2019-12-26 22:10:19 +05:30
# frozen_string_literal: true
2014-09-02 18:07:02 +05:30
require 'spec_helper'
2023-06-20 00:43:36 +05:30
RSpec . describe API :: Users , :aggregate_failures , feature_category : :user_profile do
2022-10-11 01:57:18 +05:30
include WorkhorseHelpers
2020-06-23 00:09:42 +05:30
let_it_be ( :admin ) { create ( :admin ) }
2021-07-02 01:05:55 +05:30
let_it_be ( :user , reload : true ) { create ( :user , username : 'user.withdot' ) }
2020-06-23 00:09:42 +05:30
let_it_be ( :key ) { create ( :key , user : user ) }
let_it_be ( :gpg_key ) { create ( :gpg_key , user : user ) }
let_it_be ( :email ) { create ( :email , user : user ) }
2021-09-30 23:02:18 +05:30
2021-11-11 11:23:49 +05:30
let ( :blocked_user ) { create ( :user , :blocked ) }
2015-10-24 18:46:33 +05:30
let ( :omniauth_user ) { create ( :omniauth_user ) }
2022-05-07 20:08:51 +05:30
let ( :ldap_user ) { create ( :omniauth_user , provider : 'ldapmain' ) }
2016-01-19 16:12:03 +05:30
let ( :ldap_blocked_user ) { create ( :omniauth_user , provider : 'ldapmain' , state : 'ldap_blocked' ) }
2018-11-18 11:00:15 +05:30
let ( :private_user ) { create ( :user , private_profile : true ) }
2021-11-11 11:23:49 +05:30
let ( :deactivated_user ) { create ( :user , state : 'deactivated' ) }
let ( :banned_user ) { create ( :user , :banned ) }
let ( :internal_user ) { create ( :user , :bot ) }
2022-08-13 15:12:31 +05:30
let ( :user_with_2fa ) { create ( :user , :two_factor_via_otp ) }
let ( :admin_with_2fa ) { create ( :admin , :two_factor_via_otp ) }
2018-11-18 11:00:15 +05:30
2020-06-23 00:09:42 +05:30
context 'admin notes' do
let_it_be ( :admin ) { create ( :admin , note : '2019-10-06 | 2FA added | user requested | www.gitlab.com' ) }
let_it_be ( :user , reload : true ) { create ( :user , note : '2018-11-05 | 2FA removed | user requested | www.gitlab.com' ) }
describe 'POST /users' do
2023-07-09 08:55:56 +05:30
let ( :path ) { '/users' }
it_behaves_like 'POST request permissions for admin mode' do
let ( :params ) { attributes_for ( :user ) . merge ( { note : 'Awesome Note' } ) }
end
2020-06-23 00:09:42 +05:30
context 'when unauthenticated' do
it 'return authentication error' do
2023-07-09 08:55:56 +05:30
post api ( path )
2020-06-23 00:09:42 +05:30
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
end
end
context 'when authenticated' do
context 'as an admin' do
it 'contains the note of the user' do
optional_attributes = { note : 'Awesome Note' }
attributes = attributes_for ( :user ) . merge ( optional_attributes )
2023-07-09 08:55:56 +05:30
post api ( path , admin , admin_mode : true ) , params : attributes
2020-06-23 00:09:42 +05:30
expect ( response ) . to have_gitlab_http_status ( :created )
expect ( json_response [ 'note' ] ) . to eq ( optional_attributes [ :note ] )
end
end
context 'as a regular user' do
it 'does not allow creating new user' do
2023-07-09 08:55:56 +05:30
post api ( path , user ) , params : attributes_for ( :user )
2020-06-23 00:09:42 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
end
end
end
end
describe " PUT /users/:id " do
2023-07-09 08:55:56 +05:30
let ( :path ) { " /users/ #{ user . id } " }
it_behaves_like 'PUT request permissions for admin mode' do
let ( :params ) { { note : 'new note' } }
end
2020-06-23 00:09:42 +05:30
context 'when user is an admin' do
it " updates note of the user " do
new_note = '2019-07-07 | Email changed | user requested | www.gitlab.com'
expect do
2023-07-09 08:55:56 +05:30
put api ( path , admin , admin_mode : true ) , params : { note : new_note }
2020-06-23 00:09:42 +05:30
end . to change { user . reload . note }
. from ( '2018-11-05 | 2FA removed | user requested | www.gitlab.com' )
. to ( new_note )
expect ( response ) . to have_gitlab_http_status ( :success )
expect ( json_response [ 'note' ] ) . to eq ( new_note )
end
end
context 'when user is not an admin' do
it " cannot update their own note " do
expect do
2023-07-09 08:55:56 +05:30
put api ( path , user ) , params : { note : 'new note' }
2020-06-23 00:09:42 +05:30
end . not_to change { user . reload . note }
expect ( response ) . to have_gitlab_http_status ( :forbidden )
end
end
end
2022-08-13 15:12:31 +05:30
describe " PATCH /users/:id/disable_two_factor " do
context " when current user is an admin " do
it " returns a 204 when 2FA is disabled for the target user " do
expect do
2023-06-20 00:43:36 +05:30
patch api ( " /users/ #{ user_with_2fa . id } /disable_two_factor " , admin , admin_mode : true )
2022-08-13 15:12:31 +05:30
end . to change { user_with_2fa . reload . two_factor_enabled? }
. from ( true )
. to ( false )
expect ( response ) . to have_gitlab_http_status ( :no_content )
end
it " uses TwoFactor Destroy Service " do
destroy_service = instance_double ( TwoFactor :: DestroyService , execute : nil )
expect ( TwoFactor :: DestroyService ) . to receive ( :new )
. with ( admin , user : user_with_2fa )
. and_return ( destroy_service )
expect ( destroy_service ) . to receive ( :execute )
2023-06-20 00:43:36 +05:30
patch api ( " /users/ #{ user_with_2fa . id } /disable_two_factor " , admin , admin_mode : true )
2022-08-13 15:12:31 +05:30
end
it " returns a 400 if 2FA is not enabled for the target user " do
expect ( TwoFactor :: DestroyService ) . to receive ( :new ) . and_call_original
expect do
2023-06-20 00:43:36 +05:30
patch api ( " /users/ #{ user . id } /disable_two_factor " , admin , admin_mode : true )
2022-08-13 15:12:31 +05:30
end . not_to change { user . reload . two_factor_enabled? }
expect ( response ) . to have_gitlab_http_status ( :bad_request )
expect ( json_response [ 'message' ] ) . to eq ( " 400 Bad request - Two-factor authentication is not enabled for this user " )
end
it " returns a 403 if the target user is an admin " do
2022-10-11 01:57:18 +05:30
expect ( TwoFactor :: DestroyService ) . not_to receive ( :new )
2022-08-13 15:12:31 +05:30
expect do
2023-06-20 00:43:36 +05:30
patch api ( " /users/ #{ admin_with_2fa . id } /disable_two_factor " , admin , admin_mode : true )
2022-08-13 15:12:31 +05:30
end . not_to change { admin_with_2fa . reload . two_factor_enabled? }
expect ( response ) . to have_gitlab_http_status ( :forbidden )
expect ( json_response [ 'message' ] ) . to eq ( " 403 Forbidden - Two-factor authentication for admins cannot be disabled via the API. Use the Rails console " )
end
it " returns a 404 if the target user cannot be found " do
2022-10-11 01:57:18 +05:30
expect ( TwoFactor :: DestroyService ) . not_to receive ( :new )
2022-08-13 15:12:31 +05:30
2023-06-20 00:43:36 +05:30
patch api ( " /users/ #{ non_existing_record_id } /disable_two_factor " , admin , admin_mode : true )
2022-08-13 15:12:31 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
expect ( json_response [ 'message' ] ) . to eq ( " 404 User Not Found " )
end
end
context " when current user is not an admin " do
it " returns a 403 " do
expect do
patch api ( " /users/ #{ user_with_2fa . id } /disable_two_factor " , user )
end . not_to change { user_with_2fa . reload . two_factor_enabled? }
expect ( response ) . to have_gitlab_http_status ( :forbidden )
expect ( json_response [ 'message' ] ) . to eq ( " 403 Forbidden " )
end
end
context " when unauthenticated " do
it " returns a 401 " do
patch api ( " /users/ #{ user_with_2fa . id } /disable_two_factor " )
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
end
end
end
2020-06-23 00:09:42 +05:30
describe 'GET /users/' do
2023-07-09 08:55:56 +05:30
let ( :path ) { '/users' }
2020-06-23 00:09:42 +05:30
context 'when unauthenticated' do
2022-06-21 17:19:12 +05:30
it " does not contain certain fields " do
2023-07-09 08:55:56 +05:30
get api ( path ) , params : { username : user . username }
2020-06-23 00:09:42 +05:30
expect ( json_response . first ) . not_to have_key ( 'note' )
2022-06-21 17:19:12 +05:30
expect ( json_response . first ) . not_to have_key ( 'namespace_id' )
2022-11-25 23:54:43 +05:30
expect ( json_response . first ) . not_to have_key ( 'created_by' )
2020-06-23 00:09:42 +05:30
end
end
context 'when authenticated' do
context 'as a regular user' do
2022-06-21 17:19:12 +05:30
it 'does not contain certain fields' do
2023-07-09 08:55:56 +05:30
get api ( path , user ) , params : { username : user . username }
2020-06-23 00:09:42 +05:30
2023-07-09 08:55:56 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2020-06-23 00:09:42 +05:30
expect ( json_response . first ) . not_to have_key ( 'note' )
2022-06-21 17:19:12 +05:30
expect ( json_response . first ) . not_to have_key ( 'namespace_id' )
2022-11-25 23:54:43 +05:30
expect ( json_response . first ) . not_to have_key ( 'created_by' )
2020-06-23 00:09:42 +05:30
end
end
context 'as an admin' do
it 'contains the note of users' do
2023-07-09 08:55:56 +05:30
get api ( path , admin , admin_mode : true ) , params : { username : user . username }
2020-06-23 00:09:42 +05:30
expect ( response ) . to have_gitlab_http_status ( :success )
expect ( json_response . first ) . to have_key ( 'note' )
expect ( json_response . first [ 'note' ] ) . to eq '2018-11-05 | 2FA removed | user requested | www.gitlab.com'
end
2022-11-25 23:54:43 +05:30
context 'with `created_by` details' do
it 'has created_by as nil with a self-registered account' do
2023-07-09 08:55:56 +05:30
get api ( path , admin , admin_mode : true ) , params : { username : user . username }
2022-11-25 23:54:43 +05:30
expect ( response ) . to have_gitlab_http_status ( :success )
expect ( json_response . first ) . to have_key ( 'created_by' )
expect ( json_response . first [ 'created_by' ] ) . to eq ( nil )
end
it 'is created_by a user and has those details' do
created = create ( :user , created_by_id : user . id )
2023-07-09 08:55:56 +05:30
get api ( path , admin , admin_mode : true ) , params : { username : created . username }
2022-11-25 23:54:43 +05:30
expect ( response ) . to have_gitlab_http_status ( :success )
expect ( json_response . first [ 'created_by' ] . symbolize_keys )
. to eq ( API :: Entities :: UserBasic . new ( user ) . as_json )
end
end
2020-06-23 00:09:42 +05:30
end
2022-08-13 15:12:31 +05:30
context 'N+1 queries' do
before do
create_list ( :user , 2 )
end
it 'avoids N+1 queries when requested by admin' do
control_count = ActiveRecord :: QueryRecorder . new ( skip_cached : false ) do
2023-07-09 08:55:56 +05:30
get api ( path , admin )
2022-08-13 15:12:31 +05:30
end . count
create_list ( :user , 3 )
# There is a still a pending N+1 query related to fetching
# project count for each user.
# Refer issue https://gitlab.com/gitlab-org/gitlab/-/issues/367080
expect do
2023-07-09 08:55:56 +05:30
get api ( path , admin )
2022-08-13 15:12:31 +05:30
end . not_to exceed_all_query_limit ( control_count + 3 )
end
it 'avoids N+1 queries when requested by a regular user' do
control_count = ActiveRecord :: QueryRecorder . new ( skip_cached : false ) do
2023-07-09 08:55:56 +05:30
get api ( path , user )
2022-08-13 15:12:31 +05:30
end . count
create_list ( :user , 3 )
expect do
2023-07-09 08:55:56 +05:30
get api ( path , user )
2022-08-13 15:12:31 +05:30
end . not_to exceed_all_query_limit ( control_count )
end
end
2020-06-23 00:09:42 +05:30
end
end
describe 'GET /user' do
2023-07-09 08:55:56 +05:30
let ( :path ) { '/user' }
2020-06-23 00:09:42 +05:30
context 'when authenticated' do
context 'as an admin' do
context 'accesses their own profile' do
it 'contains the note of the user' do
2023-07-09 08:55:56 +05:30
get api ( path , admin , admin_mode : true )
2020-06-23 00:09:42 +05:30
expect ( json_response ) . to have_key ( 'note' )
expect ( json_response [ 'note' ] ) . to eq ( admin . note )
end
end
context 'sudo' do
2023-06-20 00:43:36 +05:30
let ( :admin_personal_access_token ) { create ( :personal_access_token , :admin_mode , user : admin , scopes : %w[ api sudo ] ) . token }
2020-06-23 00:09:42 +05:30
context 'accesses the profile of another regular user' do
it 'does not contain the note of the user' do
get api ( " /user?private_token= #{ admin_personal_access_token } &sudo= #{ user . id } " )
expect ( json_response [ 'id' ] ) . to eq ( user . id )
expect ( json_response ) . not_to have_key ( 'note' )
end
end
context 'accesses the profile of another admin' do
2021-01-29 00:20:46 +05:30
let ( :admin_2 ) { create ( :admin , note : '2010-10-10 | 2FA added | admin requested | www.gitlab.com' ) }
2020-06-23 00:09:42 +05:30
it 'contains the note of the user' do
get api ( " /user?private_token= #{ admin_personal_access_token } &sudo= #{ admin_2 . id } " )
expect ( json_response [ 'id' ] ) . to eq ( admin_2 . id )
expect ( json_response ) . to have_key ( 'note' )
expect ( json_response [ 'note' ] ) . to eq ( admin_2 . note )
end
end
end
end
context 'as a regular user' do
it 'does not contain the note of the user' do
2023-07-09 08:55:56 +05:30
get api ( path , user )
2020-06-23 00:09:42 +05:30
expect ( json_response ) . not_to have_key ( 'note' )
2022-06-21 17:19:12 +05:30
expect ( json_response ) . not_to have_key ( 'namespace_id' )
2020-06-23 00:09:42 +05:30
end
end
end
end
end
2018-11-18 11:00:15 +05:30
shared_examples 'rendering user status' do
it 'returns the status if there was one' do
create ( :user_status , user : user )
get api ( path , user )
expect ( response ) . to have_gitlab_http_status ( :success )
expect ( json_response [ 'message' ] ) . to be_present
expect ( json_response [ 'message_html' ] ) . to be_present
expect ( json_response [ 'emoji' ] ) . to be_present
end
it 'returns an empty response if there was no status' do
get api ( path , user )
expect ( response ) . to have_gitlab_http_status ( :success )
expect ( json_response [ 'message' ] ) . to be_nil
expect ( json_response [ 'emoji' ] ) . to be_nil
end
end
2014-09-02 18:07:02 +05:30
2017-08-17 22:00:37 +05:30
describe 'GET /users' do
2023-07-09 08:55:56 +05:30
let ( :path ) { '/users' }
2014-09-02 18:07:02 +05:30
context " when unauthenticated " do
2017-09-10 17:25:29 +05:30
it " returns authorization error when the `username` parameter is not passed " do
2023-07-09 08:55:56 +05:30
get api ( path )
2017-09-10 17:25:29 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2017-09-10 17:25:29 +05:30
end
it " returns the user when a valid `username` parameter is passed " do
2023-07-09 08:55:56 +05:30
get api ( path ) , params : { username : user . username }
2017-09-10 17:25:29 +05:30
2018-03-17 18:26:18 +05:30
expect ( response ) . to match_response_schema ( 'public_api/v4/user/basics' )
2017-09-10 17:25:29 +05:30
expect ( json_response . size ) . to eq ( 1 )
expect ( json_response [ 0 ] [ 'id' ] ) . to eq ( user . id )
expect ( json_response [ 0 ] [ 'username' ] ) . to eq ( user . username )
end
2018-12-13 13:39:08 +05:30
it " returns the user when a valid `username` parameter is passed (case insensitive) " do
2023-07-09 08:55:56 +05:30
get api ( path ) , params : { username : user . username . upcase }
2018-12-13 13:39:08 +05:30
expect ( response ) . to match_response_schema ( 'public_api/v4/user/basics' )
expect ( json_response . size ) . to eq ( 1 )
expect ( json_response [ 0 ] [ 'id' ] ) . to eq ( user . id )
expect ( json_response [ 0 ] [ 'username' ] ) . to eq ( user . username )
end
2017-09-10 17:25:29 +05:30
it " returns an empty response when an invalid `username` parameter is passed " do
2023-07-09 08:55:56 +05:30
get api ( path ) , params : { username : 'invalid' }
2017-09-10 17:25:29 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2017-09-10 17:25:29 +05:30
expect ( json_response ) . to be_an Array
expect ( json_response . size ) . to eq ( 0 )
end
2019-07-07 11:18:12 +05:30
it " does not return the highest role " do
2023-07-09 08:55:56 +05:30
get api ( path ) , params : { username : user . username }
2019-07-07 11:18:12 +05:30
expect ( response ) . to match_response_schema ( 'public_api/v4/user/basics' )
expect ( json_response . first . keys ) . not_to include 'highest_role'
end
2020-03-13 15:44:24 +05:30
it " does not return the current or last sign-in ip addresses " do
2023-07-09 08:55:56 +05:30
get api ( path ) , params : { username : user . username }
2020-03-13 15:44:24 +05:30
expect ( response ) . to match_response_schema ( 'public_api/v4/user/basics' )
expect ( json_response . first . keys ) . not_to include 'current_sign_in_ip'
expect ( json_response . first . keys ) . not_to include 'last_sign_in_ip'
end
2017-09-10 17:25:29 +05:30
context " when public level is restricted " do
before do
stub_application_setting ( restricted_visibility_levels : [ Gitlab :: VisibilityLevel :: PUBLIC ] )
end
it " returns authorization error when the `username` parameter refers to an inaccessible user " do
2023-07-09 08:55:56 +05:30
get api ( path ) , params : { username : user . username }
2017-09-10 17:25:29 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2017-09-10 17:25:29 +05:30
end
it " returns authorization error when the `username` parameter is not passed " do
2023-07-09 08:55:56 +05:30
get api ( path )
2017-09-10 17:25:29 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2017-09-10 17:25:29 +05:30
end
2014-09-02 18:07:02 +05:30
end
end
context " when authenticated " do
2016-06-16 23:09:34 +05:30
# These specs are written just in case API authentication is not required anymore
2016-06-02 11:05:42 +05:30
context " when public level is restricted " do
before do
stub_application_setting ( restricted_visibility_levels : [ Gitlab :: VisibilityLevel :: PUBLIC ] )
end
2017-09-10 17:25:29 +05:30
context 'when authenticate as a regular user' do
it " renders 200 " do
2023-07-09 08:55:56 +05:30
get api ( path , user )
2017-09-10 17:25:29 +05:30
2018-03-17 18:26:18 +05:30
expect ( response ) . to match_response_schema ( 'public_api/v4/user/basics' )
2017-09-10 17:25:29 +05:30
end
2016-06-02 11:05:42 +05:30
end
2017-09-10 17:25:29 +05:30
context 'when authenticate as an admin' do
it " renders 200 " do
2023-07-09 08:55:56 +05:30
get api ( path , admin )
2017-09-10 17:25:29 +05:30
2018-03-17 18:26:18 +05:30
expect ( response ) . to match_response_schema ( 'public_api/v4/user/basics' )
2017-09-10 17:25:29 +05:30
end
2016-06-02 11:05:42 +05:30
end
end
2016-09-13 17:45:13 +05:30
it " returns an array of users " do
2023-07-09 08:55:56 +05:30
get api ( path , user )
2017-08-17 22:00:37 +05:30
2018-03-17 18:26:18 +05:30
expect ( response ) . to match_response_schema ( 'public_api/v4/user/basics' )
2017-08-17 22:00:37 +05:30
expect ( response ) . to include_pagination_headers
2015-04-26 12:48:37 +05:30
username = user . username
2015-09-11 14:41:01 +05:30
expect ( json_response . detect do | user |
user [ 'username' ] == username
end [ 'username' ] ) . to eq ( username )
2014-09-02 18:07:02 +05:30
end
2016-01-14 18:37:52 +05:30
2017-08-17 22:00:37 +05:30
it " returns an array of blocked users " do
ldap_blocked_user
create ( :user , state : 'blocked' )
get api ( " /users?blocked=true " , user )
2018-03-17 18:26:18 +05:30
expect ( response ) . to match_response_schema ( 'public_api/v4/user/basics' )
2017-08-17 22:00:37 +05:30
expect ( response ) . to include_pagination_headers
expect ( json_response ) . to all ( include ( 'state' = > / (blocked|ldap_blocked) / ) )
end
2021-04-17 20:07:23 +05:30
it " returns an array of external users " do
create ( :user )
external_user = create ( :user , external : true )
get api ( " /users?external=true " , user )
expect ( response ) . to match_response_schema ( 'public_api/v4/user/basics' )
expect ( response ) . to include_pagination_headers
expect ( json_response . size ) . to eq ( 1 )
expect ( json_response [ 0 ] [ 'id' ] ) . to eq ( external_user . id )
end
2016-09-13 17:45:13 +05:30
it " returns one user " do
2016-01-14 18:37:52 +05:30
get api ( " /users?username= #{ omniauth_user . username } " , user )
2017-08-17 22:00:37 +05:30
2018-03-17 18:26:18 +05:30
expect ( response ) . to match_response_schema ( 'public_api/v4/user/basics' )
2017-08-17 22:00:37 +05:30
expect ( response ) . to include_pagination_headers
2016-01-14 18:37:52 +05:30
expect ( json_response . first [ 'username' ] ) . to eq ( omniauth_user . username )
end
2017-08-17 22:00:37 +05:30
2018-12-13 13:39:08 +05:30
it " returns one user (case insensitive) " do
get api ( " /users?username= #{ omniauth_user . username . upcase } " , user )
expect ( response ) . to match_response_schema ( 'public_api/v4/user/basics' )
expect ( response ) . to include_pagination_headers
expect ( json_response . first [ 'username' ] ) . to eq ( omniauth_user . username )
end
2017-08-17 22:00:37 +05:30
it " returns a 403 when non-admin user searches by external UID " do
get api ( " /users?extern_uid= #{ omniauth_user . identities . first . extern_uid } &provider= #{ omniauth_user . identities . first . provider } " , user )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2017-08-17 22:00:37 +05:30
end
it 'does not reveal the `is_admin` flag of the user' do
2023-07-09 08:55:56 +05:30
get api ( path , user )
2017-08-17 22:00:37 +05:30
2018-03-17 18:26:18 +05:30
expect ( response ) . to match_response_schema ( 'public_api/v4/user/basics' )
2017-08-17 22:00:37 +05:30
expect ( json_response . first . keys ) . not_to include 'is_admin'
end
2022-06-21 17:19:12 +05:30
end
2020-11-24 15:15:51 +05:30
2022-06-21 17:19:12 +05:30
context " when admin " do
2020-11-24 15:15:51 +05:30
context 'exclude_internal param' do
let_it_be ( :internal_user ) { User . alert_bot }
it 'returns all users when it is not set' do
2022-06-21 17:19:12 +05:30
get api ( " /users?exclude_internal=false " , admin )
2020-11-24 15:15:51 +05:30
expect ( response ) . to match_response_schema ( 'public_api/v4/user/basics' )
expect ( response ) . to include_pagination_headers
expect ( json_response . map { | u | u [ 'id' ] } ) . to include ( internal_user . id )
end
it 'returns all non internal users when it is set' do
get api ( " /users?exclude_internal=true " , user )
