authenticated' do
context 'as an admin' do
it 'contains the note of the user' do
optional_attributes = { note : 'Awesome Note' }
attributes = attributes_for ( :user ) . merge ( optional_attributes )
post api ( '/users' , admin ) , params : attributes
expect ( response ) . to have_gitlab_http_status ( :created )
expect ( json_response [ 'note' ] ) . to eq ( optional_attributes [ :note ] )
end
end
context 'as a regular user' do
it 'does not allow creating new user' do
post api ( '/users' , user ) , params : attributes_for ( :user )
expect ( response ) . to have_gitlab_http_status ( :forbidden )
end
end
end
end
describe 'GET /users/:id' do
context 'when unauthenticated' do
it 'does not contain the note of the user' do
get api ( " /users/ #{ user . id } " )
expect ( json_response ) . not_to have_key ( 'note' )
end
end
context 'when authenticated' do
context 'as an admin' do
it 'contains the note of the user' do
get api ( " /users/ #{ user . id } " , admin )
expect ( json_response ) . to have_key ( 'note' )
expect ( json_response [ 'note' ] ) . to eq ( user . note )
2020-10-24 23:57:45 +05:30
expect ( json_response ) . to have_key ( 'sign_in_count' )
2020-06-23 00:09:42 +05:30
end
end
context 'as a regular user' do
it 'does not contain the note of the user' do
get api ( " /users/ #{ user . id } " , user )
expect ( json_response ) . not_to have_key ( 'note' )
2020-10-24 23:57:45 +05:30
expect ( json_response ) . not_to have_key ( 'sign_in_count' )
2020-06-23 00:09:42 +05:30
end
end
end
end
describe " PUT /users/:id " do
context 'when user is an admin' do
it " updates note of the user " do
new_note = '2019-07-07 | Email changed | user requested | www.gitlab.com'
expect do
put api ( " /users/ #{ user . id } " , admin ) , params : { note : new_note }
end . to change { user . reload . note }
. from ( '2018-11-05 | 2FA removed | user requested | www.gitlab.com' )
. to ( new_note )
expect ( response ) . to have_gitlab_http_status ( :success )
expect ( json_response [ 'note' ] ) . to eq ( new_note )
end
end
context 'when user is not an admin' do
it " cannot update their own note " do
expect do
put api ( " /users/ #{ user . id } " , user ) , params : { note : 'new note' }
end . not_to change { user . reload . note }
expect ( response ) . to have_gitlab_http_status ( :forbidden )
end
end
end
describe 'GET /users/' do
context 'when unauthenticated' do
it " does not contain the note of users " do
get api ( " /users " ) , params : { username : user . username }
expect ( json_response . first ) . not_to have_key ( 'note' )
end
end
context 'when authenticated' do
context 'as a regular user' do
it 'does not contain the note of users' do
get api ( " /users " , user ) , params : { username : user . username }
expect ( json_response . first ) . not_to have_key ( 'note' )
end
end
context 'as an admin' do
it 'contains the note of users' do
get api ( " /users " , admin ) , params : { username : user . username }
expect ( response ) . to have_gitlab_http_status ( :success )
expect ( json_response . first ) . to have_key ( 'note' )
expect ( json_response . first [ 'note' ] ) . to eq '2018-11-05 | 2FA removed | user requested | www.gitlab.com'
end
end
end
end
describe 'GET /user' do
context 'when authenticated' do
context 'as an admin' do
context 'accesses their own profile' do
it 'contains the note of the user' do
get api ( " /user " , admin )
expect ( json_response ) . to have_key ( 'note' )
expect ( json_response [ 'note' ] ) . to eq ( admin . note )
end
end
context 'sudo' do
let ( :admin_personal_access_token ) { create ( :personal_access_token , user : admin , scopes : %w[ api sudo ] ) . token }
context 'accesses the profile of another regular user' do
it 'does not contain the note of the user' do
get api ( " /user?private_token= #{ admin_personal_access_token } &sudo= #{ user . id } " )
expect ( json_response [ 'id' ] ) . to eq ( user . id )
expect ( json_response ) . not_to have_key ( 'note' )
end
end
context 'accesses the profile of another admin' do
2021-01-29 00:20:46 +05:30
let ( :admin_2 ) { create ( :admin , note : '2010-10-10 | 2FA added | admin requested | www.gitlab.com' ) }
2020-06-23 00:09:42 +05:30
it 'contains the note of the user' do
get api ( " /user?private_token= #{ admin_personal_access_token } &sudo= #{ admin_2 . id } " )
expect ( json_response [ 'id' ] ) . to eq ( admin_2 . id )
expect ( json_response ) . to have_key ( 'note' )
expect ( json_response [ 'note' ] ) . to eq ( admin_2 . note )
end
end
end
end
context 'as a regular user' do
it 'does not contain the note of the user' do
get api ( " /user " , user )
expect ( json_response ) . not_to have_key ( 'note' )
end
end
end
end
end
2018-11-18 11:00:15 +05:30
shared_examples 'rendering user status' do
it 'returns the status if there was one' do
create ( :user_status , user : user )
get api ( path , user )
expect ( response ) . to have_gitlab_http_status ( :success )
expect ( json_response [ 'message' ] ) . to be_present
expect ( json_response [ 'message_html' ] ) . to be_present
expect ( json_response [ 'emoji' ] ) . to be_present
end
it 'returns an empty response if there was no status' do
get api ( path , user )
expect ( response ) . to have_gitlab_http_status ( :success )
expect ( json_response [ 'message' ] ) . to be_nil
expect ( json_response [ 'emoji' ] ) . to be_nil
end
end
2014-09-02 18:07:02 +05:30
2017-08-17 22:00:37 +05:30
describe 'GET /users' do
2014-09-02 18:07:02 +05:30
context " when unauthenticated " do
2017-09-10 17:25:29 +05:30
it " returns authorization error when the `username` parameter is not passed " do
2014-09-02 18:07:02 +05:30
get api ( " /users " )
2017-09-10 17:25:29 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2017-09-10 17:25:29 +05:30
end
it " returns the user when a valid `username` parameter is passed " do
2019-02-15 15:39:39 +05:30
get api ( " /users " ) , params : { username : user . username }
2017-09-10 17:25:29 +05:30
2018-03-17 18:26:18 +05:30
expect ( response ) . to match_response_schema ( 'public_api/v4/user/basics' )
2017-09-10 17:25:29 +05:30
expect ( json_response . size ) . to eq ( 1 )
expect ( json_response [ 0 ] [ 'id' ] ) . to eq ( user . id )
expect ( json_response [ 0 ] [ 'username' ] ) . to eq ( user . username )
end
2018-12-13 13:39:08 +05:30
it " returns the user when a valid `username` parameter is passed (case insensitive) " do
2019-02-15 15:39:39 +05:30
get api ( " /users " ) , params : { username : user . username . upcase }
2018-12-13 13:39:08 +05:30
expect ( response ) . to match_response_schema ( 'public_api/v4/user/basics' )
expect ( json_response . size ) . to eq ( 1 )
expect ( json_response [ 0 ] [ 'id' ] ) . to eq ( user . id )
expect ( json_response [ 0 ] [ 'username' ] ) . to eq ( user . username )
end
2017-09-10 17:25:29 +05:30
it " returns an empty response when an invalid `username` parameter is passed " do
2019-02-15 15:39:39 +05:30
get api ( " /users " ) , params : { username : 'invalid' }
2017-09-10 17:25:29 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2017-09-10 17:25:29 +05:30
expect ( json_response ) . to be_an Array
expect ( json_response . size ) . to eq ( 0 )
end
2019-07-07 11:18:12 +05:30
it " does not return the highest role " do
get api ( " /users " ) , params : { username : user . username }
expect ( response ) . to match_response_schema ( 'public_api/v4/user/basics' )
expect ( json_response . first . keys ) . not_to include 'highest_role'
end
2020-03-13 15:44:24 +05:30
it " does not return the current or last sign-in ip addresses " do
get api ( " /users " ) , params : { username : user . username }
expect ( response ) . to match_response_schema ( 'public_api/v4/user/basics' )
expect ( json_response . first . keys ) . not_to include 'current_sign_in_ip'
expect ( json_response . first . keys ) . not_to include 'last_sign_in_ip'
end
2017-09-10 17:25:29 +05:30
context " when public level is restricted " do
before do
stub_application_setting ( restricted_visibility_levels : [ Gitlab :: VisibilityLevel :: PUBLIC ] )
end
it " returns authorization error when the `username` parameter refers to an inaccessible user " do
2019-02-15 15:39:39 +05:30
get api ( " /users " ) , params : { username : user . username }
2017-09-10 17:25:29 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2017-09-10 17:25:29 +05:30
end
it " returns authorization error when the `username` parameter is not passed " do
get api ( " /users " )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2017-09-10 17:25:29 +05:30
end
2014-09-02 18:07:02 +05:30
end
end
context " when authenticated " do
2016-06-16 23:09:34 +05:30
# These specs are written just in case API authentication is not required anymore
2016-06-02 11:05:42 +05:30
context " when public level is restricted " do
before do
stub_application_setting ( restricted_visibility_levels : [ Gitlab :: VisibilityLevel :: PUBLIC ] )
end
2017-09-10 17:25:29 +05:30
context 'when authenticate as a regular user' do
it " renders 200 " do
get api ( " /users " , user )
2018-03-17 18:26:18 +05:30
expect ( response ) . to match_response_schema ( 'public_api/v4/user/basics' )
2017-09-10 17:25:29 +05:30
end
2016-06-02 11:05:42 +05:30
end
2017-09-10 17:25:29 +05:30
context 'when authenticate as an admin' do
it " renders 200 " do
get api ( " /users " , admin )
2018-03-17 18:26:18 +05:30
expect ( response ) . to match_response_schema ( 'public_api/v4/user/basics' )
2017-09-10 17:25:29 +05:30
end
2016-06-02 11:05:42 +05:30
end
end
2016-09-13 17:45:13 +05:30
it " returns an array of users " do
2014-09-02 18:07:02 +05:30
get api ( " /users " , user )
2017-08-17 22:00:37 +05:30
2018-03-17 18:26:18 +05:30
expect ( response ) . to match_response_schema ( 'public_api/v4/user/basics' )
2017-08-17 22:00:37 +05:30
expect ( response ) . to include_pagination_headers
2015-04-26 12:48:37 +05:30
username = user . username
2015-09-11 14:41:01 +05:30
expect ( json_response . detect do | user |
user [ 'username' ] == username
end [ 'username' ] ) . to eq ( username )
2014-09-02 18:07:02 +05:30
end
2016-01-14 18:37:52 +05:30
2017-08-17 22:00:37 +05:30
it " returns an array of blocked users " do
ldap_blocked_user
create ( :user , state : 'blocked' )
get api ( " /users?blocked=true " , user )
2018-03-17 18:26:18 +05:30
expect ( response ) . to match_response_schema ( 'public_api/v4/user/basics' )
2017-08-17 22:00:37 +05:30
expect ( response ) . to include_pagination_headers
expect ( json_response ) . to all ( include ( 'state' = > / (blocked|ldap_blocked) / ) )
end
2021-04-17 20:07:23 +05:30
it " returns an array of external users " do
create ( :user )
external_user = create ( :user , external : true )
get api ( " /users?external=true " , user )
expect ( response ) . to match_response_schema ( 'public_api/v4/user/basics' )
expect ( response ) . to include_pagination_headers
expect ( json_response . size ) . to eq ( 1 )
expect ( json_response [ 0 ] [ 'id' ] ) . to eq ( external_user . id )
end
2016-09-13 17:45:13 +05:30
it " returns one user " do
2016-01-14 18:37:52 +05:30
get api ( " /users?username= #{ omniauth_user . username } " , user )
2017-08-17 22:00:37 +05:30
2018-03-17 18:26:18 +05:30
expect ( response ) . to match_response_schema ( 'public_api/v4/user/basics' )
2017-08-17 22:00:37 +05:30
expect ( response ) . to include_pagination_headers
2016-01-14 18:37:52 +05:30
expect ( json_response . first [ 'username' ] ) . to eq ( omniauth_user . username )
end
2017-08-17 22:00:37 +05:30
2018-12-13 13:39:08 +05:30
it " returns one user (case insensitive) " do
get api ( " /users?username= #{ omniauth_user . username . upcase } " , user )
expect ( response ) . to match_response_schema ( 'public_api/v4/user/basics' )
expect ( response ) . to include_pagination_headers
expect ( json_response . first [ 'username' ] ) . to eq ( omniauth_user . username )
end
2017-08-17 22:00:37 +05:30
it " returns a 403 when non-admin user searches by external UID " do
get api ( " /users?extern_uid= #{ omniauth_user . identities . first . extern_uid } &provider= #{ omniauth_user . identities . first . provider } " , user )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2017-08-17 22:00:37 +05:30
end
it 'does not reveal the `is_admin` flag of the user' do
get api ( '/users' , user )
2018-03-17 18:26:18 +05:30
expect ( response ) . to match_response_schema ( 'public_api/v4/user/basics' )
2017-08-17 22:00:37 +05:30
expect ( json_response . first . keys ) . not_to include 'is_admin'
end
2020-11-24 15:15:51 +05:30
context 'exclude_internal param' do
let_it_be ( :internal_user ) { User . alert_bot }
it 'returns all users when it is not set' do
get api ( " /users?exclude_internal=false " , user )
expect ( response ) . to match_response_schema ( 'public_api/v4/user/basics' )
expect ( response ) . to include_pagination_headers
expect ( json_response . map { | u | u [ 'id' ] } ) . to include ( internal_user . id )
end
it 'returns all non internal users when it is set' do
get api ( " /users?exclude_internal=true " , user )
expect ( response ) . to match_response_schema ( 'public_api/v4/user/basics' )
expect ( response ) . to include_pagination_headers
expect ( json_response . map { | u | u [ 'id' ] } ) . not_to include ( internal_user . id )
end
end
2021-03-08 18:12:59 +05:30
context 'admins param' do
it 'returns all users' do
get api ( " /users?admins=true " , user )
expect ( response ) . to match_response_schema ( 'public_api/v4/user/basics' )
expect ( json_response . size ) . to eq ( 2 )
expect ( json_response . map { | u | u [ 'id' ] } ) . to include ( user . id , admin . id )
end
end
2014-09-02 18:07:02 +05:30
end
context " when admin " do
2018-03-17 18:26:18 +05:30
context 'when sudo is defined' do
it 'does not return 500' do
admin_personal_access_token = create ( :personal_access_token , user : admin , scopes : [ :sudo ] )
get api ( " /users?sudo= #{ user . id } " , admin , personal_access_token : admin_personal_access_token )
expect ( response ) . to have_gitlab_http_status ( :success )
end
end
2016-09-13 17:45:13 +05:30
it " returns an array of users " do
2014-09-02 18:07:02 +05:30
get api ( " /users " , admin )
2017-08-17 22:00:37 +05:30
2018-03-17 18:26:18 +05:30
expect ( response ) . to match_response_schema ( 'public_api/v4/user/admins' )
2017-08-17 22:00:37 +05:30
expect ( response ) . to include_pagination_headers
end
it " returns an array of external users " do
create ( :user , external : true )
get api ( " /users?external=true " , admin )
2018-03-17 18:26:18 +05:30
expect ( response ) . to match_response_schema ( 'public_api/v4/user/admins' )
2017-08-17 22:00:37 +05:30
expect ( response ) . to include_pagination_headers
expect ( json_response ) . to all ( include ( 'external' = > true ) )
end
it " returns one user by external UID " do
get api ( " /users?extern_uid= #{ omniauth_user . identities . first . extern_uid } &provider= #{ omniauth_user . identities . first . provider } " , admin )
2018-03-17 18:26:18 +05:30
expect ( response ) . to match_response_schema ( 'public_api/v4/user/admins' )
2017-08-17 22:00:37 +05:30
expect ( json_response . size ) . to eq ( 1 )
expect ( json_response . first [ 'username' ] ) . to eq ( omniauth_user . username )
end
it " returns 400 error if provider with no extern_uid " do
get api ( " /users?extern_uid= #{ omniauth_user . identities . first . extern_uid } " , admin )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
2017-08-17 22:00:37 +05:30
end
it " returns 400 error if provider with no extern_uid " do
get api ( " /users?provider= #{ omniauth_user . identities . first . provider } " , admin )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
2014-09-02 18:07:02 +05:30
end
2017-09-10 17:25:29 +05:30
it " returns a user created before a specific date " do
user = create ( :user , created_at : Date . new ( 2000 , 1 , 1 ) )
get api ( " /users?created_before=2000-01-02T00:00:00.060Z " , admin )
2018-03-17 18:26:18 +05:30
expect ( response ) . to match_response_schema ( 'public_api/v4/user/admins' )
2017-09-10 17:25:29 +05:30
expect ( json_response . size ) . to eq ( 1 )
expect ( json_response . first [ 'username' ] ) . to eq ( user . username )
end
it " returns no users created before a specific date " do
create ( :user , created_at : Date . new ( 2001 , 1 , 1 ) )
get api ( " /users?created_before=2000-01-02T00:00:00.060Z " , admin )
2018-03-17 18:26:18 +05:30
expect ( response ) . to match_response_schema ( 'public_api/v4/user/admins' )
2017-09-10 17:25:29 +05:30
expect ( json_response . size ) . to eq ( 0 )
end
it " returns users created before and after a specific date " do
user = create ( :user , created_at : Date . new ( 2001 , 1 , 1 ) )
get api ( " /users?created_before=2001-01-02T00:00:00.060Z&created_after=1999-01-02T00:00:00.060 " , admin )