expect ( response ) . to match_response_schema ( 'public_api/v4/user/basics' )
expect ( response ) . to include_pagination_headers
expect ( json_response . map { | u | u [ 'id' ] } ) . not_to include ( internal_user . id )
end
end
2021-03-08 18:12:59 +05:30
2022-06-21 17:19:12 +05:30
context 'without_project_bots param' do
let_it_be ( :project_bot ) { create ( :user , :project_bot ) }
it 'returns all users when it is not set' do
get api ( " /users?without_project_bots=false " , user )
expect ( response ) . to match_response_schema ( 'public_api/v4/user/basics' )
expect ( response ) . to include_pagination_headers
expect ( json_response . map { | u | u [ 'id' ] } ) . to include ( project_bot . id )
end
it 'returns all non project_bot users when it is set' do
get api ( " /users?without_project_bots=true " , user )
expect ( response ) . to match_response_schema ( 'public_api/v4/user/basics' )
expect ( response ) . to include_pagination_headers
expect ( json_response . map { | u | u [ 'id' ] } ) . not_to include ( project_bot . id )
end
end
2021-03-08 18:12:59 +05:30
context 'admins param' do
it 'returns all users' do
get api ( " /users?admins=true " , user )
expect ( response ) . to match_response_schema ( 'public_api/v4/user/basics' )
expect ( json_response . size ) . to eq ( 2 )
expect ( json_response . map { | u | u [ 'id' ] } ) . to include ( user . id , admin . id )
end
end
2014-09-02 18:07:02 +05:30
end
context " when admin " do
2018-03-17 18:26:18 +05:30
context 'when sudo is defined' do
it 'does not return 500' do
2023-06-20 00:43:36 +05:30
admin_personal_access_token = create ( :personal_access_token , :admin_mode , user : admin , scopes : [ :sudo ] )
2018-03-17 18:26:18 +05:30
get api ( " /users?sudo= #{ user . id } " , admin , personal_access_token : admin_personal_access_token )
expect ( response ) . to have_gitlab_http_status ( :success )
end
end
2016-09-13 17:45:13 +05:30
it " returns an array of users " do
2023-07-09 08:55:56 +05:30
get api ( path , admin , admin_mode : true )
2017-08-17 22:00:37 +05:30
2018-03-17 18:26:18 +05:30
expect ( response ) . to match_response_schema ( 'public_api/v4/user/admins' )
2017-08-17 22:00:37 +05:30
expect ( response ) . to include_pagination_headers
end
2022-06-21 17:19:12 +05:30
it " users contain the `namespace_id` field " do
2023-07-09 08:55:56 +05:30
get api ( path , admin , admin_mode : true )
2022-06-21 17:19:12 +05:30
expect ( response ) . to have_gitlab_http_status ( :success )
expect ( response ) . to match_response_schema ( 'public_api/v4/user/admins' )
expect ( json_response . size ) . to eq ( 2 )
expect ( json_response . map { | u | u [ 'namespace_id' ] } ) . to include ( user . namespace_id , admin . namespace_id )
end
2017-08-17 22:00:37 +05:30
it " returns an array of external users " do
create ( :user , external : true )
2023-06-20 00:43:36 +05:30
get api ( " /users?external=true " , admin , admin_mode : true )
2017-08-17 22:00:37 +05:30
2018-03-17 18:26:18 +05:30
expect ( response ) . to match_response_schema ( 'public_api/v4/user/admins' )
2017-08-17 22:00:37 +05:30
expect ( response ) . to include_pagination_headers
expect ( json_response ) . to all ( include ( 'external' = > true ) )
end
it " returns one user by external UID " do
2023-06-20 00:43:36 +05:30
get api ( " /users?extern_uid= #{ omniauth_user . identities . first . extern_uid } &provider= #{ omniauth_user . identities . first . provider } " , admin , admin_mode : true )
2017-08-17 22:00:37 +05:30
2018-03-17 18:26:18 +05:30
expect ( response ) . to match_response_schema ( 'public_api/v4/user/admins' )
2017-08-17 22:00:37 +05:30
expect ( json_response . size ) . to eq ( 1 )
expect ( json_response . first [ 'username' ] ) . to eq ( omniauth_user . username )
end
it " returns 400 error if provider with no extern_uid " do
2023-06-20 00:43:36 +05:30
get api ( " /users?extern_uid= #{ omniauth_user . identities . first . extern_uid } " , admin , admin_mode : true )
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
2017-08-17 22:00:37 +05:30
end
it " returns 400 error if provider with no extern_uid " do
2023-06-20 00:43:36 +05:30
get api ( " /users?provider= #{ omniauth_user . identities . first . provider } " , admin , admin_mode : true )
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
2014-09-02 18:07:02 +05:30
end
2017-09-10 17:25:29 +05:30
it " returns a user created before a specific date " do
user = create ( :user , created_at : Date . new ( 2000 , 1 , 1 ) )
2023-06-20 00:43:36 +05:30
get api ( " /users?created_before=2000-01-02T00:00:00.060Z " , admin , admin_mode : true )
2017-09-10 17:25:29 +05:30
2018-03-17 18:26:18 +05:30
expect ( response ) . to match_response_schema ( 'public_api/v4/user/admins' )
2017-09-10 17:25:29 +05:30
expect ( json_response . size ) . to eq ( 1 )
expect ( json_response . first [ 'username' ] ) . to eq ( user . username )
end
it " returns no users created before a specific date " do
create ( :user , created_at : Date . new ( 2001 , 1 , 1 ) )
2023-06-20 00:43:36 +05:30
get api ( " /users?created_before=2000-01-02T00:00:00.060Z " , admin , admin_mode : true )
2017-09-10 17:25:29 +05:30
2018-03-17 18:26:18 +05:30
expect ( response ) . to match_response_schema ( 'public_api/v4/user/admins' )
2017-09-10 17:25:29 +05:30
expect ( json_response . size ) . to eq ( 0 )
end
it " returns users created before and after a specific date " do
user = create ( :user , created_at : Date . new ( 2001 , 1 , 1 ) )
2023-06-20 00:43:36 +05:30
get api ( " /users?created_before=2001-01-02T00:00:00.060Z&created_after=1999-01-02T00:00:00.060 " , admin , admin_mode : true )
2017-09-10 17:25:29 +05:30
2018-03-17 18:26:18 +05:30
expect ( response ) . to match_response_schema ( 'public_api/v4/user/admins' )
2017-09-10 17:25:29 +05:30
expect ( json_response . size ) . to eq ( 1 )
expect ( json_response . first [ 'username' ] ) . to eq ( user . username )
end
2018-03-17 18:26:18 +05:30
it 'returns the correct order when sorted by id' do
2020-06-23 00:09:42 +05:30
# order of let_it_be definitions:
# - admin
# - user
2018-03-17 18:26:18 +05:30
2023-07-09 08:55:56 +05:30
get api ( path , admin , admin_mode : true ) , params : { order_by : 'id' , sort : 'asc' }
2018-03-17 18:26:18 +05:30
expect ( response ) . to match_response_schema ( 'public_api/v4/user/admins' )
expect ( json_response . size ) . to eq ( 2 )
expect ( json_response . first [ 'id' ] ) . to eq ( admin . id )
expect ( json_response . last [ 'id' ] ) . to eq ( user . id )
end
2018-10-15 14:42:47 +05:30
it 'returns users with 2fa enabled' do
user_with_2fa = create ( :user , :two_factor_via_otp )
2023-07-09 08:55:56 +05:30
get api ( path , admin , admin_mode : true ) , params : { two_factor : 'enabled' }
2018-10-15 14:42:47 +05:30
expect ( response ) . to match_response_schema ( 'public_api/v4/user/admins' )
expect ( json_response . size ) . to eq ( 1 )
expect ( json_response . first [ 'id' ] ) . to eq ( user_with_2fa . id )
end
2020-04-22 19:07:51 +05:30
it " returns users without projects " do
user_without_projects = create ( :user )
create ( :project , namespace : user . namespace )
create ( :project , namespace : admin . namespace )
2023-07-09 08:55:56 +05:30
get api ( path , admin , admin_mode : true ) , params : { without_projects : true }
2020-04-22 19:07:51 +05:30
expect ( response ) . to match_response_schema ( 'public_api/v4/user/admins' )
expect ( json_response . size ) . to eq ( 1 )
expect ( json_response . first [ 'id' ] ) . to eq ( user_without_projects . id )
end
2018-03-17 18:26:18 +05:30
it 'returns 400 when provided incorrect sort params' do
2023-07-09 08:55:56 +05:30
get api ( path , admin , admin_mode : true ) , params : { order_by : 'magic' , sort : 'asc' }
2018-03-17 18:26:18 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
2018-03-17 18:26:18 +05:30
end
2014-09-02 18:07:02 +05:30
end
2021-03-08 18:12:59 +05:30
context 'admins param' do
it 'returns only admins' do
2023-06-20 00:43:36 +05:30
get api ( " /users?admins=true " , admin , admin_mode : true )
2021-03-08 18:12:59 +05:30
expect ( response ) . to match_response_schema ( 'public_api/v4/user/basics' )
expect ( json_response . size ) . to eq ( 1 )
expect ( json_response . first [ 'id' ] ) . to eq ( admin . id )
end
end
2014-09-02 18:07:02 +05:30
end
describe " GET /users/:id " do
2021-09-30 23:02:18 +05:30
let_it_be ( :user2 , reload : true ) { create ( :user , username : 'another_user' ) }
2023-07-09 08:55:56 +05:30
let ( :path ) { " /users/ #{ user . id } " }
2022-03-02 08:16:31 +05:30
before do
2022-04-04 11:22:00 +05:30
allow ( Gitlab :: ApplicationRateLimiter ) . to receive ( :throttled? )
. with ( :users_get_by_id , scope : user , users_allowlist : [ ] ) . and_return ( false )
2022-03-02 08:16:31 +05:30
end
2016-09-13 17:45:13 +05:30
it " returns a user by id " do
2023-07-09 08:55:56 +05:30
get api ( path , user )
2017-09-10 17:25:29 +05:30
2018-03-17 18:26:18 +05:30
expect ( response ) . to match_response_schema ( 'public_api/v4/user/basic' )
2015-04-26 12:48:37 +05:30
expect ( json_response [ 'username' ] ) . to eq ( user . username )
2014-09-02 18:07:02 +05:30
end
2017-08-17 22:00:37 +05:30
it " does not return the user's `is_admin` flag " do
2023-07-09 08:55:56 +05:30
get api ( path , user )
2017-08-17 22:00:37 +05:30
2018-03-17 18:26:18 +05:30
expect ( response ) . to match_response_schema ( 'public_api/v4/user/basic' )
expect ( json_response . keys ) . not_to include 'is_admin'
end
2019-07-07 11:18:12 +05:30
it " does not return the user's `highest_role` " do
2023-07-09 08:55:56 +05:30
get api ( path , user )
2019-07-07 11:18:12 +05:30
expect ( response ) . to match_response_schema ( 'public_api/v4/user/basic' )
expect ( json_response . keys ) . not_to include 'highest_role'
end
2020-03-13 15:44:24 +05:30
it " does not return the user's sign in IPs " do
2023-07-09 08:55:56 +05:30
get api ( path , user )
2020-03-13 15:44:24 +05:30
expect ( response ) . to match_response_schema ( 'public_api/v4/user/basic' )
expect ( json_response . keys ) . not_to include 'current_sign_in_ip'
expect ( json_response . keys ) . not_to include 'last_sign_in_ip'
end
2020-04-08 14:13:33 +05:30
it " does not contain plan or trial data " do
2023-07-09 08:55:56 +05:30
get api ( path , user )
2020-04-08 14:13:33 +05:30
expect ( response ) . to match_response_schema ( 'public_api/v4/user/basic' )
expect ( json_response . keys ) . not_to include 'plan'
expect ( json_response . keys ) . not_to include 'trial'
end
2021-09-30 23:02:18 +05:30
it 'returns a 404 if the target user is present but inaccessible' do
allow ( Ability ) . to receive ( :allowed? ) . and_call_original
allow ( Ability ) . to receive ( :allowed? ) . with ( user , :read_user , user2 ) . and_return ( false )
get api ( " /users/ #{ user2 . id } " , user )
expect ( response ) . to have_gitlab_http_status ( :not_found )
end
it 'returns the `created_at` field for public users' do
get api ( " /users/ #{ user2 . id } " , user )
expect ( response ) . to match_response_schema ( 'public_api/v4/user/basic' )
expect ( json_response . keys ) . to include ( 'created_at' )
end
it 'does not return the `created_at` field for private users' do
get api ( " /users/ #{ private_user . id } " , user )
expect ( response ) . to match_response_schema ( 'public_api/v4/user/basic' )
expect ( json_response . keys ) . not_to include ( 'created_at' )
end
it 'returns the `followers` field for public users' do
get api ( " /users/ #{ user2 . id } " , user )
expect ( response ) . to match_response_schema ( 'public_api/v4/user/basic' )
expect ( json_response . keys ) . to include ( 'followers' )
end
it 'does not return the `followers` field for private users' do
get api ( " /users/ #{ private_user . id } " , user )
expect ( response ) . to match_response_schema ( 'public_api/v4/user/basic' )
expect ( json_response . keys ) . not_to include ( 'followers' )
end
it 'returns the `following` field for public users' do
get api ( " /users/ #{ user2 . id } " , user )
expect ( response ) . to match_response_schema ( 'public_api/v4/user/basic' )
expect ( json_response . keys ) . to include ( 'following' )
end
it 'does not return the `following` field for private users' do
get api ( " /users/ #{ private_user . id } " , user )
expect ( response ) . to match_response_schema ( 'public_api/v4/user/basic' )
expect ( json_response . keys ) . not_to include ( 'following' )
end
it 'does not contain the note of the user' do
2023-07-09 08:55:56 +05:30
get api ( path , user )
2021-09-30 23:02:18 +05:30
expect ( json_response ) . not_to have_key ( 'note' )
expect ( json_response ) . not_to have_key ( 'sign_in_count' )
end
2022-03-02 08:16:31 +05:30
context 'when the rate limit is not exceeded' do
it 'returns a success status' do
expect ( Gitlab :: ApplicationRateLimiter )
2022-04-04 11:22:00 +05:30
. to receive ( :throttled? ) . with ( :users_get_by_id , scope : user , users_allowlist : [ ] )
2022-03-02 08:16:31 +05:30
. and_return ( false )
2023-07-09 08:55:56 +05:30
get api ( path , user )
2022-03-02 08:16:31 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
end
end
context 'when the rate limit is exceeded' do
context 'when feature flag is enabled' do
it 'returns "too many requests" status' do
expect ( Gitlab :: ApplicationRateLimiter )
2022-04-04 11:22:00 +05:30
. to receive ( :throttled? ) . with ( :users_get_by_id , scope : user , users_allowlist : [ ] )
2022-03-02 08:16:31 +05:30
. and_return ( true )
2023-07-09 08:55:56 +05:30
get api ( path , user )
2022-03-02 08:16:31 +05:30
expect ( response ) . to have_gitlab_http_status ( :too_many_requests )
end
it 'still allows admin users' do
expect ( Gitlab :: ApplicationRateLimiter )
. not_to receive ( :throttled? )
2023-07-09 08:55:56 +05:30
get api ( path , admin , admin_mode : true )
2022-03-02 08:16:31 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
end
2022-04-04 11:22:00 +05:30
it 'allows users whose username is in the allowlist' do
allowlist = [ user . username ]
current_settings = Gitlab :: CurrentSettings . current_application_settings
# Necessary to ensure the same object is returned on each call
allow ( Gitlab :: CurrentSettings ) . to receive ( :current_application_settings ) . and_return current_settings
allow ( current_settings ) . to receive ( :users_get_by_id_limit_allowlist ) . and_return ( allowlist )
expect ( Gitlab :: ApplicationRateLimiter )
. to receive ( :throttled? ) . with ( :users_get_by_id , scope : user , users_allowlist : allowlist )
. and_call_original
2023-07-09 08:55:56 +05:30
get api ( path , user )
2022-04-04 11:22:00 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
end
2022-03-02 08:16:31 +05:30
end
end
2020-04-08 14:13:33 +05:30
context 'when job title is present' do
let ( :job_title ) { 'Fullstack Engineer' }
before do
create ( :user_detail , user : user , job_title : job_title )
end
it 'returns job title of a user' do
2023-07-09 08:55:56 +05:30
get api ( path , user )
2020-04-08 14:13:33 +05:30
expect ( response ) . to match_response_schema ( 'public_api/v4/user/basic' )
expect ( json_response [ 'job_title' ] ) . to eq ( job_title )
end
end
2018-03-17 18:26:18 +05:30
context 'when authenticated as admin' do
2021-09-30 23:02:18 +05:30
it 'contains the note of the user' do
2023-07-09 08:55:56 +05:30
get api ( path , admin , admin_mode : true )
2021-09-30 23:02:18 +05:30
expect ( json_response ) . to have_key ( 'note' )
expect ( json_response [ 'note' ] ) . to eq ( user . note )
expect ( json_response ) . to have_key ( 'sign_in_count' )
end
2018-03-17 18:26:18 +05:30
it 'includes the `is_admin` field' do
2023-07-09 08:55:56 +05:30
get api ( path , admin , admin_mode : true )
2018-03-17 18:26:18 +05:30
expect ( response ) . to match_response_schema ( 'public_api/v4/user/admin' )
expect ( json_response [ 'is_admin' ] ) . to be ( false )
end
2018-11-18 11:00:15 +05:30
it " includes the `created_at` field for private users " do
2023-06-20 00:43:36 +05:30
get api ( " /users/ #{ private_user . id } " , admin , admin_mode : true )
2018-11-18 11:00:15 +05:30
expect ( response ) . to match_response_schema ( 'public_api/v4/user/admin' )
expect ( json_response . keys ) . to include 'created_at'
end
2020-03-13 15:44:24 +05:30
2019-07-07 11:18:12 +05:30
it 'includes the `highest_role` field' do
2023-07-09 08:55:56 +05:30
get api ( path , admin , admin_mode : true )
2019-07-07 11:18:12 +05:30
expect ( response ) . to match_response_schema ( 'public_api/v4/user/admin' )
expect ( json_response [ 'highest_role' ] ) . to be ( 0 )
end
2020-03-13 15:44:24 +05:30
2022-06-21 17:19:12 +05:30
it 'includes the `namespace_id` field' do
2023-07-09 08:55:56 +05:30
get api ( path , admin , admin_mode : true )
2022-06-21 17:19:12 +05:30
expect ( response ) . to have_gitlab_http_status ( :success )
expect ( response ) . to match_response_schema ( 'public_api/v4/user/admin' )
expect ( json_response [ 'namespace_id' ] ) . to eq ( user . namespace_id )
end
2020-04-08 14:13:33 +05:30
if Gitlab . ee?
it 'does not include values for plan or trial' do
2023-07-09 08:55:56 +05:30
get api ( path , admin , admin_mode : true )
2020-04-08 14:13:33 +05:30
expect ( response ) . to match_response_schema ( 'public_api/v4/user/basic' )
end
else
it 'does not include plan or trial data' do
2023-07-09 08:55:56 +05:30
get api ( path , admin , admin_mode : true )
2020-04-08 14:13:33 +05:30
expect ( response ) . to match_response_schema ( 'public_api/v4/user/basic' )
expect ( json_response . keys ) . not_to include 'plan'
expect ( json_response . keys ) . not_to include 'trial'
end
end
2020-03-13 15:44:24 +05:30
context 'when user has not logged in' do
it 'does not include the sign in IPs' do
2023-07-09 08:55:56 +05:30
get api ( path , admin , admin_mode : true )
2020-03-13 15:44:24 +05:30
expect ( response ) . to match_response_schema ( 'public_api/v4/user/admin' )
expect ( json_response ) . to include ( 'current_sign_in_ip' = > nil , 'last_sign_in_ip' = > nil )
end
end
context 'when user has logged in' do
let_it_be ( :signed_in_user ) { create ( :user , :with_sign_ins ) }
it 'includes the sign in IPs' do
2023-06-20 00:43:36 +05:30
get api ( " /users/ #{ signed_in_user . id } " , admin , admin_mode : true )
2020-03-13 15:44:24 +05:30
expect ( response ) . to match_response_schema ( 'public_api/v4/user/admin' )
expect ( json_response [ 'current_sign_in_ip' ] ) . to eq ( '127.0.0.1' )
expect ( json_response [ 'last_sign_in_ip' ] ) . to eq ( '127.0.0.1' )
end
end
2017-08-17 22:00:37 +05:30
end
2017-09-10 17:25:29 +05:30
context 'for an anonymous user' do
2021-09-30 23:02:18 +05:30
it 'returns 403' do
2023-07-09 08:55:56 +05:30
get api ( path )
2021-03-11 19:13:27 +05:30
2021-09-30 23:02:18 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2021-03-11 19:13:27 +05:30
end
2014-09-02 18:07:02 +05:30
end
2016-09-13 17:45:13 +05:30
it " returns a 404 error if user id not found " do
2023-07-09 08:55:56 +05:30
get api ( " /users/ #{ non_existing_record_id } " , user )
2018-03-17 18:26:18 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2017-08-17 22:00:37 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 User Not Found' )
2014-09-02 18:07:02 +05:30
end
2015-09-25 12:07:36 +05:30
2016-11-03 12:29:30 +05:30
it " returns a 404 for invalid ID " do
2015-09-25 12:07:36 +05:30
get api ( " /users/1ASDF " , user )
2016-11-03 12:29:30 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2015-09-25 12:07:36 +05:30
end
2014-09-02 18:07:02 +05:30
end
2018-11-18 11:00:15 +05:30
describe 'GET /users/:id_or_username/status' do
context 'when finding the user by id' do
it_behaves_like 'rendering user status' do
let ( :path ) { " /users/ #{ user . id } /status " }
end
end
context 'when finding the user by username' do
it_behaves_like 'rendering user status' do
let ( :path ) { " /users/ #{ user . username } /status " }
end
end
2018-12-13 13:39:08 +05:30
context 'when finding the user by username (case insensitive)' do
it_behaves_like 'rendering user status' do
let ( :path ) { " /users/ #{ user . username . upcase } /status " }
end
end
2018-11-18 11:00:15 +05:30
end
2021-03-11 19:13:27 +05:30
describe 'POST /users/:id/follow' do
let ( :followee ) { create ( :user ) }
2023-07-09 08:55:56 +05:30
let ( :path ) { " /users/ #{ followee . id } /follow " }
2021-03-11 19:13:27 +05:30
context 'on an unfollowed user' do
it 'follows the user' do
2023-07-09 08:55:56 +05:30
post api ( path , user )
2021-03-11 19:13:27 +05:30
expect ( user . followees ) . to contain_exactly ( followee )
expect ( response ) . to have_gitlab_http_status ( :created )
end
2022-11-25 23:54:43 +05:30
it 'alerts and not follow when over followee limit' do
stub_const ( 'Users::UserFollowUser::MAX_FOLLOWEE_LIMIT' , 2 )
Users :: UserFollowUser :: MAX_FOLLOWEE_LIMIT . times { user . follow ( create ( :user ) ) }
2023-07-09 08:55:56 +05:30
post api ( path , user )
2022-11-25 23:54:43 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
expected_message = format ( _ ( " You can't follow more than %{limit} users. To follow more users, unfollow some others. " ) , limit : Users :: UserFollowUser :: MAX_FOLLOWEE_LIMIT )
expect ( json_response [ 'message' ] ) . to eq ( expected_message )
expect ( user . following? ( followee ) ) . to be_falsey
end
2021-03-11 19:13:27 +05:30
end
context 'on a followed user' do
before do
user . follow ( followee )
end
it 'does not change following' do
2023-07-09 08:55:56 +05:30
post api ( path , user )
2021-03-11 19:13:27 +05:30
expect ( user . followees ) . to contain_exactly ( followee )
expect ( response ) . to have_gitlab_http_status ( :not_modified )
end
end
2023-07-09 08:55:56 +05:30
context 'on a user with disabled following' do
before do
user . enabled_following = false
user . save!
end
it 'does not change following' do
post api ( " /users/ #{ followee . id } /follow " , user )
expect ( user . followees ) . to be_empty
expect ( response ) . to have_gitlab_http_status ( :not_modified )
end
end
2021-03-11 19:13:27 +05:30
end
describe 'POST /users/:id/unfollow' do
let ( :followee ) { create ( :user ) }
2023-07-09 08:55:56 +05:30
let ( :path ) { " /users/ #{ followee . id } /unfollow " }
2021-03-11 19:13:27 +05:30
context 'on a followed user' do
before do
user . follow ( followee )
end
it 'unfollow the user' do
2023-07-09 08:55:56 +05:30
post api ( path , user )
2021-03-11 19:13:27 +05:30
expect ( user . followees ) . to be_empty
expect ( response ) . to have_gitlab_http_status ( :created )
end
end
context 'on an unfollowed user' do
it 'does not change following' do
2023-07-09 08:55:56 +05:30
post api ( path , user )
2021-03-11 19:13:27 +05:30
expect ( user . followees ) . to be_empty
expect ( response ) . to have_gitlab_http_status ( :not_modified )
end
end
end
describe 'GET /users/:id/followers' do
let ( :follower ) { create ( :user ) }
2023-07-09 08:55:56 +05:30
let ( :path ) { " /users/ #{ user . id } /followers " }
2021-03-11 19:13:27 +05:30
2021-09-30 23:02:18 +05:30
context 'for an anonymous user' do
it 'returns 403' do
get api ( " /users/ #{ user . id } " )
expect ( response ) . to have_gitlab_http_status ( :forbidden )
end
end
2021-03-11 19:13:27 +05:30
context 'user has followers' do
it 'lists followers' do
follower . follow ( user )
2023-07-09 08:55:56 +05:30
get api ( path , user )
2021-03-11 19:13:27 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
expect ( response ) . to include_pagination_headers
expect ( json_response ) . to be_an Array
end
it 'do not lists followers if profile is private' do
follower . follow ( private_user )
get api ( " /users/ #{ private_user . id } /followers " , user )
expect ( response ) . to have_gitlab_http_status ( :not_found )
expect ( json_response [ 'message' ] ) . to eq ( '404 User Not Found' )
end
end
context 'user does not have any follower' do
it 'does list nothing' do
2023-07-09 08:55:56 +05:30
get api ( path , user )
2021-03-11 19:13:27 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
expect ( response ) . to include_pagination_headers
expect ( json_response ) . to be_empty
end
end
end
describe 'GET /users/:id/following' do
let ( :followee ) { create ( :user ) }
2023-07-09 08:55:56 +05:30
let ( :path ) { " /users/ #{ user . id } /followers " }
2021-03-11 19:13:27 +05:30
2021-09-30 23:02:18 +05:30
context 'for an anonymous user' do
it 'returns 403' do
get api ( " /users/ #{ user . id } " )
expect ( response ) . to have_gitlab_http_status ( :forbidden )
end
end
2021-03-11 19:13:27 +05:30
context 'user has followers' do
it 'lists following user' do
user . follow ( followee )
2023-07-09 08:55:56 +05:30
get api ( path , user )
2021-03-11 19:13:27 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
expect ( response ) . to include_pagination_headers
expect ( json_response ) . to be_an Array
end
it 'do not lists following user if profile is private' do
user . follow ( private_user )
get api ( " /users/ #{ private_user . id } /following " , user )
expect ( response ) . to have_gitlab_http_status ( :not_found )
expect ( json_response [ 'message' ] ) . to eq ( '404 User Not Found' )
end
end
context 'user does not have any follower' do
it 'does list nothing' do
2023-07-09 08:55:56 +05:30
get api ( path , user )
2021-03-11 19:13:27 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
expect ( response ) . to include_pagination_headers
expect ( json_response ) . to be_empty
end
end
end
2014-09-02 18:07:02 +05:30
describe " POST /users " do
2023-07-09 08:55:56 +05:30
let ( :path ) { '/users' }
it_behaves_like 'POST request permissions for admin mode' do
let ( :params ) { attributes_for ( :user , projects_limit : 3 ) }
end
2016-09-13 17:45:13 +05:30
it " creates user " do
2015-09-11 14:41:01 +05:30
expect do
2023-07-09 08:55:56 +05:30
post api ( path , admin , admin_mode : true ) , params : attributes_for ( :user , projects_limit : 3 )
2015-09-11 14:41:01 +05:30
end . to change { User . count } . by ( 1 )
2014-09-02 18:07:02 +05:30
end
2016-09-13 17:45:13 +05:30
it " creates user with correct attributes " do
2023-07-09 08:55:56 +05:30
post api ( path , admin , admin_mode : true ) , params : attributes_for ( :user , admin : true , can_create_group : true )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :created )
2014-09-02 18:07:02 +05:30
user_id = json_response [ 'id' ]
new_user = User . find ( user_id )
2015-04-26 12:48:37 +05:30
expect ( new_user . admin ) . to eq ( true )
expect ( new_user . can_create_group ) . to eq ( true )
2014-09-02 18:07:02 +05:30
end
2017-08-17 22:00:37 +05:30
it " creates user with optional attributes " do
2020-03-13 15:44:24 +05:30
optional_attributes = { confirm : true , theme_id : 2 , color_scheme_id : 4 }
2017-08-17 22:00:37 +05:30
attributes = attributes_for ( :user ) . merge ( optional_attributes )
2023-07-09 08:55:56 +05:30
post api ( path , admin , admin_mode : true ) , params : attributes
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :created )
2017-08-17 22:00:37 +05:30
end
2016-09-13 17:45:13 +05:30
it " creates non-admin user " do
2023-07-09 08:55:56 +05:30
post api ( path , admin , admin_mode : true ) , params : attributes_for ( :user , admin : false , can_create_group : false )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :created )
2014-09-02 18:07:02 +05:30
user_id = json_response [ 'id' ]
new_user = User . find ( user_id )
2015-04-26 12:48:37 +05:30
expect ( new_user . admin ) . to eq ( false )
expect ( new_user . can_create_group ) . to eq ( false )
2014-09-02 18:07:02 +05:30
end
2016-09-13 17:45:13 +05:30
it " creates non-admin users by default " do
2023-07-09 08:55:56 +05:30
post api ( path , admin , admin_mode : true ) , params : attributes_for ( :user )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :created )
2014-09-02 18:07:02 +05:30
user_id = json_response [ 'id' ]
new_user = User . find ( user_id )
2015-04-26 12:48:37 +05:30
expect ( new_user . admin ) . to eq ( false )
2014-09-02 18:07:02 +05:30
end
2016-09-13 17:45:13 +05:30
it " returns 201 Created on success " do
2023-07-09 08:55:56 +05:30
post api ( path , admin , admin_mode : true ) , params : attributes_for ( :user , projects_limit : 3 )
2019-09-30 21:07:59 +05:30
expect ( response ) . to match_response_schema ( 'public_api/v4/user/admin' )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :created )
2014-09-02 18:07:02 +05:30
end
2016-06-02 11:05:42 +05:30
it 'creates non-external users by default' do
2023-07-09 08:55:56 +05:30
post api ( path , admin , admin_mode : true ) , params : attributes_for ( :user )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :created )
2016-06-02 11:05:42 +05:30
user_id = json_response [ 'id' ]
new_user = User . find ( user_id )
expect ( new_user . external ) . to be_falsy
end
2016-09-13 17:45:13 +05:30
it 'allows an external user to be created' do
2023-07-09 08:55:56 +05:30
post api ( path , admin , admin_mode : true ) , params : attributes_for ( :user , external : true )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :created )
2016-06-02 11:05:42 +05:30
user_id = json_response [ 'id' ]
new_user = User . find ( user_id )
expect ( new_user . external ) . to be_truthy
end
2017-08-17 22:00:37 +05:30
it " creates user with reset password " do
2023-07-09 08:55:56 +05:30
post api ( path , admin , admin_mode : true ) , params : attributes_for ( :user , reset_password : true ) . except ( :password )
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :created )
2017-08-17 22:00:37 +05:30
user_id = json_response [ 'id' ]
new_user = User . find ( user_id )
2019-09-30 21:07:59 +05:30
expect ( new_user . recently_sent_password_reset? ) . to eq ( true )
end
it " creates user with random password " do
2021-04-29 21:17:54 +05:30
params = attributes_for ( :user , force_random_password : true )
params . delete ( :password )
2023-07-09 08:55:56 +05:30
post api ( path , admin , admin_mode : true ) , params : params
2019-09-30 21:07:59 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :created )
2019-09-30 21:07:59 +05:30
user_id = json_response [ 'id' ]
new_user = User . find ( user_id )
2021-04-29 21:17:54 +05:30
expect ( new_user . encrypted_password ) . to be_present
2017-08-17 22:00:37 +05:30
end
2018-11-18 11:00:15 +05:30
it " creates user with private profile " do
2023-07-09 08:55:56 +05:30
post api ( path , admin , admin_mode : true ) , params : attributes_for ( :user , private_profile : true )
2018-11-18 11:00:15 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :created )
2018-11-18 11:00:15 +05:30
user_id = json_response [ 'id' ]
new_user = User . find ( user_id )
expect ( new_user ) . not_to eq ( nil )
expect ( new_user . private_profile? ) . to eq ( true )
end
2021-04-17 20:07:23 +05:30
it " creates user with view_diffs_file_by_file " do
2023-07-09 08:55:56 +05:30
post api ( path , admin , admin_mode : true ) , params : attributes_for ( :user , view_diffs_file_by_file : true )
2021-04-17 20:07:23 +05:30
expect ( response ) . to have_gitlab_http_status ( :created )
user_id = json_response [ 'id' ]
new_user = User . find ( user_id )
expect ( new_user ) . not_to eq ( nil )
expect ( new_user . user_preference . view_diffs_file_by_file? ) . to eq ( true )
end
2022-10-11 01:57:18 +05:30
it " creates user with avatar " do
workhorse_form_with_file (
2023-07-09 08:55:56 +05:30
api ( path , admin , admin_mode : true ) ,
2022-10-11 01:57:18 +05:30
method : :post ,
file_key : :avatar ,
params : attributes_for ( :user , avatar : fixture_file_upload ( 'spec/fixtures/banana_sample.gif' , 'image/gif' ) )
)
expect ( response ) . to have_gitlab_http_status ( :created )
new_user = User . find_by ( id : json_response [ 'id' ] )
expect ( new_user ) . not_to eq ( nil )
expect ( json_response [ 'avatar_url' ] ) . to include ( new_user . avatar_path )
end
2016-09-13 17:45:13 +05:30
it " does not create user with invalid email " do
2023-07-09 08:55:56 +05:30
post api ( path , admin , admin_mode : true ) ,
2021-01-29 00:20:46 +05:30
params : {
email : 'invalid email' ,
2022-08-27 11:52:29 +05:30
password : User . random_password ,
2021-01-29 00:20:46 +05:30
name : 'test'
}
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
2014-09-02 18:07:02 +05:30
end
2016-09-13 17:45:13 +05:30
it 'returns 400 error if name not given' do
2023-07-09 08:55:56 +05:30
post api ( path , admin , admin_mode : true ) , params : attributes_for ( :user ) . except ( :name )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
2015-04-26 12:48:37 +05:30
end
2016-09-13 17:45:13 +05:30
it 'returns 400 error if password not given' do
2023-07-09 08:55:56 +05:30
post api ( path , admin , admin_mode : true ) , params : attributes_for ( :user ) . except ( :password )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
2014-09-02 18:07:02 +05:30
end
2016-09-13 17:45:13 +05:30
it 'returns 400 error if email not given' do
2023-07-09 08:55:56 +05:30
post api ( path , admin , admin_mode : true ) , params : attributes_for ( :user ) . except ( :email )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
2015-09-11 14:41:01 +05:30
end
2016-09-13 17:45:13 +05:30
it 'returns 400 error if username not given' do
2023-07-09 08:55:56 +05:30
post api ( path , admin , admin_mode : true ) , params : attributes_for ( :user ) . except ( :username )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
2015-04-26 12:48:37 +05:30
end
2020-03-13 15:44:24 +05:30
it " doesn't create user with invalid optional attributes " do
optional_attributes = { theme_id : 50 , color_scheme_id : 50 }
attributes = attributes_for ( :user ) . merge ( optional_attributes )
2023-07-09 08:55:56 +05:30
post api ( path , admin , admin_mode : true ) , params : attributes
2020-03-13 15:44:24 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
2020-03-13 15:44:24 +05:30
end
2016-09-13 17:45:13 +05:30
it 'returns 400 error if user does not validate' do
2023-07-09 08:55:56 +05:30
post api ( path , admin , admin_mode : true ) ,
2021-01-29 00:20:46 +05:30
params : {
password : 'pass' ,
email : 'test@example.com' ,
username : 'test!' ,
name : 'test' ,
bio : 'g' * 256 ,
projects_limit : - 1
}
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
2017-09-10 17:25:29 +05:30
expect ( json_response [ 'message' ] [ 'password' ] )
. to eq ( [ 'is too short (minimum is 8 characters)' ] )
expect ( json_response [ 'message' ] [ 'bio' ] )
. to eq ( [ 'is too long (maximum is 255 characters)' ] )
expect ( json_response [ 'message' ] [ 'projects_limit' ] )
. to eq ( [ 'must be greater than or equal to 0' ] )
expect ( json_response [ 'message' ] [ 'username' ] )
2023-05-27 22:25:52 +05:30
. to match_array ( [ Gitlab :: PathRegex . namespace_format_message , Gitlab :: Regex . oci_repository_path_regex_message ] )
2014-09-02 18:07:02 +05:30
end
2023-01-13 00:05:48 +05:30
it 'tracks weak password errors' do
attributes = attributes_for ( :user ) . merge ( { password : " password " } )
2023-07-09 08:55:56 +05:30
post api ( path , admin , admin_mode : true ) , params : attributes
2023-01-13 00:05:48 +05:30
expect ( json_response [ 'message' ] [ 'password' ] )
. to eq ( [ 'must not contain commonly used combinations of words and letters' ] )
expect_snowplow_event (
category : 'Gitlab::Tracking::Helpers::WeakPasswordErrorEvent' ,
action : 'track_weak_password_error' ,
controller : 'API::Users' ,
method : 'create'
)
end
2016-09-13 17:45:13 +05:30
it " is not available for non admin users " do
2023-07-09 08:55:56 +05:30
post api ( path , user ) , params : attributes_for ( :user )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2014-09-02 18:07:02 +05:30
end
2015-04-26 12:48:37 +05:30
context 'with existing user' do
before do
2023-07-09 08:55:56 +05:30
post api ( path , admin , admin_mode : true ) ,
2021-01-29 00:20:46 +05:30
params : {
email : 'test@example.com' ,
2022-08-27 11:52:29 +05:30
password : User . random_password ,
2021-01-29 00:20:46 +05:30
username : 'test' ,
name : 'foo'
}
2015-04-26 12:48:37 +05:30
end
2014-09-02 18:07:02 +05:30
2016-09-13 17:45:13 +05:30
it 'returns 409 conflict error if user with same email exists' do
2015-09-11 14:41:01 +05:30
expect do
2023-07-09 08:55:56 +05:30
post api ( path , admin , admin_mode : true ) ,
2021-01-29 00:20:46 +05:30
params : {
name : 'foo' ,
email : 'test@example.com' ,
2022-08-27 11:52:29 +05:30
password : User . random_password ,
2021-01-29 00:20:46 +05:30
username : 'foo'
}
2015-09-11 14:41:01 +05:30
end . to change { User . count } . by ( 0 )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :conflict )
2015-04-26 12:48:37 +05:30
expect ( json_response [ 'message' ] ) . to eq ( 'Email has already been taken' )
2014-09-02 18:07:02 +05:30
end
2016-09-13 17:45:13 +05:30
it 'returns 409 conflict error if same username exists' do
2015-04-26 12:48:37 +05:30
expect do
2023-07-09 08:55:56 +05:30
post api ( path , admin , admin_mode : true ) ,
2021-01-29 00:20:46 +05:30
params : {
name : 'foo' ,
email : 'foo@example.com' ,
2022-08-27 11:52:29 +05:30
password : User . random_password ,
2021-01-29 00:20:46 +05:30
username : 'test'
}
2015-04-26 12:48:37 +05:30
end . to change { User . count } . by ( 0 )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :conflict )
2015-04-26 12:48:37 +05:30
expect ( json_response [ 'message' ] ) . to eq ( 'Username has already been taken' )
2014-09-02 18:07:02 +05:30
end
2017-08-17 22:00:37 +05:30
2018-12-13 13:39:08 +05:30
it 'returns 409 conflict error if same username exists (case insensitive)' do
expect do
2023-07-09 08:55:56 +05:30
post api ( path , admin , admin_mode : true ) ,
2021-01-29 00:20:46 +05:30
params : {
name : 'foo' ,
email : 'foo@example.com' ,
2022-08-27 11:52:29 +05:30
password : User . random_password ,
2021-01-29 00:20:46 +05:30
username : 'TEST'
}
2018-12-13 13:39:08 +05:30
end . to change { User . count } . by ( 0 )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :conflict )
2018-12-13 13:39:08 +05:30
expect ( json_response [ 'message' ] ) . to eq ( 'Username has already been taken' )
end
2017-08-17 22:00:37 +05:30
it 'creates user with new identity' do
2023-07-09 08:55:56 +05:30
post api ( path , admin , admin_mode : true ) , params : attributes_for ( :user , provider : 'github' , extern_uid : '67890' )
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :created )
2017-08-17 22:00:37 +05:30
expect ( json_response [ 'identities' ] . first [ 'extern_uid' ] ) . to eq ( '67890' )
expect ( json_response [ 'identities' ] . first [ 'provider' ] ) . to eq ( 'github' )
end
2014-09-02 18:07:02 +05:30
end
2017-09-10 17:25:29 +05:30
2022-07-29 17:44:30 +05:30
context 'when user with a primary email exists' do
context 'when the primary email is confirmed' do
let! ( :confirmed_user ) { create ( :user , email : 'foo@example.com' ) }
it 'returns 409 conflict error' do
expect do
2023-07-09 08:55:56 +05:30
post api ( path , admin , admin_mode : true ) ,
2022-07-29 17:44:30 +05:30
params : {
name : 'foo' ,
email : confirmed_user . email ,
password : 'password' ,
username : 'TEST'
}
end . to change { User . count } . by ( 0 )
expect ( response ) . to have_gitlab_http_status ( :conflict )
expect ( json_response [ 'message' ] ) . to eq ( 'Email has already been taken' )
end
end
context 'when the primary email is unconfirmed' do
let! ( :unconfirmed_user ) { create ( :user , :unconfirmed , email : 'foo@example.com' ) }
it 'returns 409 conflict error' do
expect do
2023-07-09 08:55:56 +05:30
post api ( path , admin , admin_mode : true ) ,
2022-07-29 17:44:30 +05:30
params : {
name : 'foo' ,
email : unconfirmed_user . email ,
password : 'password' ,
username : 'TEST'
}
end . to change { User . count } . by ( 0 )
expect ( response ) . to have_gitlab_http_status ( :conflict )
expect ( json_response [ 'message' ] ) . to eq ( 'Email has already been taken' )
end
end
end
context 'when user with a secondary email exists' do
context 'when the secondary email is confirmed' do
let! ( :email ) { create ( :email , :confirmed , email : 'foo@example.com' ) }
it 'returns 409 conflict error' do
expect do
2023-07-09 08:55:56 +05:30
post api ( path , admin , admin_mode : true ) ,
2022-07-29 17:44:30 +05:30
params : {
name : 'foo' ,
email : email . email ,
password : 'password' ,
username : 'TEST'
}
end . to change { User . count } . by ( 0 )
expect ( response ) . to have_gitlab_http_status ( :conflict )
expect ( json_response [ 'message' ] ) . to eq ( 'Email has already been taken' )
end
end
context 'when the secondary email is unconfirmed' do
let! ( :email ) { create ( :email , email : 'foo@example.com' ) }
it 'does not create user' do
expect do
2023-07-09 08:55:56 +05:30
post api ( path , admin , admin_mode : true ) ,
2022-07-29 17:44:30 +05:30
params : {
name : 'foo' ,
email : email . email ,
password : 'password' ,
username : 'TEST'
}
end . to change { User . count } . by ( 0 )
expect ( response ) . to have_gitlab_http_status ( :bad_request )
end
end
end
2017-09-10 17:25:29 +05:30
context " scopes " do
let ( :user ) { admin }
let ( :path ) { '/users' }
let ( :api_call ) { method ( :api ) }
include_examples 'does not allow the "read_user" scope'
end
2023-03-17 16:20:25 +05:30
context " `private_profile` attribute " do
context " based on the application setting " do
before do
stub_application_setting ( user_defaults_to_private_profile : true )
end
let ( :params ) { attributes_for ( :user ) }
shared_examples_for 'creates the user with the value of `private_profile` based on the application setting' do
specify do
2023-07-09 08:55:56 +05:30
post api ( path , admin , admin_mode : true ) , params : params
2023-03-17 16:20:25 +05:30
expect ( response ) . to have_gitlab_http_status ( :created )
user = User . find_by ( id : json_response [ 'id' ] , private_profile : true )
expect ( user ) . to be_present
end
end
context 'when the attribute is not overridden in params' do
it_behaves_like 'creates the user with the value of `private_profile` based on the application setting'
end
context 'when the attribute is overridden in params' do
it 'creates the user with the value of `private_profile` same as the value of the overridden param' do
2023-07-09 08:55:56 +05:30
post api ( path , admin , admin_mode : true ) , params : params . merge ( private_profile : false )
2023-03-17 16:20:25 +05:30
expect ( response ) . to have_gitlab_http_status ( :created )
user = User . find_by ( id : json_response [ 'id' ] , private_profile : false )
expect ( user ) . to be_present
end
context 'overridden as `nil`' do
let ( :params ) { attributes_for ( :user , private_profile : nil ) }
it_behaves_like 'creates the user with the value of `private_profile` based on the application setting'
end
end
end
end
2014-09-02 18:07:02 +05:30
end
describe " PUT /users/:id " do
2023-07-09 08:55:56 +05:30
let ( :path ) { " /users/ #{ user . id } " }
it_behaves_like 'PUT request permissions for admin mode' do
let ( :params ) { { bio : 'new test bio' } }
end
2019-09-30 21:07:59 +05:30
it " returns 200 OK on success " do
2023-07-09 08:55:56 +05:30
put api ( path , admin , admin_mode : true ) , params : { bio : 'new test bio' }
2019-09-30 21:07:59 +05:30
expect ( response ) . to match_response_schema ( 'public_api/v4/user/admin' )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2019-09-30 21:07:59 +05:30
end
2020-11-24 15:15:51 +05:30
context 'updating password' do
def update_password ( user , admin , password = User . random_password )
2023-06-20 00:43:36 +05:30
put api ( " /users/ #{ user . id } " , admin , admin_mode : true ) , params : { password : password }
2020-11-24 15:15:51 +05:30
end
context 'admin updates their own password' do
it 'does not force reset on next login' do
update_password ( admin , admin )
expect ( response ) . to have_gitlab_http_status ( :ok )
expect ( user . reload . password_expired? ) . to eq ( false )
end
it 'does not enqueue the `admin changed your password` email' do
expect { update_password ( admin , admin ) }
. not_to have_enqueued_mail ( DeviseMailer , :password_change_by_admin )
end
it 'enqueues the `password changed` email' do
expect { update_password ( admin , admin ) }
. to have_enqueued_mail ( DeviseMailer , :password_change )
end
end
context 'admin updates the password of another user' do
it 'forces reset on next login' do
update_password ( user , admin )
expect ( response ) . to have_gitlab_http_status ( :ok )
expect ( user . reload . password_expired? ) . to eq ( true )
end
it 'enqueues the `admin changed your password` email' do
expect { update_password ( user , admin ) }
. to have_enqueued_mail ( DeviseMailer , :password_change_by_admin )
end
it 'does not enqueue the `password changed` email' do
expect { update_password ( user , admin ) }
. not_to have_enqueued_mail ( DeviseMailer , :password_change )
end
end
2023-01-13 00:05:48 +05:30
context 'with a weak password' do
it 'tracks weak password errors' do
update_password ( user , admin , " password " )
expect ( json_response [ 'message' ] [ 'password' ] )
. to eq ( [ 'must not contain commonly used combinations of words and letters' ] )
expect_snowplow_event (
category : 'Gitlab::Tracking::Helpers::WeakPasswordErrorEvent' ,
action : 'track_weak_password_error' ,
controller : 'API::Users' ,
method : 'update'
)
end
end
2020-11-24 15:15:51 +05:30
end
2016-09-13 17:45:13 +05:30
it " updates user with new bio " do
2023-07-09 08:55:56 +05:30
put api ( path , admin , admin_mode : true ) , params : { bio : 'new test bio' }
2017-09-10 17:25:29 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2015-04-26 12:48:37 +05:30
expect ( json_response [ 'bio' ] ) . to eq ( 'new test bio' )
expect ( user . reload . bio ) . to eq ( 'new test bio' )
end
2020-04-22 19:07:51 +05:30
it " updates user with empty bio " do
2020-06-23 00:09:42 +05:30
user . update! ( bio : 'previous bio' )
2020-04-22 19:07:51 +05:30
2023-07-09 08:55:56 +05:30
put api ( path , admin , admin_mode : true ) , params : { bio : '' }
2020-04-22 19:07:51 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
expect ( json_response [ 'bio' ] ) . to eq ( '' )
expect ( user . reload . bio ) . to eq ( '' )
end
2020-07-28 23:09:34 +05:30
it 'updates user with nil bio' do
2023-07-09 08:55:56 +05:30
put api ( path , admin , admin_mode : true ) , params : { bio : nil }
2020-07-28 23:09:34 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
expect ( json_response [ 'bio' ] ) . to eq ( '' )
expect ( user . reload . bio ) . to eq ( '' )
end
2016-11-03 12:29:30 +05:30
it " updates user with organization " do
2023-07-09 08:55:56 +05:30
put api ( path , admin , admin_mode : true ) , params : { organization : 'GitLab' }
2016-11-03 12:29:30 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2016-11-03 12:29:30 +05:30
expect ( json_response [ 'organization' ] ) . to eq ( 'GitLab' )
expect ( user . reload . organization ) . to eq ( 'GitLab' )
end
2017-09-10 17:25:29 +05:30
it 'updates user with avatar' do
2022-10-11 01:57:18 +05:30
workhorse_form_with_file (
2023-07-09 08:55:56 +05:30
api ( path , admin , admin_mode : true ) ,
2022-10-11 01:57:18 +05:30
method : :put ,
file_key : :avatar ,
params : { avatar : fixture_file_upload ( 'spec/fixtures/banana_sample.gif' , 'image/gif' ) }
)
2017-09-10 17:25:29 +05:30
user . reload
expect ( user . avatar ) . to be_present
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2017-09-10 17:25:29 +05:30
expect ( json_response [ 'avatar_url' ] ) . to include ( user . avatar_path )
end
it 'updates user with a new email' do
2018-11-08 19:23:39 +05:30
old_email = user . email
2021-11-11 11:23:49 +05:30
old_notification_email = user . notification_email_or_default
2023-07-09 08:55:56 +05:30
put api ( path , admin , admin_mode : true ) , params : { email : 'new@email.com' }
2017-09-10 17:25:29 +05:30
2018-11-08 19:23:39 +05:30
user . reload
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2018-11-08 19:23:39 +05:30
expect ( user ) . to be_confirmed
expect ( user . email ) . to eq ( old_email )
2021-11-11 11:23:49 +05:30
expect ( user . notification_email_or_default ) . to eq ( old_notification_email )
2018-11-08 19:23:39 +05:30
expect ( user . unconfirmed_email ) . to eq ( 'new@email.com' )
2017-09-10 17:25:29 +05:30
end
2018-03-17 18:26:18 +05:30
it 'skips reconfirmation when requested' do
2023-07-09 08:55:56 +05:30
put api ( path , admin , admin_mode : true ) , params : { email : 'new@email.com' , skip_reconfirmation : true }