2018-03-17 18:26:18 +05:30
expect ( response ) . to match_response_schema ( 'public_api/v4/user/admins' )
2017-09-10 17:25:29 +05:30
expect ( json_response . size ) . to eq ( 1 )
expect ( json_response . first [ 'username' ] ) . to eq ( user . username )
end
2018-03-17 18:26:18 +05:30
it 'returns the correct order when sorted by id' do
2020-06-23 00:09:42 +05:30
# order of let_it_be definitions:
# - admin
# - user
2018-03-17 18:26:18 +05:30
2019-02-15 15:39:39 +05:30
get api ( '/users' , admin ) , params : { order_by : 'id' , sort : 'asc' }
2018-03-17 18:26:18 +05:30
expect ( response ) . to match_response_schema ( 'public_api/v4/user/admins' )
expect ( json_response . size ) . to eq ( 2 )
expect ( json_response . first [ 'id' ] ) . to eq ( admin . id )
expect ( json_response . last [ 'id' ] ) . to eq ( user . id )
end
2018-10-15 14:42:47 +05:30
it 'returns users with 2fa enabled' do
user_with_2fa = create ( :user , :two_factor_via_otp )
2019-02-15 15:39:39 +05:30
get api ( '/users' , admin ) , params : { two_factor : 'enabled' }
2018-10-15 14:42:47 +05:30
expect ( response ) . to match_response_schema ( 'public_api/v4/user/admins' )
expect ( json_response . size ) . to eq ( 1 )
expect ( json_response . first [ 'id' ] ) . to eq ( user_with_2fa . id )
end
2020-04-22 19:07:51 +05:30
it " returns users without projects " do
user_without_projects = create ( :user )
create ( :project , namespace : user . namespace )
create ( :project , namespace : admin . namespace )
get api ( '/users' , admin ) , params : { without_projects : true }
expect ( response ) . to match_response_schema ( 'public_api/v4/user/admins' )
expect ( json_response . size ) . to eq ( 1 )
expect ( json_response . first [ 'id' ] ) . to eq ( user_without_projects . id )
end
2018-03-17 18:26:18 +05:30
it 'returns 400 when provided incorrect sort params' do
2019-02-15 15:39:39 +05:30
get api ( '/users' , admin ) , params : { order_by : 'magic' , sort : 'asc' }
2018-03-17 18:26:18 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
2018-03-17 18:26:18 +05:30
end
2014-09-02 18:07:02 +05:30
end
2021-03-08 18:12:59 +05:30
context 'admins param' do
it 'returns only admins' do
get api ( " /users?admins=true " , admin )
expect ( response ) . to match_response_schema ( 'public_api/v4/user/basics' )
expect ( json_response . size ) . to eq ( 1 )
expect ( json_response . first [ 'id' ] ) . to eq ( admin . id )
end
end
2014-09-02 18:07:02 +05:30
end
describe " GET /users/:id " do
2016-09-13 17:45:13 +05:30
it " returns a user by id " do
2014-09-02 18:07:02 +05:30
get api ( " /users/ #{ user . id } " , user )
2017-09-10 17:25:29 +05:30
2018-03-17 18:26:18 +05:30
expect ( response ) . to match_response_schema ( 'public_api/v4/user/basic' )
2015-04-26 12:48:37 +05:30
expect ( json_response [ 'username' ] ) . to eq ( user . username )
2014-09-02 18:07:02 +05:30
end
2017-08-17 22:00:37 +05:30
it " does not return the user's `is_admin` flag " do
get api ( " /users/ #{ user . id } " , user )
2018-03-17 18:26:18 +05:30
expect ( response ) . to match_response_schema ( 'public_api/v4/user/basic' )
expect ( json_response . keys ) . not_to include 'is_admin'
end
2019-07-07 11:18:12 +05:30
it " does not return the user's `highest_role` " do
get api ( " /users/ #{ user . id } " , user )
expect ( response ) . to match_response_schema ( 'public_api/v4/user/basic' )
expect ( json_response . keys ) . not_to include 'highest_role'
end
2020-03-13 15:44:24 +05:30
it " does not return the user's sign in IPs " do
get api ( " /users/ #{ user . id } " , user )
expect ( response ) . to match_response_schema ( 'public_api/v4/user/basic' )
expect ( json_response . keys ) . not_to include 'current_sign_in_ip'
expect ( json_response . keys ) . not_to include 'last_sign_in_ip'
end
2020-04-08 14:13:33 +05:30
it " does not contain plan or trial data " do
get api ( " /users/ #{ user . id } " , user )
expect ( response ) . to match_response_schema ( 'public_api/v4/user/basic' )
expect ( json_response . keys ) . not_to include 'plan'
expect ( json_response . keys ) . not_to include 'trial'
end
context 'when job title is present' do
let ( :job_title ) { 'Fullstack Engineer' }
before do
create ( :user_detail , user : user , job_title : job_title )
end
it 'returns job title of a user' do
get api ( " /users/ #{ user . id } " , user )
expect ( response ) . to match_response_schema ( 'public_api/v4/user/basic' )
expect ( json_response [ 'job_title' ] ) . to eq ( job_title )
end
end
2018-03-17 18:26:18 +05:30
context 'when authenticated as admin' do
it 'includes the `is_admin` field' do
get api ( " /users/ #{ user . id } " , admin )
expect ( response ) . to match_response_schema ( 'public_api/v4/user/admin' )
expect ( json_response [ 'is_admin' ] ) . to be ( false )
end
2018-11-18 11:00:15 +05:30
it " includes the `created_at` field for private users " do
get api ( " /users/ #{ private_user . id } " , admin )
expect ( response ) . to match_response_schema ( 'public_api/v4/user/admin' )
expect ( json_response . keys ) . to include 'created_at'
end
2020-03-13 15:44:24 +05:30
2019-07-07 11:18:12 +05:30
it 'includes the `highest_role` field' do
get api ( " /users/ #{ user . id } " , admin )
expect ( response ) . to match_response_schema ( 'public_api/v4/user/admin' )
expect ( json_response [ 'highest_role' ] ) . to be ( 0 )
end
2020-03-13 15:44:24 +05:30
2020-04-08 14:13:33 +05:30
if Gitlab . ee?
it 'does not include values for plan or trial' do
get api ( " /users/ #{ user . id } " , admin )
expect ( response ) . to match_response_schema ( 'public_api/v4/user/basic' )
end
else
it 'does not include plan or trial data' do
get api ( " /users/ #{ user . id } " , admin )
expect ( response ) . to match_response_schema ( 'public_api/v4/user/basic' )
expect ( json_response . keys ) . not_to include 'plan'
expect ( json_response . keys ) . not_to include 'trial'
end
end
2020-03-13 15:44:24 +05:30
context 'when user has not logged in' do
it 'does not include the sign in IPs' do
get api ( " /users/ #{ user . id } " , admin )
expect ( response ) . to match_response_schema ( 'public_api/v4/user/admin' )
expect ( json_response ) . to include ( 'current_sign_in_ip' = > nil , 'last_sign_in_ip' = > nil )
end
end
context 'when user has logged in' do
let_it_be ( :signed_in_user ) { create ( :user , :with_sign_ins ) }
it 'includes the sign in IPs' do
get api ( " /users/ #{ signed_in_user . id } " , admin )
expect ( response ) . to match_response_schema ( 'public_api/v4/user/admin' )
expect ( json_response [ 'current_sign_in_ip' ] ) . to eq ( '127.0.0.1' )
expect ( json_response [ 'last_sign_in_ip' ] ) . to eq ( '127.0.0.1' )
end
end
2017-08-17 22:00:37 +05:30
end
2017-09-10 17:25:29 +05:30
context 'for an anonymous user' do
it " returns a user by id " do
get api ( " /users/ #{ user . id } " )
2018-03-17 18:26:18 +05:30
expect ( response ) . to match_response_schema ( 'public_api/v4/user/basic' )
2017-09-10 17:25:29 +05:30
expect ( json_response [ 'username' ] ) . to eq ( user . username )
end
it " returns a 404 if the target user is present but inaccessible " do
allow ( Ability ) . to receive ( :allowed? ) . and_call_original
allow ( Ability ) . to receive ( :allowed? ) . with ( nil , :read_user , user ) . and_return ( false )
get api ( " /users/ #{ user . id } " )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2017-09-10 17:25:29 +05:30
end
2018-11-18 11:00:15 +05:30
it " returns the `created_at` field for public users " do
get api ( " /users/ #{ user . id } " )
expect ( response ) . to match_response_schema ( 'public_api/v4/user/basic' )
expect ( json_response . keys ) . to include 'created_at'
end
it " does not return the `created_at` field for private users " do
get api ( " /users/ #{ private_user . id } " )
expect ( response ) . to match_response_schema ( 'public_api/v4/user/basic' )
expect ( json_response . keys ) . not_to include 'created_at'
end
2021-03-11 19:13:27 +05:30
it " returns the `followers` field for public users " do
get api ( " /users/ #{ user . id } " )
expect ( response ) . to match_response_schema ( 'public_api/v4/user/basic' )
expect ( json_response . keys ) . to include 'followers'
end
it " does not return the `followers` field for private users " do
get api ( " /users/ #{ private_user . id } " )
expect ( response ) . to match_response_schema ( 'public_api/v4/user/basic' )
expect ( json_response . keys ) . not_to include 'followers'
end
it " returns the `following` field for public users " do
get api ( " /users/ #{ user . id } " )
expect ( response ) . to match_response_schema ( 'public_api/v4/user/basic' )
expect ( json_response . keys ) . to include 'following'
end
it " does not return the `following` field for private users " do
get api ( " /users/ #{ private_user . id } " )
expect ( response ) . to match_response_schema ( 'public_api/v4/user/basic' )
expect ( json_response . keys ) . not_to include 'following'
end
2014-09-02 18:07:02 +05:30
end
2016-09-13 17:45:13 +05:30
it " returns a 404 error if user id not found " do
2019-07-07 11:18:12 +05:30
get api ( " /users/0 " , user )
2018-03-17 18:26:18 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2017-08-17 22:00:37 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 User Not Found' )
2014-09-02 18:07:02 +05:30
end
2015-09-25 12:07:36 +05:30
2016-11-03 12:29:30 +05:30
it " returns a 404 for invalid ID " do
2015-09-25 12:07:36 +05:30
get api ( " /users/1ASDF " , user )
2016-11-03 12:29:30 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2015-09-25 12:07:36 +05:30
end
2014-09-02 18:07:02 +05:30
end
2018-11-18 11:00:15 +05:30
describe 'GET /users/:id_or_username/status' do
context 'when finding the user by id' do
it_behaves_like 'rendering user status' do
let ( :path ) { " /users/ #{ user . id } /status " }
end
end
context 'when finding the user by username' do
it_behaves_like 'rendering user status' do
let ( :path ) { " /users/ #{ user . username } /status " }
end
end
2018-12-13 13:39:08 +05:30
context 'when finding the user by username (case insensitive)' do
it_behaves_like 'rendering user status' do
let ( :path ) { " /users/ #{ user . username . upcase } /status " }
end
end
2018-11-18 11:00:15 +05:30
end
2021-03-11 19:13:27 +05:30
describe 'POST /users/:id/follow' do
let ( :followee ) { create ( :user ) }
context 'on an unfollowed user' do
it 'follows the user' do
post api ( " /users/ #{ followee . id } /follow " , user )
expect ( user . followees ) . to contain_exactly ( followee )
expect ( response ) . to have_gitlab_http_status ( :created )
end
end
context 'on a followed user' do
before do
user . follow ( followee )
end
it 'does not change following' do
post api ( " /users/ #{ followee . id } /follow " , user )
expect ( user . followees ) . to contain_exactly ( followee )
expect ( response ) . to have_gitlab_http_status ( :not_modified )
end
end
end
describe 'POST /users/:id/unfollow' do
let ( :followee ) { create ( :user ) }
context 'on a followed user' do
before do
user . follow ( followee )
end
it 'unfollow the user' do
post api ( " /users/ #{ followee . id } /unfollow " , user )
expect ( user . followees ) . to be_empty
expect ( response ) . to have_gitlab_http_status ( :created )
end
end
context 'on an unfollowed user' do
it 'does not change following' do
post api ( " /users/ #{ followee . id } /unfollow " , user )
expect ( user . followees ) . to be_empty
expect ( response ) . to have_gitlab_http_status ( :not_modified )
end
end
end
describe 'GET /users/:id/followers' do
let ( :follower ) { create ( :user ) }
context 'user has followers' do
it 'lists followers' do
follower . follow ( user )
get api ( " /users/ #{ user . id } /followers " , user )
expect ( response ) . to have_gitlab_http_status ( :ok )
expect ( response ) . to include_pagination_headers
expect ( json_response ) . to be_an Array
end
it 'do not lists followers if profile is private' do
follower . follow ( private_user )
get api ( " /users/ #{ private_user . id } /followers " , user )
expect ( response ) . to have_gitlab_http_status ( :not_found )
expect ( json_response [ 'message' ] ) . to eq ( '404 User Not Found' )
end
end
context 'user does not have any follower' do
it 'does list nothing' do
get api ( " /users/ #{ user . id } /followers " , user )
expect ( response ) . to have_gitlab_http_status ( :ok )
expect ( response ) . to include_pagination_headers
expect ( json_response ) . to be_empty
end
end
end
describe 'GET /users/:id/following' do
let ( :followee ) { create ( :user ) }
context 'user has followers' do
it 'lists following user' do
user . follow ( followee )
get api ( " /users/ #{ user . id } /following " , user )
expect ( response ) . to have_gitlab_http_status ( :ok )
expect ( response ) . to include_pagination_headers
expect ( json_response ) . to be_an Array
end
it 'do not lists following user if profile is private' do
user . follow ( private_user )
get api ( " /users/ #{ private_user . id } /following " , user )
expect ( response ) . to have_gitlab_http_status ( :not_found )
expect ( json_response [ 'message' ] ) . to eq ( '404 User Not Found' )
end
end
context 'user does not have any follower' do
it 'does list nothing' do
get api ( " /users/ #{ user . id } /following " , user )
expect ( response ) . to have_gitlab_http_status ( :ok )
expect ( response ) . to include_pagination_headers
expect ( json_response ) . to be_empty
end
end
end
2014-09-02 18:07:02 +05:30
describe " POST /users " do
2016-09-13 17:45:13 +05:30
it " creates user " do
2015-09-11 14:41:01 +05:30
expect do
2019-02-15 15:39:39 +05:30
post api ( " /users " , admin ) , params : attributes_for ( :user , projects_limit : 3 )
2015-09-11 14:41:01 +05:30
end . to change { User . count } . by ( 1 )
2014-09-02 18:07:02 +05:30
end
2016-09-13 17:45:13 +05:30
it " creates user with correct attributes " do
2019-02-15 15:39:39 +05:30
post api ( '/users' , admin ) , params : attributes_for ( :user , admin : true , can_create_group : true )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :created )
2014-09-02 18:07:02 +05:30
user_id = json_response [ 'id' ]
new_user = User . find ( user_id )
2015-04-26 12:48:37 +05:30
expect ( new_user . admin ) . to eq ( true )
expect ( new_user . can_create_group ) . to eq ( true )
2014-09-02 18:07:02 +05:30
end
2017-08-17 22:00:37 +05:30
it " creates user with optional attributes " do
2020-03-13 15:44:24 +05:30
optional_attributes = { confirm : true , theme_id : 2 , color_scheme_id : 4 }
2017-08-17 22:00:37 +05:30
attributes = attributes_for ( :user ) . merge ( optional_attributes )
2019-02-15 15:39:39 +05:30
post api ( '/users' , admin ) , params : attributes
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :created )
2017-08-17 22:00:37 +05:30
end
2016-09-13 17:45:13 +05:30
it " creates non-admin user " do
2019-02-15 15:39:39 +05:30
post api ( '/users' , admin ) , params : attributes_for ( :user , admin : false , can_create_group : false )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :created )
2014-09-02 18:07:02 +05:30
user_id = json_response [ 'id' ]
new_user = User . find ( user_id )
2015-04-26 12:48:37 +05:30
expect ( new_user . admin ) . to eq ( false )
expect ( new_user . can_create_group ) . to eq ( false )
2014-09-02 18:07:02 +05:30
end
2016-09-13 17:45:13 +05:30
it " creates non-admin users by default " do
2019-02-15 15:39:39 +05:30
post api ( '/users' , admin ) , params : attributes_for ( :user )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :created )
2014-09-02 18:07:02 +05:30
user_id = json_response [ 'id' ]
new_user = User . find ( user_id )
2015-04-26 12:48:37 +05:30
expect ( new_user . admin ) . to eq ( false )
2014-09-02 18:07:02 +05:30
end
2016-09-13 17:45:13 +05:30
it " returns 201 Created on success " do
2019-02-15 15:39:39 +05:30
post api ( " /users " , admin ) , params : attributes_for ( :user , projects_limit : 3 )
2019-09-30 21:07:59 +05:30
expect ( response ) . to match_response_schema ( 'public_api/v4/user/admin' )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :created )
2014-09-02 18:07:02 +05:30
end
2016-06-02 11:05:42 +05:30
it 'creates non-external users by default' do
2019-02-15 15:39:39 +05:30
post api ( " /users " , admin ) , params : attributes_for ( :user )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :created )
2016-06-02 11:05:42 +05:30
user_id = json_response [ 'id' ]
new_user = User . find ( user_id )
expect ( new_user . external ) . to be_falsy
end
2016-09-13 17:45:13 +05:30
it 'allows an external user to be created' do
2019-02-15 15:39:39 +05:30
post api ( " /users " , admin ) , params : attributes_for ( :user , external : true )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :created )
2016-06-02 11:05:42 +05:30
user_id = json_response [ 'id' ]