2018-03-17 18:26:18 +05:30
user . reload
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2018-11-08 19:23:39 +05:30
expect ( user ) . to be_confirmed
expect ( user . email ) . to eq ( 'new@email.com' )
2018-03-17 18:26:18 +05:30
end
2020-03-13 15:44:24 +05:30
it 'updates user with their own username' do
2023-07-09 08:55:56 +05:30
put api ( path , admin , admin_mode : true ) , params : { username : user . username }
2017-09-10 17:25:29 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2015-04-26 12:48:37 +05:30
expect ( json_response [ 'username' ] ) . to eq ( user . username )
expect ( user . reload . username ) . to eq ( user . username )
2014-09-02 18:07:02 +05:30
end
2016-09-13 17:45:13 +05:30
it " updates user's existing identity " do
2023-06-20 00:43:36 +05:30
put api ( " /users/ #{ ldap_user . id } " , admin , admin_mode : true ) , params : { provider : 'ldapmain' , extern_uid : '654321' }
2017-09-10 17:25:29 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2022-05-07 20:08:51 +05:30
expect ( ldap_user . reload . identities . first . extern_uid ) . to eq ( '654321' )
2015-10-24 18:46:33 +05:30
end
2016-09-13 17:45:13 +05:30
it 'updates user with new identity' do
2023-07-09 08:55:56 +05:30
put api ( path , admin , admin_mode : true ) , params : { provider : 'github' , extern_uid : 'john' }
2017-09-10 17:25:29 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2017-08-17 22:00:37 +05:30
expect ( user . reload . identities . first . extern_uid ) . to eq ( 'john' )
2015-10-24 18:46:33 +05:30
expect ( user . reload . identities . first . provider ) . to eq ( 'github' )
end
2016-09-13 17:45:13 +05:30
it " updates admin status " do
2023-07-09 08:55:56 +05:30
put api ( path , admin , admin_mode : true ) , params : { admin : true }
2017-09-10 17:25:29 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2015-04-26 12:48:37 +05:30
expect ( user . reload . admin ) . to eq ( true )
2014-09-02 18:07:02 +05:30
end
2016-09-13 17:45:13 +05:30
it " updates external status " do
2023-07-09 08:55:56 +05:30
put api ( path , admin , admin_mode : true ) , params : { external : true }
2017-09-10 17:25:29 +05:30
2020-04-22 19:07:51 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2016-06-02 11:05:42 +05:30
expect ( json_response [ 'external' ] ) . to eq ( true )
expect ( user . reload . external? ) . to be_truthy
end
2020-04-08 14:13:33 +05:30
it " does have default values for theme and color-scheme ID " do
2023-07-09 08:55:56 +05:30
put api ( path , admin , admin_mode : true ) , params : { }
2020-04-08 14:13:33 +05:30
expect ( user . reload . theme_id ) . to eq ( Gitlab :: Themes . default . id )
expect ( user . reload . color_scheme_id ) . to eq ( Gitlab :: ColorSchemes . default . id )
end
2021-04-17 20:07:23 +05:30
it " updates viewing diffs file by file " do
2023-07-09 08:55:56 +05:30
put api ( path , admin , admin_mode : true ) , params : { view_diffs_file_by_file : true }
2021-04-17 20:07:23 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
expect ( user . reload . user_preference . view_diffs_file_by_file? ) . to eq ( true )
end
2023-03-17 16:20:25 +05:30
context 'updating `private_profile`' do
it " updates private profile " do
current_value = user . private_profile
new_value = ! current_value
2019-09-30 21:07:59 +05:30
2023-07-09 08:55:56 +05:30
put api ( path , admin , admin_mode : true ) , params : { private_profile : new_value }
2019-09-30 21:07:59 +05:30
2023-03-17 16:20:25 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
expect ( user . reload . private_profile ) . to eq ( new_value )
end
context 'when `private_profile` is set to `nil`' do
before do
stub_application_setting ( user_defaults_to_private_profile : true )
end
2019-09-30 21:07:59 +05:30
2023-03-17 16:20:25 +05:30
it " updates private_profile to value of the application setting " do
user . update! ( private_profile : false )
2020-03-13 15:44:24 +05:30
2023-07-09 08:55:56 +05:30
put api ( path , admin , admin_mode : true ) , params : { private_profile : nil }
2020-03-13 15:44:24 +05:30
2023-03-17 16:20:25 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
expect ( user . reload . private_profile ) . to eq ( true )
end
end
it " does not modify private profile when field is not provided " do
user . update! ( private_profile : true )
2023-07-09 08:55:56 +05:30
put api ( path , admin , admin_mode : true ) , params : { }
2023-03-17 16:20:25 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
expect ( user . reload . private_profile ) . to eq ( true )
end
2020-03-13 15:44:24 +05:30
end
2020-04-08 14:13:33 +05:30
it " does not modify theme or color-scheme ID when field is not provided " do
theme = Gitlab :: Themes . each . find { | t | t . id != Gitlab :: Themes . default . id }
scheme = Gitlab :: ColorSchemes . each . find { | t | t . id != Gitlab :: ColorSchemes . default . id }
2020-06-23 00:09:42 +05:30
user . update! ( theme_id : theme . id , color_scheme_id : scheme . id )
2020-04-08 14:13:33 +05:30
2023-07-09 08:55:56 +05:30
put api ( path , admin , admin_mode : true ) , params : { }
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
expect ( user . reload . theme_id ) . to eq ( theme . id )
expect ( user . reload . color_scheme_id ) . to eq ( scheme . id )
end
2016-09-13 17:45:13 +05:30
it " does not update admin status " do
2020-06-23 00:09:42 +05:30
admin_user = create ( :admin )
2023-06-20 00:43:36 +05:30
put api ( " /users/ #{ admin_user . id } " , admin , admin_mode : true ) , params : { can_create_group : false }
2017-09-10 17:25:29 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2015-04-26 12:48:37 +05:30
expect ( admin_user . reload . admin ) . to eq ( true )
expect ( admin_user . can_create_group ) . to eq ( false )
2014-09-02 18:07:02 +05:30
end
2016-09-13 17:45:13 +05:30
it " does not allow invalid update " do
2023-07-09 08:55:56 +05:30
put api ( path , admin , admin_mode : true ) , params : { email : 'invalid email' }
2017-09-10 17:25:29 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
2015-04-26 12:48:37 +05:30
expect ( user . reload . email ) . not_to eq ( 'invalid email' )
2014-09-02 18:07:02 +05:30
end
2020-03-13 15:44:24 +05:30
it " updates theme id " do
2023-07-09 08:55:56 +05:30
put api ( path , admin , admin_mode : true ) , params : { theme_id : 5 }
2020-03-13 15:44:24 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2020-03-13 15:44:24 +05:30
expect ( user . reload . theme_id ) . to eq ( 5 )
end
it " does not update invalid theme id " do
2023-07-09 08:55:56 +05:30
put api ( path , admin , admin_mode : true ) , params : { theme_id : 50 }
2020-03-13 15:44:24 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
2020-03-13 15:44:24 +05:30
expect ( user . reload . theme_id ) . not_to eq ( 50 )
end
it " updates color scheme id " do
2023-07-09 08:55:56 +05:30
put api ( path , admin , admin_mode : true ) , params : { color_scheme_id : 5 }
2020-03-13 15:44:24 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2020-03-13 15:44:24 +05:30
expect ( user . reload . color_scheme_id ) . to eq ( 5 )
end
it " does not update invalid color scheme id " do
2023-07-09 08:55:56 +05:30
put api ( path , admin , admin_mode : true ) , params : { color_scheme_id : 50 }
2020-03-13 15:44:24 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
2020-03-13 15:44:24 +05:30
expect ( user . reload . color_scheme_id ) . not_to eq ( 50 )
end
2017-09-10 17:25:29 +05:30
context 'when the current user is not an admin' do
it " is not available " do
expect do
2023-07-09 08:55:56 +05:30
put api ( path , user ) , params : attributes_for ( :user )
2017-09-10 17:25:29 +05:30
end . not_to change { user . reload . attributes }
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2017-09-10 17:25:29 +05:30
end
2014-09-02 18:07:02 +05:30
end
2016-09-13 17:45:13 +05:30
it " returns 404 for non-existing user " do
2023-07-09 08:55:56 +05:30
put api ( " /users/ #{ non_existing_record_id } " , admin , admin_mode : true ) , params : { bio : 'update should fail' }
2017-09-10 17:25:29 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2017-08-17 22:00:37 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 User Not Found' )
2015-04-26 12:48:37 +05:30
end
2016-11-03 12:29:30 +05:30
it " returns a 404 if invalid ID " do
2023-06-20 00:43:36 +05:30
put api ( " /users/ASDF " , admin , admin_mode : true )
2016-11-03 12:29:30 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2015-09-25 12:07:36 +05:30
end
2016-09-13 17:45:13 +05:30
it 'returns 400 error if user does not validate' do
2023-07-09 08:55:56 +05:30
put api ( path , admin , admin_mode : true ) ,
2021-01-29 00:20:46 +05:30
params : {
password : 'pass' ,
email : 'test@example.com' ,
username : 'test!' ,
name : 'test' ,
bio : 'g' * 256 ,
projects_limit : - 1
}
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
2017-09-10 17:25:29 +05:30
expect ( json_response [ 'message' ] [ 'password' ] )
. to eq ( [ 'is too short (minimum is 8 characters)' ] )
expect ( json_response [ 'message' ] [ 'bio' ] )
. to eq ( [ 'is too long (maximum is 255 characters)' ] )
expect ( json_response [ 'message' ] [ 'projects_limit' ] )
. to eq ( [ 'must be greater than or equal to 0' ] )
expect ( json_response [ 'message' ] [ 'username' ] )
2023-05-27 22:25:52 +05:30
. to match_array ( [ Gitlab :: PathRegex . namespace_format_message , Gitlab :: Regex . oci_repository_path_regex_message ] )
2014-09-02 18:07:02 +05:30
end
2017-08-17 22:00:37 +05:30
it 'returns 400 if provider is missing for identity update' do
2023-06-20 00:43:36 +05:30
put api ( " /users/ #{ omniauth_user . id } " , admin , admin_mode : true ) , params : { extern_uid : '654321' }
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
2017-08-17 22:00:37 +05:30
end
it 'returns 400 if external UID is missing for identity update' do
2023-06-20 00:43:36 +05:30
put api ( " /users/ #{ omniauth_user . id } " , admin , admin_mode : true ) , params : { provider : 'ldap' }
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
2017-08-17 22:00:37 +05:30
end
2014-09-02 18:07:02 +05:30
context " with existing user " do
2015-09-11 14:41:01 +05:30
before do
2023-06-20 00:43:36 +05:30
post api ( " /users " , admin , admin_mode : true ) , params : { email : 'test@example.com' , password : User . random_password , username : 'test' , name : 'test' }
post api ( " /users " , admin , admin_mode : true ) , params : { email : 'foo@bar.com' , password : User . random_password , username : 'john' , name : 'john' }
2015-04-26 12:48:37 +05:30
@user = User . all . last
2015-09-11 14:41:01 +05:30
end
2014-09-02 18:07:02 +05:30
2016-09-13 17:45:13 +05:30
it 'returns 409 conflict error if email address exists' do
2023-06-20 00:43:36 +05:30
put api ( " /users/ #{ @user . id } " , admin , admin_mode : true ) , params : { email : 'test@example.com' }
2017-09-10 17:25:29 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :conflict )
2015-04-26 12:48:37 +05:30
expect ( @user . reload . email ) . to eq ( @user . email )
end
2016-09-13 17:45:13 +05:30
it 'returns 409 conflict error if username taken' do
2015-04-26 12:48:37 +05:30
@user_id = User . all . last . id
2023-06-20 00:43:36 +05:30
put api ( " /users/ #{ @user . id } " , admin , admin_mode : true ) , params : { username : 'test' }
2017-09-10 17:25:29 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :conflict )
2015-04-26 12:48:37 +05:30
expect ( @user . reload . username ) . to eq ( @user . username )
end
2018-12-13 13:39:08 +05:30
it 'returns 409 conflict error if username taken (case insensitive)' do
@user_id = User . all . last . id
2023-06-20 00:43:36 +05:30
put api ( " /users/ #{ @user . id } " , admin , admin_mode : true ) , params : { username : 'TEST' }
2018-12-13 13:39:08 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :conflict )
2018-12-13 13:39:08 +05:30
expect ( @user . reload . username ) . to eq ( @user . username )
end
2014-09-02 18:07:02 +05:30
end
2022-07-29 17:44:30 +05:30
context 'when user with a primary email exists' do
context 'when the primary email is confirmed' do
let! ( :confirmed_user ) { create ( :user , email : 'foo@example.com' ) }
it 'returns 409 conflict error' do
2023-07-09 08:55:56 +05:30
put api ( path , admin , admin_mode : true ) , params : { email : confirmed_user . email }
2022-07-29 17:44:30 +05:30
expect ( response ) . to have_gitlab_http_status ( :conflict )
expect ( user . reload . email ) . not_to eq ( confirmed_user . email )
end
end
context 'when the primary email is unconfirmed' do
let! ( :unconfirmed_user ) { create ( :user , :unconfirmed , email : 'foo@example.com' ) }
it 'returns 409 conflict error' do
2023-07-09 08:55:56 +05:30
put api ( path , admin , admin_mode : true ) , params : { email : unconfirmed_user . email }
2022-07-29 17:44:30 +05:30
expect ( response ) . to have_gitlab_http_status ( :conflict )
expect ( user . reload . email ) . not_to eq ( unconfirmed_user . email )
end
end
end
context 'when user with a secondary email exists' do
context 'when the secondary email is confirmed' do
let! ( :email ) { create ( :email , :confirmed , email : 'foo@example.com' ) }
it 'returns 409 conflict error' do
2023-07-09 08:55:56 +05:30
put api ( path , admin , admin_mode : true ) , params : { email : email . email }
2022-07-29 17:44:30 +05:30
expect ( response ) . to have_gitlab_http_status ( :conflict )
expect ( user . reload . email ) . not_to eq ( email . email )
end
end
context 'when the secondary email is unconfirmed' do
let! ( :email ) { create ( :email , email : 'foo@example.com' ) }
it 'does not update email' do
2023-07-09 08:55:56 +05:30
put api ( path , admin , admin_mode : true ) , params : { email : email . email }
2022-07-29 17:44:30 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
expect ( user . reload . email ) . not_to eq ( email . email )
end
end
end
2014-09-02 18:07:02 +05:30
end
2021-06-08 01:23:25 +05:30
describe " PUT /user/:id/credit_card_validation " do
let ( :credit_card_validated_time ) { Time . utc ( 2020 , 1 , 1 ) }
2021-11-18 22:05:49 +05:30
let ( :expiration_year ) { Date . today . year + 10 }
2023-07-09 08:55:56 +05:30
let ( :path ) { " /user/ #{ user . id } /credit_card_validation " }
2021-11-18 22:05:49 +05:30
let ( :params ) do
{
credit_card_validated_at : credit_card_validated_time ,
credit_card_expiration_year : expiration_year ,
credit_card_expiration_month : 1 ,
credit_card_holder_name : 'John Smith' ,
2021-12-11 22:18:48 +05:30
credit_card_type : 'AmericanExpress' ,
2021-11-18 22:05:49 +05:30
credit_card_mask_number : '1111'
}
end
2021-06-08 01:23:25 +05:30
2023-07-09 08:55:56 +05:30
it_behaves_like 'PUT request permissions for admin mode'
2021-06-08 01:23:25 +05:30
context 'when unauthenticated' do
it 'returns authentication error' do
2023-07-09 08:55:56 +05:30
put api ( path ) , params : { }
2021-06-08 01:23:25 +05:30
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
end
end
context 'when authenticated as non-admin' do
2023-06-20 00:43:36 +05:30
it " does not allow updating user's credit card validation " do
2023-07-09 08:55:56 +05:30
put api ( path , user ) , params : params
2021-06-08 01:23:25 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
end
end
context 'when authenticated as admin' do
2023-06-20 00:43:36 +05:30
it " updates user's credit card validation " do
2023-07-09 08:55:56 +05:30
put api ( path , admin , admin_mode : true ) , params : params
2021-11-18 22:05:49 +05:30
user . reload
2021-06-08 01:23:25 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2021-11-18 22:05:49 +05:30
expect ( user . credit_card_validation ) . to have_attributes (
credit_card_validated_at : credit_card_validated_time ,
expiration_date : Date . new ( expiration_year , 1 , 31 ) ,
last_digits : 1111 ,
2021-12-11 22:18:48 +05:30
network : 'AmericanExpress' ,
2021-11-18 22:05:49 +05:30
holder_name : 'John Smith'
)
2021-06-08 01:23:25 +05:30
end
it " returns 400 error if credit_card_validated_at is missing " do
2023-07-09 08:55:56 +05:30
put api ( path , admin , admin_mode : true ) , params : { }
2021-06-08 01:23:25 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
end
it 'returns 404 error if user not found' do
2023-06-20 00:43:36 +05:30
put api ( " /user/ #{ non_existing_record_id } /credit_card_validation " , admin , admin_mode : true ) , params : params
2021-06-08 01:23:25 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
expect ( json_response [ 'message' ] ) . to eq ( '404 User Not Found' )
end
end
end
2020-03-13 15:44:24 +05:30
describe " DELETE /users/:id/identities/:provider " do
let ( :test_user ) { create ( :omniauth_user , provider : 'ldapmain' ) }
2023-07-09 08:55:56 +05:30
let ( :path ) { " /users/ #{ test_user . id } /identities/ldapmain " }
it_behaves_like 'DELETE request permissions for admin mode'
2020-03-13 15:44:24 +05:30
context 'when unauthenticated' do
it 'returns authentication error' do
2023-07-09 08:55:56 +05:30
delete api ( path )
2020-03-13 15:44:24 +05:30
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
end
end
context 'when authenticated' do
it 'deletes identity of given provider' do
expect do
2023-07-09 08:55:56 +05:30
delete api ( path , admin , admin_mode : true )
2020-03-13 15:44:24 +05:30
end . to change { test_user . identities . count } . by ( - 1 )
expect ( response ) . to have_gitlab_http_status ( :no_content )
end
it_behaves_like '412 response' do
2023-07-09 08:55:56 +05:30
let ( :request ) { api ( path , admin , admin_mode : true ) }
2020-03-13 15:44:24 +05:30
end
it 'returns 404 error if user not found' do
2023-07-09 08:55:56 +05:30
delete api ( " /users/ #{ non_existing_record_id } /identities/ldapmain " , admin , admin_mode : true )
2020-03-13 15:44:24 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
expect ( json_response [ 'message' ] ) . to eq ( '404 User Not Found' )
end
it 'returns 404 error if identity not found' do
2023-06-20 00:43:36 +05:30
delete api ( " /users/ #{ test_user . id } /identities/saml " , admin , admin_mode : true )
2020-03-13 15:44:24 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
expect ( json_response [ 'message' ] ) . to eq ( '404 Identity Not Found' )
end
end
end
2014-09-02 18:07:02 +05:30
describe " POST /users/:id/keys " do
2023-07-09 08:55:56 +05:30
let ( :path ) { " /users/ #{ user . id } /keys " }
it_behaves_like 'POST request permissions for admin mode' do
let ( :params ) { attributes_for ( :key , usage_type : :signing ) }
end
2016-09-13 17:45:13 +05:30
it " does not create invalid ssh key " do
2023-07-09 08:55:56 +05:30
post api ( path , admin , admin_mode : true ) , params : { title : " invalid key " }
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
2017-08-17 22:00:37 +05:30
expect ( json_response [ 'error' ] ) . to eq ( 'key is missing' )
2015-04-26 12:48:37 +05:30
end
2016-09-13 17:45:13 +05:30
it 'does not create key without title' do
2023-07-09 08:55:56 +05:30
post api ( path , admin , admin_mode : true ) , params : { key : 'some key' }
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
2017-08-17 22:00:37 +05:30
expect ( json_response [ 'error' ] ) . to eq ( 'title is missing' )
2014-09-02 18:07:02 +05:30
end
2023-06-20 00:43:36 +05:30
it " creates ssh key " do
2023-03-04 22:38:38 +05:30
key_attrs = attributes_for ( :key , usage_type : :signing )
2015-09-11 14:41:01 +05:30
expect do
2023-07-09 08:55:56 +05:30
post api ( path , admin , admin_mode : true ) , params : key_attrs
2017-08-17 22:00:37 +05:30
end . to change { user . keys . count } . by ( 1 )
2023-03-04 22:38:38 +05:30
expect ( response ) . to have_gitlab_http_status ( :created )
key = user . keys . last
expect ( key . title ) . to eq ( key_attrs [ :title ] )
expect ( key . key ) . to eq ( key_attrs [ :key ] )
expect ( key . usage_type ) . to eq ( key_attrs [ :usage_type ] . to_s )
2014-09-02 18:07:02 +05:30
end
2015-09-25 12:07:36 +05:30
2020-06-23 00:09:42 +05:30
it 'creates SSH key with `expires_at` attribute' do
2022-07-16 23:28:13 +05:30
optional_attributes = { expires_at : 3 . weeks . from_now }
2020-06-23 00:09:42 +05:30
attributes = attributes_for ( :key ) . merge ( optional_attributes )
2023-07-09 08:55:56 +05:30
post api ( path , admin , admin_mode : true ) , params : attributes
2020-06-23 00:09:42 +05:30
expect ( response ) . to have_gitlab_http_status ( :created )
2022-07-16 23:28:13 +05:30
expect ( json_response [ 'expires_at' ] . to_date ) . to eq ( optional_attributes [ :expires_at ] . to_date )
2020-06-23 00:09:42 +05:30
end
2016-09-13 17:45:13 +05:30
it " returns 400 for invalid ID " do
2023-07-09 08:55:56 +05:30
post api ( " /users/ #{ non_existing_record_id } /keys " , admin , admin_mode : true )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
2015-09-25 12:07:36 +05:30
end
2014-09-02 18:07:02 +05:30
end
2022-07-23 23:45:48 +05:30
describe 'GET /users/:id/project_deploy_keys' do
let ( :project ) { create ( :project ) }
2023-07-09 08:55:56 +05:30
let ( :path ) { " /users/ #{ user . id } /project_deploy_keys " }
2022-07-23 23:45:48 +05:30
before do
project . add_maintainer ( user )
deploy_key = create ( :deploy_key , user : user )
create ( :deploy_keys_project , project : project , deploy_key_id : deploy_key . id )
end
it 'returns 404 for non-existing user' do
get api ( " /users/ #{ non_existing_record_id } /project_deploy_keys " )
expect ( response ) . to have_gitlab_http_status ( :not_found )
expect ( json_response [ 'message' ] ) . to eq ( '404 User Not Found' )
end
it 'returns array of project deploy keys with pagination' do
2023-07-09 08:55:56 +05:30
get api ( path , user )
2022-07-23 23:45:48 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
expect ( response ) . to include_pagination_headers
expect ( json_response ) . to be_an Array
expect ( json_response . first [ 'title' ] ) . to eq ( user . deploy_keys . first . title )
end
it 'forbids when a developer fetches maintainer keys' do
dev_user = create ( :user )
project . add_developer ( dev_user )
2023-07-09 08:55:56 +05:30
get api ( path , dev_user )
2022-07-23 23:45:48 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
expect ( json_response [ 'message' ] ) . to eq ( '403 Forbidden - No common authorized project found' )
end
context 'with multiple projects' do
let ( :second_project ) { create ( :project ) }
let ( :second_user ) { create ( :user ) }
before do
second_project . add_maintainer ( second_user )
deploy_key = create ( :deploy_key , user : second_user )
create ( :deploy_keys_project , project : second_project , deploy_key_id : deploy_key . id )
end
context 'when no common projects for user and current_user' do
it 'forbids' do
2023-07-09 08:55:56 +05:30
get api ( path , second_user )
2022-07-23 23:45:48 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
expect ( json_response [ 'message' ] ) . to eq ( '403 Forbidden - No common authorized project found' )
end
end
context 'when there are common projects for user and current_user' do
before do
project . add_maintainer ( second_user )
end
2023-07-09 08:55:56 +05:30
let ( :path ) { " /users/ #{ second_user . id } /project_deploy_keys " }
2022-07-23 23:45:48 +05:30
it 'lists only common project keys' do
expect ( second_user . project_deploy_keys ) . to contain_exactly (
project . deploy_keys . first , second_project . deploy_keys . first )
2023-07-09 08:55:56 +05:30
get api ( path , user )
2022-07-23 23:45:48 +05:30
expect ( json_response . count ) . to eq ( 1 )
expect ( json_response . first [ 'key' ] ) . to eq ( project . deploy_keys . first . key )
end
it 'lists only project_deploy_keys and not user deploy_keys' do
third_user = create ( :user )
project . add_maintainer ( third_user )
second_project . add_maintainer ( third_user )
create ( :deploy_key , user : second_user )
create ( :deploy_key , user : third_user )
2023-07-09 08:55:56 +05:30
get api ( path , third_user )
2022-07-23 23:45:48 +05:30
expect ( json_response . count ) . to eq ( 2 )
expect ( [ json_response . first [ 'key' ] , json_response . second [ 'key' ] ] ) . to contain_exactly (
project . deploy_keys . first . key , second_project . deploy_keys . first . key )
end
it 'avoids N+1 queries' do
second_project . add_maintainer ( user )
control_count = ActiveRecord :: QueryRecorder . new do
2023-07-09 08:55:56 +05:30
get api ( path , user )
2022-07-23 23:45:48 +05:30
end . count
deploy_key = create ( :deploy_key , user : second_user )
create ( :deploy_keys_project , project : second_project , deploy_key_id : deploy_key . id )
expect do
2023-07-09 08:55:56 +05:30
get api ( path , user )
2022-07-23 23:45:48 +05:30
end . not_to exceed_query_limit ( control_count )
end
end
end
end
2017-08-17 22:00:37 +05:30
describe 'GET /user/:id/keys' do
2023-07-09 08:55:56 +05:30
subject ( :request ) { get api ( path ) }
let ( :path ) { " /users/ #{ user . id } /keys " }
2018-12-05 23:21:45 +05:30
it 'returns 404 for non-existing user' do
2020-06-23 00:09:42 +05:30
get api ( " /users/ #{ non_existing_record_id } /keys " )
2014-09-02 18:07:02 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2018-12-05 23:21:45 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 User Not Found' )
end
2014-09-02 18:07:02 +05:30
2018-12-05 23:21:45 +05:30
it 'returns array of ssh keys' do
user . keys << key
2017-08-17 22:00:37 +05:30
2023-07-09 08:55:56 +05:30
request
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2018-12-05 23:21:45 +05:30
expect ( response ) . to include_pagination_headers
expect ( json_response ) . to be_an Array
expect ( json_response . first [ 'title' ] ) . to eq ( key . title )
2014-09-02 18:07:02 +05:30
end
2020-06-23 00:09:42 +05:30
it 'returns array of ssh keys with comments replaced with' \
'a simple identifier of username + hostname' do
2023-07-09 08:55:56 +05:30
request
2020-06-23 00:09:42 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
expect ( response ) . to include_pagination_headers
expect ( json_response ) . to be_an Array
keys = json_response . map { | key_detail | key_detail [ 'key' ] }
expect ( keys ) . to all ( include ( " #{ user . name } ( #{ Gitlab . config . gitlab . host } " ) )
end
context 'N+1 queries' do
before do
2023-07-09 08:55:56 +05:30
request
2020-06-23 00:09:42 +05:30
end
it 'avoids N+1 queries' , :request_store do
control_count = ActiveRecord :: QueryRecorder . new ( skip_cached : false ) do
2023-07-09 08:55:56 +05:30
request
2020-06-23 00:09:42 +05:30
end . count
create_list ( :key , 2 , user : user )
expect do
2023-07-09 08:55:56 +05:30
request
2020-06-23 00:09:42 +05:30
end . not_to exceed_all_query_limit ( control_count )
end
end
2014-09-02 18:07:02 +05:30
end
2020-03-13 15:44:24 +05:30
describe 'GET /user/:user_id/keys' do
2023-07-09 08:55:56 +05:30
let ( :path ) { " /users/ #{ user . username } /keys " }
2020-03-13 15:44:24 +05:30
it 'returns 404 for non-existing user' do
2020-06-23 00:09:42 +05:30
get api ( " /users/ #{ non_existing_record_id } /keys " )
2020-03-13 15:44:24 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2020-03-13 15:44:24 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 User Not Found' )
end
it 'returns array of ssh keys' do
user . keys << key
2023-07-09 08:55:56 +05:30
get api ( path )
2020-03-13 15:44:24 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2020-03-13 15:44:24 +05:30
expect ( response ) . to include_pagination_headers
expect ( json_response ) . to be_an Array
expect ( json_response . first [ 'title' ] ) . to eq ( key . title )
end
end
2022-05-07 20:08:51 +05:30
describe 'GET /user/:id/keys/:key_id' do
2023-07-09 08:55:56 +05:30
let ( :path ) { " /users/ #{ user . id } /keys/ #{ key . id } " }
2023-06-20 00:43:36 +05:30
it 'gets existing key' do
2022-05-07 20:08:51 +05:30
user . keys << key
2023-07-09 08:55:56 +05:30
get api ( path )
2022-05-07 20:08:51 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
expect ( json_response [ 'title' ] ) . to eq ( key . title )
end
2023-06-20 00:43:36 +05:30
it 'returns 404 error if user not found' do
2022-05-07 20:08:51 +05:30
user . keys << key
2023-07-09 08:55:56 +05:30
get api ( " /users/ #{ non_existing_record_id } /keys/ #{ key . id } " )
2022-05-07 20:08:51 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
expect ( json_response [ 'message' ] ) . to eq ( '404 User Not Found' )
end
2023-06-20 00:43:36 +05:30
it 'returns 404 error if key not found' do
2022-05-07 20:08:51 +05:30
get api ( " /users/ #{ user . id } /keys/ #{ non_existing_record_id } " )
expect ( response ) . to have_gitlab_http_status ( :not_found )
expect ( json_response [ 'message' ] ) . to eq ( '404 Key Not Found' )
end
end
2017-08-17 22:00:37 +05:30
describe 'DELETE /user/:id/keys/:key_id' do
2023-07-09 08:55:56 +05:30
let ( :path ) { " /users/ #{ user . id } /keys/ #{ key . id } " }
it_behaves_like 'DELETE request permissions for admin mode'
2014-09-02 18:07:02 +05:30
context 'when unauthenticated' do
2016-09-13 17:45:13 +05:30
it 'returns authentication error' do
2020-06-23 00:09:42 +05:30
delete api ( " /users/ #{ user . id } /keys/ #{ non_existing_record_id } " )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2014-09-02 18:07:02 +05:30
end
end
context 'when authenticated' do
2016-09-13 17:45:13 +05:30
it 'deletes existing key' do
2014-09-02 18:07:02 +05:30
user . keys << key
2017-08-17 22:00:37 +05:30
2015-09-11 14:41:01 +05:30
expect do
2023-07-09 08:55:56 +05:30
delete api ( path , admin , admin_mode : true )
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :no_content )
2015-09-11 14:41:01 +05:30
end . to change { user . keys . count } . by ( - 1 )
2014-09-02 18:07:02 +05:30
end
2018-03-17 18:26:18 +05:30
it_behaves_like '412 response' do
2023-07-09 08:55:56 +05:30
let ( :request ) { api ( path , admin , admin_mode : true ) }
2018-03-17 18:26:18 +05:30
end
2016-09-13 17:45:13 +05:30
it 'returns 404 error if user not found' do
2014-09-02 18:07:02 +05:30
user . keys << key
2020-06-23 00:09:42 +05:30
2023-07-09 08:55:56 +05:30
delete api ( " /users/ #{ non_existing_record_id } /keys/ #{ key . id } " , admin , admin_mode : true )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2015-04-26 12:48:37 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 User Not Found' )
2014-09-02 18:07:02 +05:30
end
2016-09-13 17:45:13 +05:30
it 'returns 404 error if key not foud' do
2023-06-20 00:43:36 +05:30
delete api ( " /users/ #{ user . id } /keys/ #{ non_existing_record_id } " , admin , admin_mode : true )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2015-04-26 12:48:37 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 Key Not Found' )
2014-09-02 18:07:02 +05:30
end
end
end
2020-11-24 15:15:51 +05:30
describe 'POST /users/:id/gpg_keys' do
2023-07-09 08:55:56 +05:30
let ( :path ) { " /users/ #{ user . id } /gpg_keys " }
it_behaves_like 'POST request permissions for admin mode' do
let ( :params ) { attributes_for :gpg_key , key : GpgHelpers :: User2 . public_key }
end
2018-03-17 18:26:18 +05:30
it 'does not create invalid GPG key' do
2023-07-09 08:55:56 +05:30
post api ( path , admin , admin_mode : true )
2018-03-17 18:26:18 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
2018-03-17 18:26:18 +05:30
expect ( json_response [ 'error' ] ) . to eq ( 'key is missing' )
end
it 'creates GPG key' do
2020-06-23 00:09:42 +05:30
key_attrs = attributes_for :gpg_key , key : GpgHelpers :: User2 . public_key
2018-03-17 18:26:18 +05:30
expect do
2023-07-09 08:55:56 +05:30
post api ( path , admin , admin_mode : true ) , params : key_attrs
2018-03-17 18:26:18 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :created )
2018-03-17 18:26:18 +05:30
end . to change { user . gpg_keys . count } . by ( 1 )
end
it 'returns 400 for invalid ID' do
2023-07-09 08:55:56 +05:30
post api ( " /users/ #{ non_existing_record_id } /gpg_keys " , admin , admin_mode : true )
2018-03-17 18:26:18 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
2018-03-17 18:26:18 +05:30
end
end
describe 'GET /user/:id/gpg_keys' do
2023-07-09 08:55:56 +05:30
let ( :path ) { " /users/ #{ user . id } /gpg_keys " }
2021-01-03 14:25:43 +05:30
it 'returns 404 for non-existing user' do
2023-07-09 08:55:56 +05:30
get api ( " /users/ #{ non_existing_record_id } /gpg_keys " )
2018-03-17 18:26:18 +05:30
2021-01-03 14:25:43 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
expect ( json_response [ 'message' ] ) . to eq ( '404 User Not Found' )
2018-03-17 18:26:18 +05:30
end
2021-01-03 14:25:43 +05:30
it 'returns array of GPG keys' do
user . gpg_keys << gpg_key
2018-03-17 18:26:18 +05:30
2023-07-09 08:55:56 +05:30
get api ( path )
2018-03-17 18:26:18 +05:30
2021-01-03 14:25:43 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
expect ( response ) . to include_pagination_headers
expect ( json_response ) . to be_an Array
expect ( json_response . first [ 'key' ] ) . to eq ( gpg_key . key )
end
end
2018-03-17 18:26:18 +05:30
2021-01-03 14:25:43 +05:30
describe 'GET /user/:id/gpg_keys/:key_id' do
2023-07-09 08:55:56 +05:30
let ( :path ) { " /users/ #{ user . id } /gpg_keys/ #{ gpg_key . id } " }
2021-01-03 14:25:43 +05:30
it 'returns 404 for non-existing user' do
2023-07-09 08:55:56 +05:30
get api ( " /users/ #{ non_existing_record_id } /gpg_keys/1 " )
2018-03-17 18:26:18 +05:30
2021-01-03 14:25:43 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
expect ( json_response [ 'message' ] ) . to eq ( '404 User Not Found' )
end
2018-03-17 18:26:18 +05:30
2021-01-03 14:25:43 +05:30
it 'returns 404 for non-existing key' do
2023-07-09 08:55:56 +05:30
get api ( " /users/ #{ user . id } /gpg_keys/ #{ non_existing_record_id } " )
2018-03-17 18:26:18 +05:30
2021-01-03 14:25:43 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
expect ( json_response [ 'message' ] ) . to eq ( '404 GPG Key Not Found' )
end
it 'returns a single GPG key' do
user . gpg_keys << gpg_key
2023-07-09 08:55:56 +05:30
get api ( path )
2021-01-03 14:25:43 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
expect ( json_response [ 'key' ] ) . to eq ( gpg_key . key )
2018-03-17 18:26:18 +05:30
end
end
describe 'DELETE /user/:id/gpg_keys/:key_id' do
2023-07-09 08:55:56 +05:30
let ( :path ) { " /users/ #{ user . id } /gpg_keys/ #{ gpg_key . id } " }
it_behaves_like 'DELETE request permissions for admin mode'
2018-03-17 18:26:18 +05:30
context 'when unauthenticated' do
it 'returns authentication error' do
2020-06-23 00:09:42 +05:30
delete api ( " /users/ #{ user . id } /keys/ #{ non_existing_record_id } " )
2018-03-17 18:26:18 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2018-03-17 18:26:18 +05:30
end
end
context 'when authenticated' do
it 'deletes existing key' do
user . gpg_keys << gpg_key
expect do
2023-07-09 08:55:56 +05:30
delete api ( path , admin , admin_mode : true )
2018-03-17 18:26:18 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :no_content )
2018-03-17 18:26:18 +05:30
end . to change { user . gpg_keys . count } . by ( - 1 )
end
it 'returns 404 error if user not found' do
user . keys << key
2023-07-09 08:55:56 +05:30
delete api ( " /users/ #{ non_existing_record_id } /gpg_keys/ #{ gpg_key . id } " , admin , admin_mode : true )
2018-03-17 18:26:18 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2018-03-17 18:26:18 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 User Not Found' )
end
it 'returns 404 error if key not foud' do
2023-06-20 00:43:36 +05:30
delete api ( " /users/ #{ user . id } /gpg_keys/ #{ non_existing_record_id } " , admin , admin_mode : true )
2018-03-17 18:26:18 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2018-03-17 18:26:18 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 GPG Key Not Found' )
end
end
end
describe 'POST /user/:id/gpg_keys/:key_id/revoke' do
2023-07-09 08:55:56 +05:30
let ( :path ) { " /users/ #{ user . id } /gpg_keys/ #{ gpg_key . id } /revoke " }
it_behaves_like 'POST request permissions for admin mode' do
let ( :params ) { { } }
let ( :success_status_code ) { :accepted }
end
2018-03-17 18:26:18 +05:30
context 'when unauthenticated' do
it 'returns authentication error' do
2020-06-23 00:09:42 +05:30
post api ( " /users/ #{ user . id } /gpg_keys/ #{ non_existing_record_id } /revoke " )
2018-03-17 18:26:18 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2018-03-17 18:26:18 +05:30
end
end
context 'when authenticated' do
it 'revokes existing key' do
user . gpg_keys << gpg_key
expect do
2023-07-09 08:55:56 +05:30
post api ( path , admin , admin_mode : true )
2018-03-17 18:26:18 +05:30
expect ( response ) . to have_gitlab_http_status ( :accepted )
end . to change { user . gpg_keys . count } . by ( - 1 )
end
it 'returns 404 error if user not found' do
user . gpg_keys << gpg_key
2023-07-09 08:55:56 +05:30
post api ( " /users/ #{ non_existing_record_id } /gpg_keys/ #{ gpg_key . id } /revoke " , admin , admin_mode : true )
2018-03-17 18:26:18 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2018-03-17 18:26:18 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 User Not Found' )
end
it 'returns 404 error if key not foud' do
2023-06-20 00:43:36 +05:30
post api ( " /users/ #{ user . id } /gpg_keys/ #{ non_existing_record_id } /revoke " , admin , admin_mode : true )
2018-03-17 18:26:18 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2018-03-17 18:26:18 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 GPG Key Not Found' )
end
end
end
2022-06-21 17:19:12 +05:30
describe " POST /users/:id/emails " , :mailer do
2023-07-09 08:55:56 +05:30
let ( :path ) { " /users/ #{ user . id } /emails " }
it_behaves_like 'POST request permissions for admin mode' do
before do
email_attrs [ :skip_confirmation ] = true
end
let ( :email_attrs ) { attributes_for :email }
let ( :params ) { email_attrs }
end
2016-09-13 17:45:13 +05:30
it " does not create invalid email " do
2023-07-09 08:55:56 +05:30
post api ( path , admin , admin_mode : true ) , params : { }
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
2017-08-17 22:00:37 +05:30
expect ( json_response [ 'error' ] ) . to eq ( 'email is missing' )
2015-09-11 14:41:01 +05:30
end
2018-12-05 23:21:45 +05:30
it " creates unverified email " do
2015-09-11 14:41:01 +05:30
email_attrs = attributes_for :email
2022-06-21 17:19:12 +05:30
perform_enqueued_jobs do
expect do
2023-07-09 08:55:56 +05:30
post api ( path , admin , admin_mode : true ) , params : email_attrs
2022-06-21 17:19:12 +05:30
end . to change { user . emails . count } . by ( 1 )
end
2018-12-05 23:21:45 +05:30
2021-04-29 21:17:54 +05:30
expect ( json_response [ 'confirmed_at' ] ) . to be_nil
2022-06-21 17:19:12 +05:30
should_email ( user )
2015-09-11 14:41:01 +05:30
end
2015-09-25 12:07:36 +05:30
2016-11-03 12:29:30 +05:30
it " returns a 400 for invalid ID " do
2023-07-09 08:55:56 +05:30
post api ( " /users/ #{ non_existing_record_id } /emails " , admin , admin_mode : true )
2016-11-03 12:29:30 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
2015-09-25 12:07:36 +05:30
end
2018-12-05 23:21:45 +05:30
it " creates verified email " do
email_attrs = attributes_for :email
email_attrs [ :skip_confirmation ] = true
2023-07-09 08:55:56 +05:30
post api ( path , admin , admin_mode : true ) , params : email_attrs
2018-12-05 23:21:45 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :created )
2018-12-05 23:21:45 +05:30
2021-04-29 21:17:54 +05:30
expect ( json_response [ 'confirmed_at' ] ) . not_to be_nil
2018-12-05 23:21:45 +05:30
end
2022-07-29 17:44:30 +05:30
context 'when user with a primary email exists' do
context 'when the primary email is confirmed' do
let! ( :confirmed_user ) { create ( :user , email : 'foo@example.com' ) }
it 'returns 400 error' do
2023-07-09 08:55:56 +05:30
post api ( path , admin , admin_mode : true ) , params : { email : confirmed_user . email }
2022-07-29 17:44:30 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
end
end
context 'when the primary email is unconfirmed' do
let! ( :unconfirmed_user ) { create ( :user , :unconfirmed , email : 'foo@example.com' ) }
it 'returns 400 error' do
2023-07-09 08:55:56 +05:30
post api ( path , admin , admin_mode : true ) , params : { email : unconfirmed_user . email }
2022-07-29 17:44:30 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
end
end
end
context 'when user with a secondary email exists' do
context 'when the secondary email is confirmed' do
let! ( :email ) { create ( :email , :confirmed , email : 'foo@example.com' ) }
it 'returns 400 error' do
2023-07-09 08:55:56 +05:30
post api ( path , admin , admin_mode : true ) , params : { email : email . email }
2022-07-29 17:44:30 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
end
end
context 'when the secondary email is unconfirmed' do
let! ( :email ) { create ( :email , email : 'foo@example.com' ) }
it 'returns 400 error' do
2023-07-09 08:55:56 +05:30
post api ( path , admin , admin_mode : true ) , params : { email : email . email }
2022-07-29 17:44:30 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
end
end
end
2015-09-11 14:41:01 +05:30
end
2017-08-17 22:00:37 +05:30
describe 'GET /user/:id/emails' do
2023-07-09 08:55:56 +05:30
let ( :path ) { " /users/ #{ user . id } /emails " }
2015-09-11 14:41:01 +05:30
context 'when unauthenticated' do
2016-09-13 17:45:13 +05:30
it 'returns authentication error' do
2023-07-09 08:55:56 +05:30
get api ( path )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2015-09-11 14:41:01 +05:30
end
end
context 'when authenticated' do
2016-09-13 17:45:13 +05:30
it 'returns 404 for non-existing user' do
2023-07-09 08:55:56 +05:30
get api ( " /users/ #{ non_existing_record_id } /emails " , admin , admin_mode : true )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2015-09-11 14:41:01 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 User Not Found' )
end
2016-09-13 17:45:13 +05:30
it 'returns array of emails' do
2015-09-11 14:41:01 +05:30
user . emails << email
2017-08-17 22:00:37 +05:30
2023-07-09 08:55:56 +05:30
get api ( path , admin , admin_mode : true )
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2017-08-17 22:00:37 +05:30
expect ( response ) . to include_pagination_headers
2015-09-11 14:41:01 +05:30
expect ( json_response ) . to be_an Array
2021-12-11 22:18:48 +05:30
expect ( json_response . first [ 'email' ] ) . to eq ( user . email )
expect ( json_response . second [ 'email' ] ) . to eq ( email . email )
2015-09-11 14:41:01 +05:30
end
2015-09-25 12:07:36 +05:30
2016-11-03 12:29:30 +05:30
it " returns a 404 for invalid ID " do
2023-06-20 00:43:36 +05:30
get api ( " /users/ASDF/emails " , admin , admin_mode : true )
2016-11-03 12:29:30 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2015-09-25 12:07:36 +05:30
end
2015-09-11 14:41:01 +05:30
end
end
2017-08-17 22:00:37 +05:30
describe 'DELETE /user/:id/emails/:email_id' do
2023-07-09 08:55:56 +05:30
let ( :path ) { " /users/ #{ user . id } /emails/ #{ email . id } " }
it_behaves_like 'DELETE request permissions for admin mode'
2015-09-11 14:41:01 +05:30
context 'when unauthenticated' do
2016-09-13 17:45:13 +05:30
it 'returns authentication error' do
2020-06-23 00:09:42 +05:30
delete api ( " /users/ #{ user . id } /emails/ #{ non_existing_record_id } " )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2015-09-11 14:41:01 +05:30
end
end
context 'when authenticated' do
2016-09-13 17:45:13 +05:30
it 'deletes existing email' do
2015-09-11 14:41:01 +05:30
user . emails << email
2017-08-17 22:00:37 +05:30
2015-09-11 14:41:01 +05:30
expect do
2023-07-09 08:55:56 +05:30
delete api ( path , admin , admin_mode : true )
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :no_content )
2015-09-11 14:41:01 +05:30
end . to change { user . emails . count } . by ( - 1 )
end
2018-03-17 18:26:18 +05:30
it_behaves_like '412 response' do
2023-07-09 08:55:56 +05:30
subject ( :request ) { api ( path , admin , admin_mode : true ) }
2018-03-17 18:26:18 +05:30
end
2016-09-13 17:45:13 +05:30
it 'returns 404 error if user not found' do
2015-09-11 14:41:01 +05:30
user . emails << email
2020-06-23 00:09:42 +05:30
2023-07-09 08:55:56 +05:30
delete api ( " /users/ #{ non_existing_record_id } /emails/ #{ email . id } " , admin , admin_mode : true )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2015-09-11 14:41:01 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 User Not Found' )
end
2016-09-13 17:45:13 +05:30
it 'returns 404 error if email not foud' do
2023-06-20 00:43:36 +05:30
delete api ( " /users/ #{ user . id } /emails/ #{ non_existing_record_id } " , admin , admin_mode : true )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2015-09-11 14:41:01 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 Email Not Found' )
end
2015-09-25 12:07:36 +05:30
2016-11-03 12:29:30 +05:30
it " returns a 404 for invalid ID " do
delete api ( " /users/ASDF/emails/bar " , admin )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2015-09-25 12:07:36 +05:30
end
2015-09-11 14:41:01 +05:30
end
end
2014-09-02 18:07:02 +05:30
describe " DELETE /users/:id " do
2020-06-23 00:09:42 +05:30
let_it_be ( :issue ) { create ( :issue , author : user ) }
2023-07-09 08:55:56 +05:30
let ( :path ) { " /users/ #{ user . id } " }
it_behaves_like 'DELETE request permissions for admin mode'
2014-09-02 18:07:02 +05:30
2023-01-13 00:05:48 +05:30
it " deletes user " , :sidekiq_inline do
2023-07-09 08:55:56 +05:30
perform_enqueued_jobs { delete api ( path , admin , admin_mode : true ) }
2022-10-11 01:57:18 +05:30
2023-01-13 00:05:48 +05:30
expect ( response ) . to have_gitlab_http_status ( :no_content )
expect ( Users :: GhostUserMigration . where ( user : user ,
initiator_user : admin ) ) . to be_exists
2014-09-02 18:07:02 +05:30
end
2020-01-01 13:55:28 +05:30
context " sole owner of a group " do
let! ( :group ) { create ( :group ) . tap { | group | group . add_owner ( user ) } }
context " hard delete disabled " do
it " does not delete user " do
2023-07-09 08:55:56 +05:30
perform_enqueued_jobs { delete api ( path , admin , admin_mode : true ) }
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :conflict )
2020-01-01 13:55:28 +05:30
end
end
context " hard delete enabled " do
2022-07-16 23:28:13 +05:30
it " delete user and group " , :sidekiq_inline do
2023-06-20 00:43:36 +05:30
perform_enqueued_jobs { delete api ( " /users/ #{ user . id } ?hard_delete=true " , admin , admin_mode : true ) }
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :no_content )
2020-01-01 13:55:28 +05:30
expect ( Group . exists? ( group . id ) ) . to be_falsy
end
2022-07-16 23:28:13 +05:30
context " with subgroup owning " do
let ( :parent_group ) { create ( :group ) }
let ( :subgroup ) { create ( :group , parent : parent_group ) }
before do
parent_group . add_owner ( create ( :user ) )
subgroup . add_owner ( user )
end
it " delete only user " , :sidekiq_inline do
2023-06-20 00:43:36 +05:30
perform_enqueued_jobs { delete api ( " /users/ #{ user . id } ?hard_delete=true " , admin , admin_mode : true ) }
2022-07-16 23:28:13 +05:30
expect ( response ) . to have_gitlab_http_status ( :no_content )
expect ( Group . exists? ( subgroup . id ) ) . to be_truthy
end
end
2020-01-01 13:55:28 +05:30
end
end
2018-03-17 18:26:18 +05:30
it_behaves_like '412 response' do
2023-07-09 08:55:56 +05:30
let ( :request ) { api ( path , admin , admin_mode : true ) }
2018-03-17 18:26:18 +05:30
end
2016-09-13 17:45:13 +05:30
it " does not delete for unauthenticated user " do
2023-07-09 08:55:56 +05:30
perform_enqueued_jobs { delete api ( path ) }
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2014-09-02 18:07:02 +05:30
end
2016-09-13 17:45:13 +05:30
it " is not available for non admin users " do
2023-07-09 08:55:56 +05:30
perform_enqueued_jobs { delete api ( path , user ) }
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2014-09-02 18:07:02 +05:30
end
2016-09-13 17:45:13 +05:30
it " returns 404 for non-existing user " do
2023-07-09 08:55:56 +05:30
perform_enqueued_jobs { delete api ( " /users/ #{ non_existing_record_id } " , admin , admin_mode : true ) }
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2015-04-26 12:48:37 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 User Not Found' )
2014-09-02 18:07:02 +05:30
end
2015-09-25 12:07:36 +05:30
2016-11-03 12:29:30 +05:30
it " returns a 404 for invalid ID " do
2023-06-20 00:43:36 +05:30
perform_enqueued_jobs { delete api ( " /users/ASDF " , admin , admin_mode : true ) }
2016-11-03 12:29:30 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2015-09-25 12:07:36 +05:30
end
2017-09-10 17:25:29 +05:30
2023-01-13 00:05:48 +05:30
context " hard delete disabled " do
it " moves contributions to the ghost user " , :sidekiq_might_not_need_inline do
2023-07-09 08:55:56 +05:30
perform_enqueued_jobs { delete api ( path , admin , admin_mode : true ) }
2022-10-11 01:57:18 +05:30
2023-01-13 00:05:48 +05:30
expect ( response ) . to have_gitlab_http_status ( :no_content )
expect ( issue . reload ) . to be_persisted
expect ( Users :: GhostUserMigration . where ( user : user ,
initiator_user : admin ,
hard_delete : false ) ) . to be_exists
2017-09-10 17:25:29 +05:30
end
2023-01-13 00:05:48 +05:30
end
2017-09-10 17:25:29 +05:30
2023-01-13 00:05:48 +05:30
context " hard delete enabled " do
it " removes contributions " , :sidekiq_might_not_need_inline do
2023-06-20 00:43:36 +05:30
perform_enqueued_jobs { delete api ( " /users/ #{ user . id } ?hard_delete=true " , admin , admin_mode : true ) }
2022-10-11 01:57:18 +05:30
2023-01-13 00:05:48 +05:30
expect ( response ) . to have_gitlab_http_status ( :no_content )
expect ( Users :: GhostUserMigration . where ( user : user ,
initiator_user : admin ,
hard_delete : true ) ) . to be_exists
2017-09-10 17:25:29 +05:30
end
end
2014-09-02 18:07:02 +05:30
end
describe " GET /user " do
2023-07-09 08:55:56 +05:30
let ( :path ) { '/user' }
2018-11-08 19:23:39 +05:30
shared_examples 'get user info' do | version |
context 'with regular user' do
context 'with personal access token' do
2020-06-23 00:09:42 +05:30
let ( :personal_access_token ) { create ( :personal_access_token , user : user ) . token }
2018-11-08 19:23:39 +05:30
it 'returns 403 without private token when sudo is defined' do
get api ( " /user?private_token= #{ personal_access_token } &sudo=123 " , version : version )
2017-01-15 13:20:01 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2018-11-08 19:23:39 +05:30
end
2017-01-15 13:20:01 +05:30
end
2018-11-08 19:23:39 +05:30
it 'returns current user without private token when sudo not defined' do
2023-07-09 08:55:56 +05:30
get api ( path , user , version : version )
2017-01-15 13:20:01 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2018-11-08 19:23:39 +05:30
expect ( response ) . to match_response_schema ( 'public_api/v4/user/public' )
expect ( json_response [ 'id' ] ) . to eq ( user . id )
end
2017-09-10 17:25:29 +05:30
2018-11-08 19:23:39 +05:30
context " scopes " do
let ( :api_call ) { method ( :api ) }
2017-09-10 17:25:29 +05:30
2018-11-08 19:23:39 +05:30
include_examples 'allows the "read_user" scope' , version
end
2017-09-10 17:25:29 +05:30
end
2014-09-02 18:07:02 +05:30
2018-11-08 19:23:39 +05:30
context 'with admin' do
2023-06-20 00:43:36 +05:30
let ( :admin_personal_access_token ) { create ( :personal_access_token , :admin_mode , user : admin ) . token }
2017-01-15 13:20:01 +05:30
2018-11-08 19:23:39 +05:30
context 'with personal access token' do
it 'returns 403 without private token when sudo defined' do
get api ( " /user?private_token= #{ admin_personal_access_token } &sudo= #{ user . id } " , version : version )
2017-01-15 13:20:01 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2018-11-08 19:23:39 +05:30
end
2017-01-15 13:20:01 +05:30
2018-11-08 19:23:39 +05:30
it 'returns initial current user without private token but with is_admin when sudo not defined' do
get api ( " /user?private_token= #{ admin_personal_access_token } " , version : version )
2017-01-15 13:20:01 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2018-11-08 19:23:39 +05:30
expect ( response ) . to match_response_schema ( 'public_api/v4/user/admin' )
expect ( json_response [ 'id' ] ) . to eq ( admin . id )
end
2017-01-15 13:20:01 +05:30
end
end
2018-11-08 19:23:39 +05:30
context 'with unauthenticated user' do
it " returns 401 error if user is unauthenticated " do
2023-07-09 08:55:56 +05:30
get api ( path , version : version )
2017-01-15 13:20:01 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2018-11-08 19:23:39 +05:30
end
2017-01-15 13:20:01 +05:30
end
2014-09-02 18:07:02 +05:30
end
2018-11-08 19:23:39 +05:30
it_behaves_like 'get user info' , 'v3'
it_behaves_like 'get user info' , 'v4'
2014-09-02 18:07:02 +05:30
end
2021-09-04 01:27:46 +05:30
describe " GET /user/preferences " do
2023-07-09 08:55:56 +05:30
let ( :path ) { '/user/preferences' }
2021-09-04 01:27:46 +05:30
context " when unauthenticated " do
it " returns authentication error " do
2023-07-09 08:55:56 +05:30
get api ( path )
2021-09-04 01:27:46 +05:30
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
end
end
context " when authenticated " do
it " returns user preferences " do
user . user_preference . view_diffs_file_by_file = false
user . user_preference . show_whitespace_in_diffs = true
user . save!