new_user = User . find ( user_id )
expect ( new_user . external ) . to be_truthy
end
2017-08-17 22:00:37 +05:30
it " creates user with reset password " do
2019-02-15 15:39:39 +05:30
post api ( '/users' , admin ) , params : attributes_for ( :user , reset_password : true ) . except ( :password )
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :created )
2017-08-17 22:00:37 +05:30
user_id = json_response [ 'id' ]
new_user = User . find ( user_id )
2019-09-30 21:07:59 +05:30
expect ( new_user . recently_sent_password_reset? ) . to eq ( true )
end
it " creates user with random password " do
2021-04-29 21:17:54 +05:30
params = attributes_for ( :user , force_random_password : true )
params . delete ( :password )
2019-09-30 21:07:59 +05:30
post api ( '/users' , admin ) , params : params
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :created )
2019-09-30 21:07:59 +05:30
user_id = json_response [ 'id' ]
new_user = User . find ( user_id )
2021-04-29 21:17:54 +05:30
expect ( new_user . encrypted_password ) . to be_present
2017-08-17 22:00:37 +05:30
end
2018-11-18 11:00:15 +05:30
it " creates user with private profile " do
2019-02-15 15:39:39 +05:30
post api ( '/users' , admin ) , params : attributes_for ( :user , private_profile : true )
2018-11-18 11:00:15 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :created )
2018-11-18 11:00:15 +05:30
user_id = json_response [ 'id' ]
new_user = User . find ( user_id )
expect ( new_user ) . not_to eq ( nil )
expect ( new_user . private_profile? ) . to eq ( true )
end
2021-04-17 20:07:23 +05:30
it " creates user with view_diffs_file_by_file " do
post api ( '/users' , admin ) , params : attributes_for ( :user , view_diffs_file_by_file : true )
expect ( response ) . to have_gitlab_http_status ( :created )
user_id = json_response [ 'id' ]
new_user = User . find ( user_id )
expect ( new_user ) . not_to eq ( nil )
expect ( new_user . user_preference . view_diffs_file_by_file? ) . to eq ( true )
end
2016-09-13 17:45:13 +05:30
it " does not create user with invalid email " do
2015-04-26 12:48:37 +05:30
post api ( '/users' , admin ) ,
2021-01-29 00:20:46 +05:30
params : {
email : 'invalid email' ,
password : 'password' ,
name : 'test'
}
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
2014-09-02 18:07:02 +05:30
end
2016-09-13 17:45:13 +05:30
it 'returns 400 error if name not given' do
2019-02-15 15:39:39 +05:30
post api ( '/users' , admin ) , params : attributes_for ( :user ) . except ( :name )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
2015-04-26 12:48:37 +05:30
end
2016-09-13 17:45:13 +05:30
it 'returns 400 error if password not given' do
2019-02-15 15:39:39 +05:30
post api ( '/users' , admin ) , params : attributes_for ( :user ) . except ( :password )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
2014-09-02 18:07:02 +05:30
end
2016-09-13 17:45:13 +05:30
it 'returns 400 error if email not given' do
2019-02-15 15:39:39 +05:30
post api ( '/users' , admin ) , params : attributes_for ( :user ) . except ( :email )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
2015-09-11 14:41:01 +05:30
end
2016-09-13 17:45:13 +05:30
it 'returns 400 error if username not given' do
2019-02-15 15:39:39 +05:30
post api ( '/users' , admin ) , params : attributes_for ( :user ) . except ( :username )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
2015-04-26 12:48:37 +05:30
end
2020-03-13 15:44:24 +05:30
it " doesn't create user with invalid optional attributes " do
optional_attributes = { theme_id : 50 , color_scheme_id : 50 }
attributes = attributes_for ( :user ) . merge ( optional_attributes )
post api ( '/users' , admin ) , params : attributes
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
2020-03-13 15:44:24 +05:30
end
2016-09-13 17:45:13 +05:30
it 'returns 400 error if user does not validate' do
2015-04-26 12:48:37 +05:30
post api ( '/users' , admin ) ,
2021-01-29 00:20:46 +05:30
params : {
password : 'pass' ,
email : 'test@example.com' ,
username : 'test!' ,
name : 'test' ,
bio : 'g' * 256 ,
projects_limit : - 1
}
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
2017-09-10 17:25:29 +05:30
expect ( json_response [ 'message' ] [ 'password' ] )
. to eq ( [ 'is too short (minimum is 8 characters)' ] )
expect ( json_response [ 'message' ] [ 'bio' ] )
. to eq ( [ 'is too long (maximum is 255 characters)' ] )
expect ( json_response [ 'message' ] [ 'projects_limit' ] )
. to eq ( [ 'must be greater than or equal to 0' ] )
expect ( json_response [ 'message' ] [ 'username' ] )
. to eq ( [ Gitlab :: PathRegex . namespace_format_message ] )
2014-09-02 18:07:02 +05:30
end
2016-09-13 17:45:13 +05:30
it " is not available for non admin users " do
2019-02-15 15:39:39 +05:30
post api ( " /users " , user ) , params : attributes_for ( :user )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2014-09-02 18:07:02 +05:30
end
2015-04-26 12:48:37 +05:30
context 'with existing user' do
before do
post api ( '/users' , admin ) ,
2021-01-29 00:20:46 +05:30
params : {
email : 'test@example.com' ,
password : 'password' ,
username : 'test' ,
name : 'foo'
}
2015-04-26 12:48:37 +05:30
end
2014-09-02 18:07:02 +05:30
2016-09-13 17:45:13 +05:30
it 'returns 409 conflict error if user with same email exists' do
2015-09-11 14:41:01 +05:30
expect do
2015-04-26 12:48:37 +05:30
post api ( '/users' , admin ) ,
2021-01-29 00:20:46 +05:30
params : {
name : 'foo' ,
email : 'test@example.com' ,
password : 'password' ,
username : 'foo'
}
2015-09-11 14:41:01 +05:30
end . to change { User . count } . by ( 0 )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :conflict )
2015-04-26 12:48:37 +05:30
expect ( json_response [ 'message' ] ) . to eq ( 'Email has already been taken' )
2014-09-02 18:07:02 +05:30
end
2016-09-13 17:45:13 +05:30
it 'returns 409 conflict error if same username exists' do
2015-04-26 12:48:37 +05:30
expect do
post api ( '/users' , admin ) ,
2021-01-29 00:20:46 +05:30
params : {
name : 'foo' ,
email : 'foo@example.com' ,
password : 'password' ,
username : 'test'
}
2015-04-26 12:48:37 +05:30
end . to change { User . count } . by ( 0 )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :conflict )
2015-04-26 12:48:37 +05:30
expect ( json_response [ 'message' ] ) . to eq ( 'Username has already been taken' )
2014-09-02 18:07:02 +05:30
end
2017-08-17 22:00:37 +05:30
2018-12-13 13:39:08 +05:30
it 'returns 409 conflict error if same username exists (case insensitive)' do
expect do
post api ( '/users' , admin ) ,
2021-01-29 00:20:46 +05:30
params : {
name : 'foo' ,
email : 'foo@example.com' ,
password : 'password' ,
username : 'TEST'
}
2018-12-13 13:39:08 +05:30
end . to change { User . count } . by ( 0 )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :conflict )
2018-12-13 13:39:08 +05:30
expect ( json_response [ 'message' ] ) . to eq ( 'Username has already been taken' )
end
2017-08-17 22:00:37 +05:30
it 'creates user with new identity' do
2019-02-15 15:39:39 +05:30
post api ( " /users " , admin ) , params : attributes_for ( :user , provider : 'github' , extern_uid : '67890' )
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :created )
2017-08-17 22:00:37 +05:30
expect ( json_response [ 'identities' ] . first [ 'extern_uid' ] ) . to eq ( '67890' )
expect ( json_response [ 'identities' ] . first [ 'provider' ] ) . to eq ( 'github' )
end
2014-09-02 18:07:02 +05:30
end
2017-09-10 17:25:29 +05:30
context " scopes " do
let ( :user ) { admin }
let ( :path ) { '/users' }
let ( :api_call ) { method ( :api ) }
include_examples 'does not allow the "read_user" scope'
end
2014-09-02 18:07:02 +05:30
end
describe " PUT /users/:id " do
2019-09-30 21:07:59 +05:30
it " returns 200 OK on success " do
put api ( " /users/ #{ user . id } " , admin ) , params : { bio : 'new test bio' }
expect ( response ) . to match_response_schema ( 'public_api/v4/user/admin' )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2019-09-30 21:07:59 +05:30
end
2020-11-24 15:15:51 +05:30
context 'updating password' do
def update_password ( user , admin , password = User . random_password )
put api ( " /users/ #{ user . id } " , admin ) , params : { password : password }
end
context 'admin updates their own password' do
it 'does not force reset on next login' do
update_password ( admin , admin )
expect ( response ) . to have_gitlab_http_status ( :ok )
expect ( user . reload . password_expired? ) . to eq ( false )
end
it 'does not enqueue the `admin changed your password` email' do
expect { update_password ( admin , admin ) }
. not_to have_enqueued_mail ( DeviseMailer , :password_change_by_admin )
end
it 'enqueues the `password changed` email' do
expect { update_password ( admin , admin ) }
. to have_enqueued_mail ( DeviseMailer , :password_change )
end
end
context 'admin updates the password of another user' do
it 'forces reset on next login' do
update_password ( user , admin )
expect ( response ) . to have_gitlab_http_status ( :ok )
expect ( user . reload . password_expired? ) . to eq ( true )
end
it 'enqueues the `admin changed your password` email' do
expect { update_password ( user , admin ) }
. to have_enqueued_mail ( DeviseMailer , :password_change_by_admin )
end
it 'does not enqueue the `password changed` email' do
expect { update_password ( user , admin ) }
. not_to have_enqueued_mail ( DeviseMailer , :password_change )
end
end
end
2016-09-13 17:45:13 +05:30
it " updates user with new bio " do
2019-02-15 15:39:39 +05:30
put api ( " /users/ #{ user . id } " , admin ) , params : { bio : 'new test bio' }
2017-09-10 17:25:29 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2015-04-26 12:48:37 +05:30
expect ( json_response [ 'bio' ] ) . to eq ( 'new test bio' )
expect ( user . reload . bio ) . to eq ( 'new test bio' )
end
2020-04-22 19:07:51 +05:30
it " updates user with empty bio " do
2020-06-23 00:09:42 +05:30
user . update! ( bio : 'previous bio' )
2020-04-22 19:07:51 +05:30
put api ( " /users/ #{ user . id } " , admin ) , params : { bio : '' }
expect ( response ) . to have_gitlab_http_status ( :ok )
expect ( json_response [ 'bio' ] ) . to eq ( '' )
expect ( user . reload . bio ) . to eq ( '' )
end
2020-07-28 23:09:34 +05:30
it 'updates user with nil bio' do
put api ( " /users/ #{ user . id } " , admin ) , params : { bio : nil }
expect ( response ) . to have_gitlab_http_status ( :ok )
expect ( json_response [ 'bio' ] ) . to eq ( '' )
expect ( user . reload . bio ) . to eq ( '' )
end
2016-11-03 12:29:30 +05:30
it " updates user with organization " do
2019-02-15 15:39:39 +05:30
put api ( " /users/ #{ user . id } " , admin ) , params : { organization : 'GitLab' }
2016-11-03 12:29:30 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2016-11-03 12:29:30 +05:30
expect ( json_response [ 'organization' ] ) . to eq ( 'GitLab' )
expect ( user . reload . organization ) . to eq ( 'GitLab' )
end
2017-09-10 17:25:29 +05:30
it 'updates user with avatar' do
2019-02-15 15:39:39 +05:30
put api ( " /users/ #{ user . id } " , admin ) , params : { avatar : fixture_file_upload ( 'spec/fixtures/banana_sample.gif' , 'image/gif' ) }
2017-09-10 17:25:29 +05:30
user . reload
expect ( user . avatar ) . to be_present
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2017-09-10 17:25:29 +05:30
expect ( json_response [ 'avatar_url' ] ) . to include ( user . avatar_path )
end
it 'updates user with a new email' do
2018-11-08 19:23:39 +05:30
old_email = user . email
old_notification_email = user . notification_email
2019-02-15 15:39:39 +05:30
put api ( " /users/ #{ user . id } " , admin ) , params : { email : 'new@email.com' }
2017-09-10 17:25:29 +05:30
2018-11-08 19:23:39 +05:30
user . reload
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2018-11-08 19:23:39 +05:30
expect ( user ) . to be_confirmed
expect ( user . email ) . to eq ( old_email )
expect ( user . notification_email ) . to eq ( old_notification_email )
expect ( user . unconfirmed_email ) . to eq ( 'new@email.com' )
2017-09-10 17:25:29 +05:30
end
2018-03-17 18:26:18 +05:30
it 'skips reconfirmation when requested' do
2019-02-15 15:39:39 +05:30
put api ( " /users/ #{ user . id } " , admin ) , params : { email : 'new@email.com' , skip_reconfirmation : true }
2018-03-17 18:26:18 +05:30
user . reload
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2018-11-08 19:23:39 +05:30
expect ( user ) . to be_confirmed
expect ( user . email ) . to eq ( 'new@email.com' )
2018-03-17 18:26:18 +05:30
end
2020-03-13 15:44:24 +05:30
it 'updates user with their own username' do
2019-02-15 15:39:39 +05:30
put api ( " /users/ #{ user . id } " , admin ) , params : { username : user . username }
2017-09-10 17:25:29 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2015-04-26 12:48:37 +05:30
expect ( json_response [ 'username' ] ) . to eq ( user . username )
expect ( user . reload . username ) . to eq ( user . username )
2014-09-02 18:07:02 +05:30
end
2016-09-13 17:45:13 +05:30
it " updates user's existing identity " do
2019-02-15 15:39:39 +05:30
put api ( " /users/ #{ omniauth_user . id } " , admin ) , params : { provider : 'ldapmain' , extern_uid : '654321' }
2017-09-10 17:25:29 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2015-10-24 18:46:33 +05:30
expect ( omniauth_user . reload . identities . first . extern_uid ) . to eq ( '654321' )
end
2016-09-13 17:45:13 +05:30
it 'updates user with new identity' do
2019-02-15 15:39:39 +05:30
put api ( " /users/ #{ user . id } " , admin ) , params : { provider : 'github' , extern_uid : 'john' }
2017-09-10 17:25:29 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2017-08-17 22:00:37 +05:30
expect ( user . reload . identities . first . extern_uid ) . to eq ( 'john' )
2015-10-24 18:46:33 +05:30
expect ( user . reload . identities . first . provider ) . to eq ( 'github' )
end
2016-09-13 17:45:13 +05:30
it " updates admin status " do
2019-02-15 15:39:39 +05:30
put api ( " /users/ #{ user . id } " , admin ) , params : { admin : true }
2017-09-10 17:25:29 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2015-04-26 12:48:37 +05:30
expect ( user . reload . admin ) . to eq ( true )
2014-09-02 18:07:02 +05:30
end
2016-09-13 17:45:13 +05:30
it " updates external status " do
2019-02-15 15:39:39 +05:30
put api ( " /users/ #{ user . id } " , admin ) , params : { external : true }
2017-09-10 17:25:29 +05:30
2020-04-22 19:07:51 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2016-06-02 11:05:42 +05:30
expect ( json_response [ 'external' ] ) . to eq ( true )
expect ( user . reload . external? ) . to be_truthy
end
2020-03-13 15:44:24 +05:30
it " private profile is false by default " do
put api ( " /users/ #{ user . id } " , admin ) , params : { }
expect ( user . reload . private_profile ) . to eq ( false )
end
2020-04-08 14:13:33 +05:30
it " does have default values for theme and color-scheme ID " do
put api ( " /users/ #{ user . id } " , admin ) , params : { }
expect ( user . reload . theme_id ) . to eq ( Gitlab :: Themes . default . id )
expect ( user . reload . color_scheme_id ) . to eq ( Gitlab :: ColorSchemes . default . id )
end
2018-11-18 11:00:15 +05:30
it " updates private profile " do
2019-02-15 15:39:39 +05:30
put api ( " /users/ #{ user . id } " , admin ) , params : { private_profile : true }
2018-11-18 11:00:15 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2018-11-18 11:00:15 +05:30
expect ( user . reload . private_profile ) . to eq ( true )
end
2021-04-17 20:07:23 +05:30
it " updates viewing diffs file by file " do
put api ( " /users/ #{ user . id } " , admin ) , params : { view_diffs_file_by_file : true }
expect ( response ) . to have_gitlab_http_status ( :ok )
expect ( user . reload . user_preference . view_diffs_file_by_file? ) . to eq ( true )
end
2020-03-13 15:44:24 +05:30
it " updates private profile to false when nil is given " do
2020-06-23 00:09:42 +05:30
user . update! ( private_profile : true )
2019-09-30 21:07:59 +05:30
put api ( " /users/ #{ user . id } " , admin ) , params : { private_profile : nil }
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2019-09-30 21:07:59 +05:30
expect ( user . reload . private_profile ) . to eq ( false )
end
2020-03-13 15:44:24 +05:30
it " does not modify private profile when field is not provided " do
2020-06-23 00:09:42 +05:30
user . update! ( private_profile : true )
2020-03-13 15:44:24 +05:30
put api ( " /users/ #{ user . id } " , admin ) , params : { }
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2020-03-13 15:44:24 +05:30
expect ( user . reload . private_profile ) . to eq ( true )
end
2020-04-08 14:13:33 +05:30
it " does not modify theme or color-scheme ID when field is not provided " do
theme = Gitlab :: Themes . each . find { | t | t . id != Gitlab :: Themes . default . id }