2023-07-09 08:55:56 +05:30
get api ( path , user )
2021-09-04 01:27:46 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
expect ( json_response [ " view_diffs_file_by_file " ] ) . to eq ( user . user_preference . view_diffs_file_by_file )
expect ( json_response [ " show_whitespace_in_diffs " ] ) . to eq ( user . user_preference . show_whitespace_in_diffs )
end
end
end
2014-09-02 18:07:02 +05:30
describe " GET /user/keys " do
2023-07-09 08:55:56 +05:30
subject ( :request ) { get api ( path , user ) }
let ( :path ) { " /user/keys " }
2014-09-02 18:07:02 +05:30
context " when unauthenticated " do
2016-09-13 17:45:13 +05:30
it " returns authentication error " do
2014-09-02 18:07:02 +05:30
get api ( " /user/keys " )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2014-09-02 18:07:02 +05:30
end
end
context " when authenticated " do
2016-09-13 17:45:13 +05:30
it " returns array of ssh keys " do
2014-09-02 18:07:02 +05:30
user . keys << key
2017-08-17 22:00:37 +05:30
2023-07-09 08:55:56 +05:30
request
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2017-08-17 22:00:37 +05:30
expect ( response ) . to include_pagination_headers
2015-04-26 12:48:37 +05:30
expect ( json_response ) . to be_an Array
expect ( json_response . first [ " title " ] ) . to eq ( key . title )
2014-09-02 18:07:02 +05:30
end
2017-09-10 17:25:29 +05:30
2020-06-23 00:09:42 +05:30
it 'returns array of ssh keys with comments replaced with' \
'a simple identifier of username + hostname' do
2023-07-09 08:55:56 +05:30
request
2020-06-23 00:09:42 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
expect ( response ) . to include_pagination_headers
expect ( json_response ) . to be_an Array
keys = json_response . map { | key_detail | key_detail [ 'key' ] }
expect ( keys ) . to all ( include ( " #{ user . name } ( #{ Gitlab . config . gitlab . host } " ) )
end
context 'N+1 queries' do
before do
2023-07-09 08:55:56 +05:30
request
2020-06-23 00:09:42 +05:30
end
it 'avoids N+1 queries' , :request_store do
control_count = ActiveRecord :: QueryRecorder . new ( skip_cached : false ) do
2023-07-09 08:55:56 +05:30
request
2020-06-23 00:09:42 +05:30
end . count
create_list ( :key , 2 , user : user )
expect do
2023-07-09 08:55:56 +05:30
request
2020-06-23 00:09:42 +05:30
end . not_to exceed_all_query_limit ( control_count )
end
end
2017-09-10 17:25:29 +05:30
context " scopes " do
let ( :api_call ) { method ( :api ) }
include_examples 'allows the "read_user" scope'
end
2014-09-02 18:07:02 +05:30
end
end
2017-08-17 22:00:37 +05:30
describe " GET /user/keys/:key_id " do
2023-07-09 08:55:56 +05:30
let ( :path ) { " /user/keys/ #{ key . id } " }
2016-09-13 17:45:13 +05:30
it " returns single key " do
2014-09-02 18:07:02 +05:30
user . keys << key
2020-06-23 00:09:42 +05:30
2023-07-09 08:55:56 +05:30
get api ( path , user )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2015-04-26 12:48:37 +05:30
expect ( json_response [ " title " ] ) . to eq ( key . title )
2014-09-02 18:07:02 +05:30
end
2020-06-23 00:09:42 +05:30
it 'exposes SSH key comment as a simple identifier of username + hostname' do
2023-07-09 08:55:56 +05:30
get api ( path , user )
2020-06-23 00:09:42 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
expect ( json_response [ 'key' ] ) . to include ( " #{ key . user_name } ( #{ Gitlab . config . gitlab . host } ) " )
end
2016-09-13 17:45:13 +05:30
it " returns 404 Not Found within invalid ID " do
2020-06-23 00:09:42 +05:30
get api ( " /user/keys/ #{ non_existing_record_id } " , user )
2016-11-03 12:29:30 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2017-08-17 22:00:37 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 Key Not Found' )
2014-09-02 18:07:02 +05:30
end
2016-09-13 17:45:13 +05:30
it " returns 404 error if admin accesses user's ssh key " do
2014-09-02 18:07:02 +05:30
user . keys << key
admin
2020-06-23 00:09:42 +05:30
2023-07-09 08:55:56 +05:30
get api ( path , admin , admin_mode : true )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2017-08-17 22:00:37 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 Key Not Found' )
2014-09-02 18:07:02 +05:30
end
2015-09-25 12:07:36 +05:30
2016-09-13 17:45:13 +05:30
it " returns 404 for invalid ID " do
2023-06-20 00:43:36 +05:30
get api ( " /users/keys/ASDF " , admin , admin_mode : true )
2016-11-03 12:29:30 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2015-09-25 12:07:36 +05:30
end
2017-09-10 17:25:29 +05:30
context " scopes " do
let ( :api_call ) { method ( :api ) }
include_examples 'allows the "read_user" scope'
end
2014-09-02 18:07:02 +05:30
end
describe " POST /user/keys " do
2023-07-09 08:55:56 +05:30
let ( :path ) { " /user/keys " }
2023-06-20 00:43:36 +05:30
it " creates ssh key " do
2023-03-04 22:38:38 +05:30
key_attrs = attributes_for ( :key , usage_type : :signing )
2015-09-11 14:41:01 +05:30
expect do
2023-07-09 08:55:56 +05:30
post api ( path , user ) , params : key_attrs
2017-08-17 22:00:37 +05:30
end . to change { user . keys . count } . by ( 1 )
2023-03-04 22:38:38 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :created )
2023-03-04 22:38:38 +05:30
key = user . keys . last
expect ( key . title ) . to eq ( key_attrs [ :title ] )
expect ( key . key ) . to eq ( key_attrs [ :key ] )
expect ( key . usage_type ) . to eq ( key_attrs [ :usage_type ] . to_s )
2014-09-02 18:07:02 +05:30
end
2020-06-23 00:09:42 +05:30
it 'creates SSH key with `expires_at` attribute' do
2022-07-16 23:28:13 +05:30
optional_attributes = { expires_at : 3 . weeks . from_now }
2020-06-23 00:09:42 +05:30
attributes = attributes_for ( :key ) . merge ( optional_attributes )
2023-07-09 08:55:56 +05:30
post api ( path , user ) , params : attributes
2020-06-23 00:09:42 +05:30
expect ( response ) . to have_gitlab_http_status ( :created )
2022-07-16 23:28:13 +05:30
expect ( json_response [ 'expires_at' ] . to_date ) . to eq ( optional_attributes [ :expires_at ] . to_date )
2020-06-23 00:09:42 +05:30
end
2016-09-13 17:45:13 +05:30
it " returns a 401 error if unauthorized " do
2023-07-09 08:55:56 +05:30
post api ( path ) , params : { title : 'some title' , key : 'some key' }
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2014-09-02 18:07:02 +05:30
end
2016-09-13 17:45:13 +05:30
it " does not create ssh key without key " do
2023-07-09 08:55:56 +05:30
post api ( path , user ) , params : { title : 'title' }
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
2017-08-17 22:00:37 +05:30
expect ( json_response [ 'error' ] ) . to eq ( 'key is missing' )
2015-04-26 12:48:37 +05:30
end
2016-09-13 17:45:13 +05:30
it 'does not create ssh key without title' do
2019-02-15 15:39:39 +05:30
post api ( '/user/keys' , user ) , params : { key : 'some key' }
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
2017-08-17 22:00:37 +05:30
expect ( json_response [ 'error' ] ) . to eq ( 'title is missing' )
2014-09-02 18:07:02 +05:30
end
2016-09-13 17:45:13 +05:30
it " does not create ssh key without title " do
2023-07-09 08:55:56 +05:30
post api ( path , user ) , params : { key : " somekey " }
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
2014-09-02 18:07:02 +05:30
end
end
2017-08-17 22:00:37 +05:30
describe " DELETE /user/keys/:key_id " do
2023-07-09 08:55:56 +05:30
let ( :path ) { " /user/keys/ #{ key . id } " }
2016-09-13 17:45:13 +05:30
it " deletes existed key " do
2014-09-02 18:07:02 +05:30
user . keys << key
2017-08-17 22:00:37 +05:30
2015-09-11 14:41:01 +05:30
expect do
2023-07-09 08:55:56 +05:30
delete api ( path , user )
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :no_content )
2021-01-29 00:20:46 +05:30
end . to change { user . keys . count } . by ( - 1 )
2014-09-02 18:07:02 +05:30
end
2018-03-17 18:26:18 +05:30
it_behaves_like '412 response' do
2023-07-09 08:55:56 +05:30
let ( :request ) { api ( path , user ) }
2018-03-17 18:26:18 +05:30
end
2017-08-17 22:00:37 +05:30
it " returns 404 if key ID not found " do
2020-06-23 00:09:42 +05:30
delete api ( " /user/keys/ #{ non_existing_record_id } " , user )
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2017-08-17 22:00:37 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 Key Not Found' )
2014-09-02 18:07:02 +05:30
end
2016-09-13 17:45:13 +05:30
it " returns 401 error if unauthorized " do
2014-09-02 18:07:02 +05:30
user . keys << key
2020-06-23 00:09:42 +05:30
2023-07-09 08:55:56 +05:30
delete api ( path )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2014-09-02 18:07:02 +05:30
end
2015-09-25 12:07:36 +05:30
2016-11-03 12:29:30 +05:30
it " returns a 404 for invalid ID " do
2023-06-20 00:43:36 +05:30
delete api ( " /users/keys/ASDF " , admin , admin_mode : true )
2016-11-03 12:29:30 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2018-03-17 18:26:18 +05:30
end
end
describe 'GET /user/gpg_keys' do
2023-07-09 08:55:56 +05:30
let ( :path ) { '/user/gpg_keys' }
2018-03-17 18:26:18 +05:30
context 'when unauthenticated' do
it 'returns authentication error' do
2023-07-09 08:55:56 +05:30
get api ( path )
2018-03-17 18:26:18 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2018-03-17 18:26:18 +05:30
end
end
context 'when authenticated' do
it 'returns array of GPG keys' do
user . gpg_keys << gpg_key
2023-07-09 08:55:56 +05:30
get api ( path , user )
2018-03-17 18:26:18 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2018-03-17 18:26:18 +05:30
expect ( response ) . to include_pagination_headers
expect ( json_response ) . to be_an Array
expect ( json_response . first [ 'key' ] ) . to eq ( gpg_key . key )
end
context 'scopes' do
let ( :api_call ) { method ( :api ) }
include_examples 'allows the "read_user" scope'
end
end
end
describe 'GET /user/gpg_keys/:key_id' do
2023-07-09 08:55:56 +05:30
let ( :path ) { " /user/gpg_keys/ #{ gpg_key . id } " }
2018-03-17 18:26:18 +05:30
it 'returns a single key' do
user . gpg_keys << gpg_key
2023-07-09 08:55:56 +05:30
get api ( path , user )
2018-03-17 18:26:18 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2018-03-17 18:26:18 +05:30
expect ( json_response [ 'key' ] ) . to eq ( gpg_key . key )
end
it 'returns 404 Not Found within invalid ID' do
2020-06-23 00:09:42 +05:30
get api ( " /user/gpg_keys/ #{ non_existing_record_id } " , user )
2018-03-17 18:26:18 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2018-03-17 18:26:18 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 GPG Key Not Found' )
end
it " returns 404 error if admin accesses user's GPG key " do
user . gpg_keys << gpg_key
2023-07-09 08:55:56 +05:30
get api ( path , admin , admin_mode : true )
2018-03-17 18:26:18 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2018-03-17 18:26:18 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 GPG Key Not Found' )
end
it 'returns 404 for invalid ID' do
2023-06-20 00:43:36 +05:30
get api ( '/users/gpg_keys/ASDF' , admin , admin_mode : true )
2018-03-17 18:26:18 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2018-03-17 18:26:18 +05:30
end
context 'scopes' do
let ( :api_call ) { method ( :api ) }
include_examples 'allows the "read_user" scope'
end
end
describe 'POST /user/gpg_keys' do
2023-07-09 08:55:56 +05:30
let ( :path ) { '/user/gpg_keys' }
2018-03-17 18:26:18 +05:30
it 'creates a GPG key' do
2020-06-23 00:09:42 +05:30
key_attrs = attributes_for :gpg_key , key : GpgHelpers :: User2 . public_key
2018-03-17 18:26:18 +05:30
expect do
2023-07-09 08:55:56 +05:30
post api ( path , user ) , params : key_attrs
2018-03-17 18:26:18 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :created )
2018-03-17 18:26:18 +05:30
end . to change { user . gpg_keys . count } . by ( 1 )
end
it 'returns a 401 error if unauthorized' do
2023-07-09 08:55:56 +05:30
post api ( path ) , params : { key : 'some key' }
2018-03-17 18:26:18 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2018-03-17 18:26:18 +05:30
end
it 'does not create GPG key without key' do
2023-07-09 08:55:56 +05:30
post api ( path , user )
2018-03-17 18:26:18 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
2018-03-17 18:26:18 +05:30
expect ( json_response [ 'error' ] ) . to eq ( 'key is missing' )
end
end
describe 'POST /user/gpg_keys/:key_id/revoke' do
it 'revokes existing GPG key' do
user . gpg_keys << gpg_key
expect do
post api ( " /user/gpg_keys/ #{ gpg_key . id } /revoke " , user )
expect ( response ) . to have_gitlab_http_status ( :accepted )
2021-01-29 00:20:46 +05:30
end . to change { user . gpg_keys . count } . by ( - 1 )
2018-03-17 18:26:18 +05:30
end
it 'returns 404 if key ID not found' do
2020-06-23 00:09:42 +05:30
post api ( " /user/gpg_keys/ #{ non_existing_record_id } /revoke " , user )
2018-03-17 18:26:18 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2018-03-17 18:26:18 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 GPG Key Not Found' )
end
it 'returns 401 error if unauthorized' do
user . gpg_keys << gpg_key
post api ( " /user/gpg_keys/ #{ gpg_key . id } /revoke " )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2018-03-17 18:26:18 +05:30
end
it 'returns a 404 for invalid ID' do
2023-06-20 00:43:36 +05:30
post api ( '/users/gpg_keys/ASDF/revoke' , admin , admin_mode : true )
2018-03-17 18:26:18 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2018-03-17 18:26:18 +05:30
end
end
describe 'DELETE /user/gpg_keys/:key_id' do
2023-07-09 08:55:56 +05:30
let ( :path ) { " /user/gpg_keys/ #{ gpg_key . id } " }
2018-03-17 18:26:18 +05:30
it 'deletes existing GPG key' do
user . gpg_keys << gpg_key
expect do
2023-07-09 08:55:56 +05:30
delete api ( path , user )
2018-03-17 18:26:18 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :no_content )
2021-01-29 00:20:46 +05:30
end . to change { user . gpg_keys . count } . by ( - 1 )
2018-03-17 18:26:18 +05:30
end
it 'returns 404 if key ID not found' do
2020-06-23 00:09:42 +05:30
delete api ( " /user/gpg_keys/ #{ non_existing_record_id } " , user )
2018-03-17 18:26:18 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2018-03-17 18:26:18 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 GPG Key Not Found' )
end
it 'returns 401 error if unauthorized' do
user . gpg_keys << gpg_key
2023-07-09 08:55:56 +05:30
delete api ( path )
2018-03-17 18:26:18 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2018-03-17 18:26:18 +05:30
end
it 'returns a 404 for invalid ID' do
2023-06-20 00:43:36 +05:30
delete api ( '/users/gpg_keys/ASDF' , admin , admin_mode : true )
2018-03-17 18:26:18 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2015-09-25 12:07:36 +05:30
end
2014-09-02 18:07:02 +05:30
end
2015-09-11 14:41:01 +05:30
describe " GET /user/emails " do
2023-07-09 08:55:56 +05:30
let ( :path ) { '/user/emails' }
2015-09-11 14:41:01 +05:30
context " when unauthenticated " do
2016-09-13 17:45:13 +05:30
it " returns authentication error " do
2023-07-09 08:55:56 +05:30
get api ( path )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2015-09-11 14:41:01 +05:30
end
end
context " when authenticated " do
2016-09-13 17:45:13 +05:30
it " returns array of emails " do
2015-09-11 14:41:01 +05:30
user . emails << email
2017-08-17 22:00:37 +05:30
2023-07-09 08:55:56 +05:30
get api ( path , user )
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2017-08-17 22:00:37 +05:30
expect ( response ) . to include_pagination_headers
2015-09-11 14:41:01 +05:30
expect ( json_response ) . to be_an Array
2021-12-11 22:18:48 +05:30
expect ( json_response . first [ 'email' ] ) . to eq ( user . email )
expect ( json_response . second [ 'email' ] ) . to eq ( email . email )
2015-09-11 14:41:01 +05:30
end
2017-09-10 17:25:29 +05:30
context " scopes " do
let ( :api_call ) { method ( :api ) }
include_examples 'allows the "read_user" scope'
end
2015-09-11 14:41:01 +05:30
end
end
2017-08-17 22:00:37 +05:30
describe " GET /user/emails/:email_id " do
2023-07-09 08:55:56 +05:30
let ( :path ) { " /user/emails/ #{ email . id } " }
2016-09-13 17:45:13 +05:30
it " returns single email " do
2015-09-11 14:41:01 +05:30
user . emails << email
2020-06-23 00:09:42 +05:30
2023-07-09 08:55:56 +05:30
get api ( path , user )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2015-09-11 14:41:01 +05:30
expect ( json_response [ " email " ] ) . to eq ( email . email )
end
2016-09-13 17:45:13 +05:30
it " returns 404 Not Found within invalid ID " do
2020-06-23 00:09:42 +05:30
get api ( " /user/emails/ #{ non_existing_record_id } " , user )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2017-08-17 22:00:37 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 Email Not Found' )
2015-09-11 14:41:01 +05:30
end
2016-09-13 17:45:13 +05:30
it " returns 404 error if admin accesses user's email " do
2015-09-11 14:41:01 +05:30
user . emails << email
admin
2020-06-23 00:09:42 +05:30
2023-07-09 08:55:56 +05:30
get api ( path , admin , admin_mode : true )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2017-08-17 22:00:37 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 Email Not Found' )
2015-09-11 14:41:01 +05:30
end
2015-09-25 12:07:36 +05:30
2016-09-13 17:45:13 +05:30
it " returns 404 for invalid ID " do
2023-06-20 00:43:36 +05:30
get api ( " /users/emails/ASDF " , admin , admin_mode : true )
2016-11-03 12:29:30 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2015-09-25 12:07:36 +05:30
end
2017-09-10 17:25:29 +05:30
context " scopes " do
let ( :api_call ) { method ( :api ) }
include_examples 'allows the "read_user" scope'
end
2015-09-11 14:41:01 +05:30
end
describe " POST /user/emails " do
2023-07-09 08:55:56 +05:30
let ( :path ) { '/user/emails' }
2016-09-13 17:45:13 +05:30
it " creates email " do
2015-09-11 14:41:01 +05:30
email_attrs = attributes_for :email
expect do
2023-07-09 08:55:56 +05:30
post api ( path , user ) , params : email_attrs
2017-08-17 22:00:37 +05:30
end . to change { user . emails . count } . by ( 1 )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :created )
2015-09-11 14:41:01 +05:30
end
2016-09-13 17:45:13 +05:30
it " returns a 401 error if unauthorized " do
2023-07-09 08:55:56 +05:30
post api ( path ) , params : { email : 'some email' }
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2015-09-11 14:41:01 +05:30
end
2016-09-13 17:45:13 +05:30
it " does not create email with invalid email " do
2023-07-09 08:55:56 +05:30
post api ( path , user ) , params : { }
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
2017-08-17 22:00:37 +05:30
expect ( json_response [ 'error' ] ) . to eq ( 'email is missing' )
2015-09-11 14:41:01 +05:30
end
end
2017-08-17 22:00:37 +05:30
describe " DELETE /user/emails/:email_id " do
2023-07-09 08:55:56 +05:30
let ( :path ) { " /user/emails/ #{ email . id } " }
2016-09-13 17:45:13 +05:30
it " deletes existed email " do
2015-09-11 14:41:01 +05:30
user . emails << email
2017-08-17 22:00:37 +05:30
2015-09-11 14:41:01 +05:30
expect do
2023-07-09 08:55:56 +05:30
delete api ( path , user )
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :no_content )
2021-01-29 00:20:46 +05:30
end . to change { user . emails . count } . by ( - 1 )
2015-09-11 14:41:01 +05:30
end
2018-03-17 18:26:18 +05:30
it_behaves_like '412 response' do
2023-07-09 08:55:56 +05:30
let ( :request ) { api ( path , user ) }
2018-03-17 18:26:18 +05:30
end
2017-08-17 22:00:37 +05:30
it " returns 404 if email ID not found " do
2020-06-23 00:09:42 +05:30
delete api ( " /user/emails/ #{ non_existing_record_id } " , user )
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2017-08-17 22:00:37 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 Email Not Found' )
2015-09-11 14:41:01 +05:30
end
2016-09-13 17:45:13 +05:30
it " returns 401 error if unauthorized " do
2015-09-11 14:41:01 +05:30
user . emails << email
2020-06-23 00:09:42 +05:30
2023-07-09 08:55:56 +05:30
delete api ( path )
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
2015-09-11 14:41:01 +05:30
end
2015-09-25 12:07:36 +05:30
2017-08-17 22:00:37 +05:30
it " returns 400 for invalid ID " do
2023-06-20 00:43:36 +05:30
delete api ( " /user/emails/ASDF " , admin , admin_mode : true )
2016-11-03 12:29:30 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
2015-09-25 12:07:36 +05:30
end
2015-09-11 14:41:01 +05:30
end
2019-12-21 20:55:43 +05:30
context 'activate and deactivate' do
shared_examples '404' do
it 'returns 404' do
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2019-12-21 20:55:43 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 User Not Found' )
end
end
describe 'POST /users/:id/activate' do
2023-07-09 08:55:56 +05:30
subject ( :activate ) { post api ( path , api_user , ** params ) }
2021-01-03 14:25:43 +05:30
let ( :user_id ) { user . id }
2023-07-09 08:55:56 +05:30
let ( :path ) { " /users/ #{ user_id } /activate " }
it_behaves_like 'POST request permissions for admin mode' do
let ( :params ) { { } }
end
2021-01-03 14:25:43 +05:30
2019-12-21 20:55:43 +05:30
context 'performed by a non-admin user' do
2021-01-03 14:25:43 +05:30
let ( :api_user ) { user }
2023-07-09 08:55:56 +05:30
let ( :params ) { { admin_mode : false } }
2021-01-03 14:25:43 +05:30
2019-12-21 20:55:43 +05:30
it 'is not authorized to perform the action' do
2021-01-03 14:25:43 +05:30
activate
2019-12-21 20:55:43 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2019-12-21 20:55:43 +05:30
end
end
context 'performed by an admin user' do
2021-01-03 14:25:43 +05:30
let ( :api_user ) { admin }
2023-07-09 08:55:56 +05:30
let ( :params ) { { admin_mode : true } }
2021-01-03 14:25:43 +05:30
2019-12-21 20:55:43 +05:30
context 'for a deactivated user' do
2021-11-11 11:23:49 +05:30
let ( :user_id ) { deactivated_user . id }
2019-12-21 20:55:43 +05:30
it 'activates a deactivated user' do
2021-01-03 14:25:43 +05:30
activate
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :created )
2021-11-11 11:23:49 +05:30
expect ( deactivated_user . reload . state ) . to eq ( 'active' )
2019-12-21 20:55:43 +05:30
end
end
context 'for an active user' do
before do
user . activate
end
it 'returns 201' do
2021-01-03 14:25:43 +05:30
activate
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :created )
2019-12-21 20:55:43 +05:30
expect ( user . reload . state ) . to eq ( 'active' )
end
end
context 'for a blocked user' do
2021-11-11 11:23:49 +05:30
let ( :user_id ) { blocked_user . id }
2019-12-21 20:55:43 +05:30
it 'returns 403' do
2021-01-03 14:25:43 +05:30
activate
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2021-03-08 18:12:59 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '403 Forbidden - A blocked user must be unblocked to be activated' )
2021-11-11 11:23:49 +05:30
expect ( blocked_user . reload . state ) . to eq ( 'blocked' )
2019-12-21 20:55:43 +05:30
end
end
context 'for a ldap blocked user' do
before do
user . ldap_block
end
it 'returns 403' do
2021-01-03 14:25:43 +05:30
activate
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2021-03-08 18:12:59 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '403 Forbidden - A blocked user must be unblocked to be activated' )
2019-12-21 20:55:43 +05:30
expect ( user . reload . state ) . to eq ( 'ldap_blocked' )
end
end
context 'for a user that does not exist' do
2023-07-09 08:55:56 +05:30
let ( :user_id ) { non_existing_record_id }
2021-01-03 14:25:43 +05:30
2019-12-21 20:55:43 +05:30
before do
2021-01-03 14:25:43 +05:30
activate
2019-12-21 20:55:43 +05:30
end
it_behaves_like '404'
end
end
end
describe 'POST /users/:id/deactivate' do
2023-07-09 08:55:56 +05:30
subject ( :deactivate ) { post api ( path , api_user , ** params ) }
2021-01-03 14:25:43 +05:30
let ( :user_id ) { user . id }
2023-07-09 08:55:56 +05:30
let ( :path ) { " /users/ #{ user_id } /deactivate " }
it_behaves_like 'POST request permissions for admin mode' do
let ( :params ) { { } }
end
2021-01-03 14:25:43 +05:30
2019-12-21 20:55:43 +05:30
context 'performed by a non-admin user' do
2021-01-03 14:25:43 +05:30
let ( :api_user ) { user }
2023-07-09 08:55:56 +05:30
let ( :params ) { { admin_mode : false } }
2021-01-03 14:25:43 +05:30
2019-12-21 20:55:43 +05:30
it 'is not authorized to perform the action' do
2021-01-03 14:25:43 +05:30
deactivate
2019-12-21 20:55:43 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2019-12-21 20:55:43 +05:30
end
end
context 'performed by an admin user' do
2021-01-03 14:25:43 +05:30
let ( :api_user ) { admin }
2023-07-09 08:55:56 +05:30
let ( :params ) { { admin_mode : true } }
2021-01-03 14:25:43 +05:30
2019-12-21 20:55:43 +05:30
context 'for an active user' do
let ( :activity ) { { } }
2020-06-23 00:09:42 +05:30
let ( :user ) { create ( :user , ** activity ) }
2019-12-21 20:55:43 +05:30
context 'with no recent activity' do
2022-10-11 01:57:18 +05:30
let ( :activity ) { { last_activity_on : Gitlab :: CurrentSettings . deactivate_dormant_users_period . next . days . ago } }
2019-12-21 20:55:43 +05:30
it 'deactivates an active user' do
2021-01-03 14:25:43 +05:30
deactivate
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :created )
2019-12-21 20:55:43 +05:30
expect ( user . reload . state ) . to eq ( 'deactivated' )
end
end
context 'with recent activity' do
2022-10-11 01:57:18 +05:30
let ( :activity ) { { last_activity_on : Gitlab :: CurrentSettings . deactivate_dormant_users_period . pred . days . ago } }
2019-12-21 20:55:43 +05:30
it 'does not deactivate an active user' do
2021-01-03 14:25:43 +05:30
deactivate
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2023-07-09 08:55:56 +05:30
expect ( json_response [ 'message' ] ) . to eq ( " The user you are trying to deactivate has been active in the past #{ Gitlab :: CurrentSettings . deactivate_dormant_users_period } days and cannot be deactivated " )
2019-12-21 20:55:43 +05:30
expect ( user . reload . state ) . to eq ( 'active' )
end
end
end
context 'for a deactivated user' do
2021-11-11 11:23:49 +05:30
let ( :user_id ) { deactivated_user . id }