scheme = Gitlab :: ColorSchemes . each . find { | t | t . id != Gitlab :: ColorSchemes . default . id }
2020-06-23 00:09:42 +05:30
user . update! ( theme_id : theme . id , color_scheme_id : scheme . id )
2020-04-08 14:13:33 +05:30
put api ( " /users/ #{ user . id } " , admin ) , params : { }
expect ( response ) . to have_gitlab_http_status ( :ok )
expect ( user . reload . theme_id ) . to eq ( theme . id )
expect ( user . reload . color_scheme_id ) . to eq ( scheme . id )
end
2016-09-13 17:45:13 +05:30
it " does not update admin status " do
2020-06-23 00:09:42 +05:30
admin_user = create ( :admin )
2019-02-15 15:39:39 +05:30
put api ( " /users/ #{ admin_user . id } " , admin ) , params : { can_create_group : false }
2017-09-10 17:25:29 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2015-04-26 12:48:37 +05:30
expect ( admin_user . reload . admin ) . to eq ( true )
expect ( admin_user . can_create_group ) . to eq ( false )
2014-09-02 18:07:02 +05:30
end
2016-09-13 17:45:13 +05:30
it " does not allow invalid update " do
2019-02-15 15:39:39 +05:30
put api ( " /users/ #{ user . id } " , admin ) , params : { email : 'invalid email' }
2017-09-10 17:25:29 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
2015-04-26 12:48:37 +05:30
expect ( user . reload . email ) . not_to eq ( 'invalid email' )
2014-09-02 18:07:02 +05:30
end
2020-03-13 15:44:24 +05:30
it " updates theme id " do
put api ( " /users/ #{ user . id } " , admin ) , params : { theme_id : 5 }
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2020-03-13 15:44:24 +05:30
expect ( user . reload . theme_id ) . to eq ( 5 )
end
it " does not update invalid theme id " do
put api ( " /users/ #{ user . id } " , admin ) , params : { theme_id : 50 }
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
2020-03-13 15:44:24 +05:30
expect ( user . reload . theme_id ) . not_to eq ( 50 )
end
it " updates color scheme id " do
put api ( " /users/ #{ user . id } " , admin ) , params : { color_scheme_id : 5 }
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2020-03-13 15:44:24 +05:30
expect ( user . reload . color_scheme_id ) . to eq ( 5 )
end
it " does not update invalid color scheme id " do
put api ( " /users/ #{ user . id } " , admin ) , params : { color_scheme_id : 50 }
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
2020-03-13 15:44:24 +05:30
expect ( user . reload . color_scheme_id ) . not_to eq ( 50 )
end
2017-09-10 17:25:29 +05:30
context 'when the current user is not an admin' do
it " is not available " do
expect do
2019-02-15 15:39:39 +05:30
put api ( " /users/ #{ user . id } " , user ) , params : attributes_for ( :user )
2017-09-10 17:25:29 +05:30
end . not_to change { user . reload . attributes }
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2017-09-10 17:25:29 +05:30
end
2014-09-02 18:07:02 +05:30
end
2016-09-13 17:45:13 +05:30
it " returns 404 for non-existing user " do
2019-07-07 11:18:12 +05:30
put api ( " /users/0 " , admin ) , params : { bio : 'update should fail' }
2017-09-10 17:25:29 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2017-08-17 22:00:37 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 User Not Found' )
2015-04-26 12:48:37 +05:30
end
2016-11-03 12:29:30 +05:30
it " returns a 404 if invalid ID " do
put api ( " /users/ASDF " , admin )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2015-09-25 12:07:36 +05:30
end
2016-09-13 17:45:13 +05:30
it 'returns 400 error if user does not validate' do
2015-04-26 12:48:37 +05:30
put api ( " /users/ #{ user . id } " , admin ) ,
2021-01-29 00:20:46 +05:30
params : {
password : 'pass' ,
email : 'test@example.com' ,
username : 'test!' ,
name : 'test' ,
bio : 'g' * 256 ,
projects_limit : - 1
}
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
2017-09-10 17:25:29 +05:30
expect ( json_response [ 'message' ] [ 'password' ] )
. to eq ( [ 'is too short (minimum is 8 characters)' ] )
expect ( json_response [ 'message' ] [ 'bio' ] )
. to eq ( [ 'is too long (maximum is 255 characters)' ] )
expect ( json_response [ 'message' ] [ 'projects_limit' ] )
. to eq ( [ 'must be greater than or equal to 0' ] )
expect ( json_response [ 'message' ] [ 'username' ] )
. to eq ( [ Gitlab :: PathRegex . namespace_format_message ] )
2014-09-02 18:07:02 +05:30
end
2017-08-17 22:00:37 +05:30
it 'returns 400 if provider is missing for identity update' do
2019-02-15 15:39:39 +05:30
put api ( " /users/ #{ omniauth_user . id } " , admin ) , params : { extern_uid : '654321' }
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
2017-08-17 22:00:37 +05:30
end
it 'returns 400 if external UID is missing for identity update' do
2019-02-15 15:39:39 +05:30
put api ( " /users/ #{ omniauth_user . id } " , admin ) , params : { provider : 'ldap' }
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
2017-08-17 22:00:37 +05:30
end
2014-09-02 18:07:02 +05:30
context " with existing user " do
2015-09-11 14:41:01 +05:30
before do
2019-02-15 15:39:39 +05:30
post api ( " /users " , admin ) , params : { email : 'test@example.com' , password : 'password' , username : 'test' , name : 'test' }
post api ( " /users " , admin ) , params : { email : 'foo@bar.com' , password : 'password' , username : 'john' , name : 'john' }
2015-04-26 12:48:37 +05:30
@user = User . all . last
2015-09-11 14:41:01 +05:30
end
2014-09-02 18:07:02 +05:30
2016-09-13 17:45:13 +05:30
it 'returns 409 conflict error if email address exists' do
2019-02-15 15:39:39 +05:30
put api ( " /users/ #{ @user . id } " , admin ) , params : { email : 'test@example.com' }
2017-09-10 17:25:29 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :conflict )
2015-04-26 12:48:37 +05:30
expect ( @user . reload . email ) . to eq ( @user . email )
end
2016-09-13 17:45:13 +05:30
it 'returns 409 conflict error if username taken' do
2015-04-26 12:48:37 +05:30
@user_id = User . all . last . id
2019-02-15 15:39:39 +05:30
put api ( " /users/ #{ @user . id } " , admin ) , params : { username : 'test' }
2017-09-10 17:25:29 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :conflict )
2015-04-26 12:48:37 +05:30
expect ( @user . reload . username ) . to eq ( @user . username )
end
2018-12-13 13:39:08 +05:30
it 'returns 409 conflict error if username taken (case insensitive)' do
@user_id = User . all . last . id
2019-02-15 15:39:39 +05:30
put api ( " /users/ #{ @user . id } " , admin ) , params : { username : 'TEST' }
2018-12-13 13:39:08 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :conflict )
2018-12-13 13:39:08 +05:30
expect ( @user . reload . username ) . to eq ( @user . username )
end
2014-09-02 18:07:02 +05:30
end
end
2021-06-08 01:23:25 +05:30
describe " PUT /user/:id/credit_card_validation " do
let ( :credit_card_validated_time ) { Time . utc ( 2020 , 1 , 1 ) }
context 'when unauthenticated' do
it 'returns authentication error' do
put api ( " /user/ #{ user . id } /credit_card_validation " ) , params : { credit_card_validated_at : credit_card_validated_time }
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
end
end
context 'when authenticated as non-admin' do
it " does not allow updating user's credit card validation " , :aggregate_failures do
put api ( " /user/ #{ user . id } /credit_card_validation " , user ) , params : { credit_card_validated_at : credit_card_validated_time }
expect ( response ) . to have_gitlab_http_status ( :forbidden )
end
end
context 'when authenticated as admin' do
it " updates user's credit card validation " , :aggregate_failures do
put api ( " /user/ #{ user . id } /credit_card_validation " , admin ) , params : { credit_card_validated_at : credit_card_validated_time }
expect ( response ) . to have_gitlab_http_status ( :ok )
expect ( user . reload . credit_card_validated_at ) . to eq ( credit_card_validated_time )
end
it " returns 400 error if credit_card_validated_at is missing " do
put api ( " /user/ #{ user . id } /credit_card_validation " , admin ) , params : { }
expect ( response ) . to have_gitlab_http_status ( :bad_request )
end
it 'returns 404 error if user not found' do
put api ( " /user/ #{ non_existing_record_id } /credit_card_validation " , admin ) , params : { credit_card_validated_at : credit_card_validated_time }
expect ( response ) . to have_gitlab_http_status ( :not_found )
expect ( json_response [ 'message' ] ) . to eq ( '404 User Not Found' )
end
end
end
2020-03-13 15:44:24 +05:30
describe " DELETE /users/:id/identities/:provider " do
let ( :test_user ) { create ( :omniauth_user , provider : 'ldapmain' ) }
context 'when unauthenticated' do
it 'returns authentication error' do
delete api ( " /users/ #{ test_user . id } /identities/ldapmain " )
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
end
end
context 'when authenticated' do
it 'deletes identity of given provider' do
expect do
delete api ( " /users/ #{ test_user . id } /identities/ldapmain " , admin )
end . to change { test_user . identities . count } . by ( - 1 )
expect ( response ) . to have_gitlab_http_status ( :no_content )
end
it_behaves_like '412 response' do
let ( :request ) { api ( " /users/ #{ test_user . id } /identities/ldapmain " , admin ) }
end
it 'returns 404 error if user not found' do
delete api ( " /users/0/identities/ldapmain " , admin )
expect ( response ) . to have_gitlab_http_status ( :not_found )
expect ( json_response [ 'message' ] ) . to eq ( '404 User Not Found' )
end
it 'returns 404 error if identity not found' do
delete api ( " /users/ #{ test_user . id } /identities/saml " , admin )
expect ( response ) . to have_gitlab_http_status ( :not_found )
expect ( json_response [ 'message' ] ) . to eq ( '404 Identity Not Found' )
end
end
end
2014-09-02 18:07:02 +05:30
describe " POST /users/:id/keys " do
2016-09-13 17:45:13 +05:30
it " does not create invalid ssh key " do
2019-02-15 15:39:39 +05:30
post api ( " /users/ #{ user . id } /keys " , admin ) , params : { title : " invalid key " }
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
2017-08-17 22:00:37 +05:30
expect ( json_response [ 'error' ] ) . to eq ( 'key is missing' )
2015-04-26 12:48:37 +05:30
end
2016-09-13 17:45:13 +05:30
it 'does not create key without title' do
2019-02-15 15:39:39 +05:30
post api ( " /users/ #{ user . id } /keys " , admin ) , params : { key : 'some key' }
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
2017-08-17 22:00:37 +05:30
expect ( json_response [ 'error' ] ) . to eq ( 'title is missing' )
2014-09-02 18:07:02 +05:30
end
2016-09-13 17:45:13 +05:30
it " creates ssh key " do
2014-09-02 18:07:02 +05:30
key_attrs = attributes_for :key
2015-09-11 14:41:01 +05:30
expect do
2019-02-15 15:39:39 +05:30
post api ( " /users/ #{ user . id } /keys " , admin ) , params : key_attrs
2017-08-17 22:00:37 +05:30
end . to change { user . keys . count } . by ( 1 )
2014-09-02 18:07:02 +05:30
end
2015-09-25 12:07:36 +05:30
2020-06-23 00:09:42 +05:30
it 'creates SSH key with `expires_at` attribute' do
optional_attributes = { expires_at : '2016-01-21T00:00:00.000Z' }
attributes = attributes_for ( :key ) . merge ( optional_attributes )
post api ( " /users/ #{ user . id } /keys " , admin ) , params : attributes
expect ( response ) . to have_gitlab_http_status ( :created )
expect ( json_response [ 'expires_at' ] ) . to eq ( optional_attributes [ :expires_at ] )
end
2016-09-13 17:45:13 +05:30
it " returns 400 for invalid ID " do
2019-07-07 11:18:12 +05:30
post api ( " /users/0/keys " , admin )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
2015-09-25 12:07:36 +05:30
end
2014-09-02 18:07:02 +05:30
end
2017-08-17 22:00:37 +05:30
describe 'GET /user/:id/keys' do
2018-12-05 23:21:45 +05:30
it 'returns 404 for non-existing user' do
2020-06-23 00:09:42 +05:30
get api ( " /users/ #{ non_existing_record_id } /keys " )
2014-09-02 18:07:02 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2018-12-05 23:21:45 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 User Not Found' )
end
2014-09-02 18:07:02 +05:30
2018-12-05 23:21:45 +05:30
it 'returns array of ssh keys' do
user . keys << key
2017-08-17 22:00:37 +05:30
2018-12-05 23:21:45 +05:30
get api ( " /users/ #{ user . id } /keys " )
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2018-12-05 23:21:45 +05:30
expect ( response ) . to include_pagination_headers
expect ( json_response ) . to be_an Array
expect ( json_response . first [ 'title' ] ) . to eq ( key . title )
2014-09-02 18:07:02 +05:30
end
2020-06-23 00:09:42 +05:30
it 'returns array of ssh keys with comments replaced with' \
'a simple identifier of username + hostname' do
get api ( " /users/ #{ user . id } /keys " )
expect ( response ) . to have_gitlab_http_status ( :ok )
expect ( response ) . to include_pagination_headers
expect ( json_response ) . to be_an Array
keys = json_response . map { | key_detail | key_detail [ 'key' ] }
expect ( keys ) . to all ( include ( " #{ user . name } ( #{ Gitlab . config . gitlab . host } " ) )
end
context 'N+1 queries' do
before do
get api ( " /users/ #{ user . id } /keys " )
end
it 'avoids N+1 queries' , :request_store do
control_count = ActiveRecord :: QueryRecorder . new ( skip_cached : false ) do
get api ( " /users/ #{ user . id } /keys " )
end . count
create_list ( :key , 2 , user : user )
expect do
get api ( " /users/ #{ user . id } /keys " )
end . not_to exceed_all_query_limit ( control_count )
end
end
2014-09-02 18:07:02 +05:30
end
2020-03-13 15:44:24 +05:30
describe 'GET /user/:user_id/keys' do
it 'returns 404 for non-existing user' do
2020-06-23 00:09:42 +05:30
get api ( " /users/ #{ non_existing_record_id } /keys " )
2020-03-13 15:44:24 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2020-03-13 15:44:24 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 User Not Found' )
end
it 'returns array of ssh keys' do
user . keys << key
get api ( " /users/ #{ user . username } /keys " )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2020-03-13 15:44:24 +05:30
expect ( response ) . to include_pagination_headers
expect ( json_response ) . to be_an Array
expect ( json_response . first [ 'title' ] ) . to eq ( key . title )
end
end
2017-08-17 22:00:37 +05:30
describe 'DELETE /user/:id/keys/:key_id' do
2014-09-02 18:07:02 +05:30
context 'when unauthenticated' do
2016-09-13 17:45:13 +05:30
it 'returns authentication error' do
2020-06-23 00:09:42 +05:30
delete api ( " /users/ #{ user . id } /keys/ #{ non_existing_record_id } " )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2014-09-02 18:07:02 +05:30
end
end
context 'when authenticated' do
2016-09-13 17:45:13 +05:30
it 'deletes existing key' do
2014-09-02 18:07:02 +05:30
user . keys << key
2017-08-17 22:00:37 +05:30
2015-09-11 14:41:01 +05:30
expect do
2014-09-02 18:07:02 +05:30
delete api ( " /users/ #{ user . id } /keys/ #{ key . id } " , admin )
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :no_content )
2015-09-11 14:41:01 +05:30
end . to change { user . keys . count } . by ( - 1 )
2014-09-02 18:07:02 +05:30
end
2018-03-17 18:26:18 +05:30
it_behaves_like '412 response' do
let ( :request ) { api ( " /users/ #{ user . id } /keys/ #{ key . id } " , admin ) }
end
2016-09-13 17:45:13 +05:30
it 'returns 404 error if user not found' do
2014-09-02 18:07:02 +05:30
user . keys << key
2020-06-23 00:09:42 +05:30
2019-07-07 11:18:12 +05:30
delete api ( " /users/0/keys/ #{ key . id } " , admin )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2015-04-26 12:48:37 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 User Not Found' )
2014-09-02 18:07:02 +05:30
end
2016-09-13 17:45:13 +05:30
it 'returns 404 error if key not foud' do
2020-06-23 00:09:42 +05:30
delete api ( " /users/ #{ user . id } /keys/ #{ non_existing_record_id } " , admin )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2015-04-26 12:48:37 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 Key Not Found' )
2014-09-02 18:07:02 +05:30
end
end
end
2020-11-24 15:15:51 +05:30
describe 'POST /users/:id/gpg_keys' do
2018-03-17 18:26:18 +05:30
it 'does not create invalid GPG key' do
post api ( " /users/ #{ user . id } /gpg_keys " , admin )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
2018-03-17 18:26:18 +05:30
expect ( json_response [ 'error' ] ) . to eq ( 'key is missing' )
end
it 'creates GPG key' do
2020-06-23 00:09:42 +05:30
key_attrs = attributes_for :gpg_key , key : GpgHelpers :: User2 . public_key
2018-03-17 18:26:18 +05:30
expect do
2019-02-15 15:39:39 +05:30
post api ( " /users/ #{ user . id } /gpg_keys " , admin ) , params : key_attrs
2018-03-17 18:26:18 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :created )
2018-03-17 18:26:18 +05:30
end . to change { user . gpg_keys . count } . by ( 1 )
end
it 'returns 400 for invalid ID' do
2019-07-07 11:18:12 +05:30
post api ( '/users/0/gpg_keys' , admin )
2018-03-17 18:26:18 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
2018-03-17 18:26:18 +05:30
end
end
describe 'GET /user/:id/gpg_keys' do
2021-01-03 14:25:43 +05:30
it 'returns 404 for non-existing user' do
get api ( '/users/0/gpg_keys' )
2018-03-17 18:26:18 +05:30
2021-01-03 14:25:43 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
expect ( json_response [ 'message' ] ) . to eq ( '404 User Not Found' )
2018-03-17 18:26:18 +05:30
end
2021-01-03 14:25:43 +05:30
it 'returns array of GPG keys' do
user . gpg_keys << gpg_key
2018-03-17 18:26:18 +05:30
2021-01-03 14:25:43 +05:30
get api ( " /users/ #{ user . id } /gpg_keys " )
2018-03-17 18:26:18 +05:30
2021-01-03 14:25:43 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
expect ( response ) . to include_pagination_headers
expect ( json_response ) . to be_an Array
expect ( json_response . first [ 'key' ] ) . to eq ( gpg_key . key )
end
end
2018-03-17 18:26:18 +05:30
2021-01-03 14:25:43 +05:30
describe 'GET /user/:id/gpg_keys/:key_id' do
it 'returns 404 for non-existing user' do
get api ( '/users/0/gpg_keys/1' )
2018-03-17 18:26:18 +05:30
2021-01-03 14:25:43 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
expect ( json_response [ 'message' ] ) . to eq ( '404 User Not Found' )
end
2018-03-17 18:26:18 +05:30
2021-01-03 14:25:43 +05:30
it 'returns 404 for non-existing key' do
get api ( " /users/ #{ user . id } /gpg_keys/0 " )
2018-03-17 18:26:18 +05:30
2021-01-03 14:25:43 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
expect ( json_response [ 'message' ] ) . to eq ( '404 GPG Key Not Found' )
end
it 'returns a single GPG key' do
user . gpg_keys << gpg_key
get api ( " /users/ #{ user . id } /gpg_keys/ #{ gpg_key . id } " )
expect ( response ) . to have_gitlab_http_status ( :ok )
expect ( json_response [ 'key' ] ) . to eq ( gpg_key . key )
2018-03-17 18:26:18 +05:30
end
end
describe 'DELETE /user/:id/gpg_keys/:key_id' do
context 'when unauthenticated' do
it 'returns authentication error' do
2020-06-23 00:09:42 +05:30
delete api ( " /users/ #{ user . id } /keys/ #{ non_existing_record_id } " )
2018-03-17 18:26:18 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2018-03-17 18:26:18 +05:30
end
end
context 'when authenticated' do
it 'deletes existing key' do
user . gpg_keys << gpg_key
expect do
delete api ( " /users/ #{ user . id } /gpg_keys/ #{ gpg_key . id } " , admin )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :no_content )
2018-03-17 18:26:18 +05:30
end . to change { user . gpg_keys . count } . by ( - 1 )
end
it 'returns 404 error if user not found' do
user . keys << key
2019-07-07 11:18:12 +05:30
delete api ( " /users/0/gpg_keys/ #{ gpg_key . id } " , admin )
2018-03-17 18:26:18 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2018-03-17 18:26:18 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 User Not Found' )
end
it 'returns 404 error if key not foud' do
2020-06-23 00:09:42 +05:30
delete api ( " /users/ #{ user . id } /gpg_keys/ #{ non_existing_record_id } " , admin )
2018-03-17 18:26:18 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2018-03-17 18:26:18 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 GPG Key Not Found' )
end
end
end
describe 'POST /user/:id/gpg_keys/:key_id/revoke' do
context 'when unauthenticated' do
it 'returns authentication error' do
2020-06-23 00:09:42 +05:30
post api ( " /users/ #{ user . id } /gpg_keys/ #{ non_existing_record_id } /revoke " )
2018-03-17 18:26:18 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2018-03-17 18:26:18 +05:30
end
end
context 'when authenticated' do
it 'revokes existing key' do
user . gpg_keys << gpg_key
expect do
post api ( " /users/ #{ user . id } /gpg_keys/ #{ gpg_key . id } /revoke " , admin )
expect ( response ) . to have_gitlab_http_status ( :accepted )
end . to change { user . gpg_keys . count } . by ( - 1 )
end
it 'returns 404 error if user not found' do
user . gpg_keys << gpg_key
2019-07-07 11:18:12 +05:30
post api ( " /users/0/gpg_keys/ #{ gpg_key . id } /revoke " , admin )
2018-03-17 18:26:18 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2018-03-17 18:26:18 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 User Not Found' )
end
it 'returns 404 error if key not foud' do
2020-06-23 00:09:42 +05:30
post api ( " /users/ #{ user . id } /gpg_keys/ #{ non_existing_record_id } /revoke " , admin )
2018-03-17 18:26:18 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2018-03-17 18:26:18 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 GPG Key Not Found' )
end
end
end
2015-09-11 14:41:01 +05:30
describe " POST /users/:id/emails " do
2016-09-13 17:45:13 +05:30
it " does not create invalid email " do
2019-02-15 15:39:39 +05:30
post api ( " /users/ #{ user . id } /emails " , admin ) , params : { }
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
2017-08-17 22:00:37 +05:30
expect ( json_response [ 'error' ] ) . to eq ( 'email is missing' )
2015-09-11 14:41:01 +05:30
end
2018-12-05 23:21:45 +05:30
it " creates unverified email " do
2015-09-11 14:41:01 +05:30
email_attrs = attributes_for :email
expect do
2019-02-15 15:39:39 +05:30
post api ( " /users/ #{ user . id } /emails " , admin ) , params : email_attrs
2017-08-17 22:00:37 +05:30
end . to change { user . emails . count } . by ( 1 )
2018-12-05 23:21:45 +05:30
2021-04-29 21:17:54 +05:30
expect ( json_response [ 'confirmed_at' ] ) . to be_nil
2015-09-11 14:41:01 +05:30
end
2015-09-25 12:07:36 +05:30
2016-11-03 12:29:30 +05:30
it " returns a 400 for invalid ID " do
2019-07-07 11:18:12 +05:30
post api ( " /users/0/emails " , admin )
2016-11-03 12:29:30 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
2015-09-25 12:07:36 +05:30
end
2018-12-05 23:21:45 +05:30
it " creates verified email " do
email_attrs = attributes_for :email
email_attrs [ :skip_confirmation ] = true
2019-02-15 15:39:39 +05:30
post api ( " /users/ #{ user . id } /emails " , admin ) , params : email_attrs
2018-12-05 23:21:45 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :created )
2018-12-05 23:21:45 +05:30
2021-04-29 21:17:54 +05:30
expect ( json_response [ 'confirmed_at' ] ) . not_to be_nil
2018-12-05 23:21:45 +05:30
end
2015-09-11 14:41:01 +05:30
end
2017-08-17 22:00:37 +05:30
describe 'GET /user/:id/emails' do
2015-09-11 14:41:01 +05:30
context 'when unauthenticated' do
2016-09-13 17:45:13 +05:30
it 'returns authentication error' do
2015-09-11 14:41:01 +05:30
get api ( " /users/ #{ user . id } /emails " )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2015-09-11 14:41:01 +05:30
end
end
context 'when authenticated' do
2016-09-13 17:45:13 +05:30
it 'returns 404 for non-existing user' do
2019-07-07 11:18:12 +05:30
get api ( '/users/0/emails' , admin )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2015-09-11 14:41:01 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 User Not Found' )
end
2016-09-13 17:45:13 +05:30
it 'returns array of emails' do
2015-09-11 14:41:01 +05:30
user . emails << email
2017-08-17 22:00:37 +05:30
2015-09-11 14:41:01 +05:30
get api ( " /users/ #{ user . id } /emails " , admin )
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2017-08-17 22:00:37 +05:30
expect ( response ) . to include_pagination_headers
2015-09-11 14:41:01 +05:30
expect ( json_response ) . to be_an Array
expect ( json_response . first [ 'email' ] ) . to eq ( email . email )
end
2015-09-25 12:07:36 +05:30
2016-11-03 12:29:30 +05:30
it " returns a 404 for invalid ID " do
2017-09-10 17:25:29 +05:30
get api ( " /users/ASDF/emails " , admin )
2016-11-03 12:29:30 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2015-09-25 12:07:36 +05:30
end
2015-09-11 14:41:01 +05:30
end
end
2017-08-17 22:00:37 +05:30
describe 'DELETE /user/:id/emails/:email_id' do
2015-09-11 14:41:01 +05:30
context 'when unauthenticated' do
2016-09-13 17:45:13 +05:30
it 'returns authentication error' do
2020-06-23 00:09:42 +05:30
delete api ( " /users/ #{ user . id } /emails/ #{ non_existing_record_id } " )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2015-09-11 14:41:01 +05:30
end
end
context 'when authenticated' do
2016-09-13 17:45:13 +05:30
it 'deletes existing email' do
2015-09-11 14:41:01 +05:30
user . emails << email
2017-08-17 22:00:37 +05:30
2015-09-11 14:41:01 +05:30
expect do
delete api ( " /users/ #{ user . id } /emails/ #{ email . id } " , admin )
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :no_content )
2015-09-11 14:41:01 +05:30
end . to change { user . emails . count } . by ( - 1 )
end
2018-03-17 18:26:18 +05:30
it_behaves_like '412 response' do
let ( :request ) { api ( " /users/ #{ user . id } /emails/ #{ email . id } " , admin ) }
end
2016-09-13 17:45:13 +05:30
it 'returns 404 error if user not found' do
2015-09-11 14:41:01 +05:30
user . emails << email
2020-06-23 00:09:42 +05:30
2019-07-07 11:18:12 +05:30
delete api ( " /users/0/emails/ #{ email . id } " , admin )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2015-09-11 14:41:01 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 User Not Found' )
end
2016-09-13 17:45:13 +05:30
it 'returns 404 error if email not foud' do
2020-06-23 00:09:42 +05:30
delete api ( " /users/ #{ user . id } /emails/ #{ non_existing_record_id } " , admin )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2015-09-11 14:41:01 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 Email Not Found' )
end
2015-09-25 12:07:36 +05:30
2016-11-03 12:29:30 +05:30
it " returns a 404 for invalid ID " do
delete api ( " /users/ASDF/emails/bar " , admin )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2015-09-25 12:07:36 +05:30
end
2015-09-11 14:41:01 +05:30
end
end
2014-09-02 18:07:02 +05:30
describe " DELETE /users/:id " do
2020-06-23 00:09:42 +05:30
let_it_be ( :issue ) { create ( :issue , author : user ) }
2014-09-02 18:07:02 +05:30
2019-12-26 22:10:19 +05:30
it " deletes user " , :sidekiq_might_not_need_inline do
2020-06-23 00:09:42 +05:30
namespace_id = user . namespace . id
2018-11-18 11:00:15 +05:30
perform_enqueued_jobs { delete api ( " /users/ #{ user . id } " , admin ) }
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :no_content )
2014-09-02 18:07:02 +05:30
expect { User . find ( user . id ) } . to raise_error ActiveRecord :: RecordNotFound
2020-06-23 00:09:42 +05:30
expect { Namespace . find ( namespace_id ) } . to raise_error ActiveRecord :: RecordNotFound
2014-09-02 18:07:02 +05:30
end
2020-01-01 13:55:28 +05:30
context " sole owner of a group " do
let! ( :group ) { create ( :group ) . tap { | group | group . add_owner ( user ) } }
context " hard delete disabled " do
it " does not delete user " do
2021-01-29 00:20:46 +05:30
perform_enqueued_jobs { delete api ( " /users/ #{ user . id } " , admin ) }
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :conflict )
2020-01-01 13:55:28 +05:30
end
end
context " hard delete enabled " do
it " delete user and group " , :sidekiq_might_not_need_inline do
2021-01-29 00:20:46 +05:30
perform_enqueued_jobs { delete api ( " /users/ #{ user . id } ?hard_delete=true " , admin ) }
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :no_content )
2020-01-01 13:55:28 +05:30
expect ( Group . exists? ( group . id ) ) . to be_falsy
end
end
end
2018-03-17 18:26:18 +05:30
it_behaves_like '412 response' do
let ( :request ) { api ( " /users/ #{ user . id } " , admin ) }
end
2016-09-13 17:45:13 +05:30
it " does not delete for unauthenticated user " do
2018-11-18 11:00:15 +05:30
perform_enqueued_jobs { delete api ( " /users/ #{ user . id } " ) }
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2014-09-02 18:07:02 +05:30
end
2016-09-13 17:45:13 +05:30
it " is not available for non admin users " do
2018-11-18 11:00:15 +05:30
perform_enqueued_jobs { delete api ( " /users/ #{ user . id } " , user ) }
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2014-09-02 18:07:02 +05:30
end
2016-09-13 17:45:13 +05:30
it " returns 404 for non-existing user " do
2019-07-07 11:18:12 +05:30
perform_enqueued_jobs { delete api ( " /users/0 " , admin ) }
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2015-04-26 12:48:37 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 User Not Found' )
2014-09-02 18:07:02 +05:30
end
2015-09-25 12:07:36 +05:30
2016-11-03 12:29:30 +05:30
it " returns a 404 for invalid ID " do
2018-11-18 11:00:15 +05:30
perform_enqueued_jobs { delete api ( " /users/ASDF " , admin ) }
2016-11-03 12:29:30 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2015-09-25 12:07:36 +05:30
end
2017-09-10 17:25:29 +05:30
context " hard delete disabled " do
2019-12-26 22:10:19 +05:30
it " moves contributions to the ghost user " , :sidekiq_might_not_need_inline do
2018-11-18 11:00:15 +05:30
perform_enqueued_jobs { delete api ( " /users/ #{ user . id } " , admin ) }
2017-09-10 17:25:29 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :no_content )
2017-09-10 17:25:29 +05:30
expect ( issue . reload ) . to be_persisted
expect ( issue . author . ghost? ) . to be_truthy
end
end
context " hard delete enabled " do
2019-12-26 22:10:19 +05:30
it " removes contributions " , :sidekiq_might_not_need_inline do
2018-11-18 11:00:15 +05:30
perform_enqueued_jobs { delete api ( " /users/ #{ user . id } ?hard_delete=true " , admin ) }
2017-09-10 17:25:29 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :no_content )
2017-09-10 17:25:29 +05:30
expect ( Issue . exists? ( issue . id ) ) . to be_falsy
end
end
2014-09-02 18:07:02 +05:30
end
describe " GET /user " do
2018-11-08 19:23:39 +05:30
shared_examples 'get user info' do | version |
context 'with regular user' do
context 'with personal access token' do
2020-06-23 00:09:42 +05:30
let ( :personal_access_token ) { create ( :personal_access_token , user : user ) . token }
2018-11-08 19:23:39 +05:30
it 'returns 403 without private token when sudo is defined' do
get api ( " /user?private_token= #{ personal_access_token } &sudo=123 " , version : version )
2017-01-15 13:20:01 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2018-11-08 19:23:39 +05:30
end
2017-01-15 13:20:01 +05:30
end
2018-11-08 19:23:39 +05:30
it 'returns current user without private token when sudo not defined' do
get api ( " /user " , user , version : version )
2017-01-15 13:20:01 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2018-11-08 19:23:39 +05:30
expect ( response ) . to match_response_schema ( 'public_api/v4/user/public' )
expect ( json_response [ 'id' ] ) . to eq ( user . id )
end
2017-09-10 17:25:29 +05:30
2018-11-08 19:23:39 +05:30
context " scopes " do
let ( :path ) { " /user " }
let ( :api_call ) { method ( :api ) }
2017-09-10 17:25:29 +05:30
2018-11-08 19:23:39 +05:30
include_examples 'allows the "read_user" scope' , version
end
2017-09-10 17:25:29 +05:30
end
2014-09-02 18:07:02 +05:30
2018-11-08 19:23:39 +05:30
context 'with admin' do
let ( :admin_personal_access_token ) { create ( :personal_access_token , user : admin ) . token }
2017-01-15 13:20:01 +05:30
2018-11-08 19:23:39 +05:30
context 'with personal access token' do
it 'returns 403 without private token when sudo defined' do
get api ( " /user?private_token= #{ admin_personal_access_token } &sudo= #{ user . id } " , version : version )
2017-01-15 13:20:01 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2018-11-08 19:23:39 +05:30
end
2017-01-15 13:20:01 +05:30
2018-11-08 19:23:39 +05:30
it 'returns initial current user without private token but with is_admin when sudo not defined' do
get api ( " /user?private_token= #{ admin_personal_access_token } " , version : version )
2017-01-15 13:20:01 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2018-11-08 19:23:39 +05:30
expect ( response ) . to match_response_schema ( 'public_api/v4/user/admin' )
expect ( json_response [ 'id' ] ) . to eq ( admin . id )
end
2017-01-15 13:20:01 +05:30
end
end
2018-11-08 19:23:39 +05:30
context 'with unauthenticated user' do
it " returns 401 error if user is unauthenticated " do
get api ( " /user " , version : version )
2017-01-15 13:20:01 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2018-11-08 19:23:39 +05:30
end
2017-01-15 13:20:01 +05:30
end
2014-09-02 18:07:02 +05:30
end
2018-11-08 19:23:39 +05:30
it_behaves_like 'get user info' , 'v3'
it_behaves_like 'get user info' , 'v4'
2014-09-02 18:07:02 +05:30
end
describe " GET /user/keys " do
context " when unauthenticated " do
2016-09-13 17:45:13 +05:30
it " returns authentication error " do
2014-09-02 18:07:02 +05:30
get api ( " /user/keys " )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2014-09-02 18:07:02 +05:30
end
end
context " when authenticated " do
2016-09-13 17:45:13 +05:30
it " returns array of ssh keys " do
2014-09-02 18:07:02 +05:30
user . keys << key
2017-08-17 22:00:37 +05:30
2014-09-02 18:07:02 +05:30
get api ( " /user/keys " , user )
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2017-08-17 22:00:37 +05:30
expect ( response ) . to include_pagination_headers