2019-12-21 20:55:43 +05:30
it 'returns 201' do
2021-01-03 14:25:43 +05:30
deactivate
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :created )
2021-11-11 11:23:49 +05:30
expect ( deactivated_user . reload . state ) . to eq ( 'deactivated' )
2019-12-21 20:55:43 +05:30
end
end
context 'for a blocked user' do
2021-11-11 11:23:49 +05:30
let ( :user_id ) { blocked_user . id }
2019-12-21 20:55:43 +05:30
it 'returns 403' do
2021-01-03 14:25:43 +05:30
deactivate
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2023-07-09 08:55:56 +05:30
expect ( json_response [ 'message' ] ) . to eq ( 'Error occurred. A blocked user cannot be deactivated' )
2021-11-11 11:23:49 +05:30
expect ( blocked_user . reload . state ) . to eq ( 'blocked' )
2019-12-21 20:55:43 +05:30
end
end
context 'for a ldap blocked user' do
before do
user . ldap_block
end
it 'returns 403' do
2021-01-03 14:25:43 +05:30
deactivate
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2023-07-09 08:55:56 +05:30
expect ( json_response [ 'message' ] ) . to eq ( 'Error occurred. A blocked user cannot be deactivated' )
2019-12-21 20:55:43 +05:30
expect ( user . reload . state ) . to eq ( 'ldap_blocked' )
end
end
2021-01-03 14:25:43 +05:30
context 'for an internal user' do
let ( :user ) { User . alert_bot }
it 'returns 403' do
deactivate
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2023-07-09 08:55:56 +05:30
expect ( json_response [ 'message' ] ) . to eq ( 'Internal users cannot be deactivated' )
2021-01-03 14:25:43 +05:30
end
end
2019-12-21 20:55:43 +05:30
context 'for a user that does not exist' do
2023-07-09 08:55:56 +05:30
let ( :user_id ) { non_existing_record_id }
2021-01-03 14:25:43 +05:30
2019-12-21 20:55:43 +05:30
before do
2021-01-03 14:25:43 +05:30
deactivate
2019-12-21 20:55:43 +05:30
end
it_behaves_like '404'
end
end
end
end
2021-11-11 11:23:49 +05:30
context 'approve and reject pending user' do
let ( :pending_user ) { create ( :user , :blocked_pending_approval ) }
2021-02-22 17:27:13 +05:30
shared_examples '404' do
it 'returns 404' do
expect ( response ) . to have_gitlab_http_status ( :not_found )
expect ( json_response [ 'message' ] ) . to eq ( '404 User Not Found' )
end
end
describe 'POST /users/:id/approve' do
2023-07-09 08:55:56 +05:30
subject ( :approve ) { post api ( path , api_user , ** params ) }
let ( :path ) { " /users/ #{ user_id } /approve " }
it_behaves_like 'POST request permissions for admin mode' do
let ( :user_id ) { pending_user . id }
let ( :params ) { { } }
end
2021-02-22 17:27:13 +05:30
context 'performed by a non-admin user' do
let ( :api_user ) { user }
let ( :user_id ) { pending_user . id }
2023-07-09 08:55:56 +05:30
let ( :params ) { { admin_mode : false } }
2021-02-22 17:27:13 +05:30
it 'is not authorized to perform the action' do
expect { approve } . not_to change { pending_user . reload . state }
expect ( response ) . to have_gitlab_http_status ( :forbidden )
expect ( json_response [ 'message' ] ) . to eq ( 'You are not allowed to approve a user' )
end
end
context 'performed by an admin user' do
let ( :api_user ) { admin }
2023-07-09 08:55:56 +05:30
let ( :params ) { { admin_mode : true } }
2021-02-22 17:27:13 +05:30
context 'for a deactivated user' do
let ( :user_id ) { deactivated_user . id }
it 'does not approve a deactivated user' do
expect { approve } . not_to change { deactivated_user . reload . state }
expect ( response ) . to have_gitlab_http_status ( :conflict )
2021-03-11 19:13:27 +05:30
expect ( json_response [ 'message' ] ) . to eq ( 'The user you are trying to approve is not pending approval' )
2021-02-22 17:27:13 +05:30
end
end
context 'for an pending approval user' do
let ( :user_id ) { pending_user . id }
it 'returns 201' do
expect { approve } . to change { pending_user . reload . state } . to ( 'active' )
expect ( response ) . to have_gitlab_http_status ( :created )
expect ( json_response [ 'message' ] ) . to eq ( 'Success' )
end
end
context 'for an active user' do
let ( :user_id ) { user . id }
it 'returns 201' do
expect { approve } . not_to change { user . reload . state }
expect ( response ) . to have_gitlab_http_status ( :conflict )
2021-03-11 19:13:27 +05:30
expect ( json_response [ 'message' ] ) . to eq ( 'The user you are trying to approve is not pending approval' )
2021-02-22 17:27:13 +05:30
end
end
context 'for a blocked user' do
let ( :user_id ) { blocked_user . id }
it 'returns 403' do
expect { approve } . not_to change { blocked_user . reload . state }
expect ( response ) . to have_gitlab_http_status ( :conflict )
2021-03-11 19:13:27 +05:30
expect ( json_response [ 'message' ] ) . to eq ( 'The user you are trying to approve is not pending approval' )
2021-02-22 17:27:13 +05:30
end
end
context 'for a ldap blocked user' do
let ( :user_id ) { ldap_blocked_user . id }
it 'returns 403' do
expect { approve } . not_to change { ldap_blocked_user . reload . state }
expect ( response ) . to have_gitlab_http_status ( :conflict )
2021-03-11 19:13:27 +05:30
expect ( json_response [ 'message' ] ) . to eq ( 'The user you are trying to approve is not pending approval' )
2021-02-22 17:27:13 +05:30
end
end
context 'for a user that does not exist' do
let ( :user_id ) { non_existing_record_id }
before do
approve
end
it_behaves_like '404'
end
end
end
2023-06-20 00:43:36 +05:30
describe 'POST /users/:id/reject' do
2023-07-09 08:55:56 +05:30
subject ( :reject ) { post api ( path , api_user , ** params ) }
let ( :path ) { " /users/ #{ user_id } /reject " }
it_behaves_like 'POST request permissions for admin mode' do
let ( :user_id ) { pending_user . id }
let ( :params ) { { } }
let ( :success_status_code ) { :success }
end
2020-04-08 14:13:33 +05:30
2021-11-11 11:23:49 +05:30
shared_examples 'returns 409' do
it 'returns 409' do
reject
2020-04-08 14:13:33 +05:30
2021-11-11 11:23:49 +05:30
expect ( response ) . to have_gitlab_http_status ( :conflict )
expect ( json_response [ 'message' ] ) . to eq ( 'User does not have a pending request' )
end
end
context 'performed by a non-admin user' do
let ( :api_user ) { user }
let ( :user_id ) { pending_user . id }
2023-07-09 08:55:56 +05:30
let ( :params ) { { admin_mode : false } }
2021-11-11 11:23:49 +05:30
it 'returns 403' do
expect { reject } . not_to change { pending_user . reload . state }
expect ( response ) . to have_gitlab_http_status ( :forbidden )
expect ( json_response [ 'message' ] ) . to eq ( 'You are not allowed to reject a user' )
end
end
context 'performed by an admin user' do
let ( :api_user ) { admin }
2023-07-09 08:55:56 +05:30
let ( :params ) { { admin_mode : true } }
2021-11-11 11:23:49 +05:30
context 'for an pending approval user' do
let ( :user_id ) { pending_user . id }
it 'returns 200' do
reject
expect ( response ) . to have_gitlab_http_status ( :ok )
expect ( json_response [ 'message' ] ) . to eq ( 'Success' )
end
end
context 'for a deactivated user' do
let ( :user_id ) { deactivated_user . id }
it 'does not reject a deactivated user' do
expect { reject } . not_to change { deactivated_user . reload . state }
end
it_behaves_like 'returns 409'
end
context 'for an active user' do
let ( :user_id ) { user . id }
it 'does not reject an active user' do
expect { reject } . not_to change { user . reload . state }
end
it_behaves_like 'returns 409'
end
context 'for a blocked user' do
let ( :user_id ) { blocked_user . id }
it 'does not reject a blocked user' do
expect { reject } . not_to change { blocked_user . reload . state }
end
it_behaves_like 'returns 409'
end
context 'for a ldap blocked user' do
let ( :user_id ) { ldap_blocked_user . id }
it 'does not reject a ldap blocked user' do
expect { reject } . not_to change { ldap_blocked_user . reload . state }
end
it_behaves_like 'returns 409'
end
context 'for a user that does not exist' do
let ( :user_id ) { non_existing_record_id }
before do
reject
end
it_behaves_like '404'
end
2020-04-08 14:13:33 +05:30
end
2015-09-11 14:41:01 +05:30
end
2021-11-11 11:23:49 +05:30
end
2015-09-11 14:41:01 +05:30
2023-06-20 00:43:36 +05:30
describe 'POST /users/:id/block' do
2023-07-09 08:55:56 +05:30
subject ( :block_user ) { post api ( path , api_user , ** params ) }
let ( :user_id ) { user . id }
let ( :path ) { " /users/ #{ user_id } /block " }
it_behaves_like 'POST request permissions for admin mode' do
let ( :params ) { { } }
end
2021-11-11 11:23:49 +05:30
context 'when admin' do
2023-07-09 08:55:56 +05:30
let ( :api_user ) { admin }
let ( :params ) { { admin_mode : true } }
2021-11-11 11:23:49 +05:30
context 'with an existing user' do
it 'blocks existing user' do
block_user
expect ( response ) . to have_gitlab_http_status ( :created )
expect ( response . body ) . to eq ( 'true' )
expect ( user . reload . state ) . to eq ( 'blocked' )
end
2023-03-17 16:20:25 +05:30
it 'saves a custom attribute' , :freeze_time , feature_category : :insider_threat do
block_user
custom_attribute = user . custom_attributes . last
expect ( custom_attribute . key ) . to eq ( UserCustomAttribute :: BLOCKED_BY )
expect ( custom_attribute . value ) . to eq ( " #{ admin . username } / #{ admin . id } + #{ Time . current } " )
end
2021-11-11 11:23:49 +05:30
end
context 'with an ldap blocked user' do
let ( :user_id ) { ldap_blocked_user . id }
it 'does not re-block ldap blocked users' do
block_user
expect ( response ) . to have_gitlab_http_status ( :forbidden )
expect ( ldap_blocked_user . reload . state ) . to eq ( 'ldap_blocked' )
end
end
context 'with a non existent user' do
let ( :user_id ) { non_existing_record_id }
it 'does not block non existent user, returns 404' do
block_user
expect ( response ) . to have_gitlab_http_status ( :not_found )
expect ( json_response [ 'message' ] ) . to eq ( '404 User Not Found' )
end
end
context 'with an internal user' do
let ( :user_id ) { internal_user . id }
it 'does not block internal user, returns 403' do
block_user
expect ( response ) . to have_gitlab_http_status ( :forbidden )
expect ( json_response [ 'message' ] ) . to eq ( 'An internal user cannot be blocked' )
end
end
context 'with a blocked user' do
let ( :user_id ) { blocked_user . id }
it 'returns a 201 if user is already blocked' do
block_user
expect ( response ) . to have_gitlab_http_status ( :created )
expect ( response . body ) . to eq ( 'null' )
end
end
2022-05-07 20:08:51 +05:30
context 'with the API initiating user' do
let ( :user_id ) { admin . id }
it 'does not block the API initiating user, returns 403' do
block_user
expect ( response ) . to have_gitlab_http_status ( :forbidden )
expect ( json_response [ 'message' ] ) . to eq ( '403 Forbidden - The API initiating user cannot be blocked by the API' )
expect ( admin . reload . state ) . to eq ( 'active' )
end
end
2016-01-19 16:12:03 +05:30
end
2023-07-09 08:55:56 +05:30
context 'performed by a non-admin user' do
let ( :api_user ) { user }
let ( :params ) { { admin_mode : false } }
2021-11-11 11:23:49 +05:30
2023-07-09 08:55:56 +05:30
it 'returns 403' do
block_user
expect ( response ) . to have_gitlab_http_status ( :forbidden )
expect ( user . reload . state ) . to eq ( 'active' )
end
2015-09-11 14:41:01 +05:30
end
2021-11-11 11:23:49 +05:30
end
2015-09-11 14:41:01 +05:30
2023-06-20 00:43:36 +05:30
describe 'POST /users/:id/unblock' do
2023-07-09 08:55:56 +05:30
subject ( :unblock_user ) { post api ( path , api_user , ** params ) }
let ( :path ) { " /users/ #{ user_id } /unblock " }
let ( :user_id ) { user . id }
it_behaves_like 'POST request permissions for admin mode' do
let ( :params ) { { } }
end
2021-11-11 11:23:49 +05:30
context 'when admin' do
2023-07-09 08:55:56 +05:30
let ( :api_user ) { admin }
let ( :params ) { { admin_mode : true } }
2020-04-08 14:13:33 +05:30
2021-11-11 11:23:49 +05:30
context 'with an existing user' do
it 'unblocks existing user' do
unblock_user
2021-01-03 14:25:43 +05:30
2021-11-11 11:23:49 +05:30
expect ( response ) . to have_gitlab_http_status ( :created )
expect ( user . reload . state ) . to eq ( 'active' )
end
end
2021-01-03 14:25:43 +05:30
2021-11-11 11:23:49 +05:30
context 'with a blocked user' do
let ( :user_id ) { blocked_user . id }
2020-04-08 14:13:33 +05:30
2021-11-11 11:23:49 +05:30
it 'unblocks a blocked user' do
unblock_user
expect ( response ) . to have_gitlab_http_status ( :created )
expect ( blocked_user . reload . state ) . to eq ( 'active' )
end
2023-03-17 16:20:25 +05:30
it 'saves a custom attribute' , :freeze_time , feature_category : :insider_threat do
unblock_user
custom_attribute = blocked_user . custom_attributes . last
expect ( custom_attribute . key ) . to eq ( UserCustomAttribute :: UNBLOCKED_BY )
expect ( custom_attribute . value ) . to eq ( " #{ admin . username } / #{ admin . id } + #{ Time . current } " )
end
2020-04-08 14:13:33 +05:30
end
2015-09-11 14:41:01 +05:30
2021-11-11 11:23:49 +05:30
context 'with a ldap blocked user' do
let ( :user_id ) { ldap_blocked_user . id }
2017-09-10 17:25:29 +05:30
2021-11-11 11:23:49 +05:30
it 'does not unblock ldap blocked users' do
unblock_user
2015-09-11 14:41:01 +05:30
2021-11-11 11:23:49 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
expect ( ldap_blocked_user . reload . state ) . to eq ( 'ldap_blocked' )
end
end
context 'with a deactivated user' do
let ( :user_id ) { deactivated_user . id }
it 'does not unblock deactivated users' do
unblock_user
expect ( response ) . to have_gitlab_http_status ( :forbidden )
expect ( deactivated_user . reload . state ) . to eq ( 'deactivated' )
end
end
context 'with a non existent user' do
let ( :user_id ) { non_existing_record_id }
it 'returns a 404 error if user id not found' do
unblock_user
expect ( response ) . to have_gitlab_http_status ( :not_found )
expect ( json_response [ 'message' ] ) . to eq ( '404 User Not Found' )
end
end
context 'with an invalid user id' do
let ( :user_id ) { 'ASDF' }
it 'returns a 404' do
unblock_user
expect ( response ) . to have_gitlab_http_status ( :not_found )
end
end
2016-01-19 16:12:03 +05:30
end
2023-07-09 08:55:56 +05:30
context 'performed by a non-admin user' do
let ( :api_user ) { user }
let ( :params ) { { admin_mode : false } }
it 'returns 403' do
unblock_user
expect ( response ) . to have_gitlab_http_status ( :forbidden )
expect ( user . reload . state ) . to eq ( 'active' )
end
2015-09-11 14:41:01 +05:30
end
2021-11-11 11:23:49 +05:30
end
2015-09-11 14:41:01 +05:30
2023-06-20 00:43:36 +05:30
describe 'POST /users/:id/ban' do
2023-07-09 08:55:56 +05:30
subject ( :ban_user ) { post api ( path , api_user , ** params ) }
let ( :path ) { " /users/ #{ user_id } /ban " }
let ( :user_id ) { user . id }
it_behaves_like 'POST request permissions for admin mode' do
let ( :params ) { { } }
end
2021-11-11 11:23:49 +05:30
context 'when admin' do
2023-07-09 08:55:56 +05:30
let ( :api_user ) { admin }
let ( :params ) { { admin_mode : true } }
2021-11-11 11:23:49 +05:30
context 'with an active user' do
it 'bans an active user' do
ban_user
expect ( response ) . to have_gitlab_http_status ( :created )
expect ( response . body ) . to eq ( 'true' )
expect ( user . reload . state ) . to eq ( 'banned' )
end
end
context 'with an ldap blocked user' do
let ( :user_id ) { ldap_blocked_user . id }
it 'does not ban ldap blocked users' do
ban_user
expect ( response ) . to have_gitlab_http_status ( :forbidden )
expect ( json_response [ 'message' ] ) . to eq ( 'You cannot ban ldap_blocked users.' )
expect ( ldap_blocked_user . reload . state ) . to eq ( 'ldap_blocked' )
end
end
context 'with a deactivated user' do
let ( :user_id ) { deactivated_user . id }
it 'does not ban deactivated users' do
ban_user
expect ( response ) . to have_gitlab_http_status ( :forbidden )
expect ( json_response [ 'message' ] ) . to eq ( 'You cannot ban deactivated users.' )
expect ( deactivated_user . reload . state ) . to eq ( 'deactivated' )
end
end
context 'with a banned user' do
let ( :user_id ) { banned_user . id }
it 'does not ban banned users' do
ban_user
expect ( response ) . to have_gitlab_http_status ( :forbidden )
expect ( json_response [ 'message' ] ) . to eq ( 'You cannot ban banned users.' )
expect ( banned_user . reload . state ) . to eq ( 'banned' )
end
end
context 'with a non existent user' do
let ( :user_id ) { non_existing_record_id }
it 'does not ban non existent users' do
ban_user
expect ( response ) . to have_gitlab_http_status ( :not_found )
expect ( json_response [ 'message' ] ) . to eq ( '404 User Not Found' )
end
end
context 'with an invalid id' do
let ( :user_id ) { 'ASDF' }
it 'does not ban invalid id users' do
ban_user
expect ( response ) . to have_gitlab_http_status ( :not_found )
end
end
2019-12-21 20:55:43 +05:30
end
2023-07-09 08:55:56 +05:30
context 'performed by a non-admin user' do
let ( :api_user ) { user }
let ( :params ) { { admin_mode : false } }
2021-11-11 11:23:49 +05:30
2023-07-09 08:55:56 +05:30
it 'returns 403' do
ban_user
expect ( response ) . to have_gitlab_http_status ( :forbidden )
expect ( user . reload . state ) . to eq ( 'active' )
end
2015-09-11 14:41:01 +05:30
end
2021-11-11 11:23:49 +05:30
end
2015-09-11 14:41:01 +05:30
2023-06-20 00:43:36 +05:30
describe 'POST /users/:id/unban' do
2023-07-09 08:55:56 +05:30
subject ( :unban_user ) { post api ( path , api_user , ** params ) }
let ( :path ) { " /users/ #{ user_id } /unban " }
it_behaves_like 'POST request permissions for admin mode' do
let ( :user_id ) { banned_user . id }
let ( :params ) { { } }
end
2021-11-11 11:23:49 +05:30
context 'when admin' do
2023-07-09 08:55:56 +05:30
let ( :api_user ) { admin }
let ( :params ) { { admin_mode : true } }
2021-11-11 11:23:49 +05:30
context 'with a banned user' do
let ( :user_id ) { banned_user . id }
it 'activates a banned user' do
unban_user
expect ( response ) . to have_gitlab_http_status ( :created )
expect ( banned_user . reload . state ) . to eq ( 'active' )
end
end
context 'with an ldap_blocked user' do
let ( :user_id ) { ldap_blocked_user . id }
it 'does not unban ldap_blocked users' do
unban_user
expect ( response ) . to have_gitlab_http_status ( :forbidden )
expect ( json_response [ 'message' ] ) . to eq ( 'You cannot unban ldap_blocked users.' )
expect ( ldap_blocked_user . reload . state ) . to eq ( 'ldap_blocked' )
end
end
context 'with a deactivated user' do
let ( :user_id ) { deactivated_user . id }
it 'does not unban deactivated users' do
unban_user
expect ( response ) . to have_gitlab_http_status ( :forbidden )
expect ( json_response [ 'message' ] ) . to eq ( 'You cannot unban deactivated users.' )
expect ( deactivated_user . reload . state ) . to eq ( 'deactivated' )
end
end
context 'with an active user' do
let ( :user_id ) { user . id }
it 'does not unban active users' do
unban_user
expect ( response ) . to have_gitlab_http_status ( :forbidden )
expect ( json_response [ 'message' ] ) . to eq ( 'You cannot unban active users.' )
expect ( user . reload . state ) . to eq ( 'active' )
end
end
context 'with a non existent user' do
let ( :user_id ) { non_existing_record_id }
it 'does not unban non existent users' do
unban_user
expect ( response ) . to have_gitlab_http_status ( :not_found )
expect ( json_response [ 'message' ] ) . to eq ( '404 User Not Found' )
end
end
context 'with an invalid id user' do
let ( :user_id ) { 'ASDF' }
it 'does not unban invalid id users' do
unban_user
expect ( response ) . to have_gitlab_http_status ( :not_found )
end
end
2015-09-11 14:41:01 +05:30
end
2015-09-25 12:07:36 +05:30
2023-07-09 08:55:56 +05:30
context 'performed by a non-admin user' do
let ( :api_user ) { user }
let ( :params ) { { admin_mode : false } }
let ( :user_id ) { banned_user . id }
2016-11-03 12:29:30 +05:30
2023-07-09 08:55:56 +05:30
it 'returns 403' do
unban_user
expect ( response ) . to have_gitlab_http_status ( :forbidden )
expect ( user . reload . state ) . to eq ( 'active' )
end
2016-11-03 12:29:30 +05:30
end
end
2020-03-13 15:44:24 +05:30
describe " GET /users/:id/memberships " do
2023-07-09 08:55:56 +05:30
subject ( :request ) { get api ( path , requesting_user , admin_mode : true ) }
2020-03-13 15:44:24 +05:30
let_it_be ( :user ) { create ( :user ) }
let_it_be ( :project ) { create ( :project ) }
let_it_be ( :group ) { create ( :group ) }
2021-09-30 23:02:18 +05:30
2020-03-13 15:44:24 +05:30
let ( :requesting_user ) { create ( :user ) }
2023-07-09 08:55:56 +05:30
let ( :path ) { " /users/ #{ user . id } /memberships " }
2020-03-13 15:44:24 +05:30
before_all do
project . add_guest ( user )
group . add_guest ( user )
end
2023-07-09 08:55:56 +05:30
it_behaves_like 'GET request permissions for admin mode'
2020-03-13 15:44:24 +05:30
context 'requested by admin user' do
let ( :requesting_user ) { create ( :user , :admin ) }
it " responses successfully " do
2023-07-09 08:55:56 +05:30
request
2020-03-13 15:44:24 +05:30
aggregate_failures 'expect successful response including groups and projects' do
expect ( response ) . to have_gitlab_http_status ( :ok )
expect ( response ) . to match_response_schema ( 'public_api/v4/memberships' )
expect ( response ) . to include_pagination_headers
expect ( json_response ) . to contain_exactly (
a_hash_including ( 'source_type' = > 'Project' ) ,
a_hash_including ( 'source_type' = > 'Namespace' )
)
end
end
it 'does not submit N+1 DB queries' do
# Avoid setup queries
2023-07-09 08:55:56 +05:30
request
2023-06-20 00:43:36 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2020-03-13 15:44:24 +05:30
control = ActiveRecord :: QueryRecorder . new do
2023-07-09 08:55:56 +05:30
request
2020-03-13 15:44:24 +05:30
end
create_list ( :project , 5 ) . map { | project | project . add_guest ( user ) }
expect do
2023-07-09 08:55:56 +05:30
request
2020-03-13 15:44:24 +05:30
end . not_to exceed_query_limit ( control )
end
context 'with type filter' do
it " only returns project memberships " do
2023-06-20 00:43:36 +05:30
get api ( " /users/ #{ user . id } /memberships?type=Project " , requesting_user , admin_mode : true )
2020-03-13 15:44:24 +05:30
aggregate_failures do
expect ( json_response ) . to contain_exactly ( a_hash_including ( 'source_type' = > 'Project' ) )
expect ( json_response ) . not_to include ( a_hash_including ( 'source_type' = > 'Namespace' ) )
end
end
it " only returns group memberships " do
2023-06-20 00:43:36 +05:30
get api ( " /users/ #{ user . id } /memberships?type=Namespace " , requesting_user , admin_mode : true )
2020-03-13 15:44:24 +05:30
aggregate_failures do
expect ( json_response ) . to contain_exactly ( a_hash_including ( 'source_type' = > 'Namespace' ) )
expect ( json_response ) . not_to include ( a_hash_including ( 'source_type' = > 'Project' ) )
end
end
it " recognizes unsupported types " do
2023-06-20 00:43:36 +05:30
get api ( " /users/ #{ user . id } /memberships?type=foo " , requesting_user , admin_mode : true )
2020-03-13 15:44:24 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
end
end
end
end
2017-09-10 17:25:29 +05:30
context " user activities " , :clean_gitlab_redis_shared_state do
2020-05-24 23:13:21 +05:30
let_it_be ( :old_active_user ) { create ( :user , last_activity_on : Time . utc ( 2000 , 1 , 1 ) ) }
let_it_be ( :newly_active_user ) { create ( :user , last_activity_on : 2 . days . ago . midday ) }
2023-07-09 08:55:56 +05:30
let ( :path ) { '/user/activities' }
it_behaves_like 'GET request permissions for admin mode'
2017-08-17 22:00:37 +05:30
context 'last activity as normal user' do
it 'has no permission' do
2023-07-09 08:55:56 +05:30
get api ( path , user )
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2017-08-17 22:00:37 +05:30
end
end
context 'as admin' do
it 'returns the activities from the last 6 months' do
2023-07-09 08:55:56 +05:30
get api ( path , admin , admin_mode : true )
2017-08-17 22:00:37 +05:30
expect ( response ) . to include_pagination_headers
expect ( json_response . size ) . to eq ( 1 )
activity = json_response . last
expect ( activity [ 'username' ] ) . to eq ( newly_active_user . username )
expect ( activity [ 'last_activity_on' ] ) . to eq ( 2 . days . ago . to_date . to_s )
expect ( activity [ 'last_activity_at' ] ) . to eq ( 2 . days . ago . to_date . to_s )
end
context 'passing a :from parameter' do
it 'returns the activities from the given date' do
2023-07-09 08:55:56 +05:30
get api ( " #{ path } ?from=2000-1-1 " , admin , admin_mode : true )
2017-08-17 22:00:37 +05:30
expect ( response ) . to include_pagination_headers
expect ( json_response . size ) . to eq ( 2 )
activity = json_response . first
expect ( activity [ 'username' ] ) . to eq ( old_active_user . username )
expect ( activity [ 'last_activity_on' ] ) . to eq ( Time . utc ( 2000 , 1 , 1 ) . to_date . to_s )
expect ( activity [ 'last_activity_at' ] ) . to eq ( Time . utc ( 2000 , 1 , 1 ) . to_date . to_s )
end
end
end
end
2023-03-17 16:20:25 +05:30
describe '/user/status' do
let ( :user_status ) { create ( :user_status , clear_status_at : 8 . hours . from_now ) }
let ( :user_with_status ) { user_status . user }
let ( :params ) { { } }
let ( :request_user ) { user }
2023-07-09 08:55:56 +05:30
let ( :path ) { '/user/status' }
2020-01-01 13:55:28 +05:30
2023-03-17 16:20:25 +05:30
shared_examples '/user/status successful response' do
context 'when request is successful' do
let ( :params ) { { emoji : 'smirk' , message : 'hello world' } }
2018-11-18 11:00:15 +05:30
2023-03-17 16:20:25 +05:30
it 'saves the status' do
set_user_status
2018-11-18 11:00:15 +05:30
2023-03-17 16:20:25 +05:30
expect ( response ) . to have_gitlab_http_status ( :success )
expect ( json_response [ 'emoji' ] ) . to eq ( 'smirk' )
expect ( json_response [ 'message' ] ) . to eq ( 'hello world' )
end
end
2018-11-18 11:00:15 +05:30
end
2023-03-17 16:20:25 +05:30
shared_examples '/user/status unsuccessful response' do
context 'when request is unsuccessful' do
let ( :params ) { { emoji : 'does not exist' , message : 'hello world' } }