2015-04-26 12:48:37 +05:30
expect ( json_response ) . to be_an Array
expect ( json_response . first [ " title " ] ) . to eq ( key . title )
2014-09-02 18:07:02 +05:30
end
2017-09-10 17:25:29 +05:30
2020-06-23 00:09:42 +05:30
it 'returns array of ssh keys with comments replaced with' \
'a simple identifier of username + hostname' do
get api ( " /user/keys " , user )
expect ( response ) . to have_gitlab_http_status ( :ok )
expect ( response ) . to include_pagination_headers
expect ( json_response ) . to be_an Array
keys = json_response . map { | key_detail | key_detail [ 'key' ] }
expect ( keys ) . to all ( include ( " #{ user . name } ( #{ Gitlab . config . gitlab . host } " ) )
end
context 'N+1 queries' do
before do
get api ( " /user/keys " , user )
end
it 'avoids N+1 queries' , :request_store do
control_count = ActiveRecord :: QueryRecorder . new ( skip_cached : false ) do
get api ( " /user/keys " , user )
end . count
create_list ( :key , 2 , user : user )
expect do
get api ( " /user/keys " , user )
end . not_to exceed_all_query_limit ( control_count )
end
end
2017-09-10 17:25:29 +05:30
context " scopes " do
let ( :path ) { " /user/keys " }
let ( :api_call ) { method ( :api ) }
include_examples 'allows the "read_user" scope'
end
2014-09-02 18:07:02 +05:30
end
end
2017-08-17 22:00:37 +05:30
describe " GET /user/keys/:key_id " do
2016-09-13 17:45:13 +05:30
it " returns single key " do
2014-09-02 18:07:02 +05:30
user . keys << key
2020-06-23 00:09:42 +05:30
2014-09-02 18:07:02 +05:30
get api ( " /user/keys/ #{ key . id } " , user )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2015-04-26 12:48:37 +05:30
expect ( json_response [ " title " ] ) . to eq ( key . title )
2014-09-02 18:07:02 +05:30
end
2020-06-23 00:09:42 +05:30
it 'exposes SSH key comment as a simple identifier of username + hostname' do
get api ( " /user/keys/ #{ key . id } " , user )
expect ( response ) . to have_gitlab_http_status ( :ok )
expect ( json_response [ 'key' ] ) . to include ( " #{ key . user_name } ( #{ Gitlab . config . gitlab . host } ) " )
end
2016-09-13 17:45:13 +05:30
it " returns 404 Not Found within invalid ID " do
2020-06-23 00:09:42 +05:30
get api ( " /user/keys/ #{ non_existing_record_id } " , user )
2016-11-03 12:29:30 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2017-08-17 22:00:37 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 Key Not Found' )
2014-09-02 18:07:02 +05:30
end
2016-09-13 17:45:13 +05:30
it " returns 404 error if admin accesses user's ssh key " do
2014-09-02 18:07:02 +05:30
user . keys << key
admin
2020-06-23 00:09:42 +05:30
2014-09-02 18:07:02 +05:30
get api ( " /user/keys/ #{ key . id } " , admin )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2017-08-17 22:00:37 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 Key Not Found' )
2014-09-02 18:07:02 +05:30
end
2015-09-25 12:07:36 +05:30
2016-09-13 17:45:13 +05:30
it " returns 404 for invalid ID " do
2015-09-25 12:07:36 +05:30
get api ( " /users/keys/ASDF " , admin )
2016-11-03 12:29:30 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2015-09-25 12:07:36 +05:30
end
2017-09-10 17:25:29 +05:30
context " scopes " do
let ( :path ) { " /user/keys/ #{ key . id } " }
let ( :api_call ) { method ( :api ) }
include_examples 'allows the "read_user" scope'
end
2014-09-02 18:07:02 +05:30
end
describe " POST /user/keys " do
2016-09-13 17:45:13 +05:30
it " creates ssh key " do
2014-09-02 18:07:02 +05:30
key_attrs = attributes_for :key
2015-09-11 14:41:01 +05:30
expect do
2019-02-15 15:39:39 +05:30
post api ( " /user/keys " , user ) , params : key_attrs
2017-08-17 22:00:37 +05:30
end . to change { user . keys . count } . by ( 1 )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :created )
2014-09-02 18:07:02 +05:30
end
2020-06-23 00:09:42 +05:30
it 'creates SSH key with `expires_at` attribute' do
optional_attributes = { expires_at : '2016-01-21T00:00:00.000Z' }
attributes = attributes_for ( :key ) . merge ( optional_attributes )
post api ( " /user/keys " , user ) , params : attributes
expect ( response ) . to have_gitlab_http_status ( :created )
expect ( json_response [ 'expires_at' ] ) . to eq ( optional_attributes [ :expires_at ] )
end
2016-09-13 17:45:13 +05:30
it " returns a 401 error if unauthorized " do
2019-02-15 15:39:39 +05:30
post api ( " /user/keys " ) , params : { title : 'some title' , key : 'some key' }
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2014-09-02 18:07:02 +05:30
end
2016-09-13 17:45:13 +05:30
it " does not create ssh key without key " do
2019-02-15 15:39:39 +05:30
post api ( " /user/keys " , user ) , params : { title : 'title' }
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
2017-08-17 22:00:37 +05:30
expect ( json_response [ 'error' ] ) . to eq ( 'key is missing' )
2015-04-26 12:48:37 +05:30
end
2016-09-13 17:45:13 +05:30
it 'does not create ssh key without title' do
2019-02-15 15:39:39 +05:30
post api ( '/user/keys' , user ) , params : { key : 'some key' }
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
2017-08-17 22:00:37 +05:30
expect ( json_response [ 'error' ] ) . to eq ( 'title is missing' )
2014-09-02 18:07:02 +05:30
end
2016-09-13 17:45:13 +05:30
it " does not create ssh key without title " do
2019-02-15 15:39:39 +05:30
post api ( " /user/keys " , user ) , params : { key : " somekey " }
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
2014-09-02 18:07:02 +05:30
end
end
2017-08-17 22:00:37 +05:30
describe " DELETE /user/keys/:key_id " do
2016-09-13 17:45:13 +05:30
it " deletes existed key " do
2014-09-02 18:07:02 +05:30
user . keys << key
2017-08-17 22:00:37 +05:30
2015-09-11 14:41:01 +05:30
expect do
2014-09-02 18:07:02 +05:30
delete api ( " /user/keys/ #{ key . id } " , user )
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :no_content )
2021-01-29 00:20:46 +05:30
end . to change { user . keys . count } . by ( - 1 )
2014-09-02 18:07:02 +05:30
end
2018-03-17 18:26:18 +05:30
it_behaves_like '412 response' do
let ( :request ) { api ( " /user/keys/ #{ key . id } " , user ) }
end
2017-08-17 22:00:37 +05:30
it " returns 404 if key ID not found " do
2020-06-23 00:09:42 +05:30
delete api ( " /user/keys/ #{ non_existing_record_id } " , user )
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2017-08-17 22:00:37 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 Key Not Found' )
2014-09-02 18:07:02 +05:30
end
2016-09-13 17:45:13 +05:30
it " returns 401 error if unauthorized " do
2014-09-02 18:07:02 +05:30
user . keys << key
2020-06-23 00:09:42 +05:30
2014-09-02 18:07:02 +05:30
delete api ( " /user/keys/ #{ key . id } " )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2014-09-02 18:07:02 +05:30
end
2015-09-25 12:07:36 +05:30
2016-11-03 12:29:30 +05:30
it " returns a 404 for invalid ID " do
delete api ( " /users/keys/ASDF " , admin )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2018-03-17 18:26:18 +05:30
end
end
describe 'GET /user/gpg_keys' do
context 'when unauthenticated' do
it 'returns authentication error' do
get api ( '/user/gpg_keys' )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2018-03-17 18:26:18 +05:30
end
end
context 'when authenticated' do
it 'returns array of GPG keys' do
user . gpg_keys << gpg_key
get api ( '/user/gpg_keys' , user )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2018-03-17 18:26:18 +05:30
expect ( response ) . to include_pagination_headers
expect ( json_response ) . to be_an Array
expect ( json_response . first [ 'key' ] ) . to eq ( gpg_key . key )
end
context 'scopes' do
let ( :path ) { '/user/gpg_keys' }
let ( :api_call ) { method ( :api ) }
include_examples 'allows the "read_user" scope'
end
end
end
describe 'GET /user/gpg_keys/:key_id' do
it 'returns a single key' do
user . gpg_keys << gpg_key
get api ( " /user/gpg_keys/ #{ gpg_key . id } " , user )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2018-03-17 18:26:18 +05:30
expect ( json_response [ 'key' ] ) . to eq ( gpg_key . key )
end
it 'returns 404 Not Found within invalid ID' do
2020-06-23 00:09:42 +05:30
get api ( " /user/gpg_keys/ #{ non_existing_record_id } " , user )
2018-03-17 18:26:18 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2018-03-17 18:26:18 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 GPG Key Not Found' )
end
it " returns 404 error if admin accesses user's GPG key " do
user . gpg_keys << gpg_key
get api ( " /user/gpg_keys/ #{ gpg_key . id } " , admin )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2018-03-17 18:26:18 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 GPG Key Not Found' )
end
it 'returns 404 for invalid ID' do
get api ( '/users/gpg_keys/ASDF' , admin )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2018-03-17 18:26:18 +05:30
end
context 'scopes' do
let ( :path ) { " /user/gpg_keys/ #{ gpg_key . id } " }
let ( :api_call ) { method ( :api ) }
include_examples 'allows the "read_user" scope'
end
end
describe 'POST /user/gpg_keys' do
it 'creates a GPG key' do
2020-06-23 00:09:42 +05:30
key_attrs = attributes_for :gpg_key , key : GpgHelpers :: User2 . public_key
2018-03-17 18:26:18 +05:30
expect do
2019-02-15 15:39:39 +05:30
post api ( '/user/gpg_keys' , user ) , params : key_attrs
2018-03-17 18:26:18 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :created )
2018-03-17 18:26:18 +05:30
end . to change { user . gpg_keys . count } . by ( 1 )
end
it 'returns a 401 error if unauthorized' do
2019-02-15 15:39:39 +05:30
post api ( '/user/gpg_keys' ) , params : { key : 'some key' }
2018-03-17 18:26:18 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2018-03-17 18:26:18 +05:30
end
it 'does not create GPG key without key' do
post api ( '/user/gpg_keys' , user )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
2018-03-17 18:26:18 +05:30
expect ( json_response [ 'error' ] ) . to eq ( 'key is missing' )
end
end
describe 'POST /user/gpg_keys/:key_id/revoke' do
it 'revokes existing GPG key' do
user . gpg_keys << gpg_key
expect do
post api ( " /user/gpg_keys/ #{ gpg_key . id } /revoke " , user )
expect ( response ) . to have_gitlab_http_status ( :accepted )
2021-01-29 00:20:46 +05:30
end . to change { user . gpg_keys . count } . by ( - 1 )
2018-03-17 18:26:18 +05:30
end
it 'returns 404 if key ID not found' do
2020-06-23 00:09:42 +05:30
post api ( " /user/gpg_keys/ #{ non_existing_record_id } /revoke " , user )
2018-03-17 18:26:18 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2018-03-17 18:26:18 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 GPG Key Not Found' )
end
it 'returns 401 error if unauthorized' do
user . gpg_keys << gpg_key
post api ( " /user/gpg_keys/ #{ gpg_key . id } /revoke " )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2018-03-17 18:26:18 +05:30
end
it 'returns a 404 for invalid ID' do
post api ( '/users/gpg_keys/ASDF/revoke' , admin )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2018-03-17 18:26:18 +05:30
end
end
describe 'DELETE /user/gpg_keys/:key_id' do
it 'deletes existing GPG key' do
user . gpg_keys << gpg_key
expect do
delete api ( " /user/gpg_keys/ #{ gpg_key . id } " , user )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :no_content )
2021-01-29 00:20:46 +05:30
end . to change { user . gpg_keys . count } . by ( - 1 )
2018-03-17 18:26:18 +05:30
end
it 'returns 404 if key ID not found' do
2020-06-23 00:09:42 +05:30
delete api ( " /user/gpg_keys/ #{ non_existing_record_id } " , user )
2018-03-17 18:26:18 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2018-03-17 18:26:18 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 GPG Key Not Found' )
end
it 'returns 401 error if unauthorized' do
user . gpg_keys << gpg_key
delete api ( " /user/gpg_keys/ #{ gpg_key . id } " )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2018-03-17 18:26:18 +05:30
end
it 'returns a 404 for invalid ID' do
delete api ( '/users/gpg_keys/ASDF' , admin )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2015-09-25 12:07:36 +05:30
end
2014-09-02 18:07:02 +05:30
end
2015-09-11 14:41:01 +05:30
describe " GET /user/emails " do
context " when unauthenticated " do
2016-09-13 17:45:13 +05:30
it " returns authentication error " do
2015-09-11 14:41:01 +05:30
get api ( " /user/emails " )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2015-09-11 14:41:01 +05:30
end
end
context " when authenticated " do
2016-09-13 17:45:13 +05:30
it " returns array of emails " do
2015-09-11 14:41:01 +05:30
user . emails << email
2017-08-17 22:00:37 +05:30
2015-09-11 14:41:01 +05:30
get api ( " /user/emails " , user )
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2017-08-17 22:00:37 +05:30
expect ( response ) . to include_pagination_headers
2015-09-11 14:41:01 +05:30
expect ( json_response ) . to be_an Array
expect ( json_response . first [ " email " ] ) . to eq ( email . email )
end
2017-09-10 17:25:29 +05:30
context " scopes " do
let ( :path ) { " /user/emails " }
let ( :api_call ) { method ( :api ) }
include_examples 'allows the "read_user" scope'
end
2015-09-11 14:41:01 +05:30
end
end
2017-08-17 22:00:37 +05:30
describe " GET /user/emails/:email_id " do
2016-09-13 17:45:13 +05:30
it " returns single email " do
2015-09-11 14:41:01 +05:30
user . emails << email
2020-06-23 00:09:42 +05:30
2015-09-11 14:41:01 +05:30
get api ( " /user/emails/ #{ email . id } " , user )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2015-09-11 14:41:01 +05:30
expect ( json_response [ " email " ] ) . to eq ( email . email )
end
2016-09-13 17:45:13 +05:30
it " returns 404 Not Found within invalid ID " do
2020-06-23 00:09:42 +05:30
get api ( " /user/emails/ #{ non_existing_record_id } " , user )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2017-08-17 22:00:37 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 Email Not Found' )
2015-09-11 14:41:01 +05:30
end
2016-09-13 17:45:13 +05:30
it " returns 404 error if admin accesses user's email " do
2015-09-11 14:41:01 +05:30
user . emails << email
admin
2020-06-23 00:09:42 +05:30
2015-09-11 14:41:01 +05:30
get api ( " /user/emails/ #{ email . id } " , admin )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2017-08-17 22:00:37 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 Email Not Found' )
2015-09-11 14:41:01 +05:30
end
2015-09-25 12:07:36 +05:30
2016-09-13 17:45:13 +05:30
it " returns 404 for invalid ID " do
2015-09-25 12:07:36 +05:30
get api ( " /users/emails/ASDF " , admin )
2016-11-03 12:29:30 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2015-09-25 12:07:36 +05:30
end
2017-09-10 17:25:29 +05:30
context " scopes " do
let ( :path ) { " /user/emails/ #{ email . id } " }
let ( :api_call ) { method ( :api ) }
include_examples 'allows the "read_user" scope'
end
2015-09-11 14:41:01 +05:30
end
describe " POST /user/emails " do
2016-09-13 17:45:13 +05:30
it " creates email " do
2015-09-11 14:41:01 +05:30
email_attrs = attributes_for :email
expect do
2019-02-15 15:39:39 +05:30
post api ( " /user/emails " , user ) , params : email_attrs
2017-08-17 22:00:37 +05:30
end . to change { user . emails . count } . by ( 1 )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :created )
2015-09-11 14:41:01 +05:30
end
2016-09-13 17:45:13 +05:30
it " returns a 401 error if unauthorized " do
2019-02-15 15:39:39 +05:30
post api ( " /user/emails " ) , params : { email : 'some email' }
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2015-09-11 14:41:01 +05:30
end
2016-09-13 17:45:13 +05:30
it " does not create email with invalid email " do
2019-02-15 15:39:39 +05:30
post api ( " /user/emails " , user ) , params : { }
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
2017-08-17 22:00:37 +05:30
expect ( json_response [ 'error' ] ) . to eq ( 'email is missing' )
2015-09-11 14:41:01 +05:30
end
end
2017-08-17 22:00:37 +05:30
describe " DELETE /user/emails/:email_id " do
2016-09-13 17:45:13 +05:30
it " deletes existed email " do
2015-09-11 14:41:01 +05:30
user . emails << email
2017-08-17 22:00:37 +05:30
2015-09-11 14:41:01 +05:30
expect do
delete api ( " /user/emails/ #{ email . id } " , user )
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :no_content )
2021-01-29 00:20:46 +05:30
end . to change { user . emails . count } . by ( - 1 )
2015-09-11 14:41:01 +05:30
end
2018-03-17 18:26:18 +05:30
it_behaves_like '412 response' do
let ( :request ) { api ( " /user/emails/ #{ email . id } " , user ) }
end
2017-08-17 22:00:37 +05:30
it " returns 404 if email ID not found " do
2020-06-23 00:09:42 +05:30
delete api ( " /user/emails/ #{ non_existing_record_id } " , user )
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2017-08-17 22:00:37 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 Email Not Found' )
2015-09-11 14:41:01 +05:30
end
2016-09-13 17:45:13 +05:30
it " returns 401 error if unauthorized " do
2015-09-11 14:41:01 +05:30
user . emails << email
2020-06-23 00:09:42 +05:30
2015-09-11 14:41:01 +05:30
delete api ( " /user/emails/ #{ email . id } " )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2015-09-11 14:41:01 +05:30
end
2015-09-25 12:07:36 +05:30
2017-08-17 22:00:37 +05:30
it " returns 400 for invalid ID " do
delete api ( " /user/emails/ASDF " , admin )
2016-11-03 12:29:30 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
2015-09-25 12:07:36 +05:30
end
2015-09-11 14:41:01 +05:30
end
2019-12-21 20:55:43 +05:30
context 'activate and deactivate' do
shared_examples '404' do
it 'returns 404' do
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2019-12-21 20:55:43 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 User Not Found' )
end
end
describe 'POST /users/:id/activate' do
2021-01-03 14:25:43 +05:30
subject ( :activate ) { post api ( " /users/ #{ user_id } /activate " , api_user ) }
let ( :user_id ) { user . id }
2019-12-21 20:55:43 +05:30
context 'performed by a non-admin user' do
2021-01-03 14:25:43 +05:30
let ( :api_user ) { user }
2019-12-21 20:55:43 +05:30
it 'is not authorized to perform the action' do
2021-01-03 14:25:43 +05:30
activate
2019-12-21 20:55:43 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2019-12-21 20:55:43 +05:30
end
end
context 'performed by an admin user' do
2021-01-03 14:25:43 +05:30
let ( :api_user ) { admin }
2019-12-21 20:55:43 +05:30
context 'for a deactivated user' do
before do
user . deactivate
end
it 'activates a deactivated user' do
2021-01-03 14:25:43 +05:30
activate
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :created )
2019-12-21 20:55:43 +05:30
expect ( user . reload . state ) . to eq ( 'active' )
end
end
context 'for an active user' do
before do
user . activate
end
it 'returns 201' do
2021-01-03 14:25:43 +05:30
activate
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :created )
2019-12-21 20:55:43 +05:30
expect ( user . reload . state ) . to eq ( 'active' )
end
end
context 'for a blocked user' do
before do
user . block
end
it 'returns 403' do
2021-01-03 14:25:43 +05:30
activate
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2021-03-08 18:12:59 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '403 Forbidden - A blocked user must be unblocked to be activated' )
2019-12-21 20:55:43 +05:30
expect ( user . reload . state ) . to eq ( 'blocked' )
end
end
context 'for a ldap blocked user' do
before do
user . ldap_block
end
it 'returns 403' do
2021-01-03 14:25:43 +05:30
activate
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2021-03-08 18:12:59 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '403 Forbidden - A blocked user must be unblocked to be activated' )
2019-12-21 20:55:43 +05:30
expect ( user . reload . state ) . to eq ( 'ldap_blocked' )
end
end
context 'for a user that does not exist' do
2021-01-03 14:25:43 +05:30
let ( :user_id ) { 0 }
2019-12-21 20:55:43 +05:30
before do
2021-01-03 14:25:43 +05:30
activate
2019-12-21 20:55:43 +05:30
end
it_behaves_like '404'
end
end
end
describe 'POST /users/:id/deactivate' do
2021-01-03 14:25:43 +05:30
subject ( :deactivate ) { post api ( " /users/ #{ user_id } /deactivate " , api_user ) }
let ( :user_id ) { user . id }
2019-12-21 20:55:43 +05:30
context 'performed by a non-admin user' do
2021-01-03 14:25:43 +05:30
let ( :api_user ) { user }
2019-12-21 20:55:43 +05:30
it 'is not authorized to perform the action' do
2021-01-03 14:25:43 +05:30
deactivate
2019-12-21 20:55:43 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2019-12-21 20:55:43 +05:30
end
end
context 'performed by an admin user' do
2021-01-03 14:25:43 +05:30
let ( :api_user ) { admin }
2019-12-21 20:55:43 +05:30
context 'for an active user' do
let ( :activity ) { { } }
2020-06-23 00:09:42 +05:30
let ( :user ) { create ( :user , ** activity ) }
2019-12-21 20:55:43 +05:30
context 'with no recent activity' do
let ( :activity ) { { last_activity_on : :: User :: MINIMUM_INACTIVE_DAYS . next . days . ago } }
it 'deactivates an active user' do
2021-01-03 14:25:43 +05:30
deactivate
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :created )
2019-12-21 20:55:43 +05:30
expect ( user . reload . state ) . to eq ( 'deactivated' )
end
end
context 'with recent activity' do
let ( :activity ) { { last_activity_on : :: User :: MINIMUM_INACTIVE_DAYS . pred . days . ago } }
it 'does not deactivate an active user' do
2021-01-03 14:25:43 +05:30
deactivate
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2021-03-08 18:12:59 +05:30
expect ( json_response [ 'message' ] ) . to eq ( " 403 Forbidden - The user you are trying to deactivate has been active in the past #{ :: User :: MINIMUM_INACTIVE_DAYS } days and cannot be deactivated " )
2019-12-21 20:55:43 +05:30
expect ( user . reload . state ) . to eq ( 'active' )
end
end
end
context 'for a deactivated user' do
before do
user . deactivate
end
it 'returns 201' do
2021-01-03 14:25:43 +05:30
deactivate
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :created )
2019-12-21 20:55:43 +05:30
expect ( user . reload . state ) . to eq ( 'deactivated' )
end
end
context 'for a blocked user' do
before do
user . block
end
it 'returns 403' do
2021-01-03 14:25:43 +05:30
deactivate
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2021-03-08 18:12:59 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '403 Forbidden - A blocked user cannot be deactivated by the API' )
2019-12-21 20:55:43 +05:30
expect ( user . reload . state ) . to eq ( 'blocked' )
end
end
context 'for a ldap blocked user' do
before do
user . ldap_block
end
it 'returns 403' do
2021-01-03 14:25:43 +05:30
deactivate
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2021-03-08 18:12:59 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '403 Forbidden - A blocked user cannot be deactivated by the API' )
2019-12-21 20:55:43 +05:30
expect ( user . reload . state ) . to eq ( 'ldap_blocked' )
end
end
2021-01-03 14:25:43 +05:30
context 'for an internal user' do
let ( :user ) { User . alert_bot }
it 'returns 403' do
deactivate
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2021-03-08 18:12:59 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '403 Forbidden - An internal user cannot be deactivated by the API' )
2021-01-03 14:25:43 +05:30
end
end
2019-12-21 20:55:43 +05:30
context 'for a user that does not exist' do
2021-01-03 14:25:43 +05:30
let ( :user_id ) { 0 }
2019-12-21 20:55:43 +05:30
before do
2021-01-03 14:25:43 +05:30
deactivate
2019-12-21 20:55:43 +05:30
end
it_behaves_like '404'
end
end
end
end
2021-02-22 17:27:13 +05:30
context 'approve pending user' do
shared_examples '404' do
it 'returns 404' do
expect ( response ) . to have_gitlab_http_status ( :not_found )
expect ( json_response [ 'message' ] ) . to eq ( '404 User Not Found' )
end
end
describe 'POST /users/:id/approve' do
subject ( :approve ) { post api ( " /users/ #{ user_id } /approve " , api_user ) }
let_it_be ( :pending_user ) { create ( :user , :blocked_pending_approval ) }
let_it_be ( :deactivated_user ) { create ( :user , :deactivated ) }
let_it_be ( :blocked_user ) { create ( :user , :blocked ) }
context 'performed by a non-admin user' do
let ( :api_user ) { user }
let ( :user_id ) { pending_user . id }
it 'is not authorized to perform the action' do
expect { approve } . not_to change { pending_user . reload . state }
expect ( response ) . to have_gitlab_http_status ( :forbidden )
expect ( json_response [ 'message' ] ) . to eq ( 'You are not allowed to approve a user' )
end
end
context 'performed by an admin user' do
let ( :api_user ) { admin }
context 'for a deactivated user' do
let ( :user_id ) { deactivated_user . id }
it 'does not approve a deactivated user' do
expect { approve } . not_to change { deactivated_user . reload . state }
expect ( response ) . to have_gitlab_http_status ( :conflict )
2021-03-11 19:13:27 +05:30
expect ( json_response [ 'message' ] ) . to eq ( 'The user you are trying to approve is not pending approval' )
2021-02-22 17:27:13 +05:30
end
end
context 'for an pending approval user' do
let ( :user_id ) { pending_user . id }
it 'returns 201' do
expect { approve } . to change { pending_user . reload . state } . to ( 'active' )
expect ( response ) . to have_gitlab_http_status ( :created )
expect ( json_response [ 'message' ] ) . to eq ( 'Success' )
end
end
context 'for an active user' do
let ( :user_id ) { user . id }
it 'returns 201' do
expect { approve } . not_to change { user . reload . state }
expect ( response ) . to have_gitlab_http_status ( :conflict )
2021-03-11 19:13:27 +05:30
expect ( json_response [ 'message' ] ) . to eq ( 'The user you are trying to approve is not pending approval' )
2021-02-22 17:27:13 +05:30
end
end
context 'for a blocked user' do
let ( :user_id ) { blocked_user . id }
it 'returns 403' do
expect { approve } . not_to change { blocked_user . reload . state }
expect ( response ) . to have_gitlab_http_status ( :conflict )
2021-03-11 19:13:27 +05:30
expect ( json_response [ 'message' ] ) . to eq ( 'The user you are trying to approve is not pending approval' )
2021-02-22 17:27:13 +05:30
end
end
context 'for a ldap blocked user' do
let ( :user_id ) { ldap_blocked_user . id }
it 'returns 403' do
expect { approve } . not_to change { ldap_blocked_user . reload . state }
expect ( response ) . to have_gitlab_http_status ( :conflict )
2021-03-11 19:13:27 +05:30
expect ( json_response [ 'message' ] ) . to eq ( 'The user you are trying to approve is not pending approval' )
2021-02-22 17:27:13 +05:30
end
end
context 'for a user that does not exist' do
let ( :user_id ) { non_existing_record_id }
before do
approve
end
it_behaves_like '404'
end
end
end
end
2017-08-17 22:00:37 +05:30
describe 'POST /users/:id/block' do
2020-04-08 14:13:33 +05:30
let ( :blocked_user ) { create ( :user , state : 'blocked' ) }
2016-09-13 17:45:13 +05:30
it 'blocks existing user' do
2017-08-17 22:00:37 +05:30
post api ( " /users/ #{ user . id } /block " , admin )
2020-04-08 14:13:33 +05:30
aggregate_failures do
expect ( response ) . to have_gitlab_http_status ( :created )
expect ( response . body ) . to eq ( 'true' )
expect ( user . reload . state ) . to eq ( 'blocked' )
end
2015-09-11 14:41:01 +05:30
end
2016-09-13 17:45:13 +05:30
it 'does not re-block ldap blocked users' do
2017-08-17 22:00:37 +05:30
post api ( " /users/ #{ ldap_blocked_user . id } /block " , admin )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2016-01-19 16:12:03 +05:30
expect ( ldap_blocked_user . reload . state ) . to eq ( 'ldap_blocked' )
end
2016-09-13 17:45:13 +05:30
it 'does not be available for non admin users' do
2017-08-17 22:00:37 +05:30
post api ( " /users/ #{ user . id } /block " , user )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2015-09-11 14:41:01 +05:30
expect ( user . reload . state ) . to eq ( 'active' )
end
2016-09-13 17:45:13 +05:30
it 'returns a 404 error if user id not found' do
2019-07-07 11:18:12 +05:30
post api ( '/users/0/block' , admin )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2015-09-11 14:41:01 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 User Not Found' )
end
2020-04-08 14:13:33 +05:30
2021-01-03 14:25:43 +05:30
it 'returns a 403 error if user is internal' do
internal_user = create ( :user , :bot )
post api ( " /users/ #{ internal_user . id } /block " , admin )
expect ( response ) . to have_gitlab_http_status ( :forbidden )
expect ( json_response [ 'message' ] ) . to eq ( 'An internal user cannot be blocked' )
end
2020-04-08 14:13:33 +05:30
it 'returns a 201 if user is already blocked' do
post api ( " /users/ #{ blocked_user . id } /block " , admin )
aggregate_failures do
expect ( response ) . to have_gitlab_http_status ( :created )
expect ( response . body ) . to eq ( 'null' )
end
end
2015-09-11 14:41:01 +05:30
end
2017-08-17 22:00:37 +05:30
describe 'POST /users/:id/unblock' do
2019-03-02 22:35:43 +05:30
let ( :blocked_user ) { create ( :user , state : 'blocked' ) }
2019-12-21 20:55:43 +05:30
let ( :deactivated_user ) { create ( :user , state : 'deactivated' ) }
2017-09-10 17:25:29 +05:30
2016-09-13 17:45:13 +05:30
it 'unblocks existing user' do
2017-08-17 22:00:37 +05:30
post api ( " /users/ #{ user . id } /unblock " , admin )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :created )
2015-09-11 14:41:01 +05:30
expect ( user . reload . state ) . to eq ( 'active' )
end
2016-09-13 17:45:13 +05:30
it 'unblocks a blocked user' do
2017-08-17 22:00:37 +05:30
post api ( " /users/ #{ blocked_user . id } /unblock " , admin )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :created )
2016-01-19 16:12:03 +05:30
expect ( blocked_user . reload . state ) . to eq ( 'active' )
end
2016-09-13 17:45:13 +05:30
it 'does not unblock ldap blocked users' do
2017-08-17 22:00:37 +05:30
post api ( " /users/ #{ ldap_blocked_user . id } /unblock " , admin )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2016-01-19 16:12:03 +05:30
expect ( ldap_blocked_user . reload . state ) . to eq ( 'ldap_blocked' )
2015-09-11 14:41:01 +05:30
end
2019-12-21 20:55:43 +05:30
it 'does not unblock deactivated users' do
post api ( " /users/ #{ deactivated_user . id } /unblock " , admin )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2019-12-21 20:55:43 +05:30
expect ( deactivated_user . reload . state ) . to eq ( 'deactivated' )
end
it 'is not available for non admin users' do
2017-08-17 22:00:37 +05:30
post api ( " /users/ #{ user . id } /unblock " , user )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2015-09-11 14:41:01 +05:30
expect ( user . reload . state ) . to eq ( 'active' )
end
2016-09-13 17:45:13 +05:30
it 'returns a 404 error if user id not found' do
2019-07-07 11:18:12 +05:30
post api ( '/users/0/block' , admin )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2015-09-11 14:41:01 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 User Not Found' )
end
2015-09-25 12:07:36 +05:30
2016-11-03 12:29:30 +05:30
it " returns a 404 for invalid ID " do
2017-08-17 22:00:37 +05:30
post api ( " /users/ASDF/block " , admin )
2016-11-03 12:29:30 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2016-11-03 12:29:30 +05:30
end
end
2020-03-13 15:44:24 +05:30
describe " GET /users/:id/memberships " do
let_it_be ( :user ) { create ( :user ) }
let_it_be ( :project ) { create ( :project ) }
let_it_be ( :group ) { create ( :group ) }
let ( :requesting_user ) { create ( :user ) }
before_all do
project . add_guest ( user )
group . add_guest ( user )
end
it " responses with 403 " do
get api ( " /users/ #{ user . id } /memberships " , requesting_user )
expect ( response ) . to have_gitlab_http_status ( :forbidden )
end
context 'requested by admin user' do
let ( :requesting_user ) { create ( :user , :admin ) }
it " responses successfully " do
get api ( " /users/ #{ user . id } /memberships " , requesting_user )
aggregate_failures 'expect successful response including groups and projects' do
expect ( response ) . to have_gitlab_http_status ( :ok )
expect ( response ) . to match_response_schema ( 'public_api/v4/memberships' )
expect ( response ) . to include_pagination_headers
expect ( json_response ) . to contain_exactly (
a_hash_including ( 'source_type' = > 'Project' ) ,
a_hash_including ( 'source_type' = > 'Namespace' )
)
end
end
it 'does not submit N+1 DB queries' do
# Avoid setup queries
get api ( " /users/ #{ user . id } /memberships " , requesting_user )
control = ActiveRecord :: QueryRecorder . new do
get api ( " /users/ #{ user . id } /memberships " , requesting_user )
end
create_list ( :project , 5 ) . map { | project | project . add_guest ( user ) }
expect do
get api ( " /users/ #{ user . id } /memberships " , requesting_user )
end . not_to exceed_query_limit ( control )
end
context 'with type filter' do
it " only returns project memberships " do
get api ( " /users/ #{ user . id } /memberships?type=Project " , requesting_user )
aggregate_failures do
expect ( json_response ) . to contain_exactly ( a_hash_including ( 'source_type' = > 'Project' ) )
expect ( json_response ) . not_to include ( a_hash_including ( 'source_type' = > 'Namespace' ) )
end
end
it " only returns group memberships " do
get api ( " /users/ #{ user . id } /memberships?type=Namespace " , requesting_user )
aggregate_failures do
expect ( json_response ) . to contain_exactly ( a_hash_including ( 'source_type' = > 'Namespace' ) )
expect ( json_response ) . not_to include ( a_hash_including ( 'source_type' = > 'Project' ) )
end
end
it " recognizes unsupported types " do
get api ( " /users/ #{ user . id } /memberships?type=foo " , requesting_user )
expect ( response ) . to have_gitlab_http_status ( :bad_request )
end
end
end
end
2017-09-10 17:25:29 +05:30
context " user activities " , :clean_gitlab_redis_shared_state do