2018-11-18 11:00:15 +05:30
2023-03-17 16:20:25 +05:30
it 'renders errors' do
set_user_status
expect ( response ) . to have_gitlab_http_status ( :bad_request )
expect ( json_response [ 'message' ] [ 'emoji' ] ) . to be_present
end
end
2018-11-18 11:00:15 +05:30
end
2023-03-17 16:20:25 +05:30
shared_examples '/user/status passing nil for params' do
context 'when passing nil for params' do
let ( :params ) { { emoji : nil , message : nil , clear_status_after : nil } }
let ( :request_user ) { user_with_status }
2018-11-18 11:00:15 +05:30
2023-03-17 16:20:25 +05:30
it 'deletes the status' do
set_user_status
expect ( response ) . to have_gitlab_http_status ( :success )
2023-05-27 22:25:52 +05:30
expect ( user_with_status . reset . status ) . to be_nil
2023-03-17 16:20:25 +05:30
end
end
2018-11-18 11:00:15 +05:30
end
2021-03-11 19:13:27 +05:30
2023-03-17 16:20:25 +05:30
shared_examples '/user/status clear_status_after field' do
context 'when clear_status_after is valid' , :freeze_time do
let ( :params ) { { emoji : 'smirk' , message : 'hello world' , clear_status_after : '3_hours' } }
it 'sets the clear_status_at column' do
2021-03-11 19:13:27 +05:30
expected_clear_status_at = 3 . hours . from_now
2023-03-17 16:20:25 +05:30
set_user_status
2021-03-11 19:13:27 +05:30
expect ( response ) . to have_gitlab_http_status ( :success )
2023-03-17 16:20:25 +05:30
expect ( user . status . clear_status_at ) . to be_like_time ( expected_clear_status_at )
expect ( Time . parse ( json_response [ " clear_status_at " ] ) ) . to be_like_time ( expected_clear_status_at )
2021-03-11 19:13:27 +05:30
end
end
2023-03-17 16:20:25 +05:30
context 'when clear_status_after is nil' do
let ( :params ) { { emoji : 'smirk' , message : 'hello world' , clear_status_after : nil } }
let ( :request_user ) { user_with_status }
2021-03-11 19:13:27 +05:30
2023-03-17 16:20:25 +05:30
it 'unsets the clear_status_at column' do
set_user_status
2021-03-11 19:13:27 +05:30
2023-03-17 16:20:25 +05:30
expect ( response ) . to have_gitlab_http_status ( :success )
2023-05-27 22:25:52 +05:30
expect ( user_with_status . reset . status . clear_status_at ) . to be_nil
2023-03-17 16:20:25 +05:30
end
2021-03-11 19:13:27 +05:30
end
2023-03-17 16:20:25 +05:30
context 'when clear_status_after is invalid' do
let ( :params ) { { emoji : 'smirk' , message : 'hello world' , clear_status_after : 'invalid' } }
2021-03-11 19:13:27 +05:30
2023-03-17 16:20:25 +05:30
it 'raises error when unknown status value is given' do
set_user_status
expect ( response ) . to have_gitlab_http_status ( :bad_request )
end
end
end
describe 'GET' do
it_behaves_like 'rendering user status'
end
describe 'PUT' do
2023-07-09 08:55:56 +05:30
subject ( :set_user_status ) { put api ( path , request_user ) , params : params }
2023-03-17 16:20:25 +05:30
include_examples '/user/status successful response'
include_examples '/user/status unsuccessful response'
include_examples '/user/status passing nil for params'
include_examples '/user/status clear_status_after field'
context 'when passing empty params' do
let ( :request_user ) { user_with_status }
it 'deletes the status' do
set_user_status
expect ( response ) . to have_gitlab_http_status ( :success )
2023-05-27 22:25:52 +05:30
expect ( user_with_status . reset . status ) . to be_nil
2023-03-17 16:20:25 +05:30
end
end
context 'when clear_status_after is not given' do
let ( :params ) { { emoji : 'smirk' , message : 'hello world' } }
let ( :request_user ) { user_with_status }
it 'unsets clear_status_at column' do
set_user_status
expect ( response ) . to have_gitlab_http_status ( :success )
2023-05-27 22:25:52 +05:30
expect ( user_with_status . reset . status . clear_status_at ) . to be_nil
2023-03-17 16:20:25 +05:30
end
end
end
describe 'PATCH' do
2023-07-09 08:55:56 +05:30
subject ( :set_user_status ) { patch api ( path , request_user ) , params : params }
2023-03-17 16:20:25 +05:30
include_examples '/user/status successful response'
include_examples '/user/status unsuccessful response'
include_examples '/user/status passing nil for params'
include_examples '/user/status clear_status_after field'
context 'when passing empty params' do
let ( :request_user ) { user_with_status }
it 'does not update the status' do
set_user_status
expect ( response ) . to have_gitlab_http_status ( :success )
expect ( user_with_status . status ) . to eq ( user_status )
end
end
context 'when clear_status_after is not given' do
let ( :params ) { { emoji : 'smirk' , message : 'hello world' } }
let ( :request_user ) { user_with_status }
it 'does not unset clear_status_at column' do
set_user_status
expect ( response ) . to have_gitlab_http_status ( :success )
expect ( user_with_status . status . clear_status_at ) . not_to be_nil
end
2021-03-11 19:13:27 +05:30
end
end
2018-11-18 11:00:15 +05:30
end
2021-01-29 00:20:46 +05:30
describe 'POST /users/:user_id/personal_access_tokens' do
let ( :name ) { 'new pat' }
let ( :expires_at ) { 3 . days . from_now . to_date . to_s }
let ( :scopes ) { %w( api read_user ) }
2023-07-09 08:55:56 +05:30
let ( :path ) { " /users/ #{ user . id } /personal_access_tokens " }
let ( :params ) { { name : name , scopes : scopes , expires_at : expires_at } }
it_behaves_like 'POST request permissions for admin mode'
2021-01-29 00:20:46 +05:30
2021-03-08 18:12:59 +05:30
it 'returns error if required attributes are missing' do
2023-07-09 08:55:56 +05:30
post api ( path , admin , admin_mode : true )
2021-01-29 00:20:46 +05:30
2021-03-08 18:12:59 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
expect ( json_response [ 'error' ] ) . to eq ( 'name is missing, scopes is missing, scopes does not have a valid value' )
end
2021-01-29 00:20:46 +05:30
2021-03-08 18:12:59 +05:30
it 'returns a 404 error if user not found' do
2023-07-09 08:55:56 +05:30
post api ( " /users/ #{ non_existing_record_id } /personal_access_tokens " , admin , admin_mode : true ) , params : params
2021-01-29 00:20:46 +05:30
2021-03-08 18:12:59 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
expect ( json_response [ 'message' ] ) . to eq ( '404 User Not Found' )
end
2021-01-29 00:20:46 +05:30
2021-03-08 18:12:59 +05:30
it 'returns a 401 error when not authenticated' do
2023-07-09 08:55:56 +05:30
post api ( path ) , params : params
2021-01-29 00:20:46 +05:30
2021-03-08 18:12:59 +05:30
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
expect ( json_response [ 'message' ] ) . to eq ( '401 Unauthorized' )
end
2021-01-29 00:20:46 +05:30
2021-03-08 18:12:59 +05:30
it 'returns a 403 error when authenticated as normal user' do
2023-07-09 08:55:56 +05:30
post api ( path , user ) , params : params
2021-01-29 00:20:46 +05:30
2021-03-08 18:12:59 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
expect ( json_response [ 'message' ] ) . to eq ( '403 Forbidden' )
end
2021-01-29 00:20:46 +05:30
2021-03-08 18:12:59 +05:30
it 'creates a personal access token when authenticated as admin' do
2023-07-09 08:55:56 +05:30
post api ( path , admin , admin_mode : true ) , params : params
2021-01-29 00:20:46 +05:30
2021-03-08 18:12:59 +05:30
expect ( response ) . to have_gitlab_http_status ( :created )
expect ( json_response [ 'name' ] ) . to eq ( name )
expect ( json_response [ 'scopes' ] ) . to eq ( scopes )
expect ( json_response [ 'expires_at' ] ) . to eq ( expires_at )
expect ( json_response [ 'id' ] ) . to be_present
expect ( json_response [ 'created_at' ] ) . to be_present
expect ( json_response [ 'active' ] ) . to be_truthy
expect ( json_response [ 'revoked' ] ) . to be_falsey
expect ( json_response [ 'token' ] ) . to be_present
end
2021-01-29 00:20:46 +05:30
2021-03-08 18:12:59 +05:30
context 'when an error is thrown by the model' do
2023-06-20 00:43:36 +05:30
let! ( :admin_personal_access_token ) { create ( :personal_access_token , :admin_mode , user : admin ) }
2021-03-08 18:12:59 +05:30
let ( :error_message ) { 'error message' }
2021-01-29 00:20:46 +05:30
2021-03-08 18:12:59 +05:30
before do
allow_next_instance_of ( PersonalAccessToken ) do | personal_access_token |
allow ( personal_access_token ) . to receive_message_chain ( :errors , :full_messages )
. and_return ( [ error_message ] )
2021-01-29 00:20:46 +05:30
2021-03-08 18:12:59 +05:30
allow ( personal_access_token ) . to receive ( :save ) . and_return ( false )
2021-01-29 00:20:46 +05:30
end
end
2021-03-08 18:12:59 +05:30
it 'returns the error' do
2023-07-09 08:55:56 +05:30
post api ( path , personal_access_token : admin_personal_access_token ) , params : params
2021-01-29 00:20:46 +05:30
2021-03-08 18:12:59 +05:30
expect ( response ) . to have_gitlab_http_status ( :unprocessable_entity )
expect ( json_response [ 'message' ] ) . to eq ( error_message )
2021-01-29 00:20:46 +05:30
end
end
end
2017-08-17 22:00:37 +05:30
describe 'GET /users/:user_id/impersonation_tokens' do
2020-06-23 00:09:42 +05:30
let_it_be ( :active_personal_access_token ) { create ( :personal_access_token , user : user ) }
let_it_be ( :revoked_personal_access_token ) { create ( :personal_access_token , :revoked , user : user ) }
let_it_be ( :expired_personal_access_token ) { create ( :personal_access_token , :expired , user : user ) }
let_it_be ( :impersonation_token ) { create ( :personal_access_token , :impersonation , user : user ) }
let_it_be ( :revoked_impersonation_token ) { create ( :personal_access_token , :impersonation , :revoked , user : user ) }
2023-07-09 08:55:56 +05:30
let ( :path ) { " /users/ #{ user . id } /impersonation_tokens " }
it_behaves_like 'GET request permissions for admin mode'
2017-08-17 22:00:37 +05:30
it 'returns a 404 error if user not found' do
2023-06-20 00:43:36 +05:30
get api ( " /users/ #{ non_existing_record_id } /impersonation_tokens " , admin , admin_mode : true )
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2017-08-17 22:00:37 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 User Not Found' )
end
it 'returns a 403 error when authenticated as normal user' do
2020-06-23 00:09:42 +05:30
get api ( " /users/ #{ non_existing_record_id } /impersonation_tokens " , user )
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2017-08-17 22:00:37 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '403 Forbidden' )
end
it 'returns an array of all impersonated tokens' do
2023-07-09 08:55:56 +05:30
get api ( path , admin , admin_mode : true )
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2017-08-17 22:00:37 +05:30
expect ( response ) . to include_pagination_headers
expect ( json_response ) . to be_an Array
expect ( json_response . size ) . to eq ( 2 )
end
it 'returns an array of active impersonation tokens if state active' do
2023-07-09 08:55:56 +05:30
get api ( " #{ path } ?state=active " , admin , admin_mode : true )
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2017-08-17 22:00:37 +05:30
expect ( response ) . to include_pagination_headers
expect ( json_response ) . to be_an Array
expect ( json_response . size ) . to eq ( 1 )
expect ( json_response ) . to all ( include ( 'active' = > true ) )
end
it 'returns an array of inactive personal access tokens if active is set to false' do
2023-07-09 08:55:56 +05:30
get api ( " #{ path } ?state=inactive " , admin , admin_mode : true )
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2017-08-17 22:00:37 +05:30
expect ( json_response ) . to be_an Array
expect ( json_response . size ) . to eq ( 1 )
expect ( json_response ) . to all ( include ( 'active' = > false ) )
end
end
describe 'POST /users/:user_id/impersonation_tokens' do
let ( :name ) { 'my new pat' }
let ( :expires_at ) { '2016-12-28' }
let ( :scopes ) { %w( api read_user ) }
let ( :impersonation ) { true }
2023-07-09 08:55:56 +05:30
let ( :path ) { " /users/ #{ user . id } /impersonation_tokens " }
let ( :params ) { { name : name , expires_at : expires_at , scopes : scopes , impersonation : impersonation } }
it_behaves_like 'POST request permissions for admin mode'
2017-08-17 22:00:37 +05:30
it 'returns validation error if impersonation token misses some attributes' do
2023-07-09 08:55:56 +05:30
post api ( path , admin , admin_mode : true )
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :bad_request )
2017-08-17 22:00:37 +05:30
expect ( json_response [ 'error' ] ) . to eq ( 'name is missing' )
end
it 'returns a 404 error if user not found' do
2023-06-20 00:43:36 +05:30
post api ( " /users/ #{ non_existing_record_id } /impersonation_tokens " , admin , admin_mode : true ) ,
2019-02-15 15:39:39 +05:30
params : {
name : name ,
expires_at : expires_at
}
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2017-08-17 22:00:37 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 User Not Found' )
end
it 'returns a 403 error when authenticated as normal user' do
2023-07-09 08:55:56 +05:30
post api ( path , user ) ,
2019-02-15 15:39:39 +05:30
params : {
name : name ,
expires_at : expires_at
}
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2017-08-17 22:00:37 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '403 Forbidden' )
end
it 'creates a impersonation token' do
2023-07-09 08:55:56 +05:30
post api ( path , admin , admin_mode : true ) , params : params
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :created )
2017-08-17 22:00:37 +05:30
expect ( json_response [ 'name' ] ) . to eq ( name )
expect ( json_response [ 'scopes' ] ) . to eq ( scopes )
expect ( json_response [ 'expires_at' ] ) . to eq ( expires_at )
expect ( json_response [ 'id' ] ) . to be_present
expect ( json_response [ 'created_at' ] ) . to be_present
expect ( json_response [ 'active' ] ) . to be_falsey
expect ( json_response [ 'revoked' ] ) . to be_falsey
expect ( json_response [ 'token' ] ) . to be_present
expect ( json_response [ 'impersonation' ] ) . to eq ( impersonation )
end
end
describe 'GET /users/:user_id/impersonation_tokens/:impersonation_token_id' do
2020-06-23 00:09:42 +05:30
let_it_be ( :personal_access_token ) { create ( :personal_access_token , user : user ) }
let_it_be ( :impersonation_token ) { create ( :personal_access_token , :impersonation , user : user ) }
2023-07-09 08:55:56 +05:30
let ( :path ) { " /users/ #{ user . id } /impersonation_tokens/ #{ impersonation_token . id } " }
it_behaves_like 'GET request permissions for admin mode'
2017-08-17 22:00:37 +05:30
it 'returns 404 error if user not found' do
2023-06-20 00:43:36 +05:30
get api ( " /users/ #{ non_existing_record_id } /impersonation_tokens/1 " , admin , admin_mode : true )
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2017-08-17 22:00:37 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 User Not Found' )
end
it 'returns a 404 error if impersonation token not found' do
2023-06-20 00:43:36 +05:30
get api ( " /users/ #{ user . id } /impersonation_tokens/ #{ non_existing_record_id } " , admin , admin_mode : true )
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2017-08-17 22:00:37 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 Impersonation Token Not Found' )
end
it 'returns a 404 error if token is not impersonation token' do
2023-06-20 00:43:36 +05:30
get api ( " /users/ #{ user . id } /impersonation_tokens/ #{ personal_access_token . id } " , admin , admin_mode : true )
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2017-08-17 22:00:37 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 Impersonation Token Not Found' )
end
it 'returns a 403 error when authenticated as normal user' do
2023-07-09 08:55:56 +05:30
get api ( path , user )
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2017-08-17 22:00:37 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '403 Forbidden' )
end
2018-12-05 23:21:45 +05:30
it 'returns an impersonation token' do
2023-07-09 08:55:56 +05:30
get api ( path , admin , admin_mode : true )
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
2018-12-05 23:21:45 +05:30
expect ( json_response [ 'token' ] ) . not_to be_present
2017-08-17 22:00:37 +05:30
expect ( json_response [ 'impersonation' ] ) . to be_truthy
end
end
describe 'DELETE /users/:user_id/impersonation_tokens/:impersonation_token_id' do
2020-06-23 00:09:42 +05:30
let_it_be ( :personal_access_token ) { create ( :personal_access_token , user : user ) }
let_it_be ( :impersonation_token ) { create ( :personal_access_token , :impersonation , user : user ) }
2023-07-09 08:55:56 +05:30
let ( :path ) { " /users/ #{ user . id } /impersonation_tokens/ #{ impersonation_token . id } " }
it_behaves_like 'DELETE request permissions for admin mode'
2017-08-17 22:00:37 +05:30
it 'returns a 404 error if user not found' do
2023-06-20 00:43:36 +05:30
delete api ( " /users/ #{ non_existing_record_id } /impersonation_tokens/1 " , admin , admin_mode : true )
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2017-08-17 22:00:37 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 User Not Found' )
end
it 'returns a 404 error if impersonation token not found' do
2023-06-20 00:43:36 +05:30
delete api ( " /users/ #{ user . id } /impersonation_tokens/ #{ non_existing_record_id } " , admin , admin_mode : true )
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2017-08-17 22:00:37 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 Impersonation Token Not Found' )
end
it 'returns a 404 error if token is not impersonation token' do
2023-06-20 00:43:36 +05:30
delete api ( " /users/ #{ user . id } /impersonation_tokens/ #{ personal_access_token . id } " , admin , admin_mode : true )
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
2017-08-17 22:00:37 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '404 Impersonation Token Not Found' )
end
it 'returns a 403 error when authenticated as normal user' do
2023-07-09 08:55:56 +05:30
delete api ( path , user )
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :forbidden )
2017-08-17 22:00:37 +05:30
expect ( json_response [ 'message' ] ) . to eq ( '403 Forbidden' )
end
2018-03-17 18:26:18 +05:30
it_behaves_like '412 response' do
2023-07-09 08:55:56 +05:30
let ( :request ) { api ( path , admin , admin_mode : true ) }
2018-03-17 18:26:18 +05:30
end
2017-08-17 22:00:37 +05:30
it 'revokes a impersonation token' do
2023-07-09 08:55:56 +05:30
delete api ( path , admin , admin_mode : true )
2017-08-17 22:00:37 +05:30
2020-04-08 14:13:33 +05:30
expect ( response ) . to have_gitlab_http_status ( :no_content )
2017-08-17 22:00:37 +05:30
expect ( impersonation_token . revoked ) . to be_falsey
expect ( impersonation_token . reload . revoked ) . to be_truthy
end
end
2018-03-17 18:26:18 +05:30
2023-01-13 00:05:48 +05:30
describe 'GET /users/:id/associations_count' do
let_it_be ( :group ) { create ( :group ) }
let_it_be ( :project ) { create ( :project , :public , group : group ) }
2023-07-09 08:55:56 +05:30
let ( :path ) { " /users/ #{ user . id } /associations_count " }
2023-01-13 00:05:48 +05:30
let ( :associations ) do
{
groups_count : 1 ,
projects_count : 1 ,
issues_count : 2 ,
merge_requests_count : 1
} . as_json
end
before :all do
group . add_member ( user , Gitlab :: Access :: OWNER )
project . add_member ( user , Gitlab :: Access :: OWNER )
create ( :merge_request , source_project : project , source_branch : " my-personal-branch-1 " , author : user )
create_list ( :issue , 2 , project : project , author : user )
end
2023-07-09 08:55:56 +05:30
it_behaves_like 'GET request permissions for admin mode'
2023-01-13 00:05:48 +05:30
context 'as an unauthorized user' do
it 'returns 401 unauthorized' do
2023-07-09 08:55:56 +05:30
get api ( path , nil )
2023-01-13 00:05:48 +05:30
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
end
end
context 'as a non-admin user' do
context 'with a different user id' do
it 'returns 403 Forbidden' do
get api ( " /users/ #{ omniauth_user . id } /associations_count " , user )
expect ( response ) . to have_gitlab_http_status ( :forbidden )
end
end
context 'with the current user id' do
it 'returns valid JSON response' do
2023-07-09 08:55:56 +05:30
get api ( path , user )
2023-01-13 00:05:48 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
expect ( json_response ) . to be_a Hash
expect ( json_response ) . to match ( associations )
end
end
end
context 'as an admin user' do
context 'with invalid user id' do
it 'returns 404 User Not Found' do
2023-06-20 00:43:36 +05:30
get api ( " /users/ #{ non_existing_record_id } /associations_count " , admin , admin_mode : true )
2023-01-13 00:05:48 +05:30
expect ( response ) . to have_gitlab_http_status ( :not_found )
end
end
context 'with valid user id' do
it 'returns valid JSON response' do
2023-07-09 08:55:56 +05:30
get api ( path , admin , admin_mode : true )
2023-01-13 00:05:48 +05:30
expect ( response ) . to have_gitlab_http_status ( :ok )
expect ( json_response ) . to be_a Hash
expect ( json_response ) . to match ( associations )
end
end
end
end
2018-03-17 18:26:18 +05:30
it_behaves_like 'custom attributes endpoints' , 'users' do
let ( :attributable ) { user }
let ( :other_attributable ) { admin }
end
2023-06-20 00:43:36 +05:30
describe 'POST /user/runners' , feature_category : :runner_fleet do
2023-07-09 08:55:56 +05:30
subject ( :request ) { post api ( path , current_user , ** post_args ) , params : runner_attrs }
2023-06-20 00:43:36 +05:30
let_it_be ( :group_owner ) { create ( :user ) }
let_it_be ( :group ) { create ( :group ) }
let_it_be ( :project ) { create ( :project , namespace : group ) }
let ( :post_args ) { { admin_mode : true } }
let ( :runner_attrs ) { { runner_type : 'instance_type' } }
2023-07-09 08:55:56 +05:30
let ( :path ) { '/user/runners' }
2023-06-20 00:43:36 +05:30
before do
group . add_owner ( group_owner )
end
shared_context 'returns forbidden when user does not have sufficient permissions' do
let ( :current_user ) { admin }
let ( :post_args ) { { admin_mode : false } }
it 'does not create a runner' do
expect do
request
expect ( response ) . to have_gitlab_http_status ( :forbidden )
end . not_to change { Ci :: Runner . count }
end
end
shared_examples 'creates a runner' do
it 'creates a runner' do
expect do
request
expect ( response ) . to have_gitlab_http_status ( :created )
end . to change { Ci :: Runner . count } . by ( 1 )
end
end
shared_examples 'fails to create runner with :bad_request' do
it 'does not create runner' do
expect do
request
expect ( response ) . to have_gitlab_http_status ( :bad_request )
expect ( json_response [ 'message' ] ) . to include ( expected_error )
end . not_to change { Ci :: Runner . count }
end
end
context 'when runner_type is :instance_type' do
let ( :runner_attrs ) { { runner_type : 'instance_type' } }
context 'when user has sufficient permissions' do
let ( :current_user ) { admin }
it_behaves_like 'creates a runner'
end
it_behaves_like 'returns forbidden when user does not have sufficient permissions'
context 'when model validation fails' do
let ( :runner_attrs ) { { runner_type : 'instance_type' , run_untagged : false , tag_list : [ ] } }
let ( :current_user ) { admin }
it_behaves_like 'fails to create runner with :bad_request' do
let ( :expected_error ) { 'Tags list can not be empty' }
end
end
end
context 'when runner_type is :group_type' do
let ( :post_args ) { { } }
context 'when group_id is specified' do
let ( :runner_attrs ) { { runner_type : 'group_type' , group_id : group . id } }
context 'when user has sufficient permissions' do
let ( :current_user ) { group_owner }
it_behaves_like 'creates a runner'
end
it_behaves_like 'returns forbidden when user does not have sufficient permissions'
end
context 'when group_id is not specified' do
let ( :runner_attrs ) { { runner_type : 'group_type' } }
let ( :current_user ) { group_owner }
it 'fails to create runner with :bad_request' do
expect do
request
expect ( response ) . to have_gitlab_http_status ( :bad_request )
expect ( json_response [ 'error' ] ) . to include ( 'group_id is missing' )
end . not_to change { Ci :: Runner . count }
end
end
end
context 'when runner_type is :project_type' do
let ( :post_args ) { { } }
context 'when project_id is specified' do
let ( :runner_attrs ) { { runner_type : 'project_type' , project_id : project . id } }
context 'when user has sufficient permissions' do
let ( :current_user ) { group_owner }
it_behaves_like 'creates a runner'
end
it_behaves_like 'returns forbidden when user does not have sufficient permissions'
end
context 'when project_id is not specified' do
let ( :runner_attrs ) { { runner_type : 'project_type' } }
let ( :current_user ) { group_owner }
it 'fails to create runner with :bad_request' do
expect do
request
expect ( response ) . to have_gitlab_http_status ( :bad_request )
expect ( json_response [ 'error' ] ) . to include ( 'project_id is missing' )
end . not_to change { Ci :: Runner . count }
end
end
end
context 'with missing runner_type' do
let ( :runner_attrs ) { { } }
let ( :current_user ) { admin }
it 'fails to create runner with :bad_request' do
expect do
request
expect ( response ) . to have_gitlab_http_status ( :bad_request )
expect ( json_response [ 'error' ] ) . to eq ( 'runner_type is missing, runner_type does not have a valid value' )
end . not_to change { Ci :: Runner . count }
end
end
context 'with unknown runner_type' do
let ( :runner_attrs ) { { runner_type : 'unknown' } }
let ( :current_user ) { admin }
it 'fails to create runner with :bad_request' do
expect do
request
expect ( response ) . to have_gitlab_http_status ( :bad_request )
expect ( json_response [ 'error' ] ) . to eq ( 'runner_type does not have a valid value' )
end . not_to change { Ci :: Runner . count }
end
end
it 'returns a 401 error if unauthorized' do
2023-07-09 08:55:56 +05:30
post api ( path ) , params : runner_attrs
2023-06-20 00:43:36 +05:30
expect ( response ) . to have_gitlab_http_status ( :unauthorized )
end
end
2014-09-02 18:07:02 +05:30
end