2020-05-24 23:13:21 +05:30
let_it_be ( :old_active_user ) { create ( :user , last_activity_on : Time . utc ( 2000 , 1 , 1 ) ) }
let_it_be ( :newly_active_user ) { create ( :user , last_activity_on : 2 . days . ago . midday ) }
2017-08-17 22:00:37 +05:30
context 'last activity as normal user' do
it 'has no permission' do
get api ( " /user/activities " , user )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2017-08-17 22:00:37 +05:30
end
end
context 'as admin' do
it 'returns the activities from the last 6 months' do
get api ( " /user/activities " , admin )
expect ( response ) . to include_pagination_headers
expect ( json_response . size ) . to eq ( 1 )
activity = json_response . last
expect ( activity [ 'username' ] ) . to eq ( newly_active_user . username )
expect ( activity [ 'last_activity_on' ] ) . to eq ( 2 . days . ago . to_date . to_s )
expect ( activity [ 'last_activity_at' ] ) . to eq ( 2 . days . ago . to_date . to_s )
end
context 'passing a :from parameter' do
it 'returns the activities from the given date' do
get api ( " /user/activities?from=2000-1-1 " , admin )
expect ( response ) . to include_pagination_headers
expect ( json_response . size ) . to eq ( 2 )
activity = json_response . first
expect ( activity [ 'username' ] ) . to eq ( old_active_user . username )
expect ( activity [ 'last_activity_on' ] ) . to eq ( Time . utc ( 2000 , 1 , 1 ) . to_date . to_s )
expect ( activity [ 'last_activity_at' ] ) . to eq ( Time . utc ( 2000 , 1 , 1 ) . to_date . to_s )
end
end
end
end
2018-11-18 11:00:15 +05:30
describe 'GET /user/status' do
let ( :path ) { '/user/status' }
2020-01-01 13:55:28 +05:30
2018-11-18 11:00:15 +05:30
it_behaves_like 'rendering user status'
end
describe 'PUT /user/status' do
it 'saves the status' do
2019-02-15 15:39:39 +05:30
put api ( '/user/status' , user ) , params : { emoji : 'smirk' , message : 'hello world' }
2018-11-18 11:00:15 +05:30
expect ( response ) . to have_gitlab_http_status ( :success )
expect ( json_response [ 'emoji' ] ) . to eq ( 'smirk' )
end
it 'renders errors when the status was invalid' do
2019-02-15 15:39:39 +05:30
put api ( '/user/status' , user ) , params : { emoji : 'does not exist' , message : 'hello world' }
2018-11-18 11:00:15 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
2018-11-18 11:00:15 +05:30
expect ( json_response [ 'message' ] [ 'emoji' ] ) . to be_present
end
it 'deletes the status when passing empty values' do
put api ( '/user/status' , user )
expect ( response ) . to have_gitlab_http_status ( :success )
expect ( user . reload . status ) . to be_nil
end
2021-03-11 19:13:27 +05:30
context 'when clear_status_after is given' do
it 'sets the clear_status_at column' do
freeze_time do
expected_clear_status_at = 3 . hours . from_now
put api ( '/user/status' , user ) , params : { emoji : 'smirk' , message : 'hello world' , clear_status_after : '3_hours' }
expect ( response ) . to have_gitlab_http_status ( :success )
expect ( user . status . reload . clear_status_at ) . to be_within ( 1 . minute ) . of ( expected_clear_status_at )
expect ( Time . parse ( json_response [ " clear_status_at " ] ) ) . to be_within ( 1 . minute ) . of ( expected_clear_status_at )
end
end
it 'unsets the clear_status_at column' do
user . create_status! ( clear_status_at : 5 . hours . ago )
put api ( '/user/status' , user ) , params : { emoji : 'smirk' , message : 'hello world' , clear_status_after : nil }
expect ( response ) . to have_gitlab_http_status ( :success )
expect ( user . status . reload . clear_status_at ) . to be_nil
end
it 'raises error when unknown status value is given' do
put api ( '/user/status' , user ) , params : { emoji : 'smirk' , message : 'hello world' , clear_status_after : 'wrong' }
expect ( response ) . to have_gitlab_http_status ( :bad_request )
end
end
2018-11-18 11:00:15 +05:30
end
2021-01-29 00:20:46 +05:30
describe 'POST /users/:user_id/personal_access_tokens' do
let ( :name ) { 'new pat' }
let ( :expires_at ) { 3 . days . from_now . to_date . to_s }
let ( :scopes ) { %w( api read_user ) }
2021-03-08 18:12:59 +05:30
it 'returns error if required attributes are missing' do
post api ( " /users/ #{ user . id } /personal_access_tokens " , admin )
2021-01-29 00:20:46 +05:30
2021-03-08 18:12:59 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
expect ( json_response [ 'error' ] ) . to eq ( 'name is missing, scopes is missing, scopes does not have a valid value' )
end
2021-01-29 00:20:46 +05:30
2021-03-08 18:12:59 +05:30
it 'returns a 404 error if user not found' do
post api ( " /users/ #{ non_existing_record_id } /personal_access_tokens " , admin ) ,
params : {
name : name ,
scopes : scopes ,
expires_at : expires_at
}
2021-01-29 00:20:46 +05:30
2021-03-08 18:12:59 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
expect ( json_response [ 'message' ] ) . to eq ( '404 User Not Found' )
end
2021-01-29 00:20:46 +05:30
2021-03-08 18:12:59 +05:30
it 'returns a 401 error when not authenticated' do
post api ( " /users/ #{ user . id } /personal_access_tokens " ) ,
params : {
name : name ,
scopes : scopes ,
expires_at : expires_at
}
2021-01-29 00:20:46 +05:30
2021-03-08 18:12:59 +05:30
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
expect ( json_response [ 'message' ] ) . to eq ( '401 Unauthorized' )
end
2021-01-29 00:20:46 +05:30
2021-03-08 18:12:59 +05:30
it 'returns a 403 error when authenticated as normal user' do
post api ( " /users/ #{ user . id } /personal_access_tokens " , user ) ,
params : {
name : name ,
scopes : scopes ,
expires_at : expires_at
}
2021-01-29 00:20:46 +05:30
2021-03-08 18:12:59 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
expect ( json_response [ 'message' ] ) . to eq ( '403 Forbidden' )
end
2021-01-29 00:20:46 +05:30
2021-03-08 18:12:59 +05:30
it 'creates a personal access token when authenticated as admin' do
post api ( " /users/ #{ user . id } /personal_access_tokens " , admin ) ,
params : {
name : name ,
expires_at : expires_at ,
scopes : scopes
}
2021-01-29 00:20:46 +05:30
2021-03-08 18:12:59 +05:30
expect ( response ) . to have_gitlab_http_status ( :created )
expect ( json_response [ 'name' ] ) . to eq ( name )
expect ( json_response [ 'scopes' ] ) . to eq ( scopes )
expect ( json_response [ 'expires_at' ] ) . to eq ( expires_at )
expect ( json_response [ 'id' ] ) . to be_present
expect ( json_response [ 'created_at' ] ) . to be_present
expect ( json_response [ 'active' ] ) . to be_truthy
expect ( json_response [ 'revoked' ] ) . to be_falsey
expect ( json_response [ 'token' ] ) . to be_present
end
2021-01-29 00:20:46 +05:30
2021-03-08 18:12:59 +05:30
context 'when an error is thrown by the model' do
let! ( :admin_personal_access_token ) { create ( :personal_access_token , user : admin ) }
let ( :error_message ) { 'error message' }
2021-01-29 00:20:46 +05:30
2021-03-08 18:12:59 +05:30
before do
allow_next_instance_of ( PersonalAccessToken ) do | personal_access_token |
allow ( personal_access_token ) . to receive_message_chain ( :errors , :full_messages )
. and_return ( [ error_message ] )
2021-01-29 00:20:46 +05:30
2021-03-08 18:12:59 +05:30
allow ( personal_access_token ) . to receive ( :save ) . and_return ( false )
2021-01-29 00:20:46 +05:30
end
end
2021-03-08 18:12:59 +05:30
it 'returns the error' do
post api ( " /users/ #{ user . id } /personal_access_tokens " , personal_access_token : admin_personal_access_token ) ,
2021-01-29 00:20:46 +05:30
params : {
name : name ,
expires_at : expires_at ,
scopes : scopes
}
2021-03-08 18:12:59 +05:30
expect ( response ) . to have_gitlab_http_status ( :unprocessable_entity )
expect ( json_response [ 'message' ] ) . to eq ( error_message )
2021-01-29 00:20:46 +05:30
end
end
end
2017-08-17 22:00:37 +05:30
describe 'GET /users/:user_id/impersonation_tokens' do
2020-06-23 00:09:42 +05:30
let_it_be ( :active_personal_access_token ) { create ( :personal_access_token , user : user ) }
let_it_be ( :revoked_personal_access_token ) { create ( :personal_access_token , :revoked , user : user ) }
let_it_be ( :expired_personal_access_token ) { create ( :personal_access_token , :expired , user : user ) }
let_it_be ( :impersonation_token ) { create ( :personal_access_token , :impersonation , user : user ) }
let_it_be ( :revoked_impersonation_token ) { create ( :personal_access_token , :impersonation , :revoked , user : user ) }
2017-08-17 22:00:37 +05:30
it 'returns a 404 error if user not found' do
2020-06-23 00:09:42 +05:30
get api ( " /users/ #{ non_existing_record_id } /impersonation_tokens " , admin )
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2017-08-17 22:00:37 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 User Not Found' )
end
it 'returns a 403 error when authenticated as normal user' do
2020-06-23 00:09:42 +05:30
get api ( " /users/ #{ non_existing_record_id } /impersonation_tokens " , user )
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2017-08-17 22:00:37 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '403 Forbidden' )
end
it 'returns an array of all impersonated tokens' do
get api ( " /users/ #{ user . id } /impersonation_tokens " , admin )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2017-08-17 22:00:37 +05:30
expect ( response ) . to include_pagination_headers
expect ( json_response ) . to be_an Array
expect ( json_response . size ) . to eq ( 2 )
end
it 'returns an array of active impersonation tokens if state active' do
get api ( " /users/ #{ user . id } /impersonation_tokens?state=active " , admin )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2017-08-17 22:00:37 +05:30
expect ( response ) . to include_pagination_headers
expect ( json_response ) . to be_an Array
expect ( json_response . size ) . to eq ( 1 )
expect ( json_response ) . to all ( include ( 'active' = > true ) )
end
it 'returns an array of inactive personal access tokens if active is set to false' do
get api ( " /users/ #{ user . id } /impersonation_tokens?state=inactive " , admin )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2017-08-17 22:00:37 +05:30
expect ( json_response ) . to be_an Array
expect ( json_response . size ) . to eq ( 1 )
expect ( json_response ) . to all ( include ( 'active' = > false ) )
end
end
describe 'POST /users/:user_id/impersonation_tokens' do
let ( :name ) { 'my new pat' }
let ( :expires_at ) { '2016-12-28' }
let ( :scopes ) { %w( api read_user ) }
let ( :impersonation ) { true }
it 'returns validation error if impersonation token misses some attributes' do
post api ( " /users/ #{ user . id } /impersonation_tokens " , admin )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
2017-08-17 22:00:37 +05:30
expect ( json_response [ 'error' ] ) . to eq ( 'name is missing' )
end
it 'returns a 404 error if user not found' do
2020-06-23 00:09:42 +05:30
post api ( " /users/ #{ non_existing_record_id } /impersonation_tokens " , admin ) ,
2019-02-15 15:39:39 +05:30
params : {
name : name ,
expires_at : expires_at
}
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2017-08-17 22:00:37 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 User Not Found' )
end
it 'returns a 403 error when authenticated as normal user' do
post api ( " /users/ #{ user . id } /impersonation_tokens " , user ) ,
2019-02-15 15:39:39 +05:30
params : {
name : name ,
expires_at : expires_at
}
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2017-08-17 22:00:37 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '403 Forbidden' )
end
it 'creates a impersonation token' do
post api ( " /users/ #{ user . id } /impersonation_tokens " , admin ) ,
2019-02-15 15:39:39 +05:30
params : {
name : name ,
expires_at : expires_at ,
scopes : scopes ,
impersonation : impersonation
}
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :created )
2017-08-17 22:00:37 +05:30
expect ( json_response [ 'name' ] ) . to eq ( name )
expect ( json_response [ 'scopes' ] ) . to eq ( scopes )
expect ( json_response [ 'expires_at' ] ) . to eq ( expires_at )
expect ( json_response [ 'id' ] ) . to be_present
expect ( json_response [ 'created_at' ] ) . to be_present
expect ( json_response [ 'active' ] ) . to be_falsey
expect ( json_response [ 'revoked' ] ) . to be_falsey
expect ( json_response [ 'token' ] ) . to be_present
expect ( json_response [ 'impersonation' ] ) . to eq ( impersonation )
end
end
describe 'GET /users/:user_id/impersonation_tokens/:impersonation_token_id' do
2020-06-23 00:09:42 +05:30
let_it_be ( :personal_access_token ) { create ( :personal_access_token , user : user ) }
let_it_be ( :impersonation_token ) { create ( :personal_access_token , :impersonation , user : user ) }
2017-08-17 22:00:37 +05:30
it 'returns 404 error if user not found' do
2020-06-23 00:09:42 +05:30
get api ( " /users/ #{ non_existing_record_id } /impersonation_tokens/1 " , admin )
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2017-08-17 22:00:37 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 User Not Found' )
end
it 'returns a 404 error if impersonation token not found' do
2020-06-23 00:09:42 +05:30
get api ( " /users/ #{ user . id } /impersonation_tokens/ #{ non_existing_record_id } " , admin )
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2017-08-17 22:00:37 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 Impersonation Token Not Found' )
end
it 'returns a 404 error if token is not impersonation token' do
get api ( " /users/ #{ user . id } /impersonation_tokens/ #{ personal_access_token . id } " , admin )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2017-08-17 22:00:37 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 Impersonation Token Not Found' )
end
it 'returns a 403 error when authenticated as normal user' do
get api ( " /users/ #{ user . id } /impersonation_tokens/ #{ impersonation_token . id } " , user )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2017-08-17 22:00:37 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '403 Forbidden' )
end
2018-12-05 23:21:45 +05:30
it 'returns an impersonation token' do
2017-08-17 22:00:37 +05:30
get api ( " /users/ #{ user . id } /impersonation_tokens/ #{ impersonation_token . id } " , admin )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2018-12-05 23:21:45 +05:30
expect ( json_response [ 'token' ] ) . not_to be_present
2017-08-17 22:00:37 +05:30
expect ( json_response [ 'impersonation' ] ) . to be_truthy
end
end
describe 'DELETE /users/:user_id/impersonation_tokens/:impersonation_token_id' do
2020-06-23 00:09:42 +05:30
let_it_be ( :personal_access_token ) { create ( :personal_access_token , user : user ) }
let_it_be ( :impersonation_token ) { create ( :personal_access_token , :impersonation , user : user ) }
2017-08-17 22:00:37 +05:30
it 'returns a 404 error if user not found' do
2020-06-23 00:09:42 +05:30
delete api ( " /users/ #{ non_existing_record_id } /impersonation_tokens/1 " , admin )
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2017-08-17 22:00:37 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 User Not Found' )
end
it 'returns a 404 error if impersonation token not found' do
2020-06-23 00:09:42 +05:30
delete api ( " /users/ #{ user . id } /impersonation_tokens/ #{ non_existing_record_id } " , admin )
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2017-08-17 22:00:37 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 Impersonation Token Not Found' )
end
it 'returns a 404 error if token is not impersonation token' do
delete api ( " /users/ #{ user . id } /impersonation_tokens/ #{ personal_access_token . id } " , admin )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2017-08-17 22:00:37 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 Impersonation Token Not Found' )
end
it 'returns a 403 error when authenticated as normal user' do
delete api ( " /users/ #{ user . id } /impersonation_tokens/ #{ impersonation_token . id } " , user )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2017-08-17 22:00:37 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '403 Forbidden' )
end
2018-03-17 18:26:18 +05:30
it_behaves_like '412 response' do
let ( :request ) { api ( " /users/ #{ user . id } /impersonation_tokens/ #{ impersonation_token . id } " , admin ) }
end
2017-08-17 22:00:37 +05:30
it 'revokes a impersonation token' do
delete api ( " /users/ #{ user . id } /impersonation_tokens/ #{ impersonation_token . id } " , admin )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :no_content )
2017-08-17 22:00:37 +05:30
expect ( impersonation_token . revoked ) . to be_falsey
expect ( impersonation_token . reload . revoked ) . to be_truthy
end
end
2018-03-17 18:26:18 +05:30
it_behaves_like 'custom attributes endpoints' , 'users' do
let ( :attributable ) { user }
let ( :other_attributable ) { admin }
end
2014-09-02 18:07:02 +05:30
